Refactor Ratpack to use CSV format

Author: JLLeitschuh

java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll

@@ -77,6 +77,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.ApacheHttp
   private import semmle.code.java.frameworks.apache.Lang
   private import semmle.code.java.frameworks.guava.Guava
+  private import semmle.code.java.frameworks.ratpack.Ratpack
   private import semmle.code.java.security.ResponseSplitting
   private import semmle.code.java.security.XSS
   private import semmle.code.java.security.LdapInjection

java/ql/src/semmle/code/java/dataflow/FlowSources.qll

@@ -114,25 +114,6 @@ private class PlayParameterSource extends RemoteFlowSource {
   override string getSourceType() { result = "Play Query Parameters" }
 }
 
-private class RatpackHttpMethodSource extends RemoteFlowSource {
-  RatpackHttpMethodSource() {
-    this.asExpr().(MethodAccess).getMethod() instanceof RatpackGetRequestDataMethod
-  }
-
-  override string getSourceType() { result = "Ratpack request method" }
-}
-
-private class RatpackHttpStreamSource extends RemoteFlowSource {
-  RatpackHttpStreamSource() {
-    exists(MethodAccess ma |
-      ma.getMethod() instanceof RatpackHttpTypedDataWriteMethod and
-      ma.getArgument(0) = this.asExpr()
-    )
-  }
-
-  override string getSourceType() { result = "Ratpack request stream" }
-}
-
 private class SpringServletInputParameterSource extends RemoteFlowSource {
   SpringServletInputParameterSource() {
     this.asParameter() = any(SpringRequestMappingParameter srmp | srmp.isTaintedInput())

java/ql/src/semmle/code/java/frameworks/ratpack/Ratpack.qll

@@ -5,97 +5,52 @@
 import java
 private import semmle.code.java.dataflow.DataFlow
 private import semmle.code.java.dataflow.FlowSteps
+private import semmle.code.java.dataflow.ExternalFlow
 
 /**
  * Ratpack methods that access user-supplied request data.
  */
 abstract class RatpackGetRequestDataMethod extends Method { }
 
-/**
- * The interface `ratpack.http.Request`.
- * https://ratpack.io/manual/current/api/ratpack/http/Request.html
- */
-class RatpackRequest extends RefType {
-  RatpackRequest() {
-    hasQualifiedName("ratpack.http", "Request") or
-    hasQualifiedName("ratpack.core.http", "Request")
-  }
-}
-
-/**
- * Methods on `ratpack.http.Request` that return user tainted data.
- */
-class RatpackHttpRequestGetMethod extends RatpackGetRequestDataMethod {
-  RatpackHttpRequestGetMethod() {
-    getDeclaringType() instanceof RatpackRequest and
-    hasName([
-        "getContentLength", "getCookies", "oneCookie", "getHeaders", "getPath", "getQuery",
-        "getQueryParams", "getRawUri", "getUri"
-      ])
+private class RatpackHttpSource extends SourceModelCsv {
+  override predicate row(string row) {
+    row =
+      ["ratpack.http;", "ratpack.core.http;"] +
+        [
+          "Request;true;getContentLength;;;ReturnValue;remote",
+          "Request;true;getCookies;;;ReturnValue;remote",
+          "Request;true;oneCookie;;;ReturnValue;remote",
+          "Request;true;getHeaders;;;ReturnValue;remote",
+          "Request;true;getPath;;;ReturnValue;remote", "Request;true;getQuery;;;ReturnValue;remote",
+          "Request;true;getQueryParams;;;ReturnValue;remote",
+          "Request;true;getRawUri;;;ReturnValue;remote", "Request;true;getUri;;;ReturnValue;remote",
+          "Request;true;getBody;;;ReturnValue;remote"
+        ]
+  }
+}
+
+/**
+ * Ratpack methods that propagate user-supplied request data as tainted.
+ */
+private class RatpackHttpModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      ["ratpack.http;", "ratpack.core.http;"] +
+        [
+          "TypedData;true;getBuffer;;;Argument[-1];ReturnValue;taint",
+          "TypedData;true;getBytes;;;Argument[-1];ReturnValue;taint",
+          "TypedData;true;getContentType;;;Argument[-1];ReturnValue;taint",
+          "TypedData;true;getInputStream;;;Argument[-1];ReturnValue;taint",
+          "TypedData;true;getText;;;Argument[-1];ReturnValue;taint",
+          "TypedData;true;writeTo;;;Argument[-1];Argument[0];taint",
+          "Headers;true;get;;;Argument[-1];ReturnValue;taint",
+          "Headers;true;getAll;;;Argument[-1];ReturnValue;taint",
+          "Headers;true;getNames;;;Argument[-1];ReturnValue;taint",
+          "Headers;true;asMultiValueMap;;;Argument[-1];ReturnValue;taint"
+        ]
+    or
+    row =
+      ["ratpack.form;", "ratpack.core.form;"] +
+        ["UploadedFile;true;getFileName;;;Argument[-1];ReturnValue;taint"]
   }
 }
-
-/**
- * The interface `ratpack.http.TypedData`.
- * https://ratpack.io/manual/current/api/ratpack/http/TypedData.html
- */
-class RatpackTypedData extends RefType {
-  RatpackTypedData() {
-    hasQualifiedName("ratpack.http", "TypedData") or
-    hasQualifiedName("ratpack.core.http", "TypedData")
-  }
-}
-
-/**
- * Methods on `ratpack.http.TypedData` that return user tainted data.
- */
-class RatpackHttpTypedDataGetMethod extends RatpackGetRequestDataMethod {
-  RatpackHttpTypedDataGetMethod() {
-    getDeclaringType() instanceof RatpackTypedData and
-    hasName(["getBuffer", "getBytes", "getContentType", "getInputStream", "getText"])
-  }
-}
-
-/**
- * Methods on `ratpack.http.TypedData` that taint the parameter passed in.
- */
-class RatpackHttpTypedDataWriteMethod extends Method {
-  RatpackHttpTypedDataWriteMethod() {
-    getDeclaringType() instanceof RatpackTypedData and
-    hasName("writeTo")
-  }
-}
-
-/**
- * The interface `ratpack.form.UploadedFile`.
- * https://ratpack.io/manual/current/api/ratpack/form/UploadedFile.html
- */
-class RatpackUploadFile extends RefType {
-  RatpackUploadFile() {
-    hasQualifiedName("ratpack.form", "UploadedFile") or
-    hasQualifiedName("ratpack.core.form", "UploadedFile")
-  }
-}
-
-class RatpackUploadFileGetMethod extends RatpackGetRequestDataMethod {
-  RatpackUploadFileGetMethod() {
-    getDeclaringType() instanceof RatpackUploadFile and
-    hasName("getFileName")
-  }
-}
-
-class RatpackHeader extends RefType {
-  RatpackHeader() {
-    hasQualifiedName("ratpack.http", "Headers") or
-    hasQualifiedName("ratpack.core.http", "Headers")
-  }
-}
-
-private class RatpackHeaderTaintPropagatingMethod extends Method, TaintPreservingCallable {
-  RatpackHeaderTaintPropigatingMethod() {
-    getDeclaringType() instanceof RatpackHeader and
-    hasName(["get", "getAll", "getNames", "asMultiValueMap"])
-  }
-
-  override predicate returnsTaintFrom(int arg) { arg = -1 }
-}

