Merge pull request #1262 from sb-semmle/more-spring-sources

yh-semmle · web-flow · commit 04954f77def0 · 2019-04-18T18:08:44.000-04:00
Parameters annotated with Spring's @RequestBody and @PathVariable are remote input sources.
diff --git a/change-notes/1.21/analysis-java.md b/change-notes/1.21/analysis-java.md
@@ -22,5 +22,6 @@
   methods. This means that more guards are recognized yielding precision
   improvements in a number of queries including `java/index-out-of-bounds`,
   `java/dereferenced-value-may-be-null`, and `java/useless-null-check`.
-
-
+* Spring framework support is enhanced by taking into account additional
+  annotations that indicate remote user input. This affects all security
+  queries, which may yield additional results.
diff --git a/java/ql/src/semmle/code/java/frameworks/SpringWeb.qll b/java/ql/src/semmle/code/java/frameworks/SpringWeb.qll
@@ -11,7 +11,9 @@ class SpringServletInputAnnotation extends Annotation {
       a.hasName("RequestParam") or
       a.hasName("RequestHeader") or
       a.hasName("CookieValue") or
-      a.hasName("RequestPart")
+      a.hasName("RequestPart") or
+      a.hasName("PathVariable") or
+      a.hasName("RequestBody")
     )
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,9 @@ class SpringServletInputAnnotation extends Annotation {`
`11`	`11`	`a.hasName("RequestParam") or`
`12`	`12`	`a.hasName("RequestHeader") or`
`13`	`13`	`a.hasName("CookieValue") or`
`14`		`- a.hasName("RequestPart")`
	`14`	`+ a.hasName("RequestPart") or`
	`15`	`+ a.hasName("PathVariable") or`
	`16`	`+ a.hasName("RequestBody")`
`15`	`17`	`)`
`16`	`18`	`}`
`17`	`19`	`}`