Merge pull request #20999 from joefarebrother/java-spring-websocket

Java: Add models for spring WebSocketHandler

Author: owen-mc

java/ql/lib/change-notes/2025-12-08-spring-websocket-handler.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Additional remote flow sources from the `org.springframework.web.socket` package have been modeled. 

java/ql/lib/ext/org.springframework.web.socket.model.yml

@@ -0,0 +1,23 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+    data:
+     - ["org.springframework.web.socket", "WebSocketHandler", True, "afterConnectionClosed", "", "", "Parameter[0]", "remote", "manual"]
+     - ["org.springframework.web.socket", "WebSocketHandler", True, "afterConnectionEstablished", "", "", "Parameter[0]", "remote", "manual"]
+     - ["org.springframework.web.socket", "WebSocketHandler", True, "handleMessage", "", "", "Parameter[0]", "remote", "manual"]
+     - ["org.springframework.web.socket", "WebSocketHandler", True, "handleMessage", "", "", "Parameter[1]", "remote", "manual"]
+     - ["org.springframework.web.socket", "WebSocketHandler", True, "handleTransportError", "", "", "Parameter[0]", "remote", "manual"]
+     - ["org.springframework.web.socket.handler", "AbstractWebSocketHandler", True, "handleBinaryMessage", "", "", "Parameter[0..1]", "remote", "manual"]
+     - ["org.springframework.web.socket.handler", "AbstractWebSocketHandler", True, "handlePongMessage", "", "", "Parameter[0..1]", "remote", "manual"]
+     - ["org.springframework.web.socket.handler", "AbstractWebSocketHandler", True, "handleTextMessage", "", "", "Parameter[0..1]", "remote", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["org.springframework.web.socket", "TextMessage", True, "asBytes", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["org.springframework.web.socket", "WebSocketMessage", True, "getPayload", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["org.springframework.web.socket", "WebSocketSession", True, "getAcceptedProtocol", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["org.springframework.web.socket", "WebSocketSession", True, "getHandshakeHeaders", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["org.springframework.web.socket", "WebSocketSession", True, "getPrincipal", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["org.springframework.web.socket", "WebSocketSession", True, "getUri", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]

java/ql/test/library-tests/frameworks/spring/websocket/Test.java

@@ -0,0 +1,64 @@
+
+import org.springframework.web.socket.handler.TextWebSocketHandler;
+import org.springframework.web.socket.WebSocketSession;
+import org.springframework.web.socket.WebSocketMessage;
+import org.springframework.web.socket.TextMessage;
+import org.springframework.web.socket.BinaryMessage;
+import org.springframework.web.socket.PongMessage;
+import org.springframework.web.socket.CloseStatus;
+
+
+public class Test  {
+    void sink(Object o) {}
+
+    public class A extends TextWebSocketHandler {
+        @Override
+        public void handleMessage(WebSocketSession s, WebSocketMessage<?> m) {
+            sink(s); // $hasTaintFlow
+            sink(s.getAcceptedProtocol()); // $hasTaintFlow
+            sink(s.getHandshakeHeaders()); // $hasTaintFlow
+            sink(s.getPrincipal()); // $hasTaintFlow
+            sink(s.getUri()); // $hasTaintFlow
+
+            sink(m); // $hasTaintFlow
+            sink(m.getPayload()); // $hasTaintFlow
+
+        }
+
+        @Override 
+        protected void handleTextMessage(WebSocketSession s, TextMessage m) {
+            sink(s);  // $hasTaintFlow
+            sink(m);  // $hasTaintFlow
+            sink(m.asBytes()); // $hasTaintFlow
+        }
+
+        @Override 
+        protected void handleBinaryMessage(WebSocketSession s, BinaryMessage m) {
+            sink(s); // $hasTaintFlow
+            sink(m); // $hasTaintFlow
+        }
+
+        @Override
+        protected void handlePongMessage(WebSocketSession s, PongMessage m) {
+            sink(s); // $hasTaintFlow
+            sink(m); // $hasTaintFlow
+        }
+
+        @Override
+        public void afterConnectionEstablished(WebSocketSession s) {
+            sink(s); // $hasTaintFlow
+        }
+
+        @Override 
+        public void afterConnectionClosed(WebSocketSession s, CloseStatus c) {
+            sink(s); // $hasTaintFlow
+        }
+
+        @Override 
+        public void handleTransportError(WebSocketSession s, Throwable exc) { 
+            sink(s);  // $hasTaintFlow
+        }
+
+    }
+
+}

java/ql/test/library-tests/frameworks/spring/websocket/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.8.x:${testdir}/../../../../stubs/javax-servlet-2.5:${testdir}/../../../../stubs/apache-commons-logging-1.2

java/ql/test/library-tests/frameworks/spring/websocket/test.expected

@@ -0,0 +1,16 @@
+import java
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.FlowSources
+import utils.test.InlineFlowTest
+
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) {
+    DefaultFlowConfig::isSource(node)
+    or
+    node instanceof ActiveThreatModelSource
+  }
+
+  predicate isSink = DefaultFlowConfig::isSink/1;
+}
+
+import FlowTest<DefaultFlowConfig, Config>