Java: Add models for the Spring web.util package

[sauyon]

No description provided.

[github-actions]

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged. The differences can be found in the comparison artifact of this workflow run.

[aschackmull]

I think this ought to be restricted with a signature - no need to match all the constructors.

[aschackmull]

You should be able to rebase and remove this now.

[github-actions]

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged. The differences can be found in the comparison artifact of this workflow run.

[github-actions]

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged. The differences can be found in the comparison artifact of this workflow run.

[sauyon]

This PR should be good to go now that my constructor PR is merged.

[aschackmull]

Looks like there's a bad row somewhere:

 invalidModelRow
+| Wrong number of columns in summary model row, expected 9, got 10. |

[sauyon]

Oops, forgot to actually push the fixes. I missed the test generator error for that one, have now double checked.

[sauyon]

I've now actually added a test for the sanitizer and confirmed that at least the webutil test passes. This review cycle definitely shouldn't have happened, sorry.

[aschackmull]

Suggested change

	this.asExpr().(MethodAccess).getMethod().getName().regexpMatch("(?i)html_?escape.*")
	// Match `org.springframework.web.util.HtmlUtils.htmlEscape` and possibly other methods like it.
	this.asExpr().(MethodAccess).getMethod().getName().regexpMatch("(?i)html_?escape.*")

[aschackmull]

Typo. This should be caught by our tests. If it isn't: find out why.

[github-actions]

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged. The following differences were found:

java

Generated file changes for java

• Changes to framework-coverage-java.rst:

-    `Spring <https://spring.io/>`_,``org.springframework.*``,29,306,91,,,,19,14,,29
+    `Spring <https://spring.io/>`_,``org.springframework.*``,29,467,91,,,,19,14,,29
-    Totals,,84,2705,398,13,6,6,107,33,1,66
+    Totals,,84,2866,398,13,6,6,107,33,1,66

• Changes to framework-coverage-java.csv:

+ org.springframework.web.util,,,161,,,,,,,,,,,,,,,,,,,136,25

[sauyon]

Fixed. The reason the tests didn't catch it is threefold:

• The test generator generates tests for UriBuilder using UriComponentsBuilder,
• I'd added redundant models for methods of UriComponentBuilder, and
• the models for UriComponentBuilder applied to calls on UriBuilder, presumably because there was only one implementation of UriBuilder.

I also added tests for the HTML utility functions that I'd added models for.

[github-actions]

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged. The following differences were found:

java

Generated file changes for java

• Changes to framework-coverage-java.rst:

-    `Spring <https://spring.io/>`_,``org.springframework.*``,29,306,91,,,,19,14,,29
+    `Spring <https://spring.io/>`_,``org.springframework.*``,29,467,91,,,,19,14,,29
-    Totals,,84,2711,398,13,6,6,107,33,1,66
+    Totals,,84,2872,398,13,6,6,107,33,1,66

• Changes to framework-coverage-java.csv:

+ org.springframework.web.util,,,161,,,,,,,,,,,,,,,,,,,136,25

[smowton]

These are defined on the abstract superclass too

[sauyon]

I assume you meant the DefaultUriBuilderFactory models below; I've removed them.

[smowton]

I meant they're specified by https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/util/AbstractUriTemplateHandler.html like getBaseUrl et al below, so should be modelled against it for consistency

[sauyon]

It seems to me like AbstractUriTemplateHandler is an implementation of UriTemplateHandler?

[smowton]

Doh yes sorry, I read the class hierarchy backwards

[github-actions]

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged. The following differences were found:

java

Generated file changes for java

• Changes to framework-coverage-java.rst:

-    `Spring <https://spring.io/>`_,``org.springframework.*``,29,306,91,,,,19,14,,29
+    `Spring <https://spring.io/>`_,``org.springframework.*``,29,464,91,,,,19,14,,29
-    Totals,,84,2711,398,13,6,6,107,33,1,66
+    Totals,,84,2869,398,13,6,6,107,33,1,66

• Changes to framework-coverage-java.csv:

+ org.springframework.web.util,,,158,,,,,,,,,,,,,,,,,,,133,25

[smowton]

I meant they're specified by https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/web/util/AbstractUriTemplateHandler.html like getBaseUrl et al below, so should be modelled against it for consistency

[smowton]

Worth noting for a future task: we don't currently model the superclass javax.servlet.[Http]ServletResponseWrapper

[smowton]

I think normalize and toString should both be taint propagating here

[smowton]

to check: probably has a taint-propagating toString?

[sauyon]

toString returns the template, so I would assume yes.

[smowton]

I think getPathWithinServletMapping etc are taint propagating (sounds like if you servlet is mounted at a and the user requested a/b then that would yield /b?) I'd appreciate a once-over from someone who knows their servlets though regarding which of these methods in practice yields developer/admin-specified config information and which yield user/remote-specified data.

[sauyon]

This sounds right to me.

[sauyon]

I've removed getOriginatingServletPath since that seems like it would be admin-specified.

[smowton]

Model setters?

[sauyon]

I'm unsure why I didn't model the session variable setter, but I excluded the system property setter because it doesn't seem easily modelable.

[github-actions]

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged. The following differences were found:

java

Generated file changes for java

• Changes to framework-coverage-java.rst:

-    `Spring <https://spring.io/>`_,``org.springframework.*``,29,306,91,,,,19,14,,29
+    `Spring <https://spring.io/>`_,``org.springframework.*``,29,469,91,,,,19,14,,29
-    Totals,,84,2711,398,13,6,6,107,33,1,66
+    Totals,,84,2874,398,13,6,6,107,33,1,66

• Changes to framework-coverage-java.csv:

+ org.springframework.web.util,,,163,,,,,,,,,,,,,,,,,,,138,25