Initial support for Play Framework > 2.6.x

Author: torque59

java/ql/src/semmle/code/java/dataflow/FlowSources.qll

@@ -17,6 +17,8 @@ import semmle.code.java.frameworks.android.WebView
 import semmle.code.java.frameworks.JaxWS
 import semmle.code.java.frameworks.javase.WebSocket
 import semmle.code.java.frameworks.android.Intent
+import semmle.code.java.frameworks.play.PlayController
+import semmle.code.java.frameworks.play.PlayHTTPRequestHeader
 import semmle.code.java.frameworks.spring.SpringWeb
 import semmle.code.java.frameworks.spring.SpringController
 import semmle.code.java.frameworks.spring.SpringWebClient
@@ -122,6 +124,18 @@ private class SpringMultipartRequestSource extends RemoteFlowSource {
   override string getSourceType() { result = "Spring MultipartRequest getter" }
 }
 
+class PlayParameterSource extends RemoteFlowSource {
+  PlayParameterSource() {
+    exists(PlayActionQueryParameter p | p = this.asParameter())
+    or
+    exists(PlayHTTPRequestHeaderMethods m |
+      m.hasName("getQueryString") and m.getAParameter() = this.asParameter()
+    )
+  }
+
+  override string getSourceType() { result = "Play Query Parameters" }
+}
+
 private class SpringMultipartFileSource extends RemoteFlowSource {
   SpringMultipartFileSource() {
     exists(MethodAccess ma, Method m |
@@ -245,6 +259,7 @@ private class RemoteTaintedMethod extends Method {
     this instanceof HttpServletRequestGetRequestURIMethod or
     this instanceof HttpServletRequestGetRequestURLMethod or
     this instanceof HttpServletRequestGetRemoteUserMethod or
+    this instanceof PlayRequestGetMethod or
     this instanceof SpringWebRequestGetMethod or
     this instanceof SpringRestTemplateResponseEntityMethod or
     this instanceof ServletRequestGetBodyMethod or
@@ -264,6 +279,13 @@ private class RemoteTaintedMethod extends Method {
   }
 }
 
+private class PlayRequestGetMethod extends PlayHTTPRequestHeaderMethods {
+  PlayRequestGetMethod() {
+    this.hasName("Header") or
+    this.hasName("getQueryString")
+  }
+}
+
 private class SpringWebRequestGetMethod extends Method {
   SpringWebRequestGetMethod() {
     exists(SpringWebRequest swr | this = swr.getAMethod() |

java/ql/src/semmle/code/java/frameworks/play/Play.qll

@@ -0,0 +1,9 @@
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.frameworks.play.PlayController
+import semmle.code.java.frameworks.play.PlayAddCSRFToken
+import semmle.code.java.frameworks.play.PlayAsyncResult
+import semmle.code.java.frameworks.play.PlayBodyParser
+import semmle.code.java.frameworks.play.PlayHTTPRequestHeader
+import semmle.code.java.frameworks.play.PlayMVCResult
+import semmle.code.java.frameworks.play.PlayMVCResults

java/ql/src/semmle/code/java/frameworks/play/PlayAddCSRFToken.qll

@@ -0,0 +1,13 @@
+import java
+
+/**
+ * Play Framework AddCSRFToken
+ *
+ * @description Gets the methods using AddCSRFToken annotation.
+ * (https://www.playframework.com/documentation/2.6.x/JavaBodyParsers#Choosing-an-explicit-body-parser)
+ */
+class PlayAddCSRFTokenAnnotation extends Annotation {
+  PlayAddCSRFTokenAnnotation() {
+    this.getType().hasQualifiedName("play.filters.csrf", "AddCSRFToken")
+  }
+}

java/ql/src/semmle/code/java/frameworks/play/PlayAsyncResult.qll

@@ -0,0 +1,30 @@
+import java
+
+/**
+ * Play Framework Async Promise of Generic Result
+ *
+ * @description Gets the Promise<Result> Generic Type of (play.libs.F), This is async in 2.6x and below.
+ * (https://www.playframework.com/documentation/2.5.1/api/java/play/libs/F.Promise.html)
+ */
+class PlayAsyncResultPromise extends Member {
+  PlayAsyncResultPromise() {
+    exists(Class c |
+      c.hasQualifiedName("play.libs", "F") and
+      this = c.getAMember() and
+      this.getQualifiedName() = "F.Promise<Result>"
+    )
+  }
+}
+
+/**
+ * Play Framework Async Generic Result extending generic promise API called CompletionStage.
+ *
+ * @description Gets the CompletionStage<Result> Generic Type of (java.util.concurrent)
+ * (https://www.playframework.com/documentation/2.6.x/JavaAsync)
+ */
+class PlayAsyncResultCompletionStage extends Type {
+  PlayAsyncResultCompletionStage() {
+    this.hasName("CompletionStage<Result>") and
+    this.getCompilationUnit().getPackage().hasName("java.util.concurrent")
+  }
+}

java/ql/src/semmle/code/java/frameworks/play/PlayBodyParser.qll

@@ -0,0 +1,11 @@
+import java
+
+/**
+ * Play Framework Explicit Body Parser
+ *
+ * @description Gets the methods using the explicit body parser annotation. The methods are usually controller action methods
+ * (https://www.playframework.com/documentation/2.8.x/JavaBodyParsers#Choosing-an-explicit-body-parser)
+ */
+class PlayBodyParserAnnotation extends Annotation {
+  PlayBodyParserAnnotation() { this.getType().hasQualifiedName("play.mvc", "BodyParser<>$Of") }
+}

