


committed
Add error-page check
1 parent a61f814 commit 93d1393

4 files changed

Lines changed: 62 additions & 2 deletions


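--- a/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.qhelp
@@ -10,7 +10,7 @@ Even though the signatures for methods in a servlet include <code>throws IOExcep
 
 <recommendation>
 <p>
-Handle method calls that throw IOExceptions and/or RuntimeExceptions and display custom error messages without stack traces and sensitive information.
+Handle method calls that throw IOExceptions and/or RuntimeExceptions and display custom error messages without stack traces and sensitive information, or configure an <code>error-page</code> in web.xml to display a generic user-friendly message for any uncaught exception.
 </p>
 </recommendation>
 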
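--- a/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.ql
@@ -11,6 +11,7 @@ import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.frameworks.Servlets
+import semmle.code.xml.WebXML
 import DataFlow::PathGraph
 
 /** The type `java.io.IOException`. */
@@ -44,6 +45,11 @@ private predicate isServletMethod(Callable c) {
 )
 }
 
+/** Holds if `web.xml` has an error page configured. */
+private predicate hasErrorPage() {
+exists(WebErrorPage wep | wep.getPageLocation().getValue() != "")
+}
+
 /** Sink of uncaught IO exceptions or runtime exceptions since other exception types must be explicitly caught. */
 class UncaughtServletExceptionSink extends DataFlow::ExprNode {
 UncaughtServletExceptionSink() {
@@ -74,6 +80,6 @@ class UncaughtServletExceptionConfiguration extends TaintTracking::Configuration
 }
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, UncaughtServletExceptionConfiguration c
-where c.hasFlowPath(source, sink)
+where c.hasFlowPath(source, sink) and not hasErrorPage()
 select sink.getNode(), source, sink, "$@ flows to here and can throw uncaught exception.",
 source.getNode(), "User-provided value"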
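Review bot: `hasErrorPage()` silences every result of the query as soon as any `<error-page>` with a non-empty `<location>` exists, but it never inspects what the page is mapped to, so a page registered only for an HTTP `<error-code>` such as 404, or only for a narrow `<exception-type>` like `java.io.IOException`, still suppresses findings for uncaught `RuntimeException`s that the query also tracks. The predicate is also unscoped: any `web.xml` in the extracted database, including one belonging to another module of a multi-module build, disables the alert for every servlet, and the `where` clause then applies that single global fact to all paths. I would require that the page is a default page (neither `<exception-type>` nor `<error-code>`) or names a supertype of both exception families, and state in the QLDoc that the check is not tied to the servlet's own web application; the `WebErrorPage` class in this commit has no `<error-code>` accessor, so the `getAChild("error-code")` below assumes the XML library's name-based overload is available (presumably it is; verify).
```ql
/**
 * Holds if some `web.xml` in the database declares an `<error-page>` that
 * catches uncaught exceptions: a default page (no `<exception-type>` and no
 * `<error-code>`) or one mapped to a supertype of IOException and RuntimeException.
 * NOTE(review): not scoped to the servlet's own web application.
 */
private predicate hasErrorPage() {
  exists(WebErrorPage wep |
    wep.getPageLocation().getValue() != "" and
    (
      not exists(wep.getPageType()) and not exists(wep.getAChild("error-code"))
      or
      wep.getPageType().getValue() = ["java.lang.Throwable", "java.lang.Exception"]
    )
  )
}
```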

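--- a/java/ql/src/semmle/code/xml/WebXML.qll
+++ b/java/ql/src/semmle/code/xml/WebXML.qll
@@ -130,3 +130,40 @@ class WebListenerClass extends WebXMLElement {
 */
 Class getClass() { result.getQualifiedName() = getValue() }
 }
+
+/**
+* An `<error-page>` element in a `web.xml` file.
+*/
+class WebErrorPage extends WebXMLElement {
+WebErrorPage() { this.getName() = "error-page" }
+
+/**
+* Gets the `<exception-type>` element of this `<error-page>`.
+*/
+WebErrorPageType getPageType() { result = getAChild() }
+
+/**
+* Gets the `<location>` element of this `<error-page>`.
+*/
+WebErrorPageLocation getPageLocation() { result = getAChild() }
+}
+
+/**
+* An `<exception-type>` element in a `web.xml` file, nested under an `<error-page>` element.
+*/
+class WebErrorPageType extends WebXMLElement {
+WebErrorPageType() {
+getName() = "exception-type" and
+getParent() instanceof WebErrorPage
+}
+}
+
+/**
+* A `<location>` element in a `web.xml` file, nested under an `<error-page>` element.
+*/
+class WebErrorPageLocation extends WebXMLElement {
+WebErrorPageLocation() {
+getName() = "location" and
+getParent() instanceof WebErrorPage
+}
+}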
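Review bot: `WebErrorPage` models `<exception-type>` and `<location>` but not `<error-code>`, so a consumer cannot distinguish a page mapped to an HTTP status (e.g. 404) from one mapped to an exception, although those two children are what decide whether the page is ever used for an uncaught exception. I would add a `WebErrorPageCode` class and a `getPageCode()` accessor next to the two existing ones, and extend the QLDoc of `getPageType()` with `Has no result for a default page or a page keyed by <error-code>.` so callers do not read "no exception type" as "catches everything". The hunk's first three context lines are the tail of `WebListenerClass`, whose declaration lies outside the hunk.
```ql
/**
* Gets the `<error-code>` element of this `<error-page>`, if any.
*/
WebErrorPageCode getPageCode() { result = getAChild() }
// … unchanged: getPageLocation, WebErrorPageType, WebErrorPageLocation …

/**
* An `<error-code>` element in a `web.xml` file, nested under an `<error-page>` element.
*/
class WebErrorPageCode extends WebXMLElement {
WebErrorPageCode() {
getName() = "error-code" and
getParent() instanceof WebErrorPage
}
}
```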
Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
<?xml version="1.0" encoding="UTF-8"?>
2+
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
3+
xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
4+
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
5+
id="myapp" version="3.0">
6+
7+
<display-name>myapp</display-name>
8+
9+
<welcome-file-list>
10+
<welcome-file>index.jsp</welcome-file>
11+
<welcome-file>index.xhtml</welcome-file>
12+
</welcome-file-list>
13+
14+
<!-- error-page>
15+
<location>/index.jsp</location>
16+
</error-page -->
17+
</web-app>
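Review bot: The `<error-page>` block in this fixture is commented out (file lines 14–16), and this is the only `web.xml` among the four files changed, so the commit only exercises the case where `hasErrorPage()` does not hold; nothing here confirms that an enabled `<error-page>` actually suppresses the alert, or what a page carrying an `<exception-type>` or `<error-code>` does. I would add a second fixture with the block enabled, e.g. `<error-page><exception-type>java.lang.Throwable</exception-type><location>/error.jsp</location></error-page>`, together with an expected-results file showing zero alerts for it. Separately, `xmlns:web` references `web-app_2_5.xsd` while `xsi:schemaLocation` and `version` say 3.0; this does not affect the query but is worth making consistent.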
