Java: Convert SpringMultipartFileSource to CSV based flow source

tamasvajk · tamasvajk · commit f2448cc92133 · 2021-03-09T11:40:18.000+01:00
diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -102,7 +102,16 @@ private predicate sourceModelCsv(string row) {
       "org.springframework.web.multipart;MultipartRequest;true;getFileNames;();;ReturnValue;remote",
       "org.springframework.web.multipart;MultipartRequest;true;getFiles;(String);;ReturnValue;remote",
       "org.springframework.web.multipart;MultipartRequest;true;getMultiFileMap;();;ReturnValue;remote",
-      "org.springframework.web.multipart;MultipartRequest;true;getMultipartContentType;(String);;ReturnValue;remote"
+      "org.springframework.web.multipart;MultipartRequest;true;getMultipartContentType;(String);;ReturnValue;remote",
+      // SpringMultipartFileSource
+      "org.springframework.web.multipart;MultipartFile;true;getBytes;();;ReturnValue;remote",
+      "org.springframework.web.multipart;MultipartFile;true;getContentType;();;ReturnValue;remote",
+      "org.springframework.web.multipart;MultipartFile;true;getInputStream;();;ReturnValue;remote",
+      "org.springframework.web.multipart;MultipartFile;true;getName;();;ReturnValue;remote",
+      "org.springframework.web.multipart;MultipartFile;true;getOriginalFilename;();;ReturnValue;remote",
+      "org.springframework.web.multipart;MultipartFile;true;getResource;();;ReturnValue;remote",
+      "org.springframework.web.multipart;MultipartFile;true;getSize;();;ReturnValue;remote",
+      "org.springframework.web.multipart;MultipartFile;true;isEmpty;();;ReturnValue;remote"
     ]
 }
 
diff --git a/java/ql/src/semmle/code/java/dataflow/FlowSources.qll b/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
@@ -121,21 +121,6 @@ private class PlayParameterSource extends RemoteFlowSource {
   override string getSourceType() { result = "Play Query Parameters" }
 }
 
-private class SpringMultipartFileSource extends RemoteFlowSource {
-  SpringMultipartFileSource() {
-    exists(MethodAccess ma, Method m |
-      ma = this.asExpr() and
-      m = ma.getMethod() and
-      m.getDeclaringType()
-          .getASourceSupertype*()
-          .hasQualifiedName("org.springframework.web.multipart", "MultipartFile") and
-      m.getName().matches("get%")
-    )
-  }
-
-  override string getSourceType() { result = "Spring MultipartFile getter" }
-}
-
 private class SpringServletInputParameterSource extends RemoteFlowSource {
   SpringServletInputParameterSource() {
     this.asParameter() = any(SpringRequestMappingParameter srmp | srmp.isTaintedInput())
diff --git a/java/ql/test/library-tests/dataflow/taintsources/remote.expected b/java/ql/test/library-tests/dataflow/taintsources/remote.expected
@@ -36,6 +36,7 @@
 | RmiFlowImpl.java:4:30:4:40 | path | RmiFlowImpl.java:5:28:5:31 | path |
 | RmiFlowImpl.java:4:30:4:40 | path | RmiFlowImpl.java:6:29:6:35 | command |
 | SpringMultiPart.java:8:3:8:17 | getBytes(...) | SpringMultiPart.java:8:3:8:17 | getBytes(...) |
+| SpringMultiPart.java:9:3:9:16 | isEmpty(...) | SpringMultiPart.java:9:3:9:16 | isEmpty(...) |
 | SpringMultiPart.java:10:3:10:23 | getInputStream(...) | SpringMultiPart.java:10:3:10:23 | getInputStream(...) |
 | SpringMultiPart.java:11:3:11:20 | getResource(...) | SpringMultiPart.java:11:3:11:20 | getResource(...) |
 | SpringMultiPart.java:12:3:12:16 | getName(...) | SpringMultiPart.java:12:3:12:16 | getName(...) |
