Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 09bcf87

Browse files
tamasvajktamasvajk
committed
Java: Convert HttpServletRequest.get* methods to CSV based flow source
1 parent f2448cc commit 09bcf87

2 files changed

Lines changed: 9 additions & 8 deletions

File tree

java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll

Lines changed: 9 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -111,7 +111,15 @@ private predicate sourceModelCsv(string row) {
111111
"org.springframework.web.multipart;MultipartFile;true;getOriginalFilename;();;ReturnValue;remote",
112112
"org.springframework.web.multipart;MultipartFile;true;getResource;();;ReturnValue;remote",
113113
"org.springframework.web.multipart;MultipartFile;true;getSize;();;ReturnValue;remote",
114-
"org.springframework.web.multipart;MultipartFile;true;isEmpty;();;ReturnValue;remote"
114+
"org.springframework.web.multipart;MultipartFile;true;isEmpty;();;ReturnValue;remote",
115+
// HttpServletRequest.get*
116+
"javax.servlet.http;HttpServletRequest;false;getHeader;(String);;ReturnValue;remote",
117+
"javax.servlet.http;HttpServletRequest;false;getHeaders;(String);;ReturnValue;remote",
118+
"javax.servlet.http;HttpServletRequest;false;getHeaderNames;();;ReturnValue;remote",
119+
"javax.servlet.http;HttpServletRequest;false;getPathInfo;();;ReturnValue;remote",
120+
"javax.servlet.http;HttpServletRequest;false;getRequestURI;();;ReturnValue;remote",
121+
"javax.servlet.http;HttpServletRequest;false;getRequestURL;();;ReturnValue;remote",
122+
"javax.servlet.http;HttpServletRequest;false;getRemoteUser;();;ReturnValue;remote"
115123
]
116124
}
117125

java/ql/src/semmle/code/java/dataflow/FlowSources.qll

Lines changed: 0 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -214,13 +214,6 @@ class DatabaseInput extends LocalUserInput {
214214

215215
private class RemoteTaintedMethod extends Method {
216216
RemoteTaintedMethod() {
217-
this instanceof HttpServletRequestGetHeaderMethod or
218-
this instanceof HttpServletRequestGetPathMethod or
219-
this instanceof HttpServletRequestGetHeadersMethod or
220-
this instanceof HttpServletRequestGetHeaderNamesMethod or
221-
this instanceof HttpServletRequestGetRequestURIMethod or
222-
this instanceof HttpServletRequestGetRequestURLMethod or
223-
this instanceof HttpServletRequestGetRemoteUserMethod or
224217
this instanceof PlayRequestGetMethod or
225218
this instanceof SpringWebRequestGetMethod or
226219
this instanceof SpringRestTemplateResponseEntityMethod or

0 commit comments

Comments
 (0)