Commit a436369

Java: add remote user input and taint step for Guice framework
1 parent 5754eb6 commit a436369

3 files changed

+44
-0
lines changed


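--- a/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
+++ b/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
@@ -17,6 +17,7 @@ import semmle.code.java.frameworks.android.WebView
 import semmle.code.java.frameworks.JaxWS
 import semmle.code.java.frameworks.android.Intent
 import semmle.code.java.frameworks.SpringWeb
+import semmle.code.java.frameworks.Guice
 
 /** Class for `tainted` user input. */
 abstract class UserInput extends DataFlow::Node { }
@@ -69,6 +70,11 @@ class RemoteUserInput extends UserInput {
     )
     or
     this.asParameter().getAnAnnotation() instanceof SpringServletInputAnnotation
+    or
+    exists(GuiceRequestParametersAnnotation a |
+      a = this.asParameter().getAnAnnotation() or
+      a = this.asExpr().(FieldRead).getField().getAnAnnotation()
+    )
   }
 
   /**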
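Review bot: The new disjunct marks the injected `@RequestParameters` value (a parameter, or any read of an annotated field) as a remote source, but no test accompanies it — the diffstat lists only the three library files — so nothing here shows that taint actually reaches the individual values pulled out of the injected map (which, as I understand Guice's servlet extension, is a `Map<String, String[]>`); that depends on the generic Map and array taint steps, which are not visible in this commit. I would add a test with an `@Inject @RequestParameters` field whose `params.get("q")[0]` flows to a sink, and a short why-comment on the new lines, `// Guice servlet: values injected with @RequestParameters are taken from the HTTP request`. Note that the field branch does not require `@Inject` on the field; that is probably fine, since the annotation is meaningless without injection, but worth a word in the comment. The characteristic predicate of `RemoteUserInput` starts outside the hunk.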

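--- a/java/ql/src/semmle/code/java/dataflow/TaintTracking.qll
+++ b/java/ql/src/semmle/code/java/dataflow/TaintTracking.qll
@@ -12,6 +12,7 @@ private import DefUse
 private import semmle.code.java.security.SecurityTests
 private import semmle.code.java.security.Validation
 private import semmle.code.java.frameworks.android.Intent
+private import semmle.code.java.frameworks.Guice
 private import semmle.code.java.Maps
 
 module TaintTracking {
@@ -471,6 +472,8 @@ module TaintTracking {
     or
     m.getDeclaringType().hasQualifiedName("java.nio", "ByteBuffer") and
     m.hasName("get")
+    or
+    m = any(GuiceProvider gp).getAnOverridingGetMethod()
   }
 
   private class StringReplaceMethod extends Method {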
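Review bot: The new disjunct adds every override of `Provider.get()` to what looks like the list of methods whose tainted qualifier taints their return value (the `ByteBuffer.get` entry above it suggests that, but the predicate's head is outside the hunk), and nothing records why. I would add `// Guice: the value produced by a tainted Provider (e.g. an injected @RequestParameters Provider) is tainted` above the new line. Because `getAnOverridingGetMethod()` is built on `overrides*`, the step also applies to user-written `Provider` implementations whose `get()` ignores instance state; that only matters when the provider object itself is tainted, so it is a reasonable over-approximation, but the comment should say it is deliberate.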
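--- /dev/null
+++ b/java/ql/src/semmle/code/java/frameworks/Guice.qll
@@ -0,0 +1,35 @@
+/**
+ * Provides classes and predicates for working with the Guice framework.
+ */
+
+import java
+
+/**
+ * A `@com.google.inject.servlet.RequestParameters` annotation.
+ */
+class GuiceRequestParametersAnnotation extends Annotation {
+  GuiceRequestParametersAnnotation() {
+    this.getType().hasQualifiedName("com.google.inject.servlet", "RequestParameters")
+  }
+}
+
+/**
+ * The interface `com.google.inject.Provider`.
+ */
+class GuiceProvider extends Interface {
+  GuiceProvider() { this.hasQualifiedName("com.google.inject", "Provider") }
+
+  /**
+   * The method named `get` declared on the interface `com.google.inject.Provider`.
+   */
+  Method getGetMethod() {
+    result.getDeclaringType() = this and result.getName() = "get" and result.hasNoParameters()
+  }
+
+  /**
+   * A method that overrides the `get` method on the interface `com.google.inject.Provider`.
+   */
+  Method getAnOverridingGetMethod() {
+    exists(Method m | m.getSourceDeclaration() = getGetMethod() | result.overrides*(m))
+  }
+}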
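Review bot: `GuiceProvider` only matches `com.google.inject.Provider`, so a class that implements the JSR-330 `javax.inject.Provider` directly — which, if I recall correctly, the Guice interface extends since Guice 3 and which Guice injects interchangeably — declares a `get()` that does not override the Guice method and is missed by `getAnOverridingGetMethod()`. Consider widening the characteristic predicate to `this.hasQualifiedName("com.google.inject", "Provider") or this.hasQualifiedName("javax.inject", "Provider")` and saying so in the class doc, or documenting why only the Guice type is modelled. The page does not show this file's path; the imports in the other two files suggest `java/ql/src/semmle/code/java/frameworks/Guice.qll`, which is what the rebuilt header above assumes.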
