Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 8d701e6

Browse files
artem-smotrakovartem-smotrakov
committed
Simplified JexlInjectionLib.qll
- Merged multiple method definitions to DirectJexlEvaluationMethod - Don't use TaintPropagatingJexlMethodCall field in JexlInjectionConfig - Better variable names in JexlEvaluationSink
1 parent 71e5cb4 commit 8d701e6

1 file changed

Lines changed: 17 additions & 73 deletions

File tree

java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll

Lines changed: 17 additions & 73 deletions
Original file line numberDiff line numberDiff line change
@@ -8,8 +8,6 @@ import semmle.code.java.dataflow.TaintTracking
88
* It supports both Jexl2 and Jexl3.
99
*/
1010
class JexlInjectionConfig extends TaintTracking::Configuration {
11-
TaintPropagatingJexlMethodCall taintPropagatingJexlMethodCall;
12-
1311
JexlInjectionConfig() { this = "JexlInjectionConfig" }
1412

1513
override predicate isSource(DataFlow::Node source) {
@@ -21,7 +19,7 @@ class JexlInjectionConfig extends TaintTracking::Configuration {
2119
override predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink }
2220

2321
override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
24-
taintPropagatingJexlMethodCall.taintFlow(fromNode, toNode) or
22+
any(TaintPropagatingJexlMethodCall c).taintFlow(fromNode, toNode) or
2523
returnsDataFromBean(fromNode, toNode)
2624
}
2725
}
@@ -42,14 +40,16 @@ private class TaintedSpringRequestBody extends DataFlow::Node {
4240
*/
4341
private class JexlEvaluationSink extends DataFlow::ExprNode {
4442
JexlEvaluationSink() {
45-
exists(MethodAccess ma, Method m, Expr tainted | ma.getMethod() = m and tainted = asExpr() |
46-
m instanceof DirectJexlEvaluationMethod and ma.getQualifier() = tainted
43+
exists(MethodAccess ma, Method m, Expr taintFrom |
44+
ma.getMethod() = m and taintFrom = this.asExpr()
45+
|
46+
m instanceof DirectJexlEvaluationMethod and ma.getQualifier() = taintFrom
4747
or
48-
m instanceof CallableCallMethod and ma.getQualifier() = tainted
48+
m instanceof CallableCallMethod and ma.getQualifier() = taintFrom
4949
or
5050
m instanceof JexlEngineGetSetPropertyMethod and
5151
ma.getAnArgument().getType() instanceof TypeString and
52-
ma.getAnArgument() = tainted
52+
ma.getAnArgument() = taintFrom
5353
)
5454
}
5555
}
@@ -117,74 +117,18 @@ private class JexlEngineGetSetPropertyMethod extends Method {
117117
/**
118118
* Defines methods that triggers direct evaluation of Jexl expressions.
119119
*/
120-
abstract private class DirectJexlEvaluationMethod extends Method { }
121-
122-
/**
123-
* A method in the `JexlExpression` class that evaluates a Jexl expression.
124-
*/
125-
private class JexlExpressionEvaluateMethod extends DirectJexlEvaluationMethod {
126-
JexlExpressionEvaluateMethod() {
120+
private class DirectJexlEvaluationMethod extends Method {
121+
DirectJexlEvaluationMethod() {
127122
getDeclaringType() instanceof JexlExpression and hasName("evaluate")
128-
}
129-
}
130-
131-
/**
132-
* A method in the `JexlScript` class that executes a Jexl script.
133-
*/
134-
private class JexlScriptExecuteMethod extends DirectJexlEvaluationMethod {
135-
JexlScriptExecuteMethod() { getDeclaringType() instanceof JexlScript and hasName("execute") }
136-
}
137-
138-
/**
139-
* A method in the `JxltEngine.Expression` class that evaluates an expression.
140-
*/
141-
private class JxltEngineExpressionEvaluateMethod extends DirectJexlEvaluationMethod {
142-
JxltEngineExpressionEvaluateMethod() {
143-
getDeclaringType() instanceof JxltEngineExpression and hasName("evaluate")
144-
}
145-
}
146-
147-
/**
148-
* A method in the `JxltEngine.Expression` class that evaluates the immediate sub-expressions.
149-
*/
150-
private class JxltEngineExpressionPrepareMethod extends DirectJexlEvaluationMethod {
151-
JxltEngineExpressionPrepareMethod() {
152-
getDeclaringType() instanceof JxltEngineExpression and hasName("prepare")
153-
}
154-
}
155-
156-
/**
157-
* A method in the `JxltEngine.Template` class that evaluates a template.
158-
*/
159-
private class JxltEngineTemplateEvaluateMethod extends DirectJexlEvaluationMethod {
160-
JxltEngineTemplateEvaluateMethod() {
123+
or
124+
getDeclaringType() instanceof JexlScript and hasName("execute")
125+
or
126+
getDeclaringType() instanceof JxltEngineExpression and hasName(["evaluate", "prepare"])
127+
or
161128
getDeclaringType() instanceof JxltEngineTemplate and hasName("evaluate")
162-
}
163-
}
164-
165-
/**
166-
* A method in the `UnifiedJEXL.Expression` class that evaluates a template.
167-
*/
168-
private class UnifiedJexlExpressionEvaluateMethod extends DirectJexlEvaluationMethod {
169-
UnifiedJexlExpressionEvaluateMethod() {
170-
getDeclaringType() instanceof UnifiedJexlExpression and hasName("evaluate")
171-
}
172-
}
173-
174-
/**
175-
* A method in the `UnifiedJEXL.Expression` class that evaluates the immediate sub-expressions.
176-
*/
177-
private class UnifiedJexlExpressionPrepareMethod extends DirectJexlEvaluationMethod {
178-
UnifiedJexlExpressionPrepareMethod() {
179-
getDeclaringType() instanceof UnifiedJexlExpression and hasName("prepare")
180-
}
181-
}
182-
183-
/**
184-
* A method in the `UnifiedJEXL.Template` class that evaluates a template.
185-
*/
186-
private class UnifiedJexlTemplateEvaluateMethod extends DirectJexlEvaluationMethod {
187-
UnifiedJexlTemplateEvaluateMethod() {
129+
or
130+
getDeclaringType() instanceof UnifiedJexlExpression and hasName(["evaluate", "prepare"])
131+
or
188132
getDeclaringType() instanceof UnifiedJexlTemplate and hasName("evaluate")
189133
}
190134
}

0 commit comments

Comments
 (0)