Java: add remote user input and taint step for Guice framework

yh-semmle · yh-semmle · commit a436369846b7 · 2019-02-15T20:01:06.000-05:00
diff --git a/java/ql/src/semmle/code/java/dataflow/FlowSources.qll b/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
@@ -17,6 +17,7 @@ import semmle.code.java.frameworks.android.WebView
 import semmle.code.java.frameworks.JaxWS
 import semmle.code.java.frameworks.android.Intent
 import semmle.code.java.frameworks.SpringWeb
+import semmle.code.java.frameworks.Guice
 
 /** Class for `tainted` user input. */
 abstract class UserInput extends DataFlow::Node { }
@@ -69,6 +70,11 @@ class RemoteUserInput extends UserInput {
     )
     or
     this.asParameter().getAnAnnotation() instanceof SpringServletInputAnnotation
+    or
+    exists(GuiceRequestParametersAnnotation a |
+      a = this.asParameter().getAnAnnotation() or
+      a = this.asExpr().(FieldRead).getField().getAnAnnotation()
+    )
   }
 
   /**
diff --git a/java/ql/src/semmle/code/java/dataflow/TaintTracking.qll b/java/ql/src/semmle/code/java/dataflow/TaintTracking.qll
@@ -12,6 +12,7 @@ private import DefUse
 private import semmle.code.java.security.SecurityTests
 private import semmle.code.java.security.Validation
 private import semmle.code.java.frameworks.android.Intent
+private import semmle.code.java.frameworks.Guice
 private import semmle.code.java.Maps
 
 module TaintTracking {
@@ -471,6 +472,8 @@ module TaintTracking {
     or
     m.getDeclaringType().hasQualifiedName("java.nio", "ByteBuffer") and
     m.hasName("get")
+    or
+    m = any(GuiceProvider gp).getAnOverridingGetMethod()
   }
 
   private class StringReplaceMethod extends Method {
diff --git a/java/ql/src/semmle/code/java/frameworks/Guice.qll b/java/ql/src/semmle/code/java/frameworks/Guice.qll
@@ -0,0 +1,35 @@
+/**
+ * Provides classes and predicates for working with the Guice framework.
+ */
+
+import java
+
+/**
+ * A `@com.google.inject.servlet.RequestParameters` annotation.
+ */
+class GuiceRequestParametersAnnotation extends Annotation {
+  GuiceRequestParametersAnnotation() {
+    this.getType().hasQualifiedName("com.google.inject.servlet", "RequestParameters")
+  }
+}
+
+/**
+ * The interface `com.google.inject.Provider`.
+ */
+class GuiceProvider extends Interface {
+  GuiceProvider() { this.hasQualifiedName("com.google.inject", "Provider") }
+
+  /**
+   * The method named `get` declared on the interface `com.google.inject.Provider`.
+   */
+  Method getGetMethod() {
+    result.getDeclaringType() = this and result.getName() = "get" and result.hasNoParameters()
+  }
+
+  /**
+   * A method that overrides the `get` method on the interface `com.google.inject.Provider`.
+   */
+  Method getAnOverridingGetMethod() {
+    exists(Method m | m.getSourceDeclaration() = getGetMethod() | result.overrides*(m))
+  }
+}