java/ql/src/semmle/code/java/frameworks/play/PlayController.qll

@@ -0,0 +1,55 @@
+import java
+import semmle.code.java.frameworks.play.PlayAsyncResult
+import semmle.code.java.frameworks.play.PlayMVCResult
+
+/**
+ * Play MVC Framework Controller
+ *
+ * @description Gets the play.mvc.Controller class
+ */
+class PlayMVCControllerClass extends Class {
+  PlayMVCControllerClass() { this.hasQualifiedName("play.mvc", "Controller") }
+}
+
+/**
+ * Play Framework Controller which extends/implements
+ *
+ * @description Gets the classes which extends play.mvc.controller rescursively.
+ */
+class PlayController extends Class {
+  PlayController() {
+    exists(Class t | this.extendsOrImplements*(t) and t instanceof PlayMVCControllerClass)
+  }
+}
+
+/**
+ * Play Framework Controller Action Methods
+ *
+ * @description Gets the controller action methods defined against it.
+ * (https://www.playframework.com/documentation/2.8.x/JavaActions)
+ * @tip Checking for Public methods usually retrieves direct controller mapped methods defined in routes.
+ */
+class PlayControllerActionMethod extends Method {
+  PlayControllerActionMethod() {
+    exists(PlayController controller |
+      this = controller.getAMethod() and
+      (
+        this.getReturnType() instanceof PlayAsyncResultPromise or
+        this.getReturnType() instanceof PlayMVCResult or
+        this.getReturnType() instanceof PlayAsyncResultCompletionStage
+      )
+    )
+  }
+}
+
+/**
+ * Play Action-Method parameters, these are essentially part of routes.
+ */
+class PlayActionQueryParameter extends Parameter {
+  PlayActionQueryParameter() {
+    exists(PlayControllerActionMethod a |
+      a.isPublic() and
+      this = a.getAParameter()
+    )
+  }
+}

java/ql/src/semmle/code/java/frameworks/play/PlayHTTPRequestHeader.qll

@@ -0,0 +1,20 @@
+import java
+
+/**
+ * Play MVC Framework HTTP Request Header
+ *
+ * @description Member of play.mvc.HTTP. Gets the play.mvc.HTTP$RequestHeader class/interface
+ */
+class PlayMVCHTTPRequestHeader extends RefType {
+  PlayMVCHTTPRequestHeader() { this.hasQualifiedName("play.mvc", "Http$RequestHeader") }
+}
+
+/**
+ * Play Framework HTTP$RequestHeader Methods
+ *
+ * @description Gets the methods of play.mvc.HTTP$RequestHeader like - headers, getQueryString, getHeader, uri
+ * (https://www.playframework.com/documentation/2.6.0/api/java/play/mvc/Http.RequestHeader.html)
+ */
+class PlayHTTPRequestHeaderMethods extends Method {
+  PlayHTTPRequestHeaderMethods() { this.getDeclaringType() instanceof PlayMVCHTTPRequestHeader }
+}

java/ql/src/semmle/code/java/frameworks/play/PlayMVCResult.qll

@@ -0,0 +1,11 @@
+import java
+
+/**
+ * Play MVC Framework Result
+ *
+ * @description Gets the play.mvc.Result class - Used to set a HTTP result with a status code, a set of HTTP headers and a body to be sent to the web client.
+ * (https://www.playframework.com/documentation/2.8.x/JavaActions)
+ */
+class PlayMVCResult extends Class {
+  PlayMVCResult() { this.hasQualifiedName("play.mvc", "Result") }
+}

java/ql/src/semmle/code/java/frameworks/play/PlayMVCResults.qll

@@ -0,0 +1,35 @@
+import java
+
+/**
+ * Play MVC Framework Results
+ *
+ * @description Gets the play.mvc.Results class - Helper utilities to generate results
+ * (https://www.playframework.com/documentation/2.8.x/JavaActions)
+ */
+class PlayMVCResults extends Class {
+  PlayMVCResults() { this.hasQualifiedName("play.mvc", "Results") }
+}
+
+/**
+ * Play Framework mvc.Results Methods
+ *
+ * @description Gets the methods of play.mvc.Results like - ok, status, redirect etc.
+ * (https://www.playframework.com/documentation/2.5.8/api/java/play/mvc/Results.html)
+ */
+class PlayHTTPResultsMethods extends Method {
+  PlayHTTPResultsMethods() { this.getDeclaringType() instanceof PlayMVCResults }
+
+  /**
+   * Gets all references to play.mvc.Results ok method
+   */
+  MethodAccess ok() {
+    exists(MethodAccess ma | ma = this.getAReference() and this.hasName("ok") | result = ma)
+  }
+
+  /**
+   * Gets all references to play.mvc.Results redirect method
+   */
+  MethodAccess redirect() {
+    exists(MethodAccess ma | ma = this.getAReference() and this.hasName("redirect") | result = ma)
+  }
+}

java/ql/test/library-tests/dataflow/taintsources/PlayResource.java

@@ -0,0 +1,14 @@
+import play.mvc.Controller;
+import play.mvc.Result;
+import play.filters.csrf.AddCSRFToken;
+import java.util.concurrent.CompletionStage;
+
+
+public class PlayResource extends Controller {
+
+    @AddCSRFToken
+    public Result play_index(String username, String password) {
+        String append_token = "password" + password;
+        ok("Working");
+      }
+}