hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-27 09:45:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Adjust review findings

Browse Source
This commit is contained in:
Tamas Vajk
2021-09-16 09:42:38 +02:00
parent abe6c90829
commit 05dd3fa0e7
1 changed files with 5 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
csharp/ql/lib/semmle/code/csharp/frameworks/ServiceStack.qll
View File

@@ -12,7 +12,7 @@ private import semmle.code.csharp.dataflow.ExternalFlow
private class ServiceClass extends Class {
ServiceClass() {
this.getBaseClass+().hasQualifiedName("ServiceStack", "Service") or
this.getABaseInterface+().hasQualifiedName("ServiceStack", "IService")
this.getABaseType*().getABaseInterface().hasQualifiedName("ServiceStack", "IService")
}
/** Get a method that handles incoming requests */
@@ -26,7 +26,9 @@ private class ServiceClass extends Class {
/** Top-level Request DTO types */
private class RequestDTO extends Class {
RequestDTO() { this.getABaseInterface+().hasQualifiedName("ServiceStack", "IReturn") }
RequestDTO() {
this.getABaseType*().getABaseInterface().hasQualifiedName("ServiceStack", "IReturn")
}
}
/** Flow sources for the ServiceStack framework */
@@ -308,14 +310,7 @@ module XSS {
exists(ServiceClass service, Method m, Expr e |
service.getARequestMethod() = m and
this.asExpr() = e and
(
exists(ReturnStmt r |
e = r.getExpr() and
r.getEnclosingCallable() = m
)
or
e = m.getExpressionBody()
) and
m.canReturn(e) and
(
e.getType() instanceof StringType or
e.getType().hasQualifiedName("ServiceStack", "HttpResult")