github
diff --git a/‎java/ql/src/experimental/Security/CWE/CWE-352/JsonStringLib.qll‎
Lines changed: 1 addition & 1 deletion b/‎java/ql/src/experimental/Security/CWE/CWE-352/JsonStringLib.qll‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.java‎
Lines changed: 73 additions & 40 deletions b/‎java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.java‎
Lines changed: 73 additions & 40 deletions
diff --git a/‎java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp‎
Lines changed: 7 additions & 4 deletions b/‎java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp‎
Lines changed: 7 additions & 4 deletions
diff --git a/‎java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql‎
Lines changed: 13 additions & 11 deletions b/‎java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql‎
Lines changed: 13 additions & 11 deletions
@@ -3,7 +3,7 @@ import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.FlowSources
 import DataFlow::PathGraph
 
-/** Json string type data */
+/** Json string type data. */
 abstract class JsonpStringSource extends DataFlow::Node { }
 
 /** Convert to String using Gson library. */
 
@@ -1,31 +1,39 @@
 import com.alibaba.fastjson.JSONObject;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.gson.Gson;
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
 import java.io.PrintWriter;
 import java.util.HashMap;
-import java.util.Random;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.multipart.MultipartFile;
 
 @Controller
 public class JsonpInjection {
-private static HashMap hashMap = new HashMap();
+
+    private static HashMap hashMap = new HashMap();
 
     static {
         hashMap.put("username","admin");
         hashMap.put("password","123456");
     }
 
+    private String name = null;
+
 
     @GetMapping(value = "jsonp1")
     @ResponseBody
     public String bad1(HttpServletRequest request) {
         String resultStr = null;
         String jsonpCallback = request.getParameter("jsonpCallback");
-
         Gson gson = new Gson();
         String result = gson.toJson(hashMap);
         resultStr = jsonpCallback + "(" + result + ")";
@@ -37,9 +45,7 @@ public String bad1(HttpServletRequest request) {
     public String bad2(HttpServletRequest request) {
         String resultStr = null;
         String jsonpCallback = request.getParameter("jsonpCallback");
-
         resultStr = jsonpCallback + "(" + JSONObject.toJSONString(hashMap) + ")";
-
         return resultStr;
     }
 
@@ -67,7 +73,6 @@ public String bad4(HttpServletRequest request) {
     @ResponseBody
     public void bad5(HttpServletRequest request,
             HttpServletResponse response) throws Exception {
-        response.setContentType("application/json");
         String jsonpCallback = request.getParameter("jsonpCallback");
         PrintWriter pw = null;
         Gson gson = new Gson();
@@ -83,7 +88,6 @@ public void bad5(HttpServletRequest request,
     @ResponseBody
     public void bad6(HttpServletRequest request,
             HttpServletResponse response) throws Exception {
-        response.setContentType("application/json");
         String jsonpCallback = request.getParameter("jsonpCallback");
         PrintWriter pw = null;
         ObjectMapper mapper = new ObjectMapper();
@@ -94,60 +98,96 @@ public void bad6(HttpServletRequest request,
         pw.println(resultStr);
     }
 
-    @GetMapping(value = "jsonp7")
+    @RequestMapping(value = "jsonp7", method = RequestMethod.GET)
     @ResponseBody
-    public String good(HttpServletRequest request) {
+    public String bad7(HttpServletRequest request) {
         String resultStr = null;
         String jsonpCallback = request.getParameter("jsonpCallback");
-
-        String val = "";
-        Random random = new Random();
-        for (int i = 0; i < 10; i++) {
-            val += String.valueOf(random.nextInt(10));
-        }
-        // good
-        jsonpCallback = jsonpCallback + "_" + val;
-        String jsonStr = getJsonStr(hashMap);
-        resultStr = jsonpCallback + "(" + jsonStr + ")";
+        Gson gson = new Gson();
+        String result = gson.toJson(hashMap);
+        resultStr = jsonpCallback + "(" + result + ")";
         return resultStr;
     }
 
+
     @GetMapping(value = "jsonp8")
     @ResponseBody
     public String good1(HttpServletRequest request) {
         String resultStr = null;
-        String jsonpCallback = request.getParameter("jsonpCallback");
-
         String token = request.getParameter("token");
-
-        // good
         if (verifToken(token)){
-            System.out.println(token);
+            String jsonpCallback = request.getParameter("jsonpCallback");
             String jsonStr = getJsonStr(hashMap);
             resultStr = jsonpCallback + "(" + jsonStr + ")";
             return resultStr;
         }
-
         return "error";
     }
 
+
     @GetMapping(value = "jsonp9")
     @ResponseBody
     public String good2(HttpServletRequest request) {
         String resultStr = null;
+        String token = request.getParameter("token");
+        boolean result = verifToken(token);
+        if (result){
+            return "";
+        }
         String jsonpCallback = request.getParameter("jsonpCallback");
+        String jsonStr = getJsonStr(hashMap);
+        resultStr = jsonpCallback + "(" + jsonStr + ")";
+        return resultStr;
+    }
 
-        String referer = request.getHeader("Referer");
+    @RequestMapping(value = "jsonp10")
+    @ResponseBody
+    public String good3(HttpServletRequest request) {
+        JSONObject parameterObj = readToJSONObect(request);
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String restr = JSONObject.toJSONString(hashMap);
+        resultStr = jsonpCallback + "(" + restr + ");";
+        return resultStr;
+    }
 
