
Commit 03348b1

Simplified TaintPropagatingJexlMethodCall
1 parent a47147b commit 03348b1

1 file changed

Lines changed: 48 additions & 82 deletions


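--- a/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll
@@ -59,29 +59,26 @@ private class JexlEvaluationSink extends DataFlow::ExprNode {
 * from Jexl library.
 */
 private class TaintPropagatingJexlMethodCall extends MethodAccess {
-string methodName;
-RefType instanceType;
 Expr taintFromExpr;
 
 TaintPropagatingJexlMethodCall() {
-exists(Method m |
+exists(Method m, RefType taintType |
 this.getMethod() = m and
-m.getDeclaringType() = instanceType and
-m.hasName(methodName)
+taintType = taintFromExpr.getType()
 |
-isMethodForCreatingJexlScript(instanceType, methodName) and
+m instanceof CreateJexlScriptMethod and
 taintFromExpr = this.getArgument(0) and
-taintFromExpr.getType() instanceof TypeString
+taintType instanceof TypeString
 or
-isMethodForCreatingJexlCallable(instanceType, methodName) and
+m instanceof CreateJexlCallableMethod and
 taintFromExpr = this.getQualifier()
 or
-isMethodForCreatingJexlExpression(instanceType, methodName) and
+m instanceof CreateJexlExpressionMethod and
 taintFromExpr = this.getAnArgument() and
-taintFromExpr.getType() instanceof TypeString
+taintType instanceof TypeString
 or
-isMethodForCreatingJexlTemplate(instanceType, methodName) and
-(taintFromExpr.getType() instanceof TypeString or taintFromExpr.getType() instanceof Reader) and
+m instanceof CreateJexlTemplateMethod and
+(taintType instanceof TypeString or taintType instanceof Reader) and
 taintFromExpr = this.getArgument([0, 1])
 )
 }
@@ -95,39 +92,6 @@ private class TaintPropagatingJexlMethodCall extends MethodAccess {
 }
 }
 
-/**
-* Checks if `instanceType.methodName()` method creates a Jexl script.
-*/
-private predicate isMethodForCreatingJexlScript(RefType instanceType, string methodName) {
-instanceType instanceof JexlEngine and methodName = "createScript"
-}
-
-/**
-* Checks if `instanceType.methodName()` method creates a `Callable` for a Jexl expression or script.
-*/
-private predicate isMethodForCreatingJexlCallable(RefType instanceType, string methodName) {
-(instanceType instanceof JexlExpression or instanceType instanceof JexlScript) and
-methodName = "callable"
-}
-
-/**
-* Checks if `instanceType.methodName()` method creates a Jexl template.
-*/
-private predicate isMethodForCreatingJexlTemplate(RefType instanceType, string methodName) {
-(instanceType instanceof JxltEngine or instanceType instanceof UnifiedJexl) and
-methodName = "createTemplate"
-}
-
-/**
-* Checks if `instanceType.methodName()` method creates a Jexl expression.
-*/
-private predicate isMethodForCreatingJexlExpression(RefType instanceType, string methodName) {
-(instanceType instanceof JexlEngine or instanceType instanceof JxltEngine) and
-methodName = "createExpression"
-or
-instanceType instanceof UnifiedJexl and methodName = "parse"
-}
-
 /**
 * Holds if `fromNode` to `toNode` is a dataflow step that returns data from
 * a tainted bean by calling one of its getters.
@@ -160,28 +124,23 @@ abstract private class DirectJexlEvaluationMethod extends Method { }
 */
 private class JexlExpressionEvaluateMethod extends DirectJexlEvaluationMethod {
 JexlExpressionEvaluateMethod() {
-getDeclaringType() instanceof JexlExpression and
-hasName("evaluate")
+getDeclaringType() instanceof JexlExpression and hasName("evaluate")
 }
 }
 
 /**
 * A method in the `JexlScript` class that executes a Jexl script.
 */
 private class JexlScriptExecuteMethod extends DirectJexlEvaluationMethod {
-JexlScriptExecuteMethod() {
-getDeclaringType() instanceof JexlScript and
-hasName("execute")
-}
+JexlScriptExecuteMethod() { getDeclaringType() instanceof JexlScript and hasName("execute") }
 }
 
 /**
 * A method in the `JxltEngine.Expression` class that evaluates an expression.
 */
 private class JxltEngineExpressionEvaluateMethod extends DirectJexlEvaluationMethod {
 JxltEngineExpressionEvaluateMethod() {
-getDeclaringType() instanceof JxltEngineExpression and
-hasName("evaluate")
+getDeclaringType() instanceof JxltEngineExpression and hasName("evaluate")
 }
 }
 
@@ -190,8 +149,7 @@ private class JxltEngineExpressionEvaluateMethod extends DirectJexlEvaluationMet
 */
 private class JxltEngineExpressionPrepareMethod extends DirectJexlEvaluationMethod {
 JxltEngineExpressionPrepareMethod() {
-getDeclaringType() instanceof JxltEngineExpression and
-hasName("prepare")
+getDeclaringType() instanceof JxltEngineExpression and hasName("prepare")
 }
 }
 
@@ -200,8 +158,7 @@ private class JxltEngineExpressionPrepareMethod extends DirectJexlEvaluationMeth
 */
 private class JxltEngineTemplateEvaluateMethod extends DirectJexlEvaluationMethod {
 JxltEngineTemplateEvaluateMethod() {
-getDeclaringType() instanceof JxltEngineTemplate and
-hasName("evaluate")
+getDeclaringType() instanceof JxltEngineTemplate and hasName("evaluate")
 }
 }
 
@@ -210,8 +167,7 @@ private class JxltEngineTemplateEvaluateMethod extends DirectJexlEvaluationMetho
 */
 private class UnifiedJexlExpressionEvaluateMethod extends DirectJexlEvaluationMethod {
 UnifiedJexlExpressionEvaluateMethod() {
-getDeclaringType() instanceof UnifiedJexlExpression and
-hasName("evaluate")
+getDeclaringType() instanceof UnifiedJexlExpression and hasName("evaluate")
 }
 }
 
@@ -220,8 +176,7 @@ private class UnifiedJexlExpressionEvaluateMethod extends DirectJexlEvaluationMe
 */
 private class UnifiedJexlExpressionPrepareMethod extends DirectJexlEvaluationMethod {
 UnifiedJexlExpressionPrepareMethod() {
-getDeclaringType() instanceof UnifiedJexlExpression and
-hasName("prepare")
+getDeclaringType() instanceof UnifiedJexlExpression and hasName("prepare")
 }
 }
 
@@ -230,18 +185,41 @@ private class UnifiedJexlExpressionPrepareMethod extends DirectJexlEvaluationMet
 */
 private class UnifiedJexlTemplateEvaluateMethod extends DirectJexlEvaluationMethod {
 UnifiedJexlTemplateEvaluateMethod() {
-getDeclaringType() instanceof UnifiedJexlTemplate and
-hasName("evaluate")
+getDeclaringType() instanceof UnifiedJexlTemplate and hasName("evaluate")
 }
 }
 
 /**
 * A method in the `Callable` class that executes the `Callable`.
 */
 private class CallableCallMethod extends Method {
-CallableCallMethod() {
-getDeclaringType() instanceof CallableInterface and
-hasName("call")
+CallableCallMethod() { getDeclaringType() instanceof CallableInterface and hasName("call") }
+}
+
+private class CreateJexlScriptMethod extends Method {
+CreateJexlScriptMethod() { getDeclaringType() instanceof JexlEngine and hasName("createScript") }
+}
+
+private class CreateJexlCallableMethod extends Method {
+CreateJexlCallableMethod() {
+(getDeclaringType() instanceof JexlExpression or getDeclaringType() instanceof JexlScript) and
+hasName("callable")
+}
+}
+
+private class CreateJexlTemplateMethod extends Method {
+CreateJexlTemplateMethod() {
+(getDeclaringType() instanceof JxltEngine or getDeclaringType() instanceof UnifiedJexl) and
+hasName("createTemplate")
+}
+}
+
+private class CreateJexlExpressionMethod extends Method {
+CreateJexlExpressionMethod() {
+(getDeclaringType() instanceof JexlEngine or getDeclaringType() instanceof JxltEngine) and
+hasName("createExpression")
+or
+getDeclaringType() instanceof UnifiedJexl and hasName("parse")
 }
 }
 
@@ -275,31 +253,19 @@ private class UnifiedJexl extends RefType {
 }
 
 private class JxltEngineExpression extends NestedType {
-JxltEngineExpression() {
-getEnclosingType() instanceof JxltEngine and
-hasName("Expression")
-}
+JxltEngineExpression() { getEnclosingType() instanceof JxltEngine and hasName("Expression") }
 }
 
 private class JxltEngineTemplate extends NestedType {
-JxltEngineTemplate() {
-getEnclosingType() instanceof JxltEngine and
-hasName("Template")
-}
+JxltEngineTemplate() { getEnclosingType() instanceof JxltEngine and hasName("Template") }
 }
 
 private class UnifiedJexlExpression extends NestedType {
-UnifiedJexlExpression() {
-getEnclosingType() instanceof UnifiedJexl and
-hasName("Expression")
-}
+UnifiedJexlExpression() { getEnclosingType() instanceof UnifiedJexl and hasName("Expression") }
 }
 
 private class UnifiedJexlTemplate extends NestedType {
-UnifiedJexlTemplate() {
-getEnclosingType() instanceof UnifiedJexl and
-hasName("Template")
-}
+UnifiedJexlTemplate() { getEnclosingType() instanceof UnifiedJexl and hasName("Template") }
 }
 
 private class CallableInterface extends RefType {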
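Review bot: In the rewritten `TaintPropagatingJexlMethodCall` characteristic predicate, `taintType = taintFromExpr.getType()` now sits in the shared part of the `exists`, so the `CreateJexlCallableMethod` branch also requires its qualifier to have a `RefType`, a condition the old code did not place on that branch. A qualifier of `callable()` should always have a reference type, so results are probably unchanged, but a taint step silently dropped here would surface as a missed JEXL-injection finding, so the intent is worth stating with a comment such as `// taintType is only inspected by the String/Reader branches; the callable branch accepts any qualifier`. Separately, the four new classes `CreateJexlScriptMethod`, `CreateJexlCallableMethod`, `CreateJexlTemplateMethod` and `CreateJexlExpressionMethod` carry no QLDoc, unlike `CallableCallMethod` just above them and the documented predicates they replace; a one-line doc in the file's existing style, e.g. ``/** A method in the `JexlEngine` class that creates a Jexl script. */``, on each would keep the library consistent.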
