

Commit 80b4d63

committed
Java: Convert SpringMultipartRequestSource to CSV based flow source
1 parent 06fdd64 commit 80b4d63

2 files changed

Lines changed: 8 additions & 16 deletions


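--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -95,7 +95,14 @@ private predicate sourceModelCsv(string row) {
 // SocketGetInputStreamMethod
 "java.net;Socket;false;getInputStream;();;ReturnValue;remote",
 // BeanValidationSource
-"javax.validation;ConstraintValidator;true;isValid;;;Parameter[0];remote"
+"javax.validation;ConstraintValidator;true;isValid;;;Parameter[0];remote",
+// SpringMultipartRequestSource
+"org.springframework.web.multipart;MultipartRequest;true;getFile;(String);;ReturnValue;remote",
+"org.springframework.web.multipart;MultipartRequest;true;getFileMap;();;ReturnValue;remote",
+"org.springframework.web.multipart;MultipartRequest;true;getFileNames;();;ReturnValue;remote",
+"org.springframework.web.multipart;MultipartRequest;true;getFiles;(String);;ReturnValue;remote",
+"org.springframework.web.multipart;MultipartRequest;true;getMultiFileMap;();;ReturnValue;remote",
+"org.springframework.web.multipart;MultipartRequest;true;getMultipartContentType;(String);;ReturnValue;remote"
 ]
 }
 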
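Review bot: The six `MultipartRequest` rows added under `// SpringMultipartRequestSource` are narrower than the class this commit deletes from FlowSources.qll, which treated every `get%` method declared on `MultipartRequest` or on any of its source subtypes as a remote source. If the `true` column only extends a row to overrides of the named method (the column semantics are not visible here), getters that a subtype declares itself, such as `MultipartHttpServletRequest.getMultipartHeaders(String)` and `getRequestHeaders()`, stop being sources and taint queries lose those flows without any warning. Either add rows for them, e.g. `"org.springframework.web.multipart;MultipartHttpServletRequest;true;getMultipartHeaders;(String);;ReturnValue;remote",`, or record the narrowing in the comment: `// SpringMultipartRequestSource (interface methods only; subtype-specific getters are not modelled)`. The list in `sourceModelCsv` begins above the hunk, so whether such rows already exist elsewhere in it cannot be checked from here.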

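--- a/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
+++ b/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
@@ -115,21 +115,6 @@ private class MessageBodyReaderParameterSource extends RemoteFlowSource {
 override string getSourceType() { result = "MessageBodyReader parameter" }
 }
 
-private class SpringMultipartRequestSource extends RemoteFlowSource {
-SpringMultipartRequestSource() {
-exists(MethodAccess ma, Method m |
-ma = this.asExpr() and
-m = ma.getMethod() and
-m.getDeclaringType()
-.getASourceSupertype*()
-.hasQualifiedName("org.springframework.web.multipart", "MultipartRequest") and
-m.getName().matches("get%")
-)
-}
-
-override string getSourceType() { result = "Spring MultipartRequest getter" }
-}
-
 private class PlayParameterSource extends RemoteFlowSource {
 PlayParameterSource() { exists(PlayActionMethodQueryParameter p | p = this.asParameter()) }
 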