-        boolean result = verifReferer(referer);
-        // good
-        if (result){
-            String jsonStr = getJsonStr(hashMap);
-            resultStr = jsonpCallback + "(" + jsonStr + ")";
-            return resultStr;
+    @RequestMapping(value = "jsonp11")
+    @ResponseBody
+    public String good4(@RequestParam("file") MultipartFile file,HttpServletRequest request) {
+        if(null == file){
+            return "upload file error";
         }
+        String fileName = file.getOriginalFilename();
+        System.out.println("file operations");
+        String resultStr = null;
+        String jsonpCallback = request.getParameter("jsonpCallback");
+        String restr = JSONObject.toJSONString(hashMap);
+        resultStr = jsonpCallback + "(" + restr + ");";
+        return resultStr;
+    }
 
-        return "error";
+    public static JSONObject readToJSONObect(HttpServletRequest request){
+        String jsonText = readPostContent(request);
+        JSONObject jsonObj = JSONObject.parseObject(jsonText, JSONObject.class);
+        return jsonObj;
+    }
+
+    public static String readPostContent(HttpServletRequest request){
+        BufferedReader in= null;
+        String content = null;
+        String line = null;
+        try {
+            in = new BufferedReader(new InputStreamReader(request.getInputStream(),"UTF-8"));
+            StringBuilder buf = new StringBuilder();
+            while ((line = in.readLine()) != null) {
+                buf.append(line);
+            }
+            content = buf.toString();
+        } catch (IOException e) {
+            e.printStackTrace();
+        }
+        String uri = request.getRequestURI();
+        return content;
     }
 
     public static String getJsonStr(Object result) {
@@ -160,11 +200,4 @@ public static boolean verifToken(String token){
         }
         return true;
     }
-
-    public static boolean verifReferer(String referer){
-        if (!referer.startsWith("http://test.com/")){
-            return false;
-        }
-        return true;
-    }
 }
@@ -3,18 +3,21 @@
   "qhelp.dtd">
 <qhelp>
 <overview>
-<p>The software uses external input as the function name to wrap JSON data and return it to the client as a request response. When there is a cross-domain problem, 
-there is a problem of sensitive information leakage.</p>
+<p>The software uses external input as the function name to wrap JSON data and returns it to the client as a request response. 
+When there is a cross-domain problem, the problem of sensitive information leakage may occur.</p>
 
 </overview>
 <recommendation>
 
-<p>Adding `Referer` or random `token` verification processing can effectively prevent the leakage of sensitive information.</p>
+<p>Adding <code>Referer</code>/<code>Origin</code> or random <code>token</code> verification processing can effectively prevent the leakage of sensitive information.</p>
 
 </recommendation>
 <example>
 
-<p>The following example shows the case of no verification processing and verification processing for the external input function name.</p>
+<p>The following examples show the bad case and the good case respectively. Bad case, such as <code>bad1</code> to <code>bad7</code>, 
+will cause information leakage problems when there are cross-domain problems. In a good case, for example, in the <code>good1</code> 
+method and the <code>good2</code> method, use the <code>verifToken</code> method to do the random <code>token</code> Verification can 
+solve the problem of information leakage caused by cross-domain.</p>
 
 <sample src="JsonpInjection.java" />
 
 
@@ -14,39 +14,41 @@ import java
 import JsonpInjectionLib
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.deadcode.WebEntryPoints
-import semmle.code.java.security.XSS
 import DataFlow::PathGraph
 
 /** Determine whether there is a verification method for the remote streaming source data flow path method. */
 predicate existsFilterVerificationMethod() {
-  exists(MethodAccess ma,Node existsNode, Method m|
+  exists(MethodAccess ma, Node existsNode, Method m |
     ma.getMethod() instanceof VerificationMethodClass and
     existsNode.asExpr() = ma and
-    m = getAnMethod(existsNode.getEnclosingCallable()) and
+    m = getACallingCallableOrSelf(existsNode.getEnclosingCallable()) and
     isDoFilterMethod(m)
   )
 }
 
 /** Determine whether there is a verification method for the remote streaming source data flow path method. */
 predicate existsServletVerificationMethod(Node checkNode) {
-  exists(MethodAccess ma,Node existsNode|
+  exists(MethodAccess ma, Node existsNode |
     ma.getMethod() instanceof VerificationMethodClass and
     existsNode.asExpr() = ma and
-    getAnMethod(existsNode.getEnclosingCallable()) = getAnMethod(checkNode.getEnclosingCallable())
+    getACallingCallableOrSelf(existsNode.getEnclosingCallable()) =
+      getACallingCallableOrSelf(checkNode.getEnclosingCallable())
   )
 }
 
 /** Taint-tracking configuration tracing flow from get method request sources to output jsonp data. */
 class RequestResponseFlowConfig extends TaintTracking::Configuration {
   RequestResponseFlowConfig() { this = "RequestResponseFlowConfig" }
 
-  override predicate isSource(DataFlow::Node source) {
-    source instanceof RemoteFlowSource and
-    getAnMethod(source.getEnclosingCallable()) instanceof RequestGetMethod
-  }
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
 
+  /** Eliminate the method of calling the node is not the get method. */
+  override predicate isSanitizer(DataFlow::Node node) {
+    not getACallingCallableOrSelf(node.getEnclosingCallable()) instanceof RequestGetMethod 
+  }
+
   override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
     exists(MethodAccess ma |
       isRequestGetParamMethod(ma) and pred.asExpr() = ma.getQualifier() and succ.asExpr() = ma
@@ -60,5 +62,5 @@ where
   not existsFilterVerificationMethod() and
   conf.hasFlowPath(source, sink) and
   exists(JsonpInjectionFlowConfig jhfc | jhfc.hasFlowTo(sink.getNode()))
-select sink.getNode(), source, sink, "Jsonp Injection query might include code from $@.",
-  source.getNode(), "this user input"
+select sink.getNode(), source, sink, "Jsonp response might include code from $@.", source.getNode(),
+  "this user input"