Resove taint tracking issues from asMultimap

JLLeitschuh · JLLeitschuh · commit db2892b9eaec · 2021-10-18T14:30:46.000-04:00
Signed-off-by: Jonathan Leitschuh &lt;Jonathan.Leitschuh@gmail.com&gt;
diff --git a/java/ql/lib/semmle/code/java/frameworks/ratpack/Ratpack.qll b/java/ql/lib/semmle/code/java/frameworks/ratpack/Ratpack.qll
@@ -81,7 +81,7 @@ private class RatpackModel extends SummaryModelCsv {
           "MultiValueMap;true;getAll;();;MapValue of Argument[-1];Element of MapValue of ReturnValue;value",
           "MultiValueMap;true;getAll;(Object);;MapValue of Argument[-1];Element of ReturnValue;value",
           "MultiValueMap;true;asMultimap;;;MapKey of Argument[-1];MapKey of ReturnValue;value",
-          "MultiValueMap;true;asMultimap;;;MapValue of Argument[-1];Element of MapValue of ReturnValue;value"
+          "MultiValueMap;true;asMultimap;;;MapValue of Argument[-1];MapValue of ReturnValue;value"
         ]
   }
 }
diff --git a/java/ql/test/library-tests/frameworks/ratpack/CollectionPassingTest.java b/java/ql/test/library-tests/frameworks/ratpack/CollectionPassingTest.java
@@ -0,0 +1,70 @@
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableMap;
+
+import ratpack.core.handling.Context;
+import ratpack.core.form.Form;
+
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.List;
+import java.util.function.Predicate;
+
+public class CollectionPassingTest {
+
+    void sink(Object o) {}
+
+    String taint() {
+        return null;
+    }
+
+    void test_1(Context ctx) {
+        // Given
+        ctx
+            .getRequest()
+            .getBody()
+            .map(data -> ctx.parse(data, Form.form()))
+            .then(form -> {
+                // When
+                Map<String, Object> pojoMap = new HashMap<>();
+                merge(form.asMultimap().asMap(), pojoMap);
+                // Then
+                sink(pojoMap.get("value")); //$hasTaintFlow
+                pojoMap.forEach((key, value) -> {
+                    sink(value); //$hasTaintFlow
+                    List<Object> values = (List<Object>) value;
+                    sink(values.get(0)); //$hasTaintFlow
+                });
+            });
+    }
+
+    void test_2() {
+        // Given
+        Map<String, Collection<String>> taintedMap = new HashMap<>();
+        taintedMap.put("value", ImmutableList.of(taint()));
+        Map<String, Object> pojoMap = new HashMap<>();
+        // When
+        merge(taintedMap, pojoMap);
+        // Then
+        sink(pojoMap.get("value")); //$hasTaintFlow
+        pojoMap.forEach((key, value) -> {
+            sink(value); //$hasTaintFlow
+            List<Object> values = (List<Object>) value;
+            sink(values.get(0)); //$hasTaintFlow
+        });
+    }
+
+
+    private static void merge(Map<String, Collection<String>> params, Map<String, Object> defaults) {
+        for(Map.Entry<String, Collection<String>> entry : params.entrySet()) {
+            String name = entry.getKey();
+            Collection<String> values = entry.getValue();
+            defaults.put(name, extractSingleValueIfPossible(values));
+        }
+    }
+
+    private static Object extractSingleValueIfPossible(Collection<String> values) {
+        return values.size() == 1 ? values.iterator().next() : ImmutableList.copyOf(values);
+    }
+    
+}
diff --git a/java/ql/test/library-tests/frameworks/ratpack/resources/IntegrationTest.java b/java/ql/test/library-tests/frameworks/ratpack/resources/IntegrationTest.java
@@ -31,9 +31,15 @@ class IntegrationTest {
     static class Pojo {
         String value;
 
+        List<String> values;
+
         String getValue() {
             return value;
         }
+
+        List<String> getValues() {
+            return values;
+        }
     }
 
     private final ObjectMapper objectMapper = new ObjectMapper();
@@ -112,6 +118,24 @@ void test5(Context ctx) {
             });
     }
 
+    void test6(Context ctx) {
+        bindQuery(ctx, Pojo.class)
+            .then(pojo -> {
+                sink(pojo.getValue()); //$hasTaintFlow
+                sink(pojo.getValues()); //$hasTaintFlow
+            });
+    }
+
+    public <T> Promise<T> bindQuery(Context ctx, Class<T> type) {
+        return bindQuery(ctx, type, Action.noop());
+    }
+
+    public <T> Promise<T> bindQuery(Context ctx, Class<T> type, Action<? super ImmutableMap.Builder<String, Object>> defaults) {
+        return Promise.sync(() ->
+            bind(ctx, toObjectNode(ctx.getRequest().getQueryParams(), defaults, name -> false), type)
+        );
+    }
+
     private <T> Promise<T> bindJson(Context ctx, Class<T> type) {
         return ctx.getRequest().getBody()
             .map(data -> {
@@ -215,4 +239,4 @@ public void serializeWithType(Object gen, Object serializers, Object typeSer) th
             // empty
         }
     }
-}
+}
diff --git a/java/ql/test/library-tests/frameworks/ratpack/resources/Resource.java b/java/ql/test/library-tests/frameworks/ratpack/resources/Resource.java
@@ -316,6 +316,5 @@ void test12() {
             .then(value -> {
                 sink(value); // no tainted flow
             });
-    }
-    
-}
+    }    
+}

Original file line number	Diff line number	Diff line change
`@@ -81,7 +81,7 @@ private class RatpackModel extends SummaryModelCsv {`
`81`	`81`	`"MultiValueMap;true;getAll;();;MapValue of Argument[-1];Element of MapValue of ReturnValue;value",`
`82`	`82`	`"MultiValueMap;true;getAll;(Object);;MapValue of Argument[-1];Element of ReturnValue;value",`
`83`	`83`	`"MultiValueMap;true;asMultimap;;;MapKey of Argument[-1];MapKey of ReturnValue;value",`
`84`		`- "MultiValueMap;true;asMultimap;;;MapValue of Argument[-1];Element of MapValue of ReturnValue;value"`
	`84`	`+ "MultiValueMap;true;asMultimap;;;MapValue of Argument[-1];MapValue of ReturnValue;value"`
`85`	`85`	`]`
`86`	`86`	`}`
`87`	`87`	`}`