Merge pull request github#5300 from tamasvajk/feature/external-remote-flow-sources

aschackmull · web-flow · commit 87e4dec86a76 · 2021-03-11T10:44:17.000+01:00
Java: Convert remote flow sources to use new CSV format
diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -96,7 +96,87 @@ private predicate sourceModelCsv(string row) {
       // SocketGetInputStreamMethod
       "java.net;Socket;false;getInputStream;();;ReturnValue;remote",
       // BeanValidationSource
-      "javax.validation;ConstraintValidator;true;isValid;;;Parameter[0];remote"
+      "javax.validation;ConstraintValidator;true;isValid;;;Parameter[0];remote",
+      // SpringMultipartRequestSource
+      "org.springframework.web.multipart;MultipartRequest;true;getFile;(String);;ReturnValue;remote",
+      "org.springframework.web.multipart;MultipartRequest;true;getFileMap;();;ReturnValue;remote",
+      "org.springframework.web.multipart;MultipartRequest;true;getFileNames;();;ReturnValue;remote",
+      "org.springframework.web.multipart;MultipartRequest;true;getFiles;(String);;ReturnValue;remote",
+      "org.springframework.web.multipart;MultipartRequest;true;getMultiFileMap;();;ReturnValue;remote",
+      "org.springframework.web.multipart;MultipartRequest;true;getMultipartContentType;(String);;ReturnValue;remote",
+      // SpringMultipartFileSource
+      "org.springframework.web.multipart;MultipartFile;true;getBytes;();;ReturnValue;remote",
+      "org.springframework.web.multipart;MultipartFile;true;getContentType;();;ReturnValue;remote",
+      "org.springframework.web.multipart;MultipartFile;true;getInputStream;();;ReturnValue;remote",
+      "org.springframework.web.multipart;MultipartFile;true;getName;();;ReturnValue;remote",
+      "org.springframework.web.multipart;MultipartFile;true;getOriginalFilename;();;ReturnValue;remote",
+      "org.springframework.web.multipart;MultipartFile;true;getResource;();;ReturnValue;remote",
+      // HttpServletRequest.get*
+      "javax.servlet.http;HttpServletRequest;false;getHeader;(String);;ReturnValue;remote",
+      "javax.servlet.http;HttpServletRequest;false;getHeaders;(String);;ReturnValue;remote",
+      "javax.servlet.http;HttpServletRequest;false;getHeaderNames;();;ReturnValue;remote",
+      "javax.servlet.http;HttpServletRequest;false;getPathInfo;();;ReturnValue;remote",
+      "javax.servlet.http;HttpServletRequest;false;getRequestURI;();;ReturnValue;remote",
+      "javax.servlet.http;HttpServletRequest;false;getRequestURL;();;ReturnValue;remote",
+      "javax.servlet.http;HttpServletRequest;false;getRemoteUser;();;ReturnValue;remote",
+      // SpringWebRequestGetMethod
+      "org.springframework.web.context.request;WebRequest;false;getDescription;;;ReturnValue;remote",
+      "org.springframework.web.context.request;WebRequest;false;getHeader;;;ReturnValue;remote",
+      "org.springframework.web.context.request;WebRequest;false;getHeaderNames;;;ReturnValue;remote",
+      "org.springframework.web.context.request;WebRequest;false;getHeaderValues;;;ReturnValue;remote",
+      "org.springframework.web.context.request;WebRequest;false;getParameter;;;ReturnValue;remote",
+      "org.springframework.web.context.request;WebRequest;false;getParameterMap;;;ReturnValue;remote",
+      "org.springframework.web.context.request;WebRequest;false;getParameterNames;;;ReturnValue;remote",
+      "org.springframework.web.context.request;WebRequest;false;getParameterValues;;;ReturnValue;remote",
+      // TODO consider org.springframework.web.context.request.WebRequest.getRemoteUser
+      // ServletRequestGetBodyMethod
+      "javax.servlet;ServletRequest;false;getInputStream;();;ReturnValue;remote",
+      "javax.servlet;ServletRequest;false;getReader;();;ReturnValue;remote",
+      // CookieGet*
+      "javax.servlet.http;Cookie;false;getValue;();;ReturnValue;remote",
+      "javax.servlet.http;Cookie;false;getName;();;ReturnValue;remote",
+      "javax.servlet.http;Cookie;false;getComment;();;ReturnValue;remote",
+      // ApacheHttp*
+      "org.apache.http;HttpMessage;false;getParams;();;ReturnValue;remote",
+      "org.apache.http;HttpEntity;false;getContent;();;ReturnValue;remote",
+      // In the setting of Android we assume that XML has been transmitted over
+      // the network, so may be tainted.
+      // XmlPullGetMethod
+      "org.xmlpull.v1;XmlPullParser;false;getName;();;ReturnValue;remote",
+      "org.xmlpull.v1;XmlPullParser;false;getNamespace;();;ReturnValue;remote",
+      "org.xmlpull.v1;XmlPullParser;false;getText;();;ReturnValue;remote",
+      // XmlAttrSetGetMethod
+      "android.util;AttributeSet;false;getAttributeBooleanValue;;;ReturnValue;remote",
+      "android.util;AttributeSet;false;getAttributeCount;;;ReturnValue;remote",
+      "android.util;AttributeSet;false;getAttributeFloatValue;;;ReturnValue;remote",
+      "android.util;AttributeSet;false;getAttributeIntValue;;;ReturnValue;remote",
+      "android.util;AttributeSet;false;getAttributeListValue;;;ReturnValue;remote",
+      "android.util;AttributeSet;false;getAttributeName;;;ReturnValue;remote",
+      "android.util;AttributeSet;false;getAttributeNameResource;;;ReturnValue;remote",
+      "android.util;AttributeSet;false;getAttributeNamespace;;;ReturnValue;remote",
+      "android.util;AttributeSet;false;getAttributeResourceValue;;;ReturnValue;remote",
+      "android.util;AttributeSet;false;getAttributeUnsignedIntValue;;;ReturnValue;remote",
+      "android.util;AttributeSet;false;getAttributeValue;;;ReturnValue;remote",
+      "android.util;AttributeSet;false;getClassAttribute;;;ReturnValue;remote",
+      "android.util;AttributeSet;false;getIdAttribute;;;ReturnValue;remote",
+      "android.util;AttributeSet;false;getIdAttributeResourceValue;;;ReturnValue;remote",
+      "android.util;AttributeSet;false;getPositionDescription;;;ReturnValue;remote",
+      "android.util;AttributeSet;false;getStyleAttribute;;;ReturnValue;remote",
+      // The current URL in a browser may be untrusted or uncontrolled.
+      // WebViewGetUrlMethod
+      "android.webkit;WebView;false;getUrl;();;ReturnValue;remote",
+      "android.webkit;WebView;false;getOriginalUrl;();;ReturnValue;remote",
+      // SpringRestTemplateResponseEntityMethod
+      "org.springframework.web.client;RestTemplate;false;exchange;;;ReturnValue;remote",
+      "org.springframework.web.client;RestTemplate;false;getForEntity;;;ReturnValue;remote",
+      "org.springframework.web.client;RestTemplate;false;postForEntity;;;ReturnValue;remote",
+      // WebSocketMessageParameterSource
+      "java.net.http;WebSocket$Listener;true;onText;(WebSocket,CharSequence,boolean);;Parameter[1];remote",
+      // PlayRequestGetMethod
+      "play.mvc;Http$RequestHeader;false;queryString;;;ReturnValue;remote",
+      "play.mvc;Http$RequestHeader;false;getQueryString;;;ReturnValue;remote",
+      "play.mvc;Http$RequestHeader;false;header;;;ReturnValue;remote",
+      "play.mvc;Http$RequestHeader;false;getHeader;;;ReturnValue;remote"
     ]
 }
 
