Skip to content

Commit f2edc53

Browse files
lcarteylcartey
committed
Java: Add Spring RestTemplate return values to untrusted data types
 - Also improve unwrapping of lists/arrays/maps etc.
1 parent 9625e82 commit f2edc53

File tree

1 file changed

+15
-2
lines changed

1 file changed

+15
-2
lines changed

java/ql/src/semmle/code/java/frameworks/spring/SpringController.qll

Lines changed: 15 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,7 @@
11
import java
22
import semmle.code.java.Maps
33
import SpringWeb
4+
import SpringWebClient
45

56
/**
67
* An annotation type that identifies Spring controllers.
@@ -296,6 +297,13 @@ class SpringModelResponseType extends RefType {
296297
}
297298
}
298299

300+
/** Strips wrapper types. */
301+
private RefType stripType(Type t) {
302+
result = t or
303+
result = stripType(t.(Array).getComponentType()) or
304+
result = stripType(t.(ParameterizedType).getATypeArgument())
305+
}
306+
299307
/**
300308
* A user data type which may be populated from a HTTP request.
301309
*
@@ -310,11 +318,16 @@ class SpringUntrustedDataType extends RefType {
310318
p.getAnAnnotation().(SpringServletInputAnnotation).getType().hasName("RequestBody")
311319
|
312320
this.fromSource() and
313-
this = p.getType()
321+
this = stripType(p.getType())
322+
)
323+
or
324+
exists(SpringRestTemplateResponseEntityMethod rm |
325+
this = stripType(rm.getAReference().getType().(ParameterizedType).getTypeArgument(0)) and
326+
this.fromSource()
314327
)
315328
or
316329
exists(SpringUntrustedDataType mt |
317-
this = mt.getAField().getType() and
330+
this = stripType(mt.getAField().getType()) and
318331
this.fromSource()
319332
)
320333
}

0 commit comments

Comments
 (0)