Combine two Configurations into one

haby0 · haby0 · commit 1b948ac2e2e4 · 2021-04-12T15:44:39.000+08:00
diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
@@ -16,7 +16,7 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.deadcode.WebEntryPoints
 import DataFlow::PathGraph
 
-/** 
+/**
  * Holds if some `Filter.doFilter` method exists in the whole program that takes some user-controlled
  * input and tests it with what appears to be a token- or authentication-checking function.
  */
@@ -28,7 +28,7 @@ predicate existsFilterVerificationMethod() {
   )
 }
 
-/** 
+/**
  * Holds if somewhere in the whole program some user-controlled
  * input is tested with what appears to be a token- or authentication-checking function,
  * and `checkNode` is reachable from any function that can reach the user-controlled input source.
@@ -69,4 +69,4 @@ where
   conf.hasFlowPath(source, sink) and
   exists(JsonpInjectionFlowConfig jhfc | jhfc.hasFlowTo(sink.getNode()))
 select sink.getNode(), source, sink, "Jsonp response might include code from $@.", source.getNode(),
-  "this user input"
+  "this user input"
diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
@@ -7,48 +7,37 @@ import semmle.code.java.dataflow.DataFlow3
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.frameworks.spring.SpringController
 
-/** A data flow configuration tracing flow from the result of a method whose name includes token/auth/referer/origin to an if-statement condition. */
-class VerificationMethodToIfFlowConfig extends DataFlow3::Configuration {
-  VerificationMethodToIfFlowConfig() { this = "VerificationMethodToIfFlowConfig" }
-
-  override predicate isSource(DataFlow::Node src) {
-    exists(MethodAccess ma | ma instanceof BarrierGuard |
-      (
-        ma.getMethod().getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
-        or
-        ma.getMethod().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
-      ) and
-      ma = src.asExpr()
-    )
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    exists(IfStmt is | is.getCondition() = sink.asExpr())
-  }
-}
-
-/** Taint-tracking configuration tracing flow from untrusted inputs to an argument of a function whose result is used as an if-statement condition.
-* 
-* For example, in the context `String userControlled = request.getHeader("xyz"); boolean isGood = checkToken(userControlled); if(isGood) { ...`,
-* the flow from `checkToken`'s result to the condition of `if(isGood)` matches the configuration `VerificationMethodToIfFlowConfig` above,
-* and so the flow from `getHeader(...)` to the argument to `checkToken` matches this configuration.
+/**
+ * Taint-tracking configuration tracing flow from untrusted inputs to an argument of a function whose result is used as an if-statement condition.
+ *
+ * For example, in the context `String userControlled = request.getHeader("xyz"); boolean isGood = checkToken(userControlled); if(isGood) { ...`,
+ * the flow from `getHeader(...)` to the argument to `checkToken`, and then the flow from `checkToken`'s result to the condition of `if(isGood)`.
  */
 class VerificationMethodFlowConfig extends TaintTracking2::Configuration {
   VerificationMethodFlowConfig() { this = "VerificationMethodFlowConfig" }
 
   override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
 
   override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma, int i, VerificationMethodToIfFlowConfig vmtifc |
-      ma instanceof BarrierGuard
-    |
+    exists(IfStmt is, Method m | is.getEnclosingCallable() = m |
       (
-        ma.getMethod().getParameter(i).getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
+        not m.getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
+        or
+        not m.getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
+      ) and
+      sink.asExpr() = is.getCondition()
+    )
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node prod, DataFlow::Node succ) {
+    exists(MethodAccess ma |
+      (
+        ma.getMethod().getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
         or
         ma.getMethod().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
       ) and
-      ma.getArgument(i) = sink.asExpr() and
-      vmtifc.hasFlow(exprNode(ma), _)
+      ma.getAnArgument() = prod.asExpr() and
+      ma = succ.asExpr()
     )
   }
 }
