Use LocalUserInput when looking for JEXL injections

artem-smotrakov · artem-smotrakov · commit ee6d28b5625b · 2021-01-21T22:46:18.000+01:00
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll
@@ -13,8 +13,7 @@ class JexlInjectionConfig extends TaintTracking::Configuration {
   override predicate isSource(DataFlow::Node source) {
     source instanceof TaintedSpringRequestBody or
     source instanceof RemoteFlowSource or
-    source instanceof UserInput or
-    source instanceof EnvInput
+    source instanceof LocalUserInput
   }
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink }

Original file line number	Diff line number	Diff line change
`@@ -13,8 +13,7 @@ class JexlInjectionConfig extends TaintTracking::Configuration {`
`13`	`13`	`override predicate isSource(DataFlow::Node source) {`
`14`	`14`	`source instanceof TaintedSpringRequestBody or`
`15`	`15`	`source instanceof RemoteFlowSource or`
`16`		`- source instanceof UserInput or`
`17`		`- source instanceof EnvInput`
	`16`	`+ source instanceof LocalUserInput`
`18`	`17`	`}`
`19`	`18`
`20`	`19`	`override predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink }`