Merge pull request #17025 from jcogs33/jcogs33/java/adjust-url-synthe…

…ticfield

Java: add TaintInheritingContent for URL synthetic fields

java/ql/lib/change-notes/2024-07-24-url-fields-inherit-taint.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added flow through some methods of the class `java.net.URL` by ensuring that the fields of a URL are tainted.

java/ql/lib/semmle/code/java/dataflow/FlowSteps.qll

@@ -22,6 +22,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.IoJsonWebToken
   private import semmle.code.java.frameworks.jackson.JacksonSerializability
   private import semmle.code.java.frameworks.InputStream
+  private import semmle.code.java.frameworks.Networking
   private import semmle.code.java.frameworks.Properties
   private import semmle.code.java.frameworks.Protobuf
   private import semmle.code.java.frameworks.ThreadLocal

java/ql/lib/semmle/code/java/frameworks/Networking.qll

@@ -3,6 +3,8 @@
  */
 
 import semmle.code.java.Type
+private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.dataflow.FlowSteps
 
 /** The type `java.net.URLConnection`. */
 class TypeUrlConnection extends RefType {
@@ -24,6 +26,11 @@ class TypeUrl extends RefType {
   TypeUrl() { this.hasQualifiedName("java.net", "URL") }
 }
 
+/** Specifies that if a `URL` is tainted, then so are its synthetic fields. */
+private class UrlFieldsInheritTaint extends DataFlow::SyntheticFieldContent, TaintInheritingContent {
+  UrlFieldsInheritTaint() { this.getField().matches("java.net.URL.%") }
+}
+
 /** The type `java.net.URLDecoder`. */
 class TypeUrlDecoder extends RefType {
   TypeUrlDecoder() { this.hasQualifiedName("java.net", "URLDecoder") }

java/ql/test/library-tests/frameworks/jdk/java.net/Test.java

@@ -90,13 +90,29 @@ public void test() throws Exception {
 			out = in.toURL();
 			sink(out); // $ hasTaintFlow
 		}
+		{
+			// manual test for `URI.toURL().getPath()`; checks that if a `URL` is tainted, then so are its synthetic fields
+			// java.net;URL;False;getPath;();;Argument[this].SyntheticField[java.net.URL.path];ReturnValue;taint;ai-manual
+			URL out = null;
+			URI in = (URI) source();
+			out = in.toURL();
+			sink(out.getPath()); // $ hasTaintFlow
+		}
 		{
 			// "java.net;URL;false;URL;(String);;Argument[0];Argument[this];taint;manual"
 			URL out = null;
 			String in = (String) source();
 			out = new URL(in);
 			sink(out); // $ hasTaintFlow
 		}
+		{
+			// manual test for `URL(String).getPath()`; checks that if a `URL` is tainted, then so are its synthetic fields
+			// java.net;URL;False;getPath;();;Argument[this].SyntheticField[java.net.URL.path];ReturnValue;taint;ai-manual
+			URL out = null;
+			String in = (String) source();
+			out = new URL(in);
+			sink(out.getPath()); // $ hasTaintFlow
+		}
 		{
 			// "java.net;URL;false;URL;(URL,String);;Argument[0];Argument[this];taint;ai-generated"
 			URL out = null;