Java: create UrlDecodeMethod

2026-02-27 20:33:42 +01:00 · 2024-03-10 15:54:11 -04:00
parent d220b3a298
commit 052452b186
2 changed files with 15 additions and 5 deletions
--- a/java/ql/lib/semmle/code/java/frameworks/Networking.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/Networking.qll
@@ -24,6 +24,11 @@ class TypeUrl extends RefType {
  TypeUrl() { this.hasQualifiedName("java.net", "URL") }
 }

+/** The type `java.net.URLDecoder`. */
+class TypeUrlDecoder extends RefType {
+  TypeUrlDecoder() { this.hasQualifiedName("java.net", "URLDecoder") }
+}
+
 /** The type `java.net.URI`. */
 class TypeUri extends RefType {
  TypeUri() { this.hasQualifiedName("java.net", "URI") }
@@ -157,6 +162,14 @@ class UrlOpenConnectionMethod extends Method {
  }
 }

+/** The method `java.net.URLDecoder::decode`. */
+class UrlDecodeMethod extends Method {
+  UrlDecodeMethod() {
+    this.getDeclaringType() instanceof TypeUrlDecoder and
+    this.getName() = "decode"
+  }
+}
+
 /** The method `javax.net.SocketFactory::createSocket`. */
 class CreateSocketMethod extends Method {
  CreateSocketMethod() {
--- a/java/ql/lib/semmle/code/java/security/UrlForward.qll
+++ b/java/ql/lib/semmle/code/java/security/UrlForward.qll
@@ -41,8 +41,6 @@ abstract class UrlForwardBarrier extends DataFlow::Node { }

 private class PrimitiveBarrier extends UrlForwardBarrier instanceof SimpleTypeSanitizer { }

-// TODO: should this also take URL encoding/decoding into account?
-// TODO: and PathSanitization in general?
 private class FollowsBarrierPrefix extends UrlForwardBarrier {
  FollowsBarrierPrefix() { this.asExpr() = any(BarrierPrefix fp).getAnAppendedExpression() }
 }
@@ -58,9 +56,8 @@ private class BarrierPrefix extends InterestingPrefix {

 private class UrlPathBarrier extends UrlForwardBarrier instanceof PathInjectionSanitizer {
  UrlPathBarrier() {
-    this instanceof ExactPathMatchSanitizer //TODO: still need a better solution for this edge case...
+    this instanceof ExactPathMatchSanitizer
    or
-    // TODO: these don't enforce order of checks and PathSanitization... make bypass test cases.
    this instanceof NoEncodingBarrier
    or
    this instanceof FullyDecodesBarrier
@@ -71,7 +68,7 @@ abstract class UrlDecodeCall extends MethodCall { }

 private class DefaultUrlDecodeCall extends UrlDecodeCall {
  DefaultUrlDecodeCall() {
-    this.getMethod().hasQualifiedName("java.net", "URLDecoder", "decode") or // TODO: reuse existing class? Or make this a class?
+    this.getMethod() instanceof UrlDecodeMethod or
    this.getMethod().hasQualifiedName("org.eclipse.jetty.util.URIUtil", "URIUtil", "decodePath")
  }
 }