Merge pull request #939 from yh-semmle/java-frameworks

semmle-qlci · web-flow · commit 62c0eea5720c · 2019-02-18T17:06:34.000Z
Approved by pavgust
diff --git a/change-notes/1.20/analysis-java.md b/change-notes/1.20/analysis-java.md
@@ -28,5 +28,9 @@
 * Taint tracking now includes additional default data-flow steps through
   collections, maps, and iterators. This affects all security queries, which
   can report more results based on such paths.
+* The `FlowSources` and `TaintTracking` libraries are extended to cover additional remote user
+  input and taint steps from the Apache Thrift, Apache Struts, Guice and Protobuf frameworks.
+  This affects all security queries, which may yield additional results on projects
+  that use these frameworks.
 
 
diff --git a/java/ql/src/semmle/code/java/dataflow/FlowSources.qll b/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
@@ -17,6 +17,9 @@ import semmle.code.java.frameworks.android.WebView
 import semmle.code.java.frameworks.JaxWS
 import semmle.code.java.frameworks.android.Intent
 import semmle.code.java.frameworks.SpringWeb
+import semmle.code.java.frameworks.Guice
+import semmle.code.java.frameworks.struts.StrutsActions
+import semmle.code.java.frameworks.Thrift
 
 /** Class for `tainted` user input. */
 abstract class UserInput extends DataFlow::Node { }
@@ -69,6 +72,15 @@ class RemoteUserInput extends UserInput {
     )
     or
     this.asParameter().getAnAnnotation() instanceof SpringServletInputAnnotation
+    or
+    exists(GuiceRequestParametersAnnotation a |
+      a = this.asParameter().getAnAnnotation() or
+      a = this.asExpr().(FieldRead).getField().getAnAnnotation()
+    )
+    or
+    exists(Struts2ActionSupportClass c | c.getASetterMethod().getField() = this.asExpr().(FieldRead).getField())
+    or
+    exists(ThriftIface i | i.getAnImplementingMethod().getAParameter() = this.asParameter())
   }
 
   /**
diff --git a/java/ql/src/semmle/code/java/dataflow/TaintTracking.qll b/java/ql/src/semmle/code/java/dataflow/TaintTracking.qll
@@ -12,6 +12,8 @@ private import DefUse
 private import semmle.code.java.security.SecurityTests
 private import semmle.code.java.security.Validation
 private import semmle.code.java.frameworks.android.Intent
+private import semmle.code.java.frameworks.Guice
+private import semmle.code.java.frameworks.Protobuf
 private import semmle.code.java.Maps
 
 module TaintTracking {
@@ -471,6 +473,10 @@ module TaintTracking {
     or
     m.getDeclaringType().hasQualifiedName("java.nio", "ByteBuffer") and
     m.hasName("get")
+    or
+    m = any(GuiceProvider gp).getAnOverridingGetMethod()
+    or
+    m = any(ProtobufMessageLite p).getAGetterMethod()
   }
 
   private class StringReplaceMethod extends Method {
@@ -575,6 +581,12 @@ module TaintTracking {
     method.getDeclaringType().hasQualifiedName("javax.xml.transform.sax", "SAXSource") and
     method.hasName("sourceToInputSource") and
     arg = 0
+    or
+    exists(ProtobufParser p | method = p.getAParseFromMethod()) and
+    arg = 0
+    or
+    exists(ProtobufMessageLite m | method = m.getAParseFromMethod()) and
+    arg = 0
   }
 
