github
diff --git a/‎java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.java‎
Lines changed: 25 additions & 10 deletions b/‎java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.java‎
Lines changed: 25 additions & 10 deletions
diff --git a/‎java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp‎
Lines changed: 1 addition & 1 deletion b/‎java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql‎
Lines changed: 13 additions & 14 deletions b/‎java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql‎
Lines changed: 13 additions & 14 deletions
diff --git a/‎java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll‎
Lines changed: 32 additions & 15 deletions b/‎java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll‎
Lines changed: 32 additions & 15 deletions
diff --git a/‎java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpController.java‎
Lines changed: 25 additions & 10 deletions b/‎java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithFilter/JsonpController.java‎
Lines changed: 25 additions & 10 deletions
@@ -26,9 +26,6 @@ public class JsonpInjection {
         hashMap.put("password","123456");
     }
 
-    private String name = null;
-
-
     @GetMapping(value = "jsonp1")
     @ResponseBody
     public String bad1(HttpServletRequest request) {
@@ -77,7 +74,6 @@ public void bad5(HttpServletRequest request,
         PrintWriter pw = null;
         Gson gson = new Gson();
         String result = gson.toJson(hashMap);
-
         String resultStr = null;
         pw = response.getWriter();
         resultStr = jsonpCallback + "(" + result + ")";
@@ -109,13 +105,25 @@ public String bad7(HttpServletRequest request) {
         return resultStr;
     }
 
-
     @GetMapping(value = "jsonp8")
     @ResponseBody
-    public String good1(HttpServletRequest request) {
+    public String bad8(HttpServletRequest request) {
         String resultStr = null;
         String token = request.getParameter("token");
-        if (verifToken(token)){
+        boolean result = verifToken(token); //Just check.
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String jsonStr = getJsonStr(hashMap);
+        resultStr = jsonpCallback + "(" + jsonStr + ")";
+        return resultStr;
+    }
+
+
+    @GetMapping(value = "jsonp9")
+    @ResponseBody
+    public String good1(HttpServletRequest request) {
+        String resultStr = null;
+        String referer = request.getParameter("referer");
+        if (verifReferer(referer)){
             String jsonpCallback = request.getParameter("jsonpCallback");
             String jsonStr = getJsonStr(hashMap);
             resultStr = jsonpCallback + "(" + jsonStr + ")";
@@ -125,7 +133,7 @@ public String good1(HttpServletRequest request) {
     }
 
 
-    @GetMapping(value = "jsonp9")
+    @GetMapping(value = "jsonp10")
     @ResponseBody
     public String good2(HttpServletRequest request) {
         String resultStr = null;
@@ -140,7 +148,7 @@ public String good2(HttpServletRequest request) {
         return resultStr;
     }
 
-    @RequestMapping(value = "jsonp10")
+    @RequestMapping(value = "jsonp11")
     @ResponseBody
     public String good3(HttpServletRequest request) {
         JSONObject parameterObj = readToJSONObect(request);
@@ -151,7 +159,7 @@ public String good3(HttpServletRequest request) {
         return resultStr;
     }
 
-    @RequestMapping(value = "jsonp11")
+    @RequestMapping(value = "jsonp12")
     @ResponseBody
     public String good4(@RequestParam("file") MultipartFile file,HttpServletRequest request) {
         if(null == file){
@@ -200,4 +208,11 @@ public static boolean verifToken(String token){
         }
         return true;
     }
+
+    public static boolean verifReferer(String str){
+        if (str != "xxxx"){
+            return false;
+        }
+        return true;
+    }
 }
@@ -14,7 +14,7 @@ When there is a cross-domain problem, the problem of sensitive information leaka
 </recommendation>
 <example>
 
