Merge pull request #5953 from github/sauyon/java/spring-webutil

Java: Add models for the Spring `web.util` package
github · Aug 18, 2021 · cc4fe73 · cc4fe73
2 parents 27df272 + 17cef3f
commit cc4fe73
Show file tree

Hide file tree

Showing 75 changed files with 4,341 additions and 17 deletions.
diff --git a/java/change-notes/2021-07-01-spring-webutil.md b/java/change-notes/2021-07-01-spring-webutil.md
@@ -0,0 +1,4 @@
+lgtm,codescanning
+* Additional flow steps in the `org.springframework.web.util` package of the Spring framework have
+  been modelled.  This may result in additional results for security queries on projects using this
+  framework.
diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -95,6 +95,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.spring.SpringWebClient
   private import semmle.code.java.frameworks.spring.SpringBeans
   private import semmle.code.java.frameworks.spring.SpringWebMultipart
+  private import semmle.code.java.frameworks.spring.SpringWebUtil
   private import semmle.code.java.security.ResponseSplitting
   private import semmle.code.java.security.InformationLeak
   private import semmle.code.java.security.GroovyInjection

diff --git a/java/ql/src/semmle/code/java/frameworks/spring/Spring.qll b/java/ql/src/semmle/code/java/frameworks/spring/Spring.qll
@@ -39,6 +39,7 @@ import semmle.code.java.frameworks.spring.SpringUtil
 import semmle.code.java.frameworks.spring.SpringValidation
 import semmle.code.java.frameworks.spring.SpringValue
 import semmle.code.java.frameworks.spring.SpringWebMultipart
+import semmle.code.java.frameworks.spring.SpringWebUtil
 import semmle.code.java.frameworks.spring.SpringXMLElement
 import semmle.code.java.frameworks.spring.metrics.MetricSpringBean
 import semmle.code.java.frameworks.spring.metrics.MetricSpringBeanFile
diff --git a/java/ql/src/semmle/code/java/frameworks/spring/SpringWebUtil.qll b/java/ql/src/semmle/code/java/frameworks/spring/SpringWebUtil.qll
diff --git a/java/ql/src/semmle/code/java/security/XSS.qll b/java/ql/src/semmle/code/java/security/XSS.qll
@@ -93,7 +93,10 @@ private class DefaultXssSink extends XssSink {
 /** A default sanitizer that considers numeric and boolean typed data safe for writing to output. */
 private class DefaultXSSSanitizer extends XssSanitizer {
   DefaultXSSSanitizer() {
-    this.getType() instanceof NumericType or this.getType() instanceof BooleanType
+    this.getType() instanceof NumericType or
+    this.getType() instanceof BooleanType or
+    // Match `org.springframework.web.util.HtmlUtils.htmlEscape` and possibly other methods like it.
+    this.asExpr().(MethodAccess).getMethod().getName().regexpMatch("(?i)html_?escape.*")
   }
 }