Java: add remote user input for Apache Thrift framework

Author: yh-semmle

java/ql/src/semmle/code/java/dataflow/FlowSources.qll

@@ -19,6 +19,7 @@ import semmle.code.java.frameworks.android.Intent
 import semmle.code.java.frameworks.SpringWeb
 import semmle.code.java.frameworks.Guice
 import semmle.code.java.frameworks.struts.StrutsActions
+import semmle.code.java.frameworks.Thrift
 
 /** Class for `tainted` user input. */
 abstract class UserInput extends DataFlow::Node { }
@@ -78,6 +79,8 @@ class RemoteUserInput extends UserInput {
     )
     or
     exists(Struts2ActionSupportClass c | c.getASetterMethod().getField() = this.asExpr().(FieldRead).getField())
+    or
+    exists(ThriftIface i | i.getAnImplementingMethod().getAParameter() = this.asParameter())
   }
 
   /**

java/ql/src/semmle/code/java/frameworks/Thrift.qll

@@ -0,0 +1,33 @@
+/**
+ * Provides classes and predicates for working with the Apache Thrift framework.
+ */
+
+import java
+
+/**
+ * A file detected as generated by the Apache Thrift Compiler.
+ */
+class ThriftGeneratedFile extends GeneratedFile {
+  ThriftGeneratedFile() {
+    exists(JavadocElement t | t.getFile() = this |
+      exists(string msg | msg = t.getText() | msg.regexpMatch("(?i).*\\bAutogenerated by Thrift.*"))
+    )
+  }
+}
+
+/**
+ * A Thrift `Iface` interface in a class generated by the Apache Thrift Compiler.
+ */
+class ThriftIface extends Interface {
+  ThriftIface() {
+    this.hasName("Iface") and
+    this.getEnclosingType() instanceof TopLevelType and
+    this.getFile() instanceof ThriftGeneratedFile
+  }
+
+  Method getAnImplementingMethod() {
+    result.getDeclaringType().(Class).getASupertype+() = this and
+    result.overrides(getAMethod()) and
+    not result.getFile() = this.getFile()
+  }
+}