Java: Add models for spring WebSocketHandler#20999
Open
Uh oh!
There was an error while loading. Please reload this page.
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| @@ -0,0 +1,16 @@ | |||
| import java | |||
| import semmle.code.java.dataflow.DataFlow | |||
Check warning
Code scanning / CodeQL
Redundant import Warning test
Contributor
Click to show differences in coveragejavaGenerated file changes for java
- `Spring <https://spring.io/>`_,``org.springframework.*``,38,486,143,26,,28,14,,35+ `Spring <https://spring.io/>`_,``org.springframework.*``,47,492,143,26,,28,14,,35- Totals,,330,26361,2656,404,16,128,33,1,409+ Totals,,339,26367,2656,404,16,128,33,1,409
+ org.springframework.web.socket,,9,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,6, |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds remote flow source models for Spring Framework's WebSocket API, enabling taint tracking through WebSocket handler methods. The changes model parameters of WebSocketHandler and AbstractWebSocketHandler methods as remote sources, and add taint propagation steps for related WebSocket types.
Key changes:
- Adds remote flow source models for WebSocketHandler interface methods and AbstractWebSocketHandler class methods
- Adds taint summary models for WebSocketSession and WebSocketMessage getter methods
- Includes comprehensive test stubs and test cases to validate the new models
Reviewed changes
Copilot reviewed 16 out of 17 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| java/ql/lib/ext/org.springframework.web.socket.model.yml | Defines source models for WebSocketHandler methods and summary models for taint propagation through WebSocket-related getters |
| java/ql/lib/change-notes/2025-12-08-spring-websocket-handler.md | Documents the addition of remote flow sources from the org.springframework.web.socket package |
| java/ql/test/stubs/springframework-5.8.x/org/springframework/web/socket/WebSocketHandler.java | Test stub for the WebSocketHandler interface |
| java/ql/test/stubs/springframework-5.8.x/org/springframework/web/socket/handler/AbstractWebSocketHandler.java | Test stub for the AbstractWebSocketHandler abstract class |
| java/ql/test/stubs/springframework-5.8.x/org/springframework/web/socket/handler/TextWebSocketHandler.java | Test stub for the TextWebSocketHandler class |
| java/ql/test/stubs/springframework-5.8.x/org/springframework/web/socket/WebSocketSession.java | Test stub for the WebSocketSession interface with various getter methods |
| java/ql/test/stubs/springframework-5.8.x/org/springframework/web/socket/WebSocketMessage.java | Test stub for the generic WebSocketMessage interface |
| java/ql/test/stubs/springframework-5.8.x/org/springframework/web/socket/AbstractWebSocketMessage.java | Test stub for the AbstractWebSocketMessage base class |
| java/ql/test/stubs/springframework-5.8.x/org/springframework/web/socket/TextMessage.java | Test stub for TextMessage with asBytes() method |
| java/ql/test/stubs/springframework-5.8.x/org/springframework/web/socket/BinaryMessage.java | Test stub for BinaryMessage |
| java/ql/test/stubs/springframework-5.8.x/org/springframework/web/socket/PongMessage.java | Test stub for PongMessage |
| java/ql/test/stubs/springframework-5.8.x/org/springframework/web/socket/CloseStatus.java | Test stub for CloseStatus class |
| java/ql/test/stubs/springframework-5.8.x/org/springframework/web/socket/WebSocketExtension.java | Test stub for WebSocketExtension class |
| java/ql/test/library-tests/frameworks/spring/websocket/Test.java | Test cases validating taint flow through WebSocket handler methods |
| java/ql/test/library-tests/frameworks/spring/websocket/test.ql | Test query configuration for inline flow tests |
| java/ql/test/library-tests/frameworks/spring/websocket/test.expected | Expected test results file (empty, will be generated) |
| java/ql/test/library-tests/frameworks/spring/websocket/options | Compiler options for the test |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
java/ql/test/library-tests/frameworks/spring/websocket/Test.java Outdated Show resolvedHide resolved
Uh oh!
There was an error while loading. Please reload this page.
java/ql/test/library-tests/frameworks/spring/websocket/Test.java Outdated Show resolvedHide resolved
Uh oh!
There was an error while loading. Please reload this page.
joefarebrotherforce-pushed the java-spring-websocket branch from f1721bb to 94fcee5CompareSign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds remote flow sources for parameters of
WebSocketHandlermethods, and taint steps for related types.