The Wayback Machine - https://web.archive.org/web/20211101022504/https://github.com/github/codeql/pull/7007
Java: Ratpack HTTP Framework Additional Modeling #7007

Open
wants to merge 1 commit into base: main

Conversation

1 participant

@JLLeitschuh JLLeitschuh commented Oct 29, 2021

Adds models for ratpack.func.Pair, and ratpack.exec.Result.
Improves models for ratpack.exec.Promise.

Adds models for `ratpack.func.Pair`, and `ratpack.exec.Result`.
Improves models for `ratpack.exec.Promise`.

Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>

@github-actions github-actions bot commented Oct 29, 2021

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.


Generated file changes for java

  • Changes to framework-coverage-java.rst:
-    Others,"``cn.hutool.core.codec``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.core``, ``com.fasterxml.jackson.databind``, ``com.opensymphony.xwork2.ognl``, ``com.unboundid.ldap.sdk``, ``flexjson``, ``groovy.lang``, ``groovy.util``, ``jodd.json``, ``net.sf.saxon.s9api``, ``ognl``, ``org.apache.commons.codec``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.ognl``, ``org.apache.directory.ldap.client.api``, ``org.apache.ibatis.jdbc``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.codehaus.groovy.control``, ``org.dom4j``, ``org.hibernate``, ``org.jooq``, ``org.mvel2``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``",39,99,151,,,,14,18,,
+    Others,"``cn.hutool.core.codec``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.core``, ``com.fasterxml.jackson.databind``, ``com.opensymphony.xwork2.ognl``, ``com.unboundid.ldap.sdk``, ``flexjson``, ``groovy.lang``, ``groovy.util``, ``jodd.json``, ``net.sf.saxon.s9api``, ``ognl``, ``org.apache.commons.codec``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.ognl``, ``org.apache.directory.ldap.client.api``, ``org.apache.ibatis.jdbc``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.codehaus.groovy.control``, ``org.dom4j``, ``org.hibernate``, ``org.jooq``, ``org.mvel2``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``",39,239,151,,,,14,18,,
-    Totals,,175,5332,408,13,6,10,107,33,1,66
+    Totals,,175,5472,408,13,6,10,107,33,1,66
  • Changes to framework-coverage-java.csv:
- ratpack.exec,,,26,,,,,,,,,,,,,,,,,,,,,,26
+ ratpack.exec,,,58,,,,,,,,,,,,,,,,,,,,,,58
- ratpack.func,,,5,,,,,,,,,,,,,,,,,,,,,,5
+ ratpack.func,,,59,,,,,,,,,,,,,,,,,,,,,,59
- ratpack.util,,,5,,,,,,,,,,,,,,,,,,,,,,5
+ ratpack.util,,,59,,,,,,,,,,,,,,,,,,,,,,59
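Review bot: the csv hunk shows ratpack.util growing from 5 to 59 entries alongside ratpack.exec (26 to 58) and ratpack.func (5 to 59), but neither the PR description nor the commit message mentions ratpack.util; add it to the description so the change log matches the coverage delta. The three deltas (32 + 54 + 54 = 140) agree with the Others row (99 to 239) and the Totals row (5332 to 5472) in the rst hunk, so the generated report itself is consistent.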
left = "Field[ratpack.func.Pair.left]" and
right = "Field[ratpack.func.Pair.right]"
or
left = "SyntheticField[ratpack.func.Pair.left]" and
right = "SyntheticField[ratpack.func.Pair.right]"

@JLLeitschuh JLLeitschuh Oct 29, 2021

This seems like the wrong thing to do here. I think there's a bug somewhere in SummaryModelCsv.

This issue is described here:

https://ghsecuritylab.slack.com/archives/CQJU6RN49/p1635517815004000?thread_ts=1635439827.001500&cid=CQJU6RN49

The behaviour of SyntheticField[ratpack.func.Pair.left] and Field[ratpack.func.Pair.left] is different when passing the field as a parameter into a lambda.

I.e. this works: "mapLeft;;;SyntheticField[ratpack.func.Pair.left] of Argument[-1];Parameter[0] of Argument[0];value", when everything in the model uses SyntheticField, but this doesn't work: "mapLeft;;;Field[ratpack.func.Pair.left] of Argument[-1];Parameter[0] of Argument[0];value", when everything is modeled using Field.

This is the test that fails when moving from SyntheticField to Field:

Pair<String, String> pair = Pair.of(taint(), taint());
Pair<String, String> taintLeft = pair.mapLeft(left -> {
    sink(left); //$hasTaintFlow
    return "safe";
});

But when moving from SyntheticField to Field, this test now passes for pair.left and pair.right:

Pair<String, String> pair = Pair.of(taint(), taint());
sink(pair.left); //$hasTaintFlow
sink(pair.getLeft()); //$hasTaintFlow
sink(pair.right); //$hasTaintFlow
sink(pair.getRight()); //$hasTaintFlow

When I specify both, everything works and all tests pass.
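An added example, not part of this thread or of the CodeQL project: it parses summary rows of the shape quoted in the comment above (the trailing six columns only) into their access-path components, and expresses the "specify both spellings" workaround as a text transform that emits each row once with `Field[...]` and once with `SyntheticField[...]`. The column names, the sample rows and the bracket-aware tokeniser are my assumptions and constructions, not CodeQL's own parser.

```python
import re

# Constructed rows in the shape quoted in the thread (trailing six columns only).
SAMPLE_ROWS = [
    "mapLeft;;;SyntheticField[ratpack.func.Pair.left] of Argument[-1];Parameter[0] of Argument[0];value",
    "mapLeft;;;Field[ratpack.func.Pair.left] of Argument[-1];Parameter[0] of Argument[0];value",
]

# One access-path token: a name plus an optional bracketed argument.
TOKEN = re.compile(r"^([A-Za-z]+)(?:\[(.*)\])?$")

def parse_access_path(path):
    """Split 'A of B' into [B, A]: written outermost-first, applied from the
    argument inwards. Bracket-aware, so ' of ' inside [...] is not a separator."""
    tokens, depth, start, i = [], 0, 0, 0
    while i < len(path):
        ch = path[i]
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        elif depth == 0 and path.startswith(" of ", i):
            tokens.append(path[start:i])
            i += 4
            start = i
            continue
        i += 1
    tokens.append(path[start:])
    parsed = []
    for tok in reversed(tokens):
        m = TOKEN.match(tok.strip())
        if not m:
            raise ValueError(f"malformed access-path token: {tok!r}")
        parsed.append((m.group(1), m.group(2) or ""))
    return parsed

def parse_row(row):
    """Parse the six trailing columns shown in the thread (column names assumed)."""
    cols = row.split(";")
    if len(cols) != 6:
        raise ValueError(f"expected 6 columns, got {len(cols)}: {row!r}")
    name, signature, ext, inp, outp, kind = cols
    return {"name": name, "signature": signature, "ext": ext, "kind": kind,
            "input": parse_access_path(inp), "output": parse_access_path(outp)}

def expand_field_spellings(row):
    """Emit the row with Field[...] and with SyntheticField[...], the textual
    counterpart of the QL disjunction that accepts both spellings."""
    plain = re.sub(r"\bSyntheticField\[", "Field[", row)
    synthetic = re.sub(r"\bField\[", "SyntheticField[", plain)
    return [plain, synthetic] if plain != synthetic else [row]
```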
