Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 77208bc

Browse files
haby0haby0
committed
Fix the error that there is no VerificationMethodToIfFlowConfig
1 parent e2ed0d0 commit 77208bc

1 file changed

Lines changed: 28 additions & 16 deletions

File tree

java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll

Lines changed: 28 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -7,37 +7,49 @@ import semmle.code.java.dataflow.DataFlow3
77
import semmle.code.java.dataflow.FlowSources
88
import semmle.code.java.frameworks.spring.SpringController
99

10+
/** A data flow configuration tracing flow from the result of a method whose name includes token/auth/referer/origin to an if-statement condition. */
11+
class VerificationMethodToIfFlowConfig extends DataFlow3::Configuration {
12+
VerificationMethodToIfFlowConfig() { this = "VerificationMethodToIfFlowConfig" }
13+
14+
override predicate isSource(DataFlow::Node src) {
15+
exists(MethodAccess ma | ma instanceof BarrierGuard |
16+
(
17+
ma.getMethod().getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
18+
or
19+
ma.getMethod().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
20+
) and
21+
ma = src.asExpr()
22+
)
23+
}
24+
25+
override predicate isSink(DataFlow::Node sink) {
26+
exists(IfStmt is | is.getCondition() = sink.asExpr())
27+
}
28+
}
29+
1030
/**
1131
* Taint-tracking configuration tracing flow from untrusted inputs to an argument of a function whose result is used as an if-statement condition.
1232
*
1333
* For example, in the context `String userControlled = request.getHeader("xyz"); boolean isGood = checkToken(userControlled); if(isGood) { ...`,
14-
* the flow from `getHeader(...)` to the argument to `checkToken`, and then the flow from `checkToken`'s result to the condition of `if(isGood)`.
34+
* the flow from `checkToken`'s result to the condition of `if(isGood)` matches the configuration `VerificationMethodToIfFlowConfig` above,
35+
* and so the flow from `getHeader(...)` to the argument to `checkToken` matches this configuration.
1536
*/
1637
class VerificationMethodFlowConfig extends TaintTracking2::Configuration {
1738
VerificationMethodFlowConfig() { this = "VerificationMethodFlowConfig" }
1839

1940
override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
2041

2142
override predicate isSink(DataFlow::Node sink) {
22-
exists(IfStmt is, Method m | is.getEnclosingCallable() = m |
23-
(
24-
not m.getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
25-
or
26-
not m.getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
27-
) and
28-
sink.asExpr() = is.getCondition()
29-
)
30-
}
31-
32-
override predicate isAdditionalTaintStep(DataFlow::Node prod, DataFlow::Node succ) {
33-
exists(MethodAccess ma |
43+
exists(MethodAccess ma, int i, VerificationMethodToIfFlowConfig vmtifc |
44+
ma instanceof BarrierGuard
45+
|
3446
(
35-
ma.getMethod().getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
47+
ma.getMethod().getParameter(i).getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
3648
or
3749
ma.getMethod().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
3850
) and
39-
ma.getAnArgument() = prod.asExpr() and
40-
ma = succ.asExpr()
51+
ma.getArgument(i) = sink.asExpr() and
52+
vmtifc.hasFlow(exprNode(ma), _)
4153
)
4254
}
4355
}

0 commit comments

Comments
 (0)