Merge pull request #9659 from smowton/smowton/admin/invert-java-log-injection-query

Java: Report log-injection at the source rather than the sink
2026-04-28 18:25:24 +02:00 · 2022-06-22 14:27:50 +01:00
parent d13d4c6cd1 1f9f6d7c33
commit 00b4070866
2 changed files with 6 additions and 2 deletions
--- a/java/ql/src/Security/CWE/CWE-117/LogInjection.ql
+++ b/java/ql/src/Security/CWE/CWE-117/LogInjection.ql
@@ -17,5 +17,5 @@ import DataFlow::PathGraph

 from LogInjectionConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "This $@ flows to a log entry.", source.getNode(),
-  "user-provided value"
+select source.getNode(), source, sink, "This user-provided value flows to a $@.", sink.getNode(),
+  "log entry"
--- a/java/ql/src/change-notes/2022-06-22-log-injection-location.md
+++ b/java/ql/src/change-notes/2022-06-22-log-injection-location.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `java/log-injection` now reports problems at the source (user-controlled data) instead of at the ultimate logging call. This was changed because user functions that wrap the ultimate logging call could result in most alerts being reported in an uninformative location.