diff --git a/java/ql/src/semmle/code/java/dataflow/FlowSources.qll b/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
@@ -39,14 +39,6 @@ private class ExternalRemoteFlowSource extends RemoteFlowSource {
   override string getSourceType() { result = "external" }
 }
 
-private class RemoteTaintedMethodAccessSource extends RemoteFlowSource {
-  RemoteTaintedMethodAccessSource() {
-    this.asExpr().(MethodAccess).getMethod() instanceof RemoteTaintedMethod
-  }
-
-  override string getSourceType() { result = "network data source" }
-}
-
 private class RmiMethodParameterSource extends RemoteFlowSource {
   RmiMethodParameterSource() {
     exists(RemoteCallableMethod method |
@@ -115,42 +107,12 @@ private class MessageBodyReaderParameterSource extends RemoteFlowSource {
   override string getSourceType() { result = "MessageBodyReader parameter" }
 }
 
-private class SpringMultipartRequestSource extends RemoteFlowSource {
-  SpringMultipartRequestSource() {
-    exists(MethodAccess ma, Method m |
-      ma = this.asExpr() and
-      m = ma.getMethod() and
-      m.getDeclaringType()
-          .getASourceSupertype*()
-          .hasQualifiedName("org.springframework.web.multipart", "MultipartRequest") and
-      m.getName().matches("get%")
-    )
-  }
-
-  override string getSourceType() { result = "Spring MultipartRequest getter" }
-}
-
 private class PlayParameterSource extends RemoteFlowSource {
   PlayParameterSource() { exists(PlayActionMethodQueryParameter p | p = this.asParameter()) }
 
