@@ -38,15 +38,19 @@ private class TaintedSpringRequestBody extends DataFlow::Node {
3838
3939/**
4040 * A sink for Expresssion Language injection vulnerabilities via Jexl,
41- * i.e. methods that run evaluation of a Jexl expression.
41+ * i.e. method calls that run evaluation of a Jexl expression.
4242 */
4343private class JexlEvaluationSink extends DataFlow:: ExprNode {
4444 JexlEvaluationSink ( ) {
45- isJexlExpressionEvaluationCall ( asExpr ( ) ) or
46- isJexlTemplateEvaluationCall ( asExpr ( ) ) or
47- isJexlScriptExecuteCall ( asExpr ( ) ) or
48- isJexlGetSetPropertyCall ( asExpr ( ) ) or
49- isCallableCall ( asExpr ( ) )
45+ exists ( MethodAccess ma , Method m , Expr tainted | ma .getMethod ( ) = m and tainted = asExpr ( ) |
46+ m instanceof DirectJexlEvaluationMethod and ma .getQualifier ( ) = tainted
47+ or
48+ m instanceof CallableCallMethod and ma .getQualifier ( ) = tainted
49+ or
50+ m instanceof JexlEngineGetSetPropertyMethod and
51+ ma .getAnArgument ( ) .getType ( ) instanceof TypeString and
52+ ma .getAnArgument ( ) = tainted
53+ )
5054 }
5155}
5256
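Review bot: In the `JexlEngineGetSetPropertyMethod` branch of the new `JexlEvaluationSink` body, the two `ma.getAnArgument()` calls are independent, so the `TypeString` test constrains some argument of the call while `tainted` may be a different one; any non-String argument of such a call (should an overload take one) then becomes a sink as long as another argument is a String. Binding one argument removes the ambiguity: `tainted = ma.getAnArgument() and tainted.getType() instanceof TypeString`. The removed `isJexlGetSetPropertyCall` predicate used the same pattern, so this looks carried over rather than introduced here. The `Expresssion` typo in the unchanged QLDoc line above the class could be corrected while that comment is being touched.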
@@ -137,121 +141,44 @@ private predicate returnsDataFromBean(DataFlow::Node fromNode, DataFlow::Node to
137141}
138142
139143/**
140- * Holds if `expr` calls one of the methods that execute a Jexl script against qualifier `expr`.
141- */
142- private predicate isJexlScriptExecuteCall ( Expr expr ) {
143- exists ( MethodAccess ma , Method m | m = ma .getMethod ( ) |
144- m instanceof JexlScriptExecuteMethod and
145- ma .getQualifier ( ) = expr
146- )
147- }
148-
149- /**
150- * Holds if `expr` is the qualifier when calling the `Callable.call()` method
151- * such as `expr.call()`.
152- */
153- private predicate isCallableCall ( Expr expr ) {
154- exists ( MethodAccess ma , Method m | m = ma .getMethod ( ) |
155- m instanceof CallableCallMethod and
156- ma .getQualifier ( ) = expr
157- )
158- }
159-
160- /**
161- * Holds if `expr` is an argument in a call to one of the methods
162- * that get or set a property via a Jexl expression.
163- */
164- private predicate isJexlGetSetPropertyCall ( Expr expr ) {
165- exists ( MethodAccess ma , Method m | m = ma .getMethod ( ) |
166- ( m instanceof JexlEngineGetPropertyMethod or m instanceof JexlEngineSetPropertyMethod ) and
167- ma .getAnArgument ( ) .getType ( ) instanceof TypeString and
168- ma .getAnArgument ( ) = expr
169- )
170- }
171-
172- /**
173- * Holds if `expr` is a call to one of the methods that trigger evaluation of a Jexl expression.
144+ * Method in the `JexlEngine` class that get or set a property with a Jexl expression.
174145 */
175- private predicate isJexlExpressionEvaluationCall ( Expr expr ) {
176- exists ( MethodAccess ma , Method m | m = ma .getMethod ( ) |
177- (
178- m instanceof JexlExpressionEvaluateMethod or
179- m instanceof JxltEngineExpressionEvaluateMethod or
180- m instanceof JxltEngineExpressionPrepareMethod or
181- m instanceof UnifiedJexlExpressionEvaluateMethod or
182- m instanceof UnifiedJexlExpressionPrepareMethod
183- ) and
184- ma .getQualifier ( ) = expr
185- )
146+ private class JexlEngineGetSetPropertyMethod extends Method {
147+ JexlEngineGetSetPropertyMethod ( ) {
148+ getDeclaringType ( ) instanceof JexlEngine and
149+ hasName ( [ "getProperty" , "setProperty" ] )
150+ }
186151}
187152
188153/**
189- * Holds if `expr` is a call to one of the methods that evaluates a Jexl template .
154+ * Defines methods that triggers direct evaluation of Jexl expressions .
190155 */
191- private predicate isJexlTemplateEvaluationCall ( Expr expr ) {
192- exists ( MethodAccess ma , Method m | m = ma .getMethod ( ) |
193- (
194- m instanceof JxltEngineTemplateEvaluateMethod or
195- m instanceof UnifiedJexlTemplateEvaluateMethod
196- ) and
197- ma .getQualifier ( ) = expr
198- )
199- }
156+ abstract private class DirectJexlEvaluationMethod extends Method { }
200157
201158/**
202159 * A method in the `JexlExpression` class that evaluates a Jexl expression.
203160 */
204- private class JexlExpressionEvaluateMethod extends Method {
161+ private class JexlExpressionEvaluateMethod extends DirectJexlEvaluationMethod {
205162 JexlExpressionEvaluateMethod ( ) {
206163 getDeclaringType ( ) instanceof JexlExpression and
207164 hasName ( "evaluate" )
208165 }
209166}
210167
211- /**
212- * A method in the `JexlEngine` class that gets a property with a Jexl expression.
213- */
214- private class JexlEngineGetPropertyMethod extends Method {
215- JexlEngineGetPropertyMethod ( ) {
216- getDeclaringType ( ) instanceof JexlEngine and
217- hasName ( "getProperty" )
218- }
219- }
220-
221- /**
222- * A method in the `JexlEngine` class that sets a property with a Jexl expression.
223- */
224- private class JexlEngineSetPropertyMethod extends Method {
225- JexlEngineSetPropertyMethod ( ) {
226- getDeclaringType ( ) instanceof JexlEngine and
227- hasName ( "setProperty" )
228- }
229- }
230-
231168/**
232169 * A method in the `JexlScript` class that executes a Jexl script.
233170 */
234- private class JexlScriptExecuteMethod extends Method {
171+ private class JexlScriptExecuteMethod extends DirectJexlEvaluationMethod {
235172 JexlScriptExecuteMethod ( ) {
236173 getDeclaringType ( ) instanceof JexlScript and
237174 hasName ( "execute" )
238175 }
239176}
240177
241- /**
242- * A method in the `Callable` class that executes the `Callable`.
243- */
244- private class CallableCallMethod extends Method {
245- CallableCallMethod ( ) {
246- getDeclaringType ( ) instanceof CallableInterface and
247- hasName ( "call" )
248- }
249- }
250-
251178/**
252179 * A method in the `JxltEngine.Expression` class that evaluates an expression.
253180 */
254- private class JxltEngineExpressionEvaluateMethod extends Method {
181+ private class JxltEngineExpressionEvaluateMethod extends DirectJexlEvaluationMethod {
255182 JxltEngineExpressionEvaluateMethod ( ) {
256183 getDeclaringType ( ) instanceof JxltEngineExpression and
257184 hasName ( "evaluate" )
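Review bot: The QLDoc on the new `JexlEngineGetSetPropertyMethod` class reads `Method in the JexlEngine class that get or set a property with a Jexl expression.` and does not match the sibling classes; suggest `A method in the JexlEngine class that gets or sets a property with a Jexl expression.` Likewise the comment on the new abstract `DirectJexlEvaluationMethod`, `Defines methods that triggers direct evaluation of Jexl expressions .`, would read better as `A method whose call directly evaluates a Jexl expression, script or template; the qualifier of such a call is the sink.` The `JxltEngineExpressionEvaluateMethod` class at the end of this hunk continues outside it.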
@@ -261,7 +188,7 @@ private class JxltEngineExpressionEvaluateMethod extends Method {
261188/**
262189 * A method in the `JxltEngine.Expression` class that evaluates the immediate sub-expressions.
263190 */
264- private class JxltEngineExpressionPrepareMethod extends Method {
191+ private class JxltEngineExpressionPrepareMethod extends DirectJexlEvaluationMethod {
265192 JxltEngineExpressionPrepareMethod ( ) {
266193 getDeclaringType ( ) instanceof JxltEngineExpression and
267194 hasName ( "prepare" )
@@ -271,7 +198,7 @@ private class JxltEngineExpressionPrepareMethod extends Method {
271198/**
272199 * A method in the `JxltEngine.Template` class that evaluates a template.
273200 */
274- private class JxltEngineTemplateEvaluateMethod extends Method {
201+ private class JxltEngineTemplateEvaluateMethod extends DirectJexlEvaluationMethod {
275202 JxltEngineTemplateEvaluateMethod ( ) {
276203 getDeclaringType ( ) instanceof JxltEngineTemplate and
277204 hasName ( "evaluate" )
@@ -281,7 +208,7 @@ private class JxltEngineTemplateEvaluateMethod extends Method {
281208/**
282209 * A method in the `UnifiedJEXL.Expression` class that evaluates a template.
283210 */
284- private class UnifiedJexlExpressionEvaluateMethod extends Method {
211+ private class UnifiedJexlExpressionEvaluateMethod extends DirectJexlEvaluationMethod {
285212 UnifiedJexlExpressionEvaluateMethod ( ) {
286213 getDeclaringType ( ) instanceof UnifiedJexlExpression and
287214 hasName ( "evaluate" )
@@ -291,7 +218,7 @@ private class UnifiedJexlExpressionEvaluateMethod extends Method {
291218/**
292219 * A method in the `UnifiedJEXL.Expression` class that evaluates the immediate sub-expressions.
293220 */
294- private class UnifiedJexlExpressionPrepareMethod extends Method {
221+ private class UnifiedJexlExpressionPrepareMethod extends DirectJexlEvaluationMethod {
295222 UnifiedJexlExpressionPrepareMethod ( ) {
296223 getDeclaringType ( ) instanceof UnifiedJexlExpression and
297224 hasName ( "prepare" )
@@ -301,13 +228,23 @@ private class UnifiedJexlExpressionPrepareMethod extends Method {
301228/**
302229 * A method in the `UnifiedJEXL.Template` class that evaluates a template.
303230 */
304- private class UnifiedJexlTemplateEvaluateMethod extends Method {
231+ private class UnifiedJexlTemplateEvaluateMethod extends DirectJexlEvaluationMethod {
305232 UnifiedJexlTemplateEvaluateMethod ( ) {
306233 getDeclaringType ( ) instanceof UnifiedJexlTemplate and
307234 hasName ( "evaluate" )
308235 }
309236}
310237
238+ /**
239+ * A method in the `Callable` class that executes the `Callable`.
240+ */
241+ private class CallableCallMethod extends Method {
242+ CallableCallMethod ( ) {
243+ getDeclaringType ( ) instanceof CallableInterface and
244+ hasName ( "call" )
245+ }
246+ }
247+
311248private class JexlExpression extends RefType {
312249 JexlExpression ( ) {
313250 hasQualifiedName ( "org.apache.commons.jexl3" , "JexlExpression" ) or