Fix SpringRequestMappingMethod URL Extraction: Use getAStringArrayValue Instead of getValue #19512
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR addresses an issue with URL extraction from Spring’s @RequestMapping annotations by switching from getStringValue to getAStringArrayValue, ensuring both single and array-typed values are correctly handled.
- Introduces a new method getArrayValue to extract array-based string values.
- Enhances the accuracy of URL extraction in CodeQL queries for Spring controllers.
Comments suppressed due to low confidence (1)
java/ql/lib/semmle/code/java/frameworks/spring/SpringController.qll:162
- The method getArrayValue is declared to return a single string despite extracting an array value. Confirm whether the intended design is to merge multiple values into one string, and consider adjusting the return type for clarity if necessary.
string getArrayValue() { result = requestMappingAnnotation.getAStringArrayValue("value") }
| @@ -156,6 +156,10 @@ class SpringRequestMappingMethod extends SpringControllerMethod { | |||
| /** Gets the "value" @RequestMapping annotation value, if present. */ | |||
| string getValue() { result = requestMappingAnnotation.getStringValue("value") } | |||
|
|
|||
|
|
|||
|
|
|||
| /** Gets the "value" @RequestMapping annotation array string value, if present. */ | |||
There was a problem hiding this comment.
Clarify in the documentation how getArrayValue behaves when multiple URL strings are present in the annotation, e.g., whether they are concatenated or handled in some other way.
Copilot uses AI. Check for mistakes.
|
@sentient0being Thank you for making this PR. I have a few questions from a very quick read of it.
|
|
@owen-mc Thank you for your review. This PR indeed adds a predicate for reading string array values, but it is not yet used in the code. My intention was to provide this functionality for the SpringRequestMappingMethod class to properly handle URL arrays in the Spring framework. |
|
Thanks again for this change - I've checked and it's all correct. I've added tests and a change note, changed the predicate name slightly and deprecated the original predicate (which doesn't work). I couldn't easily add all these changes to this PR so I've made a new PR #19556. |
Previously, the SpringRequestMappingMethod class in CodeQL used the getValue or getStringValue predicate to extract the "value" attribute from Spring's @RequestMapping and related annotations. However, in Spring, the "value" and "path" attributes are defined as String[] (string arrays), not single strings. This caused issues where URLs could not be extracted if they were specified as arrays.
This PR updates the relevant logic to use getAStringArrayValue, which correctly handles array-typed annotation elements and ensures all specified URLs are extracted, regardless of whether they are provided as single values or arrays. This change improves the accuracy and reliability of Spring controller route extraction in CodeQL queries.
spring-web-5.2.8.RELEASE
org.springframework.web.bind.annotation.RequestMappingor
https://github.com/spring-projects/spring-framework/blob/main/spring-web/src/main/java/org/springframework/web/bind/annotation/RequestMapping.java