1616 */
1717
1818import java
19+ import semmle.code.java.dataflow.TaintTracking
1920import semmle.code.java.dataflow.FlowSources
2021import semmle.code.java.dataflow.ExternalFlow
21- import DataFlow :: PathGraph
22+ import Log4jInjectionFlow :: PathGraph
2223
2324private class ActivateModels extends ActiveExperimentalModels {
2425 ActivateModels ( ) { this = "log4j-injection" }
@@ -41,17 +42,20 @@ class Log4jInjectionSanitizer extends DataFlow::Node {
4142/**
4243 * A taint-tracking configuration for tracking untrusted user input used in log entries.
4344 */
44- class Log4jInjectionConfiguration extends TaintTracking :: Configuration {
45- Log4jInjectionConfiguration ( ) { this = "Log4jInjectionConfiguration" }
45+ module Log4jInjectionConfig implements DataFlow :: ConfigSig {
46+ predicate isSource ( DataFlow :: Node source ) { source instanceof RemoteFlowSource }
4647
47- override predicate isSource ( DataFlow:: Node source ) { source instanceof RemoteFlowSource }
48+ predicate isSink ( DataFlow:: Node sink ) { sink instanceof Log4jInjectionSink }
4849
49- override predicate isSink ( DataFlow:: Node sink ) { sink instanceof Log4jInjectionSink }
50-
51- override predicate isSanitizer ( DataFlow:: Node node ) { node instanceof Log4jInjectionSanitizer }
50+ predicate isBarrier ( DataFlow:: Node node ) { node instanceof Log4jInjectionSanitizer }
5251}
5352
54- from Log4jInjectionConfiguration cfg , DataFlow:: PathNode source , DataFlow:: PathNode sink
55- where cfg .hasFlowPath ( source , sink )
53+ /**
54+ * Taint-tracking flow for tracking untrusted user input used in log entries.
55+ */
56+ module Log4jInjectionFlow = TaintTracking:: Global< Log4jInjectionConfig > ;
57+
58+ from Log4jInjectionFlow:: PathNode source , Log4jInjectionFlow:: PathNode sink
59+ where Log4jInjectionFlow:: flowPath ( source , sink )
5660select sink .getNode ( ) , source , sink , "Log4j log entry depends on a $@." , source .getNode ( ) ,
5761 "user-provided value"
0 commit comments