-<p>The following examples show the bad case and the good case respectively. Bad case, such as <code>bad1</code> to <code>bad7</code>, 
+<p>The following examples show the bad case and the good case respectively. Bad case, such as <code>bad1</code> to <code>bad8</code>, 
 will cause information leakage problems when there are cross-domain problems. In a good case, for example, in the <code>good1</code> 
 method and the <code>good2</code> method, use the <code>verifToken</code> method to do the random <code>token</code> Verification can 
 solve the problem of information leakage caused by cross-domain.</p>
 
@@ -18,20 +18,18 @@ import DataFlow::PathGraph
 
 /** Determine whether there is a verification method for the remote streaming source data flow path method. */
 predicate existsFilterVerificationMethod() {
-  exists(MethodAccess ma, Node existsNode, Method m |
-    ma.getMethod() instanceof VerificationMethodClass and
-    existsNode.asExpr() = ma and
-    m = getACallingCallableOrSelf(existsNode.getEnclosingCallable()) and
+  exists(DataFlow::Node source, DataFlow::Node sink, VerificationMethodFlowConfig vmfc, Method m |
+    vmfc.hasFlow(source, sink) and
+    m = getACallingCallableOrSelf(source.getEnclosingCallable()) and
     isDoFilterMethod(m)
   )
 }
 
 /** Determine whether there is a verification method for the remote streaming source data flow path method. */
 predicate existsServletVerificationMethod(Node checkNode) {
-  exists(MethodAccess ma, Node existsNode |
-    ma.getMethod() instanceof VerificationMethodClass and
-    existsNode.asExpr() = ma and
-    getACallingCallableOrSelf(existsNode.getEnclosingCallable()) =
+  exists(DataFlow::Node source, DataFlow::Node sink, VerificationMethodFlowConfig vmfc |
+    vmfc.hasFlow(source, sink) and
+    getACallingCallableOrSelf(source.getEnclosingCallable()) =
       getACallingCallableOrSelf(checkNode.getEnclosingCallable())
   )
 }
@@ -40,13 +38,14 @@ predicate existsServletVerificationMethod(Node checkNode) {
 class RequestResponseFlowConfig extends TaintTracking::Configuration {
   RequestResponseFlowConfig() { this = "RequestResponseFlowConfig" }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
+  override predicate isSource(DataFlow::Node source) {
+    source instanceof RemoteFlowSource and
+    getACallingCallableOrSelf(source.getEnclosingCallable()) instanceof RequestGetMethod
+  }
 
-  /** Eliminate the method of calling the node is not the get method. */
-  override predicate isSanitizer(DataFlow::Node node) {
-    not getACallingCallableOrSelf(node.getEnclosingCallable()) instanceof RequestGetMethod
+  override predicate isSink(DataFlow::Node sink) {
+    sink instanceof XssSink and
+    getACallingCallableOrSelf(sink.getEnclosingCallable()) instanceof RequestGetMethod
   }
 
   override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
 
@@ -3,30 +3,47 @@ import DataFlow
 import JsonStringLib
 import semmle.code.java.security.XSS
 import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.DataFlow3
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.frameworks.spring.SpringController
 
-/** Taint-tracking configuration tracing flow from untrusted inputs to verification of remote user input. */
-class VerificationMethodFlowConfig extends TaintTracking::Configuration {
-  VerificationMethodFlowConfig() { this = "VerificationMethodFlowConfig" }
+/** A data flow configuration is tracing flow from the access to the authentication method of token/auth/referer/origin to if condition. */
+class VerificationMethodToIfFlowConfig extends DataFlow3::Configuration {
+  VerificationMethodToIfFlowConfig() { this = "VerificationMethodToIfFlowConfig" }
 
-  override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
+  override predicate isSource(DataFlow::Node src) {
+    exists(MethodAccess ma, BarrierGuard bg | ma = bg |
+      (
+        ma.getMethod().getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
+        or
+        ma.getMethod().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
+      ) and
+      ma = src.asExpr()
+    )
+  }
 
   override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma |
-      ma.getMethod().getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*") and
-      ma.getAnArgument() = sink.asExpr()
-    )
+    exists(IfStmt is | is.getCondition() = sink.asExpr())
   }
 }
 
