Merge pull request #6478 from smowton/smowton/feature/jax-rs-request-filters

Java: Add sources for Jax-RS filters

Author: smowton

java/change-notes/2021-08-12-jax-rs-filter-sources.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Remote information sources relating to JAX-RS request filters are now recognised. This may lead to additional results from any query where a filter uses user-controlled data in a dangerous way.

java/ql/lib/semmle/code/java/frameworks/JaxWS.qll

@@ -0,0 +1,19 @@
+import jakarta.ws.rs.container.ContainerRequestContext;
+
+public class JakartaContainerRequestContextSources {
+  void sink(Object o) {}
+
+  void test(ContainerRequestContext context) throws Exception {
+    sink(context.getAcceptableLanguages()); // $ hasValueFlow
+    sink(context.getAcceptableMediaTypes().get(0).getType()); // $ hasTaintFlow
+    sink(context.getCookies().get("someKey").getValue()); // $ hasTaintFlow
+    byte[] buf = new byte[1024];
+    context.getEntityStream().read(buf);
+    sink(buf); // $ hasTaintFlow
+    sink(context.getHeaders().getFirst("someKey")); // $ hasTaintFlow
+    sink(context.getHeaderString("someKey")); // $ hasValueFlow
+    sink(context.getLanguage()); // $ hasValueFlow
+    sink(context.getMediaType().getType()); // $ hasTaintFlow
+    sink(context.getUriInfo().getPath()); // $ hasTaintFlow
+  }
+}

java/ql/test/library-tests/frameworks/JaxWs/JakartaContainerRequestContextSources.java

@@ -57,11 +57,11 @@ private static class SetStringSource {
   static PathSegment taint(PathSegment ps) { return ps; }
 
   static UriInfo taint(UriInfo ui) { return ui; }
-  
+
   static Map taint(Map m) { return m; }
-  
+
   static Link taint(Link l) { return l; }
-  
+
   static Class taint(Class c) { return c; }
 
   private static class UriSource {
@@ -196,12 +196,21 @@ void testPathSegment(PathSegment ps1, PathSegment ps2) {
     sink(taint(ps2).getPath()); // $ hasTaintFlow
   }
 
-  void testUriInfo(UriInfo ui1, UriInfo ui2, UriInfo ui3, UriInfo ui4, UriInfo ui5) {
-    sink(taint(ui1).getPathParameters()); // $ hasTaintFlow
-    sink(taint(ui2).getPathSegments()); // $ hasTaintFlow
-    sink(taint(ui2).getQueryParameters()); // $ hasTaintFlow
-    sink(taint(ui2).getRequestUri()); // $ hasTaintFlow
-    sink(taint(ui2).getRequestUriBuilder()); // $ hasTaintFlow
+  void testUriInfo(UriInfo ui, UriInfo untaintedUriInfo) throws Exception {
+    ui = taint(ui);
+    sink(ui.getPathParameters()); // $ hasTaintFlow
+    sink(ui.getPathSegments()); // $ hasTaintFlow
+    sink(ui.getQueryParameters()); // $ hasTaintFlow
+    sink(ui.getRequestUri()); // $ hasTaintFlow
+    sink(ui.getRequestUriBuilder()); // $ hasTaintFlow
+    sink(ui.getQueryParameters().getFirst("someKey")); // $ hasTaintFlow
+    sink(ui.getRequestUri()); // $ hasTaintFlow
+    sink(ui.getRequestUriBuilder().build()); // $ hasTaintFlow
+    URI taintedUri = UriSource.taint();
+    URI untaintedUri = new URI("");
+    sink(untaintedUriInfo.relativize(taintedUri)); // $ hasTaintFlow
+    sink(untaintedUriInfo.resolve(taintedUri)); // $ hasTaintFlow
+    sink(ui.resolve(untaintedUri)); // $ hasTaintFlow
   }
 
   void testCookie() {
@@ -341,7 +350,7 @@ void testUriBuilder() throws Exception {
     sink(UriBuilder.fromPath(taint()).buildFromEncodedMap(new HashMap<String, String>())); // $ hasTaintFlow
     sink(UriBuilder.fromPath("").buildFromMap(taint(new HashMap<String, String>()), false)); // $ hasTaintFlow
     sink(UriBuilder.fromPath(taint()).buildFromMap(new HashMap<String, String>(), true)); // $ hasTaintFlow
-    
+
     sink(UriBuilder.fromPath(taint()).clone()); // $ hasTaintFlow
     sink(UriBuilder.fromPath("").fragment(taint())); // $ hasTaintFlow
     sink(UriBuilder.fromPath(taint()).fragment("")); // $ hasTaintFlow

