From 3f6eef8437cd7f4aa76c28ac84ea6aeb28151325 Mon Sep 17 00:00:00 2001
From: Porcupiney Hairs
Date: Tue, 12 May 2020 22:45:48 +0530
Subject: [PATCH 1/2] Java: add websocket reads as remote flow source.
Currently, JAX-WS reads are considered as untrusted. However, `java.net.http.WebSocket` reads are not marked as such. This PR adds support for the same.
---
 .../semmle/code/java/dataflow/FlowSources.qll | 9 +++++++
 .../code/java/frameworks/javase/WebSocket.qll | 21 +++++++++++++++
 .../CWE-079/semmle/tests/WebsocketXss.java | 27 +++++++++++++++++++
 3 files changed, 57 insertions(+)
 create mode 100644 java/ql/src/semmle/code/java/frameworks/javase/WebSocket.qll
 create mode 100644 java/ql/test/query-tests/security/CWE-079/semmle/tests/WebsocketXss.java
diff --git a/java/ql/src/semmle/code/java/dataflow/FlowSources.qll b/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
index 1d8de8ea4719..b6d367bc32c4 100644
--- a/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
+++ b/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
@@ -15,6 +15,7 @@ import semmle.code.java.frameworks.ApacheHttp
 import semmle.code.java.frameworks.android.XmlParsing
 import semmle.code.java.frameworks.android.WebView
 import semmle.code.java.frameworks.JaxWS
+import semmle.code.java.frameworks.javase.WebSocket
 import semmle.code.java.frameworks.android.Intent
 import semmle.code.java.frameworks.spring.SpringWeb
 import semmle.code.java.frameworks.spring.SpringController
@@ -155,6 +156,14 @@ private class ThriftIfaceParameterSource extends RemoteFlowSource {
 override string getSourceType() { result = "Thrift Iface parameter" }
 }
+private class WebSocketMessageParameterSource extends RemoteFlowSource {
+ WebSocketMessageParameterSource() {
+ exists(WebsocketOnText t | t.getParameter(1) = this.asParameter())
+ }
+
+ override string getSourceType() { result = "Websocket onText parameter" }
+}
+
 /** Class for `tainted` user input. */
 abstract class UserInput extends DataFlow::Node { }
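Review bot: `WebSocketMessageParameterSource` only taints parameter 1 of `onText`, so the `ByteBuffer data` argument of `WebSocket.Listener.onBinary` (and the `onPing`/`onPong` payloads) arrives from the same remote peer yet stays untracked; a sibling class for `onBinary` in WebSocket.qll plus a second disjunct in this `exists` would close that gap. The index-based `t.getParameter(1)` is correct for the documented `onText(WebSocket, CharSequence, boolean)` shape, but it inherits whatever overload `WebsocketOnText` happens to match, since that class checks only the method name. The surrounding private sources carry no QLDoc either, so this is consistent, though a one-line `/** The `CharSequence` parameter of a `java.net.http.WebSocket.Listener.onText` callback. */` would make the source type self-explanatory.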
diff --git a/java/ql/src/semmle/code/java/frameworks/javase/WebSocket.qll b/java/ql/src/semmle/code/java/frameworks/javase/WebSocket.qll
new file mode 100644
index 000000000000..17d3d4579d2a
--- /dev/null
+++ b/java/ql/src/semmle/code/java/frameworks/javase/WebSocket.qll
@@ -0,0 +1,21 @@
+/**
+ * Provides classes for identifying methods called by the Java SE WebSocket package.
+ */
+
+import java
+
+/** The `java.net.http.Websocket.Listener` interface. */
+class WebsocketListener extends Interface {
+ WebsocketListener() { this.hasQualifiedName("java.net.http", "WebSocket$Listener") }
+}
+
+/** The method `onText` on a type that implements the `java.net.http.Websocket.Listener` interface. */
+class WebsocketOnText extends Method {
+ WebsocketOnText() {
+ exists(WebsocketListener l |
+ this.getDeclaringType().extendsOrImplements(l) and
+ // onText(WebSocket webSocket, CharSequence data, boolean last)
+ this.hasName("onText")
+ )
+ }
+}
diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebsocketXss.java b/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebsocketXss.java
new file mode 100644
index 000000000000..2fc9998b775b
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebsocketXss.java
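Review bot: `WebsocketOnText` matches the declaring type with `extendsOrImplements(l)`, which as far as I recall relates a type only to its direct supertypes, so an `onText` declared in a class that inherits its `Listener` implementation from a superclass or an intermediate interface is not recognised as a source; `this.getDeclaringType().getAnAncestor() = l` covers the indirect case. The name check `hasName("onText")` alone also accepts any unrelated `onText` overload on the implementing class, so adding `this.getNumberOfParameters() = 3` ties it to the `onText(WebSocket, CharSequence, boolean)` signature the inline comment describes. The QLDoc spells the interface `java.net.http.Websocket.Listener` while the qualified-name check uses `WebSocket$Listener`; `/** The `java.net.http.WebSocket.Listener` interface. */` keeps the two consistent, and the file header would be more accurate as `Provides classes for identifying callback methods of the Java SE `java.net.http.WebSocket` API.` since these are methods the runtime calls, not methods called by the package.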
@@ -0,0 +1,27 @@
+// package test.cwe079.cwe.examples;
+
+// import java.net.http.HttpClient;
+// import java.net.http.WebSocket;
+// import java.net.URI;
+// import java.util.*;
+// import java.util.concurrent.*;
+
+// public class WebsocketXss {
+// public static void main(String[] args) throws Exception {
+// WebSocket.Listener listener = new WebSocket.Listener() {
+// public CompletionStage onText(WebSocket webSocket, CharSequence message, boolean last) {
+// try {
+// HttpClient client = HttpClient.newBuilder().build();
+// CompletableFuture ws = client.newWebSocketBuilder()
+// .buildAsync(URI.create("ws://websocket.example.com"), null);
+// ws.get().sendText​(message, false);
+// } catch (Exception e) {
+// // TODO: handle exception
+// }
+
+// return null;
+// };
+// };
+
+// }
+// }
\ No newline at end of file
From 4f07733b06ea62aab3da3b455246089d08a1cd11 Mon Sep 17 00:00:00 2001
From: Porcupiney Hairs
Date: Sun, 30 Aug 2020 04:54:02 +0530
Subject: [PATCH 2/2] remove U+200B
---
 .../security/CWE-079/semmle/tests/WebsocketXss.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebsocketXss.java b/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebsocketXss.java
index 2fc9998b775b..6d069c6f1182 100644
--- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebsocketXss.java
+++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/WebsocketXss.java
@@ -14,7 +14,7 @@
 // HttpClient client = HttpClient.newBuilder().build();
 // CompletableFuture ws = client.newWebSocketBuilder()
 // .buildAsync(URI.create("ws://websocket.example.com"), null);
-// ws.get().sendText​(message, false);
+// ws.get().sendText(message, false);
 // } catch (Exception e) {
 // // TODO: handle exception
 // }
@@ -24,4 +24,4 @@
 // };
 // }
-// }
\ No newline at end of file
+// }
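Review bot: Every line of the new WebsocketXss.java is commented out, so the `@@ -0,0 +1,27 @@` hunk adds a test that compiles to nothing and cannot show that the `message` parameter of `onText` is now reported as a remote source; the class should land uncommented so the query actually runs over it. Even uncommented, the only use of `message` is `ws.get().sendText(message, false)`, which is a network send rather than an XSS sink, so no CWE-079 result would be expected from it; a fixture that writes `message` into an HTTP response (the pattern the other tests under this directory presumably use) would exercise the source-to-sink path this PR is meant to cover. The raw `CompletionStage` return type and the blocking `ws.get()` inside the listener callback are fine for a fixture but would warrant a short comment if the file is meant to read as a realistic example.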