Java: add remote user input for Struts 2 ActionSupport

Author: yh-semmle

java/ql/src/semmle/code/java/dataflow/FlowSources.qll

@@ -18,6 +18,7 @@ import semmle.code.java.frameworks.JaxWS
 import semmle.code.java.frameworks.android.Intent
 import semmle.code.java.frameworks.SpringWeb
 import semmle.code.java.frameworks.Guice
+import semmle.code.java.frameworks.struts.StrutsActions
 
 /** Class for `tainted` user input. */
 abstract class UserInput extends DataFlow::Node { }
@@ -75,6 +76,8 @@ class RemoteUserInput extends UserInput {
       a = this.asParameter().getAnAnnotation() or
       a = this.asExpr().(FieldRead).getField().getAnAnnotation()
     )
+    or
+    exists(Struts2ActionSupportClass c | c.getASetterMethod().getField() = this.asExpr().(FieldRead).getField())
   }
 
   /**

java/ql/src/semmle/code/java/frameworks/struts/StrutsActions.qll

@@ -124,3 +124,24 @@ class Struts2PrepareMethod extends Method {
     exists(Struts2ActionClass actionClass | this = actionClass.getPrepareMethod())
   }
 }
+
+/**
+ * A subclass of the Struts 2 `ActionSupport` class.
+ */
+class Struts2ActionSupportClass extends Class {
+  Struts2ActionSupportClass() {
+    this.getASupertype+().hasQualifiedName("com.opensymphony.xwork2", "ActionSupport")
+  }
+
+  /**
+   * Gets a setter method declared on a subclass of `ActionSupport`.
+   */
+  SetterMethod getASetterMethod() {
+    result.getDeclaringType() = this and
+    result.isPublic() and
+    exists(string name | result.getField().getName().toLowerCase() = name |
+      result.getName().toLowerCase().substring(3, result.getName().length()) = name and
+      result.getName().matches("set%")
+    )
+  }
+}