Model UriInfo.relativize and resolve.

smowton · smowton · commit 5e7a3ca2e6ed · 2021-09-10T16:36:37.000+01:00
diff --git a/java/ql/lib/semmle/code/java/frameworks/JaxWS.qll b/java/ql/lib/semmle/code/java/frameworks/JaxWS.qll
@@ -552,14 +552,20 @@ private class UriInfoModel extends SummaryModelCsv {
         "javax.ws.rs.core;UriInfo;true;getQueryParameters;;;Argument[-1];ReturnValue;taint",
         "javax.ws.rs.core;UriInfo;true;getRequestUri;;;Argument[-1];ReturnValue;taint",
         "javax.ws.rs.core;UriInfo;true;getRequestUriBuilder;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;UriInfo;true;relativize;;;Argument[0];ReturnValue;taint",
+        "javax.ws.rs.core;UriInfo;true;resolve;;;Argument[-1];ReturnValue;taint",
+        "javax.ws.rs.core;UriInfo;true;resolve;;;Argument[0];ReturnValue;taint",
         "jakarta.ws.rs.core;UriInfo;true;getAbsolutePath;;;Argument[-1];ReturnValue;taint",
         "jakarta.ws.rs.core;UriInfo;true;getAbsolutePathBuilder;;;Argument[-1];ReturnValue;taint",
         "jakarta.ws.rs.core;UriInfo;true;getPath;;;Argument[-1];ReturnValue;taint",
         "jakarta.ws.rs.core;UriInfo;true;getPathParameters;;;Argument[-1];ReturnValue;taint",
         "jakarta.ws.rs.core;UriInfo;true;getPathSegments;;;Argument[-1];ReturnValue;taint",
         "jakarta.ws.rs.core;UriInfo;true;getQueryParameters;;;Argument[-1];ReturnValue;taint",
         "jakarta.ws.rs.core;UriInfo;true;getRequestUri;;;Argument[-1];ReturnValue;taint",
-        "jakarta.ws.rs.core;UriInfo;true;getRequestUriBuilder;;;Argument[-1];ReturnValue;taint"
+        "jakarta.ws.rs.core;UriInfo;true;getRequestUriBuilder;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriInfo;true;relativize;;;Argument[0];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriInfo;true;resolve;;;Argument[-1];ReturnValue;taint",
+        "jakarta.ws.rs.core;UriInfo;true;resolve;;;Argument[0];ReturnValue;taint"
       ]
   }
 }
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java b/java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java
@@ -196,7 +196,7 @@ void testPathSegment(PathSegment ps1, PathSegment ps2) {
     sink(taint(ps2).getPath()); // $ hasTaintFlow
   }
 
-  void testUriInfo(UriInfo ui) {
+  void testUriInfo(UriInfo ui, UriInfo untaintedUriInfo) throws Exception {
     ui = taint(ui);
     sink(ui.getPathParameters()); // $ hasTaintFlow
     sink(ui.getPathSegments()); // $ hasTaintFlow
@@ -206,6 +206,11 @@ void testUriInfo(UriInfo ui) {
     sink(ui.getQueryParameters().getFirst("someKey")); // $ hasTaintFlow
     sink(ui.getRequestUri()); // $ hasTaintFlow
     sink(ui.getRequestUriBuilder().build()); // $ hasTaintFlow
+    URI taintedUri = UriSource.taint();
+    URI untaintedUri = new URI("");
+    sink(untaintedUriInfo.relativize(taintedUri)); // $ hasTaintFlow
+    sink(untaintedUriInfo.resolve(taintedUri)); // $ hasTaintFlow
+    sink(ui.resolve(untaintedUri)); // $ hasTaintFlow
   }
 
   void testCookie() {
diff --git a/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.java b/java/ql/test/library-tests/frameworks/JaxWs/JaxRsFlow.java
@@ -192,7 +192,7 @@ void testPathSegment(PathSegment ps1, PathSegment ps2) {
     sink(taint(ps2).getPath()); // $ hasTaintFlow
   }
 
-  void testUriInfo(UriInfo ui) {
+  void testUriInfo(UriInfo ui, UriInfo untaintedUriInfo) throws Exception {
     ui = taint(ui);
     sink(ui.getPathParameters()); // $ hasTaintFlow
     sink(ui.getPathSegments()); // $ hasTaintFlow
@@ -202,6 +202,11 @@ void testUriInfo(UriInfo ui) {
     sink(ui.getQueryParameters().getFirst("someKey")); // $ hasTaintFlow
     sink(ui.getRequestUri()); // $ hasTaintFlow
     sink(ui.getRequestUriBuilder().build()); // $ hasTaintFlow
+    URI taintedUri = UriSource.taint();
+    URI untaintedUri = new URI("");
+    sink(untaintedUriInfo.relativize(taintedUri)); // $ hasTaintFlow
+    sink(untaintedUriInfo.resolve(taintedUri)); // $ hasTaintFlow
+    sink(ui.resolve(untaintedUri)); // $ hasTaintFlow
   }
 
   void testCookie() {
