Change the class name and comment,Use .(CompileTimeConstantExpr).getStringValue()

haby0 · haby0 · commit be39883166a4 · 2021-04-13T14:10:10.000+08:00
diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonStringLib.qll b/java/ql/src/experimental/Security/CWE/CWE-352/JsonStringLib.qll
@@ -4,10 +4,15 @@ import semmle.code.java.dataflow.FlowSources
 import DataFlow::PathGraph
 
 /** Json string type data. */
-abstract class JsonpStringSource extends DataFlow::Node { }
+abstract class JsonStringSource extends DataFlow::Node { }
 
-/** Convert to String using Gson library. */
-private class GsonString extends JsonpStringSource {
+/**
+ * Convert to String using Gson library. *
+ *
+ * For example, in the method access `Gson.toJson(...)`,
+ * the `Object` type data is converted to the `String` type data.
+ */
+private class GsonString extends JsonStringSource {
   GsonString() {
     exists(MethodAccess ma, Method m | ma.getMethod() = m |
       m.hasName("toJson") and
@@ -17,8 +22,13 @@ private class GsonString extends JsonpStringSource {
   }
 }
 
-/** Convert to String using Fastjson library. */
-private class FastjsonString extends JsonpStringSource {
+/**
+ * Convert to String using Fastjson library.
+ *
+ * For example, in the method access `JSON.toJSONString(...)`,
+ * the `Object` type data is converted to the `String` type data.
+ */
+private class FastjsonString extends JsonStringSource {
   FastjsonString() {
     exists(MethodAccess ma, Method m | ma.getMethod() = m |
       m.hasName("toJSONString") and
@@ -28,8 +38,13 @@ private class FastjsonString extends JsonpStringSource {
   }
 }
 
-/** Convert to String using Jackson library. */
-private class JacksonString extends JsonpStringSource {
+/**
+ * Convert to String using Jackson library.
+ *
+ * For example, in the method access `ObjectMapper.writeValueAsString(...)`,
+ * the `Object` type data is converted to the `String` type data.
+ */
+private class JacksonString extends JsonStringSource {
   JacksonString() {
     exists(MethodAccess ma, Method m | ma.getMethod() = m |
       m.hasName("writeValueAsString") and
diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
@@ -69,4 +69,4 @@ where
   conf.hasFlowPath(source, sink) and
   exists(JsonpInjectionFlowConfig jhfc | jhfc.hasFlowTo(sink.getNode()))
 select sink.getNode(), source, sink, "Jsonp response might include code from $@.", source.getNode(),
-  "this user input"
+  "this user input"
diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
@@ -86,17 +86,21 @@ class SpringControllerRequestMappingGetMethod extends SpringControllerGetMethod
   }
 }
 
-/** A concatenate expression using `(` and `)` or `);`. */
+/**
+ * A concatenate expression using `(` and `)` or `);`.
+ *
+ * E.g: `functionName + "(" + json + ")"` or `functionName + "(" + json + ");"`
+ */
 class JsonpBuilderExpr extends AddExpr {
   JsonpBuilderExpr() {
-    getRightOperand().toString().regexpMatch("\"\\);?\"") and
+    getRightOperand().(CompileTimeConstantExpr).getStringValue().regexpMatch("\\);?") and
     getLeftOperand()
         .(AddExpr)
         .getLeftOperand()
         .(AddExpr)
         .getRightOperand()
-        .toString()
-        .regexpMatch("\"\\(\"")
+        .(CompileTimeConstantExpr)
+        .getStringValue() = "("
   }
 
   /** Get the jsonp function name of this expression. */
@@ -123,7 +127,7 @@ class RemoteFlowConfig extends DataFlow2::Configuration {
 class JsonDataFlowConfig extends DataFlow2::Configuration {
   JsonDataFlowConfig() { this = "JsonDataFlowConfig" }
 
-  override predicate isSource(DataFlow::Node src) { src instanceof JsonpStringSource }
+  override predicate isSource(DataFlow::Node src) { src instanceof JsonStringSource }
 
   override predicate isSink(DataFlow::Node sink) {
     exists(JsonpBuilderExpr jhe | jhe.getJsonExpr() = sink.asExpr())