   /**
diff --git a/java/ql/src/semmle/code/java/frameworks/Guice.qll b/java/ql/src/semmle/code/java/frameworks/Guice.qll
@@ -0,0 +1,35 @@
+/**
+ * Provides classes and predicates for working with the Guice framework.
+ */
+
+import java
+
+/**
+ * A `@com.google.inject.servlet.RequestParameters` annotation.
+ */
+class GuiceRequestParametersAnnotation extends Annotation {
+  GuiceRequestParametersAnnotation() {
+    this.getType().hasQualifiedName("com.google.inject.servlet", "RequestParameters")
+  }
+}
+
+/**
+ * The interface `com.google.inject.Provider`.
+ */
+class GuiceProvider extends Interface {
+  GuiceProvider() { this.hasQualifiedName("com.google.inject", "Provider") }
+
+  /**
+   * The method named `get` declared on the interface `com.google.inject.Provider`.
+   */
+  Method getGetMethod() {
+    result.getDeclaringType() = this and result.getName() = "get" and result.hasNoParameters()
+  }
+
+  /**
+   * A method that overrides the `get` method on the interface `com.google.inject.Provider`.
+   */
+  Method getAnOverridingGetMethod() {
+    exists(Method m | m.getSourceDeclaration() = getGetMethod() | result.overrides*(m))
+  }
+}
diff --git a/java/ql/src/semmle/code/java/frameworks/Protobuf.qll b/java/ql/src/semmle/code/java/frameworks/Protobuf.qll
@@ -0,0 +1,56 @@
+/**
+ * Provides classes and predicates for working with the Protobuf framework.
+ */
+
+import java
+
+/**
+ * The interface `com.google.protobuf.Parser`.
+ */
+class ProtobufParser extends Interface {
+  ProtobufParser() { this.hasQualifiedName("com.google.protobuf", "Parser") }
+
+  /**
+   * Gets a method named `parseFrom` (or similar) declared on a subtype of `com.google.protobuf.Parser`.
+   */
+  Method getAParseFromMethod() {
+    result.getDeclaringType().getASupertype*().getSourceDeclaration() = this and
+    result.getName().matches("parse%From")
+  }
+}
+
+/**
+ * The interface `com.google.protobuf.MessageLite`.
+ */
+class ProtobufMessageLite extends Interface {
+  ProtobufMessageLite() { this.hasQualifiedName("com.google.protobuf", "MessageLite") }
+
+  /**
+   * Gets a static method named `parseFrom` (or similar) declared on a subtype of the `MessageLite` interface.
+   */
+  Method getAParseFromMethod() {
+    result = getASubtype+().getAMethod() and
+    result.getName().matches("parse%From") and
+    result.isStatic()
+  }
+
+  /**
+   * Gets a getter method declared on a subtype of the `MessageLite` interface.
+   */
+  Method getAGetterMethod() {
+    exists(RefType decl | decl = result.getDeclaringType() and decl = this.getASubtype+() |
+      exists(string name, string suffix |
+        suffix = "" or
+        suffix = "list" or
+        suffix = "map" or
+        suffix = "ordefault" or
+        suffix = "orthrow"
+      |
+        exists(Field f | f.getDeclaringType() = decl |
+          f.getName().toLowerCase().replaceAll("_", "") = name
+        ) and
+        result.getName().toLowerCase() = "get" + name + suffix
+      )
+    )
+  }
+}
diff --git a/java/ql/src/semmle/code/java/frameworks/Thrift.qll b/java/ql/src/semmle/code/java/frameworks/Thrift.qll
@@ -0,0 +1,33 @@
+/**
+ * Provides classes and predicates for working with the Apache Thrift framework.
+ */
+
+import java
+
+/**
+ * A file detected as generated by the Apache Thrift Compiler.
+ */
+class ThriftGeneratedFile extends GeneratedFile {
+  ThriftGeneratedFile() {
+    exists(JavadocElement t | t.getFile() = this |
+      exists(string msg | msg = t.getText() | msg.regexpMatch("(?i).*\\bAutogenerated by Thrift.*"))
+    )
+  }
+}
+
+/**
+ * A Thrift `Iface` interface in a class generated by the Apache Thrift Compiler.
+ */
+class ThriftIface extends Interface {
+  ThriftIface() {
+    this.hasName("Iface") and
+    this.getEnclosingType() instanceof TopLevelType and
+    this.getFile() instanceof ThriftGeneratedFile
+  }
+
+  Method getAnImplementingMethod() {
+    result.getDeclaringType().(Class).getASupertype+() = this and
+    result.overrides(getAMethod()) and
+    not result.getFile() = this.getFile()
+  }
+}
diff --git a/java/ql/src/semmle/code/java/frameworks/struts/StrutsActions.qll b/java/ql/src/semmle/code/java/frameworks/struts/StrutsActions.qll
@@ -124,3 +124,24 @@ class Struts2PrepareMethod extends Method {
     exists(Struts2ActionClass actionClass | this = actionClass.getPrepareMethod())
   }
 }
+
+/**
+ * A subclass of the Struts 2 `ActionSupport` class.
+ */
+class Struts2ActionSupportClass extends Class {
+  Struts2ActionSupportClass() {
+    this.getASupertype+().hasQualifiedName("com.opensymphony.xwork2", "ActionSupport")
+  }
+
+  /**
+   * Gets a setter method declared on a subclass of `ActionSupport`.
+   */
+  SetterMethod getASetterMethod() {
+    result.getDeclaringType() = this and
+    result.isPublic() and
+    exists(string name | result.getField().getName().toLowerCase() = name |
+      result.getName().toLowerCase().substring(3, result.getName().length()) = name and
+      result.getName().matches("set%")
+    )
+  }
+}
diff --git a/java/ql/test/library-tests/frameworks/guice/GuiceRequestParameters.java b/java/ql/test/library-tests/frameworks/guice/GuiceRequestParameters.java
@@ -0,0 +1,20 @@
+import java.util.Map;
+
+import com.google.inject.Provider;
+import com.google.inject.servlet.RequestParameters;
