Java: XSS - ignore Spring sinks when content-type is safe.

lcartey · lcartey · commit e2cec582be9f · 2020-06-16T09:50:35.000+01:00
Methods annotated with a produces field which indicates a safe content-type should not be considered XSS sinks. For example: @RequestMapping(..., produces = "application/json")
diff --git a/java/ql/src/semmle/code/java/security/XSS.qll b/java/ql/src/semmle/code/java/security/XSS.qll
@@ -35,7 +35,9 @@ class XssSink extends DataFlow::ExprNode {
     or
     exists(SpringRequestMappingMethod requestMappingMethod, ReturnStmt rs |
       requestMappingMethod = rs.getEnclosingCallable() and
-      this.asExpr() = rs.getResult() |
+      this.asExpr() = rs.getResult() and
+      (not exists(requestMappingMethod.getProduces()) or requestMappingMethod.getProduces().matches("text/%"))
+      |
       // If a Spring request mapping method is either annotated with @ResponseBody (or equivalent),
       // or returns a HttpEntity or sub-type, then the return value of the method is converted into
       // a HTTP reponse using a HttpMessageConverter implementation. The implementation is chosen
