@@ -20,11 +20,11 @@ class JexlInjectionConfig extends TaintTracking::Configuration {
2020 override predicate isSink ( DataFlow:: Node sink ) { sink instanceof JexlEvaluationSink }
2121
2222 override predicate isAdditionalTaintStep ( DataFlow:: Node node1 , DataFlow:: Node node2 ) {
23- creatingTaintedJexlExpression ( node1 , node2 ) or
24- creatingTaintedJexlTemplate ( node1 , node2 ) or
25- creatingTaintedJexlScript ( node1 , node2 ) or
26- creatingTaintedJexlCallable ( node1 , node2 ) or
27- returningTaintedDataFromBean ( node1 , node2 )
23+ createsJexlExpression ( node1 , node2 ) or
24+ createsJexlTemplate ( node1 , node2 ) or
25+ createsJexlScript ( node1 , node2 ) or
26+ createsJexlCallable ( node1 , node2 ) or
27+ returnsDataFromBean ( node1 , node2 )
2828 }
2929}
3030
@@ -55,7 +55,7 @@ class JexlEvaluationSink extends DataFlow::ExprNode {
5555/**
5656 * Holds if `node1` to `node2` is a dataflow step that creates a Jexl expression.
5757 */
58- predicate creatingTaintedJexlExpression ( DataFlow:: Node node1 , DataFlow:: Node node2 ) {
58+ predicate createsJexlExpression ( DataFlow:: Node node1 , DataFlow:: Node node2 ) {
5959 exists ( MethodAccess ma , Method m | ma .getMethod ( ) = m |
6060 (
6161 m instanceof JxltEngineCreateExpressionMethod or
@@ -68,49 +68,38 @@ predicate creatingTaintedJexlExpression(DataFlow::Node node1, DataFlow::Node nod
6868 )
6969}
7070
71- /**
72- * Holds if `node1` to `node2` is a dataflow step that creates a Jexl expression.
73- */
74- predicate creatingTaintedJxltEngineExpression ( DataFlow:: Node node1 , DataFlow:: Node node2 ) {
75- exists ( MethodAccess ma , Method m | ma .getMethod ( ) = m |
76- ( m instanceof JxltEngineCreateExpressionMethod or m instanceof UnifiedJexlParseMethod ) and
77- ma .getAnArgument ( ) .getType ( ) instanceof TypeString and
78- ma .getAnArgument ( ) = node1 .asExpr ( ) and
79- node2 .asExpr ( ) = ma
80- )
81- }
82-
8371/**
8472 * Holds if `node1` to `node2` is a dataflow step that creates a Jexl template.
8573 */
86- predicate creatingTaintedJexlTemplate ( DataFlow:: Node node1 , DataFlow:: Node node2 ) {
74+ predicate createsJexlTemplate ( DataFlow:: Node node1 , DataFlow:: Node node2 ) {
8775 exists ( MethodAccess ma , Method m | ma .getMethod ( ) = m |
8876 ( m instanceof JxltEngineCreateTemplateMethod or m instanceof UnifiedJexlCreateTemplateMethod ) and
8977 (
90- isCreateTemplateSourceArg ( ma , 0 , node1 .asExpr ( ) ) or
91- isCreateTemplateSourceArg ( ma , 1 , node1 .asExpr ( ) )
78+ node1 .asExpr ( ) . getType ( ) instanceof TypeString or
79+ node1 .asExpr ( ) . getType ( ) instanceof Reader
9280 ) and
81+ ma .getArgument ( [ 0 , 1 ] ) = node1 .asExpr ( ) and
9382 node2 .asExpr ( ) = ma
9483 )
9584}
9685
9786/**
9887 * Holds if:
99- * - `expr` is an argument with the `index `
88+ * - `expr` is the `index`th argument to `ma `
10089 * - `expr` is a string or an instance of `Reader`
10190 */
102- predicate isCreateTemplateSourceArg ( MethodAccess ma , int index , Expr expr ) {
91+ predicate toberemoved ( MethodAccess ma , int index , Expr expr ) {
10392 (
104- ma . getArgument ( index ) .getType ( ) instanceof TypeString or
105- ma . getArgument ( index ) .getType ( ) instanceof Reader
93+ expr .getType ( ) instanceof TypeString or
94+ expr .getType ( ) instanceof Reader
10695 ) and
10796 ma .getArgument ( index ) = expr
10897}
10998
11099/**
111100 * Holds if `node1` to `node2` is a dataflow step that creates a Jexl script.
112101 */
113- predicate creatingTaintedJexlScript ( DataFlow:: Node node1 , DataFlow:: Node node2 ) {
102+ predicate createsJexlScript ( DataFlow:: Node node1 , DataFlow:: Node node2 ) {
114103 exists ( MethodAccess ma , Method m | ma .getMethod ( ) = m |
115104 m instanceof JexlEngineCreateScriptMethod and
116105 ma .getArgument ( 0 ) .getType ( ) instanceof TypeString and
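Review bot: The helper renamed to `toberemoved` (new lines 86-97) is now dead: `createsJexlTemplate` inlines the String/`Reader` type check and the `ma.getArgument([0, 1]) = node1.asExpr()` match, so nothing in this file calls it any more, and the name itself reads as a leftover from the refactor rather than a deliberate API. Unless another query depends on it, drop the predicate and its doc comment in this commit instead of shipping a placeholder name; if it must stay, restore a descriptive name such as `isCreateTemplateSourceArg` and have `createsJexlTemplate` call it so the two cannot drift apart. The removal of `creatingTaintedJxltEngineExpression` above looks safe, since its body duplicated the `JxltEngineCreateExpressionMethod` case already handled by `createsJexlExpression` and `isAdditionalTaintStep` never referenced it.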
@@ -123,7 +112,7 @@ predicate creatingTaintedJexlScript(DataFlow::Node node1, DataFlow::Node node2)
123112 * Holds if `node1` to `node2` is a dataflow step
124113 * that creates a callable from a Jexl expression or script.
125114 */
126- predicate creatingTaintedJexlCallable ( DataFlow:: Node node1 , DataFlow:: Node node2 ) {
115+ predicate createsJexlCallable ( DataFlow:: Node node1 , DataFlow:: Node node2 ) {
127116 exists ( MethodAccess ma , Method m | ma .getMethod ( ) = m |
128117 ( m instanceof JexlExpressionCallableMethod or m instanceof JexlScriptCallableMethod ) and
129118 ma .getQualifier ( ) = node1 .asExpr ( ) and
@@ -135,7 +124,7 @@ predicate creatingTaintedJexlCallable(DataFlow::Node node1, DataFlow::Node node2
135124 * Holds if `node1` to `node2` is a dataflow step that returns data from
136125 * a tainted bean by calling one of its getters.
137126 */
138- predicate returningTaintedDataFromBean ( DataFlow:: Node node1 , DataFlow:: Node node2 ) {
127+ predicate returnsDataFromBean ( DataFlow:: Node node1 , DataFlow:: Node node2 ) {
139128 exists ( MethodAccess ma , Method m | ma .getMethod ( ) = m |
140129 m instanceof GetterMethod and
141130 ma .getQualifier ( ) = node1 .asExpr ( ) and
@@ -144,7 +133,7 @@ predicate returningTaintedDataFromBean(DataFlow::Node node1, DataFlow::Node node
144133}
145134
146135/**
147- * Holds if `expr` is a call to one of the methods that execute a Jexl script.
136+ * Holds if `expr` calls one of the methods that execute a Jexl script against qualifier `expr` .
148137 */
149138predicate isJexlScriptExecuteCall ( Expr expr ) {
150139 exists ( MethodAccess ma , Method m | m = ma .getMethod ( ) |
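Review bot: The rewritten doc comment on new line 136 uses `expr` for two different things, "`expr` calls one of the methods ... against qualifier `expr`", so a reader cannot tell whether the predicate holds for the call expression or for its qualifier. The body of `isJexlScriptExecuteCall` continues outside the hunk, so I cannot confirm which; if `expr` is the qualifier, as the sibling `isCallableCall` comment in the next hunk says for its case, reword to `* Holds if `expr` is the qualifier of a call to one of the methods that execute a Jexl script.`. If it is the whole call, keep the original wording instead.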
@@ -154,7 +143,8 @@ predicate isJexlScriptExecuteCall(Expr expr) {
154143}
155144
156145/**
157- * Holds if `expr` is a call of the `Callable.call()` method.
146+ * Holds if `expr` is the qualifier when calling the `Callable.call()` method
147+ * such as `expr.call()`.
158148 */
159149predicate isCallableCall ( Expr expr ) {
160150 exists ( MethodAccess ma , Method m | m = ma .getMethod ( ) |