+
+public class GuiceRequestParameters {
+	@RequestParameters
+	private Map<String,String> paramMap;
+	@RequestParameters
+	private Provider<Map<String,String>> providerMap;
+
+	void test(String key) {
+		String s = paramMap.get(key);
+		sink(s);
+		String value = providerMap.get().get(key);
+		sink(value);
+	}
+
+	private void sink(String s) {}
+}
diff --git a/java/ql/test/library-tests/frameworks/guice/flow.expected b/java/ql/test/library-tests/frameworks/guice/flow.expected
@@ -0,0 +1,2 @@
+| GuiceRequestParameters.java:13:14:13:21 | paramMap | GuiceRequestParameters.java:14:8:14:8 | s |
+| GuiceRequestParameters.java:15:18:15:28 | providerMap | GuiceRequestParameters.java:16:8:16:12 | value |
diff --git a/java/ql/test/library-tests/frameworks/guice/flow.ql b/java/ql/test/library-tests/frameworks/guice/flow.ql
@@ -0,0 +1,23 @@
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking
+
+class Conf extends TaintTracking::Configuration {
+  Conf() { this = "conf" }
+
+  override predicate isSource(DataFlow::Node src) {
+    src instanceof RemoteUserInput
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(MethodAccess ma |
+      sink.asExpr() = ma.getAnArgument() and
+      ma.getMethod().hasName("sink")
+    ) and
+    sink.asExpr().getFile().getStem() = "GuiceRequestParameters"
+  }
+}
+
+from Conf c, DataFlow::Node src, DataFlow::Node sink
+where c.hasFlow(src, sink)
+select src, sink
diff --git a/java/ql/test/library-tests/frameworks/guice/options b/java/ql/test/library-tests/frameworks/guice/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/guice-servlet-4.2.2/:${testdir}/../../../stubs/guice-4.2.2/
diff --git a/java/ql/test/stubs/guice-4.2.2/com/google/inject/Provider.java b/java/ql/test/stubs/guice-4.2.2/com/google/inject/Provider.java
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2006 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * Adapted from Guice version 4.2.2 as available at
+ *   https://search.maven.org/classic/remotecontent?filepath=com/google/inject/guice/4.2.2/guice-4.2.2-sources.jar
+ * Only relevant stubs of this file have been retained for test purposes.
+ */
+
+package com.google.inject;
+
+/**
+ * An object capable of providing instances of type {@code T}. Providers are used in numerous ways
+ * by Guice:
+ *
+ * <ul>
+ * <li>When the default means for obtaining instances (an injectable or parameterless constructor)
+ *     is insufficient for a particular binding, the module can specify a custom {@code Provider}
+ *     instead, to control exactly how Guice creates or obtains instances for the binding.
+ * <li>An implementation class may always choose to have a {@code Provider<T>} instance injected,
+ *     rather than having a {@code T} injected directly. This may give you access to multiple
+ *     instances, instances you wish to safely mutate and discard, instances which are out of scope
+ *     (e.g. using a {@code @RequestScoped} object from within a {@code @SessionScoped} object), or
+ *     instances that will be initialized lazily.
+ * <li>A custom {@link Scope} is implemented as a decorator of {@code Provider<T>}, which decides
+ *     when to delegate to the backing provider and when to provide the instance some other way.
+ * <li>The {@link Injector} offers access to the {@code Provider<T>} it uses to fulfill requests for
+ *     a given key, via the {@link Injector#getProvider} methods.
+ * </ul>
+ *
+ * @param <T> the type of object this provides
+ * @author crazybob@google.com (Bob Lee)
+ */
+public interface Provider<T> {
+
+  /**
+   * Provides an instance of {@code T}.
+   *
+   * @throws OutOfScopeException when an attempt is made to access a scoped object while the scope
+   *     in question is not currently active
+   * @throws ProvisionException if an instance cannot be provided. Such exceptions include messages
+   *     and throwables to describe why provision failed.
+   */
+  T get();
+}
diff --git a/java/ql/test/stubs/guice-servlet-4.2.2/com/google/inject/servlet/RequestParameters.java b/java/ql/test/stubs/guice-servlet-4.2.2/com/google/inject/servlet/RequestParameters.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2006 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/*
+ * Adapted from Guice Servlet version 4.2.2 as available at
+ *   https://search.maven.org/classic/remotecontent?filepath=com/google/inject/extensions/guice-servlet/4.2.2/guice-servlet-4.2.2-sources.jar
+ * Only relevant stubs of this file have been retained for test purposes.
+ */
+
+package com.google.inject.servlet;
+
+import static java.lang.annotation.RetentionPolicy.RUNTIME;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.Target;
+
+/**
+ * Apply this to field or parameters of type {@code Map<String, String[]>} when you want the HTTP
+ * request parameter map to be injected.
+ *
+ * @author crazybob@google.com (Bob Lee)
+ */
+@Retention(RUNTIME)
+@Target({ElementType.FIELD, ElementType.PARAMETER, ElementType.METHOD})
+public @interface RequestParameters {}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+\| GuiceRequestParameters.java:13:14:13:21 \| paramMap \| GuiceRequestParameters.java:14:8:14:8 \| s \|`
	`2`	`+\| GuiceRequestParameters.java:15:18:15:28 \| providerMap \| GuiceRequestParameters.java:16:8:16:12 \| value \|`