

Commit 195755d

committed
Revamp the query to be more selective
1 parent 496db4b commit 195755d

5 files changed

Lines changed: 93 additions & 23 deletions


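--- a/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql
@@ -23,15 +23,15 @@ class SensitiveInfoExpr extends Expr {
 }
 }
 
-/** Holds if `c` is a call to some override of `HttpServlet.doGet`. */
-private predicate isGetServletMethod(Callable c) { isServletMethod(c, "doGet") }
+/** Holds if `ma` is a method access to some override of `HttpServlet.doGet`. */
+private predicate isGetServletMethod(MethodAccess ma) { isServletMethod(ma, "doGet") }
 
-/** Sink of GET servlet requests. */
-class GetServletMethodSink extends DataFlow::ExprNode {
-GetServletMethodSink() {
+/** Source of GET servlet requests. */
+class GetServletMethodSource extends DataFlow::ExprNode {
+GetServletMethodSource() {
 exists(MethodAccess ma |
-isGetServletMethod(ma.getEnclosingCallable()) and
-ma.getAnArgument() = this.getExpr()
+isGetServletMethod(ma) and
+ma = this.getExpr()
 )
 }
 }
@@ -40,11 +40,9 @@ class GetServletMethodSink extends DataFlow::ExprNode {
 class SensitiveGetQueryConfiguration extends TaintTracking::Configuration {
 SensitiveGetQueryConfiguration() { this = "SensitiveGetQueryConfiguration" }
 
-override predicate isSource(DataFlow::Node source) {
-source.asExpr() instanceof SensitiveInfoExpr
-}
+override predicate isSource(DataFlow::Node source) { source instanceof GetServletMethodSource }
 
-override predicate isSink(DataFlow::Node sink) { sink instanceof GetServletMethodSink }
+override predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof SensitiveExpr }
 }
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, SensitiveGetQueryConfiguration c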
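Review bot: The new doc comment on `isGetServletMethod` (new line 26 of the first hunk) misstates what the predicate checks: it holds when `ma` is a read of a request parameter or the query string on the request argument inside an override of `doGet`, not a method access to `doGet` itself. Suggest `/** Holds if ma reads a request parameter or the query string inside some override of HttpServlet.doGet. */`, and the same correction applies to the `isServletMethod` comment in the Servlets.qll hunk. The class `SensitiveInfoExpr`, whose closing brace opens this hunk, no longer appears to be referenced once `isSource` uses `GetServletMethodSource` and `isSink` uses `SensitiveExpr`; if nothing outside the shown lines uses it, it should be removed. The import that provides `SensitiveExpr` lies outside the hunk, so I cannot confirm it is present.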

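--- a/java/ql/src/semmle/code/java/frameworks/Servlets.qll
+++ b/java/ql/src/semmle/code/java/frameworks/Servlets.qll
@@ -323,11 +323,20 @@ class ServletWebXMLListenerType extends RefType {
 }
 }
 
-/** Holds if `c` is a call to some override of methods of `HttpServlet`, for example `doGet` or `doPost`. */
-predicate isServletMethod(Callable c, string methodName) {
-c.getDeclaringType() instanceof ServletClass and
-c.getNumberOfParameters() = 2 and
-c.getParameter(0).getType() instanceof ServletRequest and
-c.getParameter(1).getType() instanceof ServletResponse and
-c.getName() = methodName
+/** Holds if `ma` is a method access to some override of methods of `HttpServlet`, for example `doGet` or `doPost`. */
+predicate isServletMethod(MethodAccess ma, string methodName) {
+exists(Method m |
+m = ma.getEnclosingCallable() and
+m.getDeclaringType() instanceof ServletClass and
+m.getNumberOfParameters() = 2 and
+m.getParameter(0).getType() instanceof ServletRequest and
+m.getParameter(1).getType() instanceof ServletResponse and
+m.getName() = methodName and
+ma.getQualifier() = m.getParameter(0).getAnAccess() and
+(
+ma.getMethod() instanceof ServletRequestGetParameterMethod or
+ma.getMethod() instanceof ServletRequestGetParameterMapMethod or
+ma.getMethod() instanceof HttpServletRequestGetQueryStringMethod
+)
+)
 }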
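Review bot: `isServletMethod` is a non-private predicate in the shared `Servlets.qll` library, and this hunk changes both its parameter type (`Callable` to `MethodAccess`) and its meaning, from "is an override of a servlet handler" to "is a request-parameter read inside such an override", so any other caller of the old signature breaks and the name no longer describes the check. Keeping the original predicate and expressing the new request-read condition as a separate predicate that calls it keeps the library API stable and reads more clearly; a sketch follows, with the new predicate name being a constructed suggestion. The qualifier condition `ma.getQualifier() = m.getParameter(0).getAnAccess()` also matches only reads made directly on the handler's request parameter, so reads through a local alias of the request are presumably not sources; that looks intentional for selectivity but deserves a comment such as `// Only direct reads on the handler's request parameter count; aliases of the request are not followed.`
```ql
/** Holds if `c` is an override of a request-handling method of `HttpServlet`, for example `doGet` or `doPost`. */
predicate isServletMethod(Callable c, string methodName) {
  // … unchanged: the original five conjuncts on c …
}

/**
 * Holds if `ma` reads a request parameter or the query string from the request
 * argument of an override of the `HttpServlet` method named `methodName`.
 */
predicate isServletRequestParameterAccess(MethodAccess ma, string methodName) {
  exists(Method m |
    m = ma.getEnclosingCallable() and
    isServletMethod(m, methodName) and
    ma.getQualifier() = m.getParameter(0).getAnAccess() and
    // … unchanged: the three ma.getMethod() alternatives …
  )
}
```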
Lines changed: 32 additions & 4 deletions
@@ -1,7 +1,35 @@
11
edges
2-
| SensitiveGetQuery.java:12:38:12:45 | password : String | SensitiveGetQuery.java:12:22:12:45 | ... + ... |
2+
| SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) : Map | SensitiveGetQuery2.java:14:21:14:48 | (...)... : Object |
3+
| SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) : Map | SensitiveGetQuery2.java:14:30:14:48 | get(...) |
4+
| SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) : Map | SensitiveGetQuery2.java:14:30:14:48 | get(...) : Object |
5+
| SensitiveGetQuery2.java:14:21:14:48 | (...)... : Object | SensitiveGetQuery2.java:15:29:15:36 | password |
6+
| SensitiveGetQuery2.java:14:21:14:48 | (...)... : Object | SensitiveGetQuery2.java:15:29:15:36 | password : Object |
7+
| SensitiveGetQuery2.java:14:30:14:48 | get(...) : Object | SensitiveGetQuery2.java:14:21:14:48 | (...)... : Object |
8+
| SensitiveGetQuery2.java:15:29:15:36 | password : Object | SensitiveGetQuery2.java:18:40:18:54 | password : Object |
9+
| SensitiveGetQuery2.java:18:40:18:54 | password : Object | SensitiveGetQuery2.java:19:61:19:68 | password |
10+
| SensitiveGetQuery.java:12:21:12:52 | getParameter(...) : String | SensitiveGetQuery.java:14:29:14:36 | password |
11+
| SensitiveGetQuery.java:12:21:12:52 | getParameter(...) : String | SensitiveGetQuery.java:14:29:14:36 | password : String |
12+
| SensitiveGetQuery.java:14:29:14:36 | password : String | SensitiveGetQuery.java:17:40:17:54 | password : String |
13+
| SensitiveGetQuery.java:17:40:17:54 | password : String | SensitiveGetQuery.java:18:61:18:68 | password |
314
nodes
4-
| SensitiveGetQuery.java:12:22:12:45 | ... + ... | semmle.label | ... + ... |
5-
| SensitiveGetQuery.java:12:38:12:45 | password : String | semmle.label | password : String |
15+
| SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) : Map | semmle.label | getParameterMap(...) : Map |
16+
| SensitiveGetQuery2.java:14:21:14:48 | (...)... : Object | semmle.label | (...)... : Object |
17+
| SensitiveGetQuery2.java:14:30:14:48 | get(...) | semmle.label | get(...) |
18+
| SensitiveGetQuery2.java:14:30:14:48 | get(...) : Object | semmle.label | get(...) : Object |
19+
| SensitiveGetQuery2.java:15:29:15:36 | password | semmle.label | password |
20+
| SensitiveGetQuery2.java:15:29:15:36 | password : Object | semmle.label | password : Object |
21+
| SensitiveGetQuery2.java:18:40:18:54 | password : Object | semmle.label | password : Object |
22+
| SensitiveGetQuery2.java:19:61:19:68 | password | semmle.label | password |
23+
| SensitiveGetQuery.java:12:21:12:52 | getParameter(...) | semmle.label | getParameter(...) |
24+
| SensitiveGetQuery.java:12:21:12:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
25+
| SensitiveGetQuery.java:14:29:14:36 | password | semmle.label | password |
26+
| SensitiveGetQuery.java:14:29:14:36 | password : String | semmle.label | password : String |
27+
| SensitiveGetQuery.java:17:40:17:54 | password : String | semmle.label | password : String |
28+
| SensitiveGetQuery.java:18:61:18:68 | password | semmle.label | password |
629
#select
7-
| SensitiveGetQuery.java:12:22:12:45 | ... + ... | SensitiveGetQuery.java:12:38:12:45 | password : String | SensitiveGetQuery.java:12:22:12:45 | ... + ... | $@ uses GET request method with sensitive information. | SensitiveGetQuery.java:12:38:12:45 | password | sensitive query string |
30+
| SensitiveGetQuery2.java:14:30:14:48 | get(...) | SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) : Map | SensitiveGetQuery2.java:14:30:14:48 | get(...) | $@ uses GET request method with sensitive information. | SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) | sensitive query string |
31+
| SensitiveGetQuery2.java:15:29:15:36 | password | SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) : Map | SensitiveGetQuery2.java:15:29:15:36 | password | $@ uses GET request method with sensitive information. | SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) | sensitive query string |
32+
| SensitiveGetQuery2.java:19:61:19:68 | password | SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) : Map | SensitiveGetQuery2.java:19:61:19:68 | password | $@ uses GET request method with sensitive information. | SensitiveGetQuery2.java:12:13:12:37 | getParameterMap(...) | sensitive query string |
33+
| SensitiveGetQuery.java:12:21:12:52 | getParameter(...) | SensitiveGetQuery.java:12:21:12:52 | getParameter(...) | SensitiveGetQuery.java:12:21:12:52 | getParameter(...) | $@ uses GET request method with sensitive information. | SensitiveGetQuery.java:12:21:12:52 | getParameter(...) | sensitive query string |
34+
| SensitiveGetQuery.java:14:29:14:36 | password | SensitiveGetQuery.java:12:21:12:52 | getParameter(...) : String | SensitiveGetQuery.java:14:29:14:36 | password | $@ uses GET request method with sensitive information. | SensitiveGetQuery.java:12:21:12:52 | getParameter(...) | sensitive query string |
35+
| SensitiveGetQuery.java:18:61:18:68 | password | SensitiveGetQuery.java:12:21:12:52 | getParameter(...) : String | SensitiveGetQuery.java:18:61:18:68 | password | $@ uses GET request method with sensitive information. | SensitiveGetQuery.java:12:21:12:52 | getParameter(...) | sensitive query string |

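--- a/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery.java
+++ b/java/ql/test/experimental/query-tests/security/CWE-598/SensitiveGetQuery.java
@@ -8,8 +8,14 @@
 public class SensitiveGetQuery extends HttpServlet {
 // BAD - Tests sending sensitive information in a GET request.
 public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+String username = request.getParameter("username");
 String password = request.getParameter("password");
-System.out.println("password = " + password);
+
+processUserInfo(username, password);
+}
+
+void processUserInfo(String username, String password) {
+System.out.println("username = " + username+"; password "+password);
 }
 
 // GOOD - Tests sending sensitive information in a POST request.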
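Review bot: The Servlets.qll hunk adds `HttpServletRequestGetQueryStringMethod` as a third source kind, but neither this fixture (`getParameter`) nor `SensitiveGetQuery2.java` (`getParameterMap`) calls `getQueryString()`, so that branch has no expected result and a regression in it would go unnoticed. Adding a handler that stores `request.getQueryString()` in a variable the query treats as sensitive, e.g. `String password = request.getQueryString();` followed by `processUserInfo(username, password);`, would cover it. The concatenation on new line 18, `username+"; password "+password`, also mixes spacing styles; `username + "; password " + password` matches the surrounding code.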
Lines changed: 29 additions & 0 deletions
@@ -0,0 +1,29 @@
1+
import java.io.IOException;
2+
import java.util.Map;
3+
4+
import javax.servlet.http.HttpServlet;
5+
import javax.servlet.http.HttpServletRequest;
6+
import javax.servlet.http.HttpServletResponse;
7+
import javax.servlet.ServletException;
8+
9+
public class SensitiveGetQuery2 extends HttpServlet {
10+
// BAD - Tests sending sensitive information in a GET request.
11+
public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
12+
Map map = request.getParameterMap();
13+
String username = (String) map.get("username");
14+
String password = (String) map.get("password");
15+
processUserInfo(username, password);
16+
}
17+
18+
void processUserInfo(String username, String password) {
19+
System.out.println("username = " + username+"; password "+password);
20+
}
21+
22+
// GOOD - Tests sending sensitive information in a POST request.
23+
public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
24+
Map map = request.getParameterMap();
25+
String username = (String) map.get("username");
26+
String password = (String) map.get("password");
27+
processUserInfo(username, password);
28+
}
29+
}
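Review bot: The casts `(String) map.get("username")` and `(String) map.get("password")` on lines 13–14 and 25–26 cannot succeed at runtime, because `ServletRequest.getParameterMap()` returns `Map<String, String[]>`, and the raw `Map` declarations on lines 12 and 24 are what hide that from the compiler. The fixture is only analysed, never executed, but it should still model code a real servlet would contain, e.g. `Map<String, String[]> map = request.getParameterMap();` and `String password = map.get("password")[0];`. Changing it would alter the `(...)...` cast nodes in the expected output, which would then need regenerating, and whether taint still reaches `password` through the array read should be confirmed against the query.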
