
Commit f71897d

smowtonowen-mc
authored andcommitted
Rename JAX-WS -> JAX-RS where necessary. Improve change note and fix missing QLDoc.
1 parent ca684be commit f71897d

3 files changed

Lines changed: 25 additions & 19 deletions


Lines changed: 1 addition & 1 deletion
@@ -1,2 +1,2 @@
11
lgtm,codescanning
2-
* Added support for detecting XSS via JAX-WS sinks, and propagating tainted data via various container types (e.g. Form, Cookie, MultivaluedMap).
2+
* Added support for detecting XSS via JAX-RS sinks, and propagating tainted data via various container types (e.g. Form, Cookie, MultivaluedMap).

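--- a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll
+++ b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll
@@ -1,10 +1,16 @@
 import java
 private import semmle.code.java.dataflow.ExternalFlow
 
-string getAJaxWsPackage() { result in ["javax.ws.rs", "jakarta.ws.rs"] }
+/**
+* Gets a name for the root package of JAX-RS.
+*/
+string getAJaxRsPackage() { result in ["javax.ws.rs", "jakarta.ws.rs"] }
 
+/**
+* Gets a name for package `subpackage` within the JAX-RS hierarchy.
+*/
 bindingset[subpackage]
-string getAJaxWsPackage(string subpackage) { result = getAJaxWsPackage() + "." + subpackage }
+string getAJaxRsPackage(string subpackage) { result = getAJaxRsPackage() + "." + subpackage }
 
 /**
 * A JAX WS endpoint is constructed by the container, and its methods
@@ -34,7 +40,7 @@ class JaxWsEndpoint extends Class {
 private predicate hasPathAnnotation(Annotatable annotatable) {
 exists(AnnotationType a |
 a = annotatable.getAnAnnotation().getType() and
-a.getPackage().getName() = getAJaxWsPackage()
+a.getPackage().getName() = getAJaxRsPackage()
 |
 a.hasName("Path")
 )
@@ -47,7 +53,7 @@ class JaxRsResourceMethod extends Method {
 JaxRsResourceMethod() {
 exists(AnnotationType a |
 a = this.getAnAnnotation().getType() and
-a.getPackage().getName() = getAJaxWsPackage()
+a.getPackage().getName() = getAJaxRsPackage()
 |
 a.hasName("GET") or
 a.hasName("POST") or
@@ -184,7 +190,7 @@ class JaxRsInjectionAnnotation extends JaxRSAnnotation {
 JaxRsInjectionAnnotation() {
 exists(AnnotationType a |
 a = getType() and
-a.getPackage().getName() = getAJaxWsPackage()
+a.getPackage().getName() = getAJaxRsPackage()
 |
 a.hasName("BeanParam") or
 a.hasName("CookieParam") or
@@ -195,25 +201,25 @@ class JaxRsInjectionAnnotation extends JaxRSAnnotation {
 a.hasName("QueryParam")
 )
 or
-getType().hasQualifiedName(getAJaxWsPackage("core"), "Context")
+getType().hasQualifiedName(getAJaxRsPackage("core"), "Context")
 }
 }
 
 class JaxRsResponse extends Class {
-JaxRsResponse() { this.hasQualifiedName(getAJaxWsPackage("core"), "Response") }
+JaxRsResponse() { this.hasQualifiedName(getAJaxRsPackage("core"), "Response") }
 }
 
 class JaxRsResponseBuilder extends Class {
 JaxRsResponseBuilder() {
-this.hasQualifiedName(getAJaxWsPackage("core"), "Response$ResponseBuilder")
+this.hasQualifiedName(getAJaxRsPackage("core"), "Response$ResponseBuilder")
 }
 }
 
 /**
 * The class `javax.ws.rs.client.Client`.
 */
 class JaxRsClient extends RefType {
-JaxRsClient() { this.hasQualifiedName(getAJaxWsPackage("client"), "Client") }
+JaxRsClient() { this.hasQualifiedName(getAJaxRsPackage("client"), "Client") }
 }
 
 /**
@@ -226,7 +232,7 @@ class JaxRsBeanParamConstructor extends Constructor {
 c = resourceClass.getAnInjectableCallable()
 |
 p = c.getAParameter() and
-p.getAnAnnotation().getType().hasQualifiedName(getAJaxWsPackage(), "BeanParam") and
+p.getAnAnnotation().getType().hasQualifiedName(getAJaxRsPackage(), "BeanParam") and
 this.getDeclaringType().getSourceDeclaration() = p.getType().(RefType).getSourceDeclaration()
 ) and
 forall(Parameter p | p = getAParameter() |
@@ -239,7 +245,7 @@ class JaxRsBeanParamConstructor extends Constructor {
 * The class `javax.ws.rs.ext.MessageBodyReader`.
 */
 class MessageBodyReader extends GenericInterface {
-MessageBodyReader() { this.hasQualifiedName(getAJaxWsPackage("ext"), "MessageBodyReader") }
+MessageBodyReader() { this.hasQualifiedName(getAJaxRsPackage("ext"), "MessageBodyReader") }
 }
 
 /**
@@ -265,7 +271,7 @@ class MessageBodyReaderRead extends Method {
 
 /** An `@Produces` annotation that describes which content types can be produced by this resource. */
 class JaxRSProducesAnnotation extends JaxRSAnnotation {
-JaxRSProducesAnnotation() { getType().hasQualifiedName(getAJaxWsPackage(), "Produces") }
+JaxRSProducesAnnotation() { getType().hasQualifiedName(getAJaxRsPackage(), "Produces") }
 
 /**
 * Gets a declared content type that can be produced by this resource.
@@ -276,7 +282,7 @@ class JaxRSProducesAnnotation extends JaxRSAnnotation {
 exists(Field jaxMediaType |
 // Accesses to static fields on `MediaType` class do not have constant strings in the database
 // so convert the field name to a content type string
-jaxMediaType.getDeclaringType().hasQualifiedName(getAJaxWsPackage("core"), "MediaType") and
+jaxMediaType.getDeclaringType().hasQualifiedName(getAJaxRsPackage("core"), "MediaType") and
 jaxMediaType.getAnAccess() = getAValue() and
 // e.g. MediaType.TEXT_PLAIN => text/plain
 result = jaxMediaType.getName().toLowerCase().replaceAll("_", "/")
@@ -286,7 +292,7 @@ class JaxRSProducesAnnotation extends JaxRSAnnotation {
 
 /** An `@Consumes` annotation that describes content types can be consumed by this resource. */
 class JaxRSConsumesAnnotation extends JaxRSAnnotation {
-JaxRSConsumesAnnotation() { getType().hasQualifiedName(getAJaxWsPackage(), "Consumes") }
+JaxRSConsumesAnnotation() { getType().hasQualifiedName(getAJaxRsPackage(), "Consumes") }
 }
 
 /**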
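Review bot: `JaxRsResponse` and `JaxRsResponseBuilder` (hunk `@@ -195,25 +201,25 @@`) still carry no QLDoc although the commit title says it fixes missing QLDoc, and the existing comments on `JaxRsClient` and `MessageBodyReader` name only the `javax.ws.rs` class while `getAJaxRsPackage` also matches `jakarta.ws.rs`. I would add `/** The class Response in javax.ws.rs.core or jakarta.ws.rs.core. */` above `JaxRsResponse`, an analogous line for `Response$ResponseBuilder`, and mention both namespaces in the two existing comments, so anyone auditing XSS or redirect sink coverage can see that both are modelled. Separately, the removed `getAJaxWsPackage` predicates were not declared `private`; if they ever shipped in a release, a `deprecated` alias would keep external queries compiling, though the change note suggests they are new in this work, so this may not apply.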

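--- a/java/ql/src/semmle/code/java/security/UrlRedirect.qll
+++ b/java/ql/src/semmle/code/java/security/UrlRedirect.qll
@@ -37,14 +37,14 @@ private class ApacheUrlRedirectSink extends UrlRedirectSink {
 }
 }
 
-/** A URL redirection sink from JAX-WS */
-private class JaxWsUrlRedirectSink extends UrlRedirectSink {
-JaxWsUrlRedirectSink() {
+/** A URL redirection sink from JAX-RS */
+private class JaxRsUrlRedirectSink extends UrlRedirectSink {
+JaxRsUrlRedirectSink() {
 exists(MethodAccess ma |
 ma.getMethod()
 .getDeclaringType()
 .getAnAncestor()
-.hasQualifiedName(getAJaxWsPackage("core"), "Response") and
+.hasQualifiedName(getAJaxRsPackage("core"), "Response") and
 ma.getMethod().getName() in ["seeOther", "temporaryRedirect"] and
 this.asExpr() = ma.getArgument(0)
 )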
