Java: add remote user input for Struts 2 `ActionSupport`

2019-02-05 20:58:56 -05:00 · 2019-02-05 20:58:56 -05:00 · 751bbbf583
--- a/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
+++ b/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
@ -18,6 +18,7 @@ import semmle.code.java.frameworks.JaxWS
 import semmle.code.java.frameworks.android.Intent
 import semmle.code.java.frameworks.SpringWeb
 import semmle.code.java.frameworks.Guice
+import semmle.code.java.frameworks.struts.StrutsActions

 /** Class for `tainted` user input. */
 abstract class UserInput extends DataFlow::Node { }
@ -75,6 +76,8 @@ class RemoteUserInput extends UserInput {
      a = this.asParameter().getAnAnnotation() or
      a = this.asExpr().(FieldRead).getField().getAnAnnotation()
    )
+    or
+    exists(Struts2ActionSupportClass c | c.getASetterMethod().getField() = this.asExpr().(FieldRead).getField())
  }

  /**
--- a/java/ql/src/semmle/code/java/frameworks/struts/StrutsActions.qll
+++ b/java/ql/src/semmle/code/java/frameworks/struts/StrutsActions.qll
@ -124,3 +124,24 @@ class Struts2PrepareMethod extends Method {
    exists(Struts2ActionClass actionClass | this = actionClass.getPrepareMethod())
  }
 }
+
+/**
+ * A subclass of the Struts 2 `ActionSupport` class.
+ */
+class Struts2ActionSupportClass extends Class {
+  Struts2ActionSupportClass() {
+    this.getASupertype+().hasQualifiedName("com.opensymphony.xwork2", "ActionSupport")
+  }
+
+  /**
+   * Gets a setter method declared on a subclass of `ActionSupport`.
+   */
+  SetterMethod getASetterMethod() {
+    result.getDeclaringType() = this and
+    result.isPublic() and
+    exists(string name | result.getField().getName().toLowerCase() = name |
+      result.getName().toLowerCase().substring(3, result.getName().length()) = name and
+      result.getName().matches("set%")
+    )
+  }
+}