-/** The parameter names of this method are token/auth/referer/origin. */
-class VerificationMethodClass extends Method {
-  VerificationMethodClass() {
-    exists(MethodAccess ma, VerificationMethodFlowConfig vmfc, Node node |
-      this = ma.getMethod() and
-      node.asExpr() = ma.getAnArgument() and
-      vmfc.hasFlowTo(node)
+/** Taint-tracking configuration tracing flow from untrusted inputs to verification of remote user input. */
+class VerificationMethodFlowConfig extends TaintTracking2::Configuration {
+  VerificationMethodFlowConfig() { this = "VerificationMethodFlowConfig" }
+
+  override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(MethodAccess ma, BarrierGuard bg, int i, VerificationMethodToIfFlowConfig vmtifc |
+      ma = bg
+    |
+      (
+        ma.getMethod().getParameter(i).getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
+        or
+        ma.getMethod().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
+      ) and
+      ma.getArgument(i) = sink.asExpr() and
+      vmtifc.hasFlow(exprNode(ma), _)
     )
   }
 }
 
@@ -26,9 +26,6 @@ public class JsonpController {
         hashMap.put("password","123456");
     }
 
-    private String name = null;
-
-
     @GetMapping(value = "jsonp1")
     @ResponseBody
     public String bad1(HttpServletRequest request) {
@@ -77,7 +74,6 @@ public void bad5(HttpServletRequest request,
         PrintWriter pw = null;
         Gson gson = new Gson();
         String result = gson.toJson(hashMap);
-
         String resultStr = null;
         pw = response.getWriter();
         resultStr = jsonpCallback + "(" + result + ")";
@@ -109,13 +105,25 @@ public String bad7(HttpServletRequest request) {
         return resultStr;
     }
 
-
     @GetMapping(value = "jsonp8")
     @ResponseBody
-    public String good1(HttpServletRequest request) {
+    public String bad8(HttpServletRequest request) {
         String resultStr = null;
         String token = request.getParameter("token");
-        if (verifToken(token)){
+        boolean result = verifToken(token); //Just check.
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String jsonStr = getJsonStr(hashMap);
+        resultStr = jsonpCallback + "(" + jsonStr + ")";
+        return resultStr;
+    }
+
+
+    @GetMapping(value = "jsonp9")
+    @ResponseBody
+    public String good1(HttpServletRequest request) {
+        String resultStr = null;
+        String referer = request.getParameter("referer");
+        if (verifReferer(referer)){
             String jsonpCallback = request.getParameter("jsonpCallback");
             String jsonStr = getJsonStr(hashMap);
             resultStr = jsonpCallback + "(" + jsonStr + ")";
@@ -125,7 +133,7 @@ public String good1(HttpServletRequest request) {
     }
 
 
-    @GetMapping(value = "jsonp9")
+    @GetMapping(value = "jsonp10")
     @ResponseBody
     public String good2(HttpServletRequest request) {
         String resultStr = null;
@@ -140,7 +148,7 @@ public String good2(HttpServletRequest request) {
         return resultStr;
     }
 
-    @RequestMapping(value = "jsonp10")
+    @RequestMapping(value = "jsonp11")
     @ResponseBody
     public String good3(HttpServletRequest request) {
         JSONObject parameterObj = readToJSONObect(request);
@@ -151,7 +159,7 @@ public String good3(HttpServletRequest request) {
         return resultStr;
     }
 
-    @RequestMapping(value = "jsonp11")
+    @RequestMapping(value = "jsonp12")
     @ResponseBody
     public String good4(@RequestParam("file") MultipartFile file,HttpServletRequest request) {
         if(null == file){
@@ -200,4 +208,11 @@ public static boolean verifToken(String token){
         }
         return true;
     }
+
+    public static boolean verifReferer(String str){
+        if (str != "xxxx"){
+            return false;
+        }
+        return true;
+    }
 }