Framework Spring

for JavaEE environment

Julia will translate the Spring annotations into its own, marking additional methods as entry points, keeping track of which data comes from an untrusted source, and recording which fields might be injected from the environment.

Required libraries: spring-web.jar and spring-beans.jar

Applicability

This specification gets automatically applied when:

  • the framework of the analysis contains the word java (case insensitive)
  • there exists an annotation that starts with org.springframework


Implications between annotations

Some annotations of this framework get translated automatically into standard Julia annotations, such that the analysis engine can react accordingly. Namely:

  • if an element is annotated with org.springframework.beans.factory.annotation.Autowired, Julia considers it to be annotated also with:
    • com.juliasoft.julia.extraction.Injected
  • if an element is annotated with org.springframework.beans.factory.annotation.Lookup, Julia considers it to be annotated also with:
    • com.juliasoft.julia.extraction.EntryPoint
  • if an element is annotated with org.springframework.beans.factory.annotation.Required, Julia considers it to be annotated also with:
    • com.juliasoft.julia.extraction.EntryPoint
  • if an element is annotated with org.springframework.beans.factory.annotation.Value, Julia considers it to be annotated also with:
    • com.juliasoft.julia.extraction.Injected
  • if an element is annotated with org.springframework.jmx.export.annotation.ManagedAttribute, Julia considers it to be annotated also with:
    • com.juliasoft.julia.extraction.EntryPoint
  • if an element is annotated with org.springframework.jmx.export.annotation.ManagedMetric, Julia considers it to be annotated also with:
    • com.juliasoft.julia.extraction.EntryPoint
  • if an element is annotated with org.springframework.jmx.export.annotation.ManagedOperation, Julia considers it to be annotated also with:
    • com.juliasoft.julia.extraction.EntryPoint
  • if an element is annotated with org.springframework.messaging.handler.annotation.MessageExceptionHandler, Julia considers it to be annotated also with:
    • com.juliasoft.julia.extraction.EntryPoint
  • if an element is annotated with org.springframework.web.bind.annotation.CookieValue, Julia considers it to be annotated also with:
    • com.juliasoft.julia.checkers.flows.UntrustedExternalStream
    • com.juliasoft.julia.checkers.flows.UntrustedUserInput
  • if an element is annotated with org.springframework.web.bind.annotation.DeleteMapping, Julia considers it to be annotated also with:
    • com.juliasoft.julia.extraction.EntryPoint
  • if an element is annotated with org.springframework.web.bind.annotation.ExceptionHandler, Julia considers it to be annotated also with:
    • com.juliasoft.julia.extraction.EntryPoint
  • if an element is annotated with org.springframework.web.bind.annotation.GetMapping, Julia considers it to be annotated also with:
    • com.juliasoft.julia.extraction.EntryPoint
  • if an element is annotated with org.springframework.web.bind.annotation.PatchMapping, Julia considers it to be annotated also with:
    • com.juliasoft.julia.extraction.EntryPoint
  • if an element is annotated with org.springframework.web.bind.annotation.PostMapping, Julia considers it to be annotated also with:
    • com.juliasoft.julia.extraction.EntryPoint
  • if an element is annotated with org.springframework.web.bind.annotation.PutMapping, Julia considers it to be annotated also with:
    • com.juliasoft.julia.extraction.EntryPoint
  • if an element is annotated with org.springframework.web.bind.annotation.RequestAttribute, Julia considers it to be annotated also with:
    • com.juliasoft.julia.checkers.flows.UntrustedUserInput
  • if an element is annotated with org.springframework.web.bind.annotation.RequestBody, Julia considers it to be annotated also with:
    • com.juliasoft.julia.checkers.flows.UntrustedUserInput
  • if an element is annotated with org.springframework.web.bind.annotation.RequestHeader, Julia considers it to be annotated also with:
    • com.juliasoft.julia.checkers.flows.UntrustedUserInput
  • if an element is annotated with org.springframework.web.bind.annotation.RequestParam, Julia considers it to be annotated also with:
    • com.juliasoft.julia.checkers.flows.UntrustedUserInput
  • if an element is annotated with org.springframework.web.bind.annotation.RequestPart, Julia considers it to be annotated also with:
    • com.juliasoft.julia.checkers.flows.UntrustedUserInput
  • if an element is annotated with org.springframework.web.bind.annotation.SessionAttribute, Julia considers it to be annotated also with:
    • com.juliasoft.julia.checkers.flows.UntrustedUserInput


Specifications on application code

These are conditions that, if satisfied on a given program component, will cause the specified annotations to be placed on that component. They annotate only program components coming from the application under analysis, not those coming from the libraries. This framework defines the following specifications:

  • annotate any method that satisfies the following:
      that has an annotation whose name is equal to org.springframework.web.bind.annotation.RequestMapping
    with:
    • com.juliasoft.julia.extraction.EntryPoint
  • annotate any method parameter that satisfies the following:
      that has an annotation whose name is equal to org.springframework.web.bind.annotation.ModelAttribute
    with:
    • com.juliasoft.julia.checkers.flows.UntrustedUserInput
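As an added illustration of how the implications above and the two application-code specifications land on real Spring code, here is a small controller written for this page (it is not code from Julia or from the Spring project). The comments state which Julia annotation each element receives according to the tables above. The package, class and method names, the `reports.base-dir` property and the `ReportRepository` and `ReportForm` types are assumptions made for the example; whether the validation in `readChecked` is recognized as a sanitizer by the flow checkers is not stated on this page and is also an assumption.

```java
package example; // hypothetical package for this illustration

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.web.bind.annotation.CookieValue;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/reports")
public class ReportController {

    // @Autowired field -> com.juliasoft.julia.extraction.Injected:
    // the container supplies this value, no application code assigns it.
    @Autowired
    private ReportRepository repository;

    // @Value field -> Injected as well; read from configuration at runtime
    // (the property name is an assumption of this example).
    @Value("${reports.base-dir}")
    private String baseDir;

    // @GetMapping method -> com.juliasoft.julia.extraction.EntryPoint:
    // reachable without any call site in the application.
    // @RequestParam parameter -> checkers.flows.UntrustedUserInput: `name` is tainted from the start.
    @GetMapping("/raw")
    public String readRaw(@RequestParam("name") String name) throws IOException {
        // The tainted value reaches a file-system read unchanged; this is the
        // kind of flow the untrusted-source tracking exists to surface.
        Path p = Paths.get(baseDir, name);
        return Files.readString(p);
    }

    // Same entry-point shape, with the untrusted value constrained before use.
    @GetMapping("/safe")
    public String readChecked(@RequestParam("name") String name) throws IOException {
        Path base = Paths.get(baseDir).toAbsolutePath().normalize();
        Path p = base.resolve(name).normalize();
        // Only a plain file directly inside the configured directory is accepted.
        if (p.getParent() == null || !p.getParent().equals(base)) {
            throw new IllegalArgumentException("invalid report name");
        }
        return Files.readString(p);
    }

    // @CookieValue parameter -> both checkers.flows.UntrustedExternalStream
    // and checkers.flows.UntrustedUserInput.
    @GetMapping("/me")
    public String whoAmI(@CookieValue("session") String session) {
        return repository.ownerOf(session);
    }

    // @RequestMapping on a method -> EntryPoint, by the first application-code specification.
    // @ModelAttribute parameter -> UntrustedUserInput, by the second one.
    @RequestMapping(method = RequestMethod.POST)
    public String create(@ModelAttribute ReportForm form) {
        return repository.save(form.getTitle());
    }
}

// Minimal collaborators so the file is self-contained (assumed types, not Spring or Julia APIs).
interface ReportRepository {
    String ownerOf(String session);
    String save(String title);
}

class ReportForm {
    private String title;
    public String getTitle() { return title; }
    public void setTitle(String title) { this.title = title; }
}
```

Reading the example against the tables: `readRaw`, `readChecked`, `whoAmI` and `create` are all analysed as entry points even though nothing in the application calls them, every `@RequestParam`, `@CookieValue` and `@ModelAttribute` argument starts out untrusted, and the two injected fields are treated as values that arrive from outside the visible code rather than as uninitialized. The `/raw` and `/safe` handlers differ only in the check on `name`, which is the point where a flow from an untrusted source is either propagated or cut off.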