   override string getSourceType() { result = "Play Query Parameters" }
 }
 
-private class SpringMultipartFileSource extends RemoteFlowSource {
-  SpringMultipartFileSource() {
-    exists(MethodAccess ma, Method m |
-      ma = this.asExpr() and
-      m = ma.getMethod() and
-      m.getDeclaringType()
-          .getASourceSupertype*()
-          .hasQualifiedName("org.springframework.web.multipart", "MultipartFile") and
-      m.getName().matches("get%")
-    )
-  }
-
-  override string getSourceType() { result = "Spring MultipartFile getter" }
-}
-
 private class SpringServletInputParameterSource extends RemoteFlowSource {
   SpringServletInputParameterSource() {
     this.asParameter() = any(SpringRequestMappingParameter srmp | srmp.isTaintedInput())
@@ -188,30 +150,6 @@ private class ThriftIfaceParameterSource extends RemoteFlowSource {
   override string getSourceType() { result = "Thrift Iface parameter" }
 }
 
-private class WebSocketMessageParameterSource extends RemoteFlowSource {
-  WebSocketMessageParameterSource() {
-    exists(WebsocketOnText t | t.getParameter(1) = this.asParameter())
-  }
-
-  override string getSourceType() { result = "Websocket onText parameter" }
-}
-
-private class BeanValidationSource extends RemoteFlowSource {
-  BeanValidationSource() {
-    exists(Method m, Parameter v |
-      this.asParameter() = v and
-      m.getParameter(0) = v and
-      m.getDeclaringType()
-          .getASourceSupertype+()
-          .hasQualifiedName("javax.validation", "ConstraintValidator") and
-      m.hasName("isValid") and
-      m.fromSource()
-    )
-  }
-
-  override string getSourceType() { result = "BeanValidation source" }
-}
-
 /** Class for `tainted` user input. */
 abstract class UserInput extends DataFlow::Node { }
 
@@ -258,62 +196,6 @@ class DatabaseInput extends LocalUserInput {
   DatabaseInput() { this.asExpr().(MethodAccess).getMethod() instanceof ResultSetGetStringMethod }
 }
 
-private class RemoteTaintedMethod extends Method {
-  RemoteTaintedMethod() {
-    this instanceof ServletRequestGetParameterMethod or
-    this instanceof ServletRequestGetParameterMapMethod or
-    this instanceof ServletRequestGetParameterNamesMethod or
-    this instanceof HttpServletRequestGetQueryStringMethod or
-    this instanceof HttpServletRequestGetHeaderMethod or
-    this instanceof HttpServletRequestGetPathMethod or
-    this instanceof HttpServletRequestGetHeadersMethod or
-    this instanceof HttpServletRequestGetHeaderNamesMethod or
-    this instanceof HttpServletRequestGetRequestURIMethod or
-    this instanceof HttpServletRequestGetRequestURLMethod or
-    this instanceof HttpServletRequestGetRemoteUserMethod or
-    this instanceof PlayRequestGetMethod or
-    this instanceof SpringWebRequestGetMethod or
-    this instanceof SpringRestTemplateResponseEntityMethod or
-    this instanceof ServletRequestGetBodyMethod or
-    this instanceof CookieGetValueMethod or
-    this instanceof CookieGetNameMethod or
-    this instanceof CookieGetCommentMethod or
-    this instanceof URLConnectionGetInputStreamMethod or
-    this instanceof SocketGetInputStreamMethod or
-    this instanceof ApacheHttpGetParams or
-    this instanceof ApacheHttpEntityGetContent or
-    // In the setting of Android we assume that XML has been transmitted over
-    // the network, so may be tainted.
-    this instanceof XmlPullGetMethod or
-    this instanceof XmlAttrSetGetMethod or
-    // The current URL in a browser may be untrusted or uncontrolled.
-    this instanceof WebViewGetUrlMethod
-  }
-}
-
-private class PlayRequestGetMethod extends Method {
-  PlayRequestGetMethod() {
-    this.getDeclaringType() instanceof PlayMvcHttpRequestHeader and
-    this.hasName(["queryString", "getQueryString", "header", "getHeader"])
-  }
-}
-
-private class SpringWebRequestGetMethod extends Method {
-  SpringWebRequestGetMethod() {
-    exists(SpringWebRequest swr | this = swr.getAMethod() |
-      this.hasName("getDescription") or
-      this.hasName("getHeader") or
-      this.hasName("getHeaderNames") or
-      this.hasName("getHeaderValues") or
-      this.hasName("getParameter") or
-      this.hasName("getParameterMap") or
-      this.hasName("getParameterNames") or
-      this.hasName("getParameterValues")
-      // TODO consider getRemoteUser
-    )
-  }
-}
-
 /** A method that reads from the environment, such as `System.getProperty` or `System.getenv`. */
 class EnvReadMethod extends Method {
   EnvReadMethod() {