java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java

@@ -0,0 +1,19 @@
+import javax.ws.rs.container.ContainerRequestContext;
+
+public class JaxRsContainerRequestContextSources {
+  void sink(Object o) {}
+
+  void test(ContainerRequestContext context) throws Exception {
+    sink(context.getAcceptableLanguages()); // $ hasValueFlow
+    sink(context.getAcceptableMediaTypes().get(0).getType()); // $ hasTaintFlow
+    sink(context.getCookies().get("someKey").getValue()); // $ hasTaintFlow
+    byte[] buf = new byte[1024];
+    context.getEntityStream().read(buf);
+    sink(buf); // $ hasTaintFlow
+    sink(context.getHeaders().getFirst("someKey")); // $ hasTaintFlow
+    sink(context.getHeaderString("someKey")); // $ hasValueFlow
+    sink(context.getLanguage()); // $ hasValueFlow
+    sink(context.getMediaType().getType()); // $ hasTaintFlow
+    sink(context.getUriInfo().getPath()); // $ hasTaintFlow
+  }
+}

java/ql/test/library-tests/frameworks/JaxWs/JaxRsContainerRequestContextSources.java

@@ -57,11 +57,11 @@ private static class SetStringSource {
   static PathSegment taint(PathSegment ps) { return ps; }
 
   static UriInfo taint(UriInfo ui) { return ui; }
-  
+
   static Map taint(Map m) { return m; }
-  
+
   static Link taint(Link l) { return l; }
-  
+
   static Class taint(Class c) { return c; }
 
   private static class UriSource {
@@ -192,12 +192,21 @@ void testPathSegment(PathSegment ps1, PathSegment ps2) {
     sink(taint(ps2).getPath()); // $ hasTaintFlow
   }
 
-  void testUriInfo(UriInfo ui1, UriInfo ui2, UriInfo ui3, UriInfo ui4, UriInfo ui5) {
-    sink(taint(ui1).getPathParameters()); // $ hasTaintFlow
-    sink(taint(ui2).getPathSegments()); // $ hasTaintFlow
-    sink(taint(ui2).getQueryParameters()); // $ hasTaintFlow
-    sink(taint(ui2).getRequestUri()); // $ hasTaintFlow
-    sink(taint(ui2).getRequestUriBuilder()); // $ hasTaintFlow
+  void testUriInfo(UriInfo ui, UriInfo untaintedUriInfo) throws Exception {
+    ui = taint(ui);
+    sink(ui.getPathParameters()); // $ hasTaintFlow
+    sink(ui.getPathSegments()); // $ hasTaintFlow
+    sink(ui.getQueryParameters()); // $ hasTaintFlow
+    sink(ui.getRequestUri()); // $ hasTaintFlow
+    sink(ui.getRequestUriBuilder()); // $ hasTaintFlow
+    sink(ui.getQueryParameters().getFirst("someKey")); // $ hasTaintFlow
+    sink(ui.getRequestUri()); // $ hasTaintFlow
+    sink(ui.getRequestUriBuilder().build()); // $ hasTaintFlow
+    URI taintedUri = UriSource.taint();
+    URI untaintedUri = new URI("");
+    sink(untaintedUriInfo.relativize(taintedUri)); // $ hasTaintFlow
+    sink(untaintedUriInfo.resolve(taintedUri)); // $ hasTaintFlow
+    sink(ui.resolve(untaintedUri)); // $ hasTaintFlow
   }
 
   void testCookie() {
@@ -337,7 +346,7 @@ void testUriBuilder() throws Exception {
     sink(UriBuilder.fromPath(taint()).buildFromEncodedMap(new HashMap<String, String>())); // $ hasTaintFlow
     sink(UriBuilder.fromPath("").buildFromMap(taint(new HashMap<String, String>()), false)); // $ hasTaintFlow
     sink(UriBuilder.fromPath(taint()).buildFromMap(new HashMap<String, String>(), true)); // $ hasTaintFlow
-    
+
     sink(UriBuilder.fromPath(taint()).clone()); // $ hasTaintFlow
     sink(UriBuilder.fromPath("").fragment(taint())); // $ hasTaintFlow
     sink(UriBuilder.fromPath(taint()).fragment("")); // $ hasTaintFlow

java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.java

@@ -1,12 +1,15 @@
 import java
 import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.FlowSources
 import TestUtilities.InlineExpectationsTest
 
 class TaintFlowConf extends TaintTracking::Configuration {
   TaintFlowConf() { this = "qltest:frameworks:jax-rs-taint" }
 
   override predicate isSource(DataFlow::Node n) {
     n.asExpr().(MethodAccess).getMethod().hasName("taint")
+    or
+    n instanceof RemoteFlowSource
   }
 
   override predicate isSink(DataFlow::Node n) {
@@ -21,6 +24,8 @@ class ValueFlowConf extends DataFlow::Configuration {
 
   override predicate isSource(DataFlow::Node n) {
     n.asExpr().(MethodAccess).getMethod().hasName("taint")
+    or
+    n instanceof RemoteFlowSource
   }
 
   override predicate isSink(DataFlow::Node n) {