Java: Convert SpringWebRequestGetMethod to CSV based flow source
1 parent 09bcf87 commit b05a904

2 files changed

Lines changed: 11 additions & 18 deletions


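--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -119,7 +119,17 @@ private predicate sourceModelCsv(string row) {
 "javax.servlet.http;HttpServletRequest;false;getPathInfo;();;ReturnValue;remote",
 "javax.servlet.http;HttpServletRequest;false;getRequestURI;();;ReturnValue;remote",
 "javax.servlet.http;HttpServletRequest;false;getRequestURL;();;ReturnValue;remote",
-"javax.servlet.http;HttpServletRequest;false;getRemoteUser;();;ReturnValue;remote"
+"javax.servlet.http;HttpServletRequest;false;getRemoteUser;();;ReturnValue;remote",
+// SpringWebRequestGetMethod
+"org.springframework.web.context.request;WebRequest;false;getDescription;;;ReturnValue;remote",
+"org.springframework.web.context.request;WebRequest;false;getHeader;;;ReturnValue;remote",
+"org.springframework.web.context.request;WebRequest;false;getHeaderNames;;;ReturnValue;remote",
+"org.springframework.web.context.request;WebRequest;false;getHeaderValues;;;ReturnValue;remote",
+"org.springframework.web.context.request;WebRequest;false;getParameter;;;ReturnValue;remote",
+"org.springframework.web.context.request;WebRequest;false;getParameterMap;;;ReturnValue;remote",
+"org.springframework.web.context.request;WebRequest;false;getParameterNames;;;ReturnValue;remote",
+"org.springframework.web.context.request;WebRequest;false;getParameterValues;;;ReturnValue;remote"
+// TODO consider org.springframework.web.context.request.WebRequest.getRemoteUser
 ]
 }
 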
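Review bot: The new WebRequest rows leave the signature column empty (`getHeader;;;ReturnValue;remote`) while the neighbouring HttpServletRequest rows pin `();`, and nothing in the hunk says why. The difference appears deliberate — the removed SpringWebRequestGetMethod class matched by `hasName` alone, so every overload was a source, and an empty signature column presumably keeps that coverage — but a reader tidying the table could "fix" it to `()` and silently drop the parameterised overloads such as `getHeader(String)` from the remote-source set. Suggest a comment above the block, e.g. `// Signature column left empty on purpose: match every overload, as the removed name-only SpringWebRequestGetMethod did`. The `sourceModelCsv` predicate begins outside the hunk.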
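--- a/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
+++ b/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
@@ -215,7 +215,6 @@ class DatabaseInput extends LocalUserInput {
 private class RemoteTaintedMethod extends Method {
 RemoteTaintedMethod() {
 this instanceof PlayRequestGetMethod or
-this instanceof SpringWebRequestGetMethod or
 this instanceof SpringRestTemplateResponseEntityMethod or
 this instanceof ServletRequestGetBodyMethod or
 this instanceof CookieGetValueMethod or
@@ -239,22 +238,6 @@ private class PlayRequestGetMethod extends Method {
 }
 }
 
-private class SpringWebRequestGetMethod extends Method {
-SpringWebRequestGetMethod() {
-exists(SpringWebRequest swr | this = swr.getAMethod() |
-this.hasName("getDescription") or
-this.hasName("getHeader") or
-this.hasName("getHeaderNames") or
-this.hasName("getHeaderValues") or
-this.hasName("getParameter") or
-this.hasName("getParameterMap") or
-this.hasName("getParameterNames") or
-this.hasName("getParameterValues")
-// TODO consider getRemoteUser
-)
-}
-}
-
 /** A method that reads from the environment, such as `System.getProperty` or `System.getenv`. */
 class EnvReadMethod extends Method {
 EnvReadMethod() {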