java/ql/test/library-tests/frameworks/ratpack/resources/Resource.java

@@ -30,25 +30,24 @@ void test1(Context ctx) {
         sink(ctx.getRequest().getUri()); //$hasTaintFlow
     }
 
-    void test2(TypedData td) {
-        sink(td.getText()); //$hasTaintFlow
-        sink(td.getBuffer()); //$hasTaintFlow
-        sink(td.getBytes()); //$hasTaintFlow
-        sink(td.getContentType()); //$hasTaintFlow
-        sink(td.getInputStream()); //$hasTaintFlow
+    void test2(Context ctx, OutputStream os) {
+        ctx.getRequest().getBody().then(td -> {
+            sink(td.getText()); //$hasTaintFlow
+            sink(td.getBuffer()); //$hasTaintFlow
+            sink(td.getBytes()); //$hasTaintFlow
+            sink(td.getContentType()); //$hasTaintFlow
+            sink(td.getInputStream()); //$hasTaintFlow
+            sink(os);
+            td.writeTo(os);
+            sink(os); //$hasTaintFlow
+            if (td instanceof UploadedFile) {
+                UploadedFile uf = (UploadedFile) td;
+                sink(uf.getFileName()); //$hasTaintFlow
+            }
+        });
     }
 
-    void test3(TypedData td, OutputStream os) throws java.io.IOException {
-        sink(os);
-        td.writeTo(os);
-        sink(os); //$hasTaintFlow
-    }
-
-    void test4(UploadedFile uf) {
-        sink(uf.getFileName()); //$hasTaintFlow
-    }
-
-    void test5(Context ctx) {
+    void test3(Context ctx) {
         sink(ctx.getRequest().getBody().map(TypedData::getText)); //$hasTaintFlow
         ctx.getRequest().getBody().map(TypedData::getText).then(this::sink); //$hasTaintFlow
         ctx
@@ -59,7 +58,7 @@ void test5(Context ctx) {
             .then(this::sink); //$hasTaintFlow
     }
 
-    void test6() {
+    void test4() {
         String tainted = taint();
         Promise.value(tainted);
         sink(Promise.value(tainted)); //$hasTaintFlow