Java: Add remote user input sources for Spring servlets.

Author: aschackmull

change-notes/1.19/analysis-java.md

@@ -17,5 +17,9 @@
 
 ## Changes to QL libraries
 
+* The default set of taint sources in the `FlowSources` library is extended to
+  cover parameters annotated with Spring framework annotations indicating
+  remote user input from servlets. This affects all security queries, which
+  will yield additional results on projects using the Spring Web framework.
 * The `ParityAnalysis` library is replaced with the more general `ModulusAnalysis` library, which improves the range analysis.
 

java/ql/src/semmle/code/java/dataflow/FlowSources.qll

@@ -16,6 +16,7 @@ import semmle.code.java.frameworks.android.XmlParsing
 import semmle.code.java.frameworks.android.WebView
 import semmle.code.java.frameworks.JaxWS
 import semmle.code.java.frameworks.android.Intent
+import semmle.code.java.frameworks.SpringWeb
 
 /** Class for `tainted` user input. */
 abstract class UserInput extends DataFlow::Node { }
@@ -66,6 +67,8 @@ class RemoteUserInput extends UserInput {
       m.getParameter(4) = this.asParameter() or
       m.getParameter(5) = this.asParameter()
     )
+    or
+    this.asParameter().getAnAnnotation() instanceof SpringServletInputAnnotation
   }
 
   /**

java/ql/src/semmle/code/java/frameworks/SpringWeb.qll

@@ -0,0 +1,17 @@
+import java
+
+/** A Spring framework annotation indicating remote user input from servlets. */
+class SpringServletInputAnnotation extends Annotation {
+  SpringServletInputAnnotation() {
+    exists(AnnotationType a |
+      a = this.getType() and
+      a.getPackage().getName() = "org.springframework.web.bind.annotation"
+    |
+      a.hasName("MatrixVariable") or
+      a.hasName("RequestParam") or
+      a.hasName("RequestHeader") or
+      a.hasName("CookieValue") or
+      a.hasName("RequestPart")
+    )
+  }
+}