Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 29ce0e9

Browse files
luchua-bcluchua-bc
committed
Add sanitizer for virtual method calls
1 parent 8bcffc2 commit 29ce0e9

1 file changed

Lines changed: 19 additions & 1 deletion

File tree

java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.ql

Lines changed: 19 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -145,6 +145,23 @@ private class NullOrEmptyCheckSanitizer extends DataFlow::Node {
145145
NullOrEmptyCheckSanitizer() { isNullOrEmptyCheck(this.asExpr()) }
146146
}
147147

148+
/** Holds if `ma` is a virtual method call of Map::get or Object::toString. */
149+
predicate isVirtualMethod(MethodAccess ma, Expr expr) {
150+
ma.getMethod().getDeclaringType() instanceof TypeObject and
151+
ma.getMethod().hasName("toString") and
152+
(expr = ma or expr = ma.getQualifier())
153+
or
154+
(
155+
ma.getMethod().getDeclaringType().getASupertype*().hasQualifiedName("java.util", "Map") and
156+
ma.getMethod().hasName(["get", "getOrDefault"])
157+
) and
158+
(expr = ma or expr = ma.getAnArgument())
159+
}
160+
161+
private class VirtualMethodSanitizer extends DataFlow::Node {
162+
VirtualMethodSanitizer() { exists(MethodAccess ma | isVirtualMethod(ma, this.asExpr())) }
163+
}
164+
148165
class UnsafeUrlForwardFlowConfig extends TaintTracking::Configuration {
149166
UnsafeUrlForwardFlowConfig() { this = "UnsafeUrlForwardFlowConfig" }
150167

@@ -166,7 +183,8 @@ class UnsafeUrlForwardFlowConfig extends TaintTracking::Configuration {
166183
node instanceof UnsafeUrlForwardSanitizer or
167184
node instanceof PathMatchSanitizer or
168185
node instanceof StringOperationSanitizer or
169-
node instanceof NullOrEmptyCheckSanitizer
186+
node instanceof NullOrEmptyCheckSanitizer or
187+
node instanceof VirtualMethodSanitizer
170188
}
171189
}
172190

0 commit comments

Comments
 (0)