
Java: Add models for spring WebSocketHandler #20999


Open
joefarebrother wants to merge 6 commits into github:main from joefarebrother:java-spring-websocket

Conversation

@joefarebrother (Contributor)

Adds remote flow sources for parameters of WebSocketHandler methods, and taint steps for related types.

joefarebrother requested a review from a team as a code owner, December 9, 2025 13:50
Copilot AI review requested due to automatic review settings, December 9, 2025 13:50
@@ -0,0 +1,16 @@
import java
import semmle.code.java.dataflow.DataFlow
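Review bot: the `import semmle.code.java.dataflow.DataFlow` line in this new test.ql is redundant, as the code scanning alert on this file points out: both semmle.code.java.dataflow.FlowSources and utils.test.InlineFlowTest already bring DataFlow into scope. Drop the line so the test file does not land with a CodeQL warning raised by the repository's own queries.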

Check warning (Code scanning / CodeQL): Redundant import (test)
Redundant import, the module is already imported inside semmle.code.java.dataflow.FlowSources.
Redundant import, the module is already imported inside utils.test.InlineFlowTest.
@github-actions (Contributor)

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Generated file changes for java:

  • Changes to framework-coverage-java.rst:
-    `Spring <https://spring.io/>`_,``org.springframework.*``,38,486,143,26,,28,14,,35+    `Spring <https://spring.io/>`_,``org.springframework.*``,47,492,143,26,,28,14,,35-    Totals,,330,26361,2656,404,16,128,33,1,409+    Totals,,339,26367,2656,404,16,128,33,1,409
  • Changes to framework-coverage-java.csv:
+ org.springframework.web.socket,,9,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,6,
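Review bot: the report is internally consistent: in framework-coverage-java.rst the Spring row moves 38 to 47 and 486 to 492, and the Totals row 330 to 339 and 26361 to 26367, which are the same +9 and +6 deltas as the new org.springframework.web.socket row in the csv (9, 6). If the review suggestions to also model handlePongMessage and toStringPayload are taken up, these counts move again; since the nightly job regenerates the report after merge, nothing here needs hand-editing.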

Copilot AI (Contributor) left a comment

Pull request overview

This PR adds remote flow source models for Spring Framework's WebSocket API, enabling taint tracking through WebSocket handler methods. The changes model parameters of WebSocketHandler and AbstractWebSocketHandler methods as remote sources, and add taint propagation steps for related WebSocket types.

Key changes:

  • Adds remote flow source models for WebSocketHandler interface methods and AbstractWebSocketHandler class methods
  • Adds taint summary models for WebSocketSession and WebSocketMessage getter methods
  • Includes comprehensive test stubs and test cases to validate the new models

Reviewed changes

Copilot reviewed 16 out of 17 changed files in this pull request and generated 2 comments.

Summary per file:

  • java/ql/lib/ext/org.springframework.web.socket.model.yml: Defines source models for WebSocketHandler methods and summary models for taint propagation through WebSocket-related getters
  • java/ql/lib/change-notes/2025-12-08-spring-websocket-handler.md: Documents the addition of remote flow sources from the org.springframework.web.socket package
  • java/ql/test/stubs/springframework-5.8.x/org/springframework/web/socket/WebSocketHandler.java: Test stub for the WebSocketHandler interface
  • java/ql/test/stubs/springframework-5.8.x/org/springframework/web/socket/handler/AbstractWebSocketHandler.java: Test stub for the AbstractWebSocketHandler abstract class
  • java/ql/test/stubs/springframework-5.8.x/org/springframework/web/socket/handler/TextWebSocketHandler.java: Test stub for the TextWebSocketHandler class
  • java/ql/test/stubs/springframework-5.8.x/org/springframework/web/socket/WebSocketSession.java: Test stub for the WebSocketSession interface with various getter methods
  • java/ql/test/stubs/springframework-5.8.x/org/springframework/web/socket/WebSocketMessage.java: Test stub for the generic WebSocketMessage interface
  • java/ql/test/stubs/springframework-5.8.x/org/springframework/web/socket/AbstractWebSocketMessage.java: Test stub for the AbstractWebSocketMessage base class
  • java/ql/test/stubs/springframework-5.8.x/org/springframework/web/socket/TextMessage.java: Test stub for TextMessage with asBytes() method
  • java/ql/test/stubs/springframework-5.8.x/org/springframework/web/socket/BinaryMessage.java: Test stub for BinaryMessage
  • java/ql/test/stubs/springframework-5.8.x/org/springframework/web/socket/PongMessage.java: Test stub for PongMessage
  • java/ql/test/stubs/springframework-5.8.x/org/springframework/web/socket/CloseStatus.java: Test stub for CloseStatus class
  • java/ql/test/stubs/springframework-5.8.x/org/springframework/web/socket/WebSocketExtension.java: Test stub for WebSocketExtension class
  • java/ql/test/library-tests/frameworks/spring/websocket/Test.java: Test cases validating taint flow through WebSocket handler methods
  • java/ql/test/library-tests/frameworks/spring/websocket/test.ql: Test query configuration for inline flow tests
  • java/ql/test/library-tests/frameworks/spring/websocket/test.expected: Expected test results file (empty, will be generated)
  • java/ql/test/library-tests/frameworks/spring/websocket/options: Compiler options for the test
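As an added illustration of the kind of application code these models make visible to Java queries (this is not the PR's Test.java and not code from the CodeQL project; the Spring types are the real org.springframework.web.socket ones, while LookupHandler, BASE_DIR and the file-lookup behaviour are assumptions made for the example), here is a TextWebSocketHandler whose message payload reaches a file-system sink, with the unsafe and the hardened path resolution side by side:

```java
package example;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

import org.springframework.web.socket.CloseStatus;
import org.springframework.web.socket.TextMessage;
import org.springframework.web.socket.WebSocketSession;
import org.springframework.web.socket.handler.TextWebSocketHandler;

/**
 * Illustrative handler (an assumption for this example, not from the PR): the client
 * sends a relative file name over the WebSocket and receives the file's contents.
 */
public class LookupHandler extends TextWebSocketHandler {

    // Assumed document root for the example.
    static final Path BASE_DIR = Paths.get("/var/app/public").toAbsolutePath().normalize();

    // With the new models, Parameter[1] of handleTextMessage (the TextMessage) is a
    // remote flow source and getPayload() propagates taint from it, so `requested`
    // is attacker-controlled from CodeQL's point of view.
    @Override
    protected void handleTextMessage(WebSocketSession session, TextMessage message) throws IOException {
        String requested = message.getPayload();

        Path target = resolveUnderBase(requested);
        if (target == null) {
            // Traversal attempt such as "../../etc/passwd": refuse before touching the disk.
            session.close(CloseStatus.POLICY_VIOLATION);
            return;
        }
        session.sendMessage(new TextMessage(Files.readAllBytes(target)));
    }

    /** Unsafe variant, kept only for comparison: resolve() follows ".." straight out of BASE_DIR. */
    static Path resolveUnsafe(String requested) {
        return BASE_DIR.resolve(requested); // path-injection sink reachable from the payload
    }

    /**
     * Hardened variant: normalize first, then require the result to stay inside BASE_DIR.
     * Returns null when the client tried to escape, including with an absolute path,
     * because resolve() returns an absolute argument unchanged.
     */
    static Path resolveUnderBase(String requested) {
        Path candidate = BASE_DIR.resolve(requested).normalize();
        return candidate.startsWith(BASE_DIR) ? candidate : null;
    }
}
```

A path-injection query running with these models reports the flow from the handleTextMessage parameter into resolveUnsafe, while the resolveUnderBase path is cut off by the normalize-then-startsWith check; an input of "../../etc/passwd" or "/etc/passwd" both yield null there and the session is closed with a policy violation instead of a file read.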


@owen-mc (Contributor) left a comment

Overall very good. Two suggestions for extra things to model.

Comment on lines +11 to +14
- ["org.springframework.web.socket.handler", "AbstractWebSocketHandler", True, "handleBinaryMessage", "", "", "Parameter[0]", "remote", "manual"]
- ["org.springframework.web.socket.handler", "AbstractWebSocketHandler", True, "handleBinaryMessage", "", "", "Parameter[1]", "remote", "manual"]
- ["org.springframework.web.socket.handler", "AbstractWebSocketHandler", True, "handleTextMessage", "", "", "Parameter[0]", "remote", "manual"]
- ["org.springframework.web.socket.handler", "AbstractWebSocketHandler", True, "handleTextMessage", "", "", "Parameter[1]", "remote", "manual"]
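Review bot: the `True` in the subtypes column is what makes these four rows useful: application code never calls AbstractWebSocketHandler.handleTextMessage or handleBinaryMessage itself, it overrides them, so only a subtypes-inclusive model marks the parameters of that override as remote sources. Worth having Test.java cover both a class extending TextWebSocketHandler (a stub for it is in this PR) and one extending AbstractWebSocketHandler directly, so the one-level and two-level overrides are both exercised.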
Contributor:

  • You can make this more concise by using Parameter[0,1] or Parameter[0..1].
  • I think you should also model handlePongMessage, as it can have a string payload. It's generally just compared to what was sent in a ping message, but I suppose it might be logged or something.

pack: codeql/java-all
extensible: summaryModel
data:
- ["org.springframework.web.socket", "TextMessage", True, "asBytes", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
Contributor:

Suggested change
-["org.springframework.web.socket", "TextMessage", True, "asBytes", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
-["org.springframework.web.socket", "AbstractWebSocketMessage", True, "toStringPayload", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
-["org.springframework.web.socket", "TextMessage", True, "asBytes", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
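Review bot: the rendering has dropped this suggestion's diff markers; the first asBytes row is the line being replaced and the toStringPayload and asBytes rows below it are its replacement, so the net effect is one added summary row, not a removal. Because the new row sits on AbstractWebSocketMessage with subtypes True, it covers toStringPayload on TextMessage, BinaryMessage and PongMessage alike (the stubs in this PR list AbstractWebSocketMessage as their base class), so no per-subclass rows are needed.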


Reviewers
Copilot: left review comments
@owen-mc: approved these changes

Assignees: no one assigned
Projects: none yet
Milestone: no milestone

2 participants: @joefarebrother, @owen-mc
