update VerificationMethodFlowConfig, add if test

haby0
2021-03-29 12:02:37 +08:00
parent 3df23eecb6
commit 0775d35591
10 changed files with 362 additions and 293 deletions


@@ -26,9 +26,6 @@ public class JsonpInjection {
hashMap.put("password","123456");
}
private String name = null;
@GetMapping(value = "jsonp1")
@ResponseBody
public String bad1(HttpServletRequest request) {
@@ -77,7 +74,6 @@ public class JsonpInjection {
PrintWriter pw = null;
Gson gson = new Gson();
String result = gson.toJson(hashMap);
String resultStr = null;
pw = response.getWriter();
resultStr = jsonpCallback + "(" + result + ")";
@@ -109,13 +105,25 @@ public class JsonpInjection {
return resultStr;
}
@GetMapping(value = "jsonp8")
@ResponseBody
public String bad8(HttpServletRequest request) {
String resultStr = null;
String token = request.getParameter("token");
boolean result = verifToken(token); //Just check.
String jsonpCallback = request.getParameter("jsonpCallback");
String jsonStr = getJsonStr(hashMap);
resultStr = jsonpCallback + "(" + jsonStr + ")";
return resultStr;
}
@GetMapping(value = "jsonp9")
@ResponseBody
public String good1(HttpServletRequest request) {
String resultStr = null;
String token = request.getParameter("token");
if (verifToken(token)){
String referer = request.getParameter("referer");
if (verifReferer(referer)){
String jsonpCallback = request.getParameter("jsonpCallback");
String jsonStr = getJsonStr(hashMap);
resultStr = jsonpCallback + "(" + jsonStr + ")";
@@ -125,7 +133,7 @@ public class JsonpInjection {
}
@GetMapping(value = "jsonp9")
@GetMapping(value = "jsonp10")
@ResponseBody
public String good2(HttpServletRequest request) {
String resultStr = null;
@@ -140,7 +148,7 @@ public class JsonpInjection {
return resultStr;
}
@RequestMapping(value = "jsonp10")
@RequestMapping(value = "jsonp11")
@ResponseBody
public String good3(HttpServletRequest request) {
JSONObject parameterObj = readToJSONObect(request);
@@ -151,7 +159,7 @@ public class JsonpInjection {
return resultStr;
}
@RequestMapping(value = "jsonp11")
@RequestMapping(value = "jsonp12")
@ResponseBody
public String good4(@RequestParam("file") MultipartFile file,HttpServletRequest request) {
if(null == file){
@@ -200,4 +208,11 @@ public class JsonpInjection {
}
return true;
}
public static boolean verifReferer(String str){
if (str != "xxxx"){
return false;
}
return true;
}
}
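Review bot: `verifReferer` compares strings with `!=`, which tests object identity rather than content, so the check called from `good1` never looks at the value the client sent. A parameter string built at runtime is not the same object as the literal, so the method returns false for every request and the good case never reaches its response branch; use `if (!"xxxx".equals(str)) { return false; }`. Separately, `good1` reads the value with `request.getParameter("referer")`, which is chosen by whoever builds the URL, so `request.getHeader("Referer")` would model a referer check more faithfully. The same added lines appear in both JsonpController.java sections later in this commit. The body of `good1` continues outside the hunk.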


@@ -14,7 +14,7 @@ When there is a cross-domain problem, the problem of sensitive information leaka
</recommendation>
<example>
<p>The following examples show the bad case and the good case respectively. Bad case, such as <code>bad1</code> to <code>bad7</code>,
<p>The following examples show the bad case and the good case respectively. Bad case, such as <code>bad1</code> to <code>bad8</code>,
will cause information leakage problems when there are cross-domain problems. In a good case, for example, in the <code>good1</code>
method and the <code>good2</code> method, use the <code>verifToken</code> method to do the random <code>token</code> Verification can
solve the problem of information leakage caused by cross-domain.</p>


@@ -18,20 +18,18 @@ import DataFlow::PathGraph
/** Determine whether there is a verification method for the remote streaming source data flow path method. */
predicate existsFilterVerificationMethod() {
exists(MethodAccess ma, Node existsNode, Method m |
ma.getMethod() instanceof VerificationMethodClass and
existsNode.asExpr() = ma and
m = getACallingCallableOrSelf(existsNode.getEnclosingCallable()) and
exists(DataFlow::Node source, DataFlow::Node sink, VerificationMethodFlowConfig vmfc, Method m |
vmfc.hasFlow(source, sink) and
m = getACallingCallableOrSelf(source.getEnclosingCallable()) and
isDoFilterMethod(m)
)
}
/** Determine whether there is a verification method for the remote streaming source data flow path method. */
predicate existsServletVerificationMethod(Node checkNode) {
exists(MethodAccess ma, Node existsNode |
ma.getMethod() instanceof VerificationMethodClass and
existsNode.asExpr() = ma and
getACallingCallableOrSelf(existsNode.getEnclosingCallable()) =
exists(DataFlow::Node source, DataFlow::Node sink, VerificationMethodFlowConfig vmfc |
vmfc.hasFlow(source, sink) and
getACallingCallableOrSelf(source.getEnclosingCallable()) =
getACallingCallableOrSelf(checkNode.getEnclosingCallable())
)
}
@@ -40,13 +38,14 @@ predicate existsServletVerificationMethod(Node checkNode) {
class RequestResponseFlowConfig extends TaintTracking::Configuration {
RequestResponseFlowConfig() { this = "RequestResponseFlowConfig" }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSource(DataFlow::Node source) {
source instanceof RemoteFlowSource and
getACallingCallableOrSelf(source.getEnclosingCallable()) instanceof RequestGetMethod
}
override predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
/** Eliminate the method of calling the node is not the get method. */
override predicate isSanitizer(DataFlow::Node node) {
not getACallingCallableOrSelf(node.getEnclosingCallable()) instanceof RequestGetMethod
override predicate isSink(DataFlow::Node sink) {
sink instanceof XssSink and
getACallingCallableOrSelf(sink.getEnclosingCallable()) instanceof RequestGetMethod
}
override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
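Review bot: Both `existsFilterVerificationMethod` and `existsServletVerificationMethod` now key on `source.getEnclosingCallable()`, the callable where the remote value is read, rather than the callable holding the verification call that `vmfc` reaches as its sink. When a request value is read in one method and handed to a verifier elsewhere, the match is decided by where the read happened; if the intent is "a check exists on this call chain", `getACallingCallableOrSelf(sink.getEnclosingCallable())` ties it to the check itself. The two predicates also carry the identical QLDoc sentence, so the second could read `/** Holds if a verified remote value shares a calling callable with checkNode. */`. The `isAdditionalTaintStep` override at the end of this section continues outside the hunk.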


@@ -3,30 +3,47 @@ import DataFlow
import JsonStringLib
import semmle.code.java.security.XSS
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.DataFlow3
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.frameworks.spring.SpringController
/** A data flow configuration is tracing flow from the access to the authentication method of token/auth/referer/origin to if condition. */
class VerificationMethodToIfFlowConfig extends DataFlow3::Configuration {
VerificationMethodToIfFlowConfig() { this = "VerificationMethodToIfFlowConfig" }
override predicate isSource(DataFlow::Node src) {
exists(MethodAccess ma, BarrierGuard bg | ma = bg |
(
ma.getMethod().getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
or
ma.getMethod().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
) and
ma = src.asExpr()
)
}
override predicate isSink(DataFlow::Node sink) {
exists(IfStmt is | is.getCondition() = sink.asExpr())
}
}
/** Taint-tracking configuration tracing flow from untrusted inputs to verification of remote user input. */
class VerificationMethodFlowConfig extends TaintTracking::Configuration {
class VerificationMethodFlowConfig extends TaintTracking2::Configuration {
VerificationMethodFlowConfig() { this = "VerificationMethodFlowConfig" }
override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) {
exists(MethodAccess ma |
ma.getMethod().getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*") and
ma.getAnArgument() = sink.asExpr()
)
}
}
/** The parameter names of this method are token/auth/referer/origin. */
class VerificationMethodClass extends Method {
VerificationMethodClass() {
exists(MethodAccess ma, VerificationMethodFlowConfig vmfc, Node node |
this = ma.getMethod() and
node.asExpr() = ma.getAnArgument() and
vmfc.hasFlowTo(node)
exists(MethodAccess ma, BarrierGuard bg, int i, VerificationMethodToIfFlowConfig vmtifc |
ma = bg
|
(
ma.getMethod().getParameter(i).getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
or
ma.getMethod().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
) and
ma.getArgument(i) = sink.asExpr() and
vmtifc.hasFlow(exprNode(ma), _)
)
}
}
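Review bot: `VerificationMethodToIfFlowConfig.isSink` accepts any `IfStmt` whose condition receives the verification result, but nothing visible here requires the response write to sit inside the branch that the check guards. A handler that tests the token in an `if` and then writes the JSONP response unconditionally would appear to count as verified and drop out of the results, which is a false negative for a security query; relating the guard to the flagged sink would close that gap. A condition such as `if (!verifToken(token))` may also be missed, since the condition expression is then the negation rather than the call, so a test case for the early-return form is worth adding. The name pattern `(?i).*(token|auth|referer|origin).*` also matches unrelated names such as `getAuthor`; a comment like `// heuristic: name-based match, may treat unrelated guarded calls as verification` would record that limitation.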


@@ -26,9 +26,6 @@ public class JsonpController {
hashMap.put("password","123456");
}
private String name = null;
@GetMapping(value = "jsonp1")
@ResponseBody
public String bad1(HttpServletRequest request) {
@@ -77,7 +74,6 @@ public class JsonpController {
PrintWriter pw = null;
Gson gson = new Gson();
String result = gson.toJson(hashMap);
String resultStr = null;
pw = response.getWriter();
resultStr = jsonpCallback + "(" + result + ")";
@@ -109,13 +105,25 @@ public class JsonpController {
return resultStr;
}
@GetMapping(value = "jsonp8")
@ResponseBody
public String bad8(HttpServletRequest request) {
String resultStr = null;
String token = request.getParameter("token");
boolean result = verifToken(token); //Just check.
String jsonpCallback = request.getParameter("jsonpCallback");
String jsonStr = getJsonStr(hashMap);
resultStr = jsonpCallback + "(" + jsonStr + ")";
return resultStr;
}
@GetMapping(value = "jsonp9")
@ResponseBody
public String good1(HttpServletRequest request) {
String resultStr = null;
String token = request.getParameter("token");
if (verifToken(token)){
String referer = request.getParameter("referer");
if (verifReferer(referer)){
String jsonpCallback = request.getParameter("jsonpCallback");
String jsonStr = getJsonStr(hashMap);
resultStr = jsonpCallback + "(" + jsonStr + ")";
@@ -125,7 +133,7 @@ public class JsonpController {
}
@GetMapping(value = "jsonp9")
@GetMapping(value = "jsonp10")
@ResponseBody
public String good2(HttpServletRequest request) {
String resultStr = null;
@@ -140,7 +148,7 @@ public class JsonpController {
return resultStr;
}
@RequestMapping(value = "jsonp10")
@RequestMapping(value = "jsonp11")
@ResponseBody
public String good3(HttpServletRequest request) {
JSONObject parameterObj = readToJSONObect(request);
@@ -151,7 +159,7 @@ public class JsonpController {
return resultStr;
}
@RequestMapping(value = "jsonp11")
@RequestMapping(value = "jsonp12")
@ResponseBody
public String good4(@RequestParam("file") MultipartFile file,HttpServletRequest request) {
if(null == file){
@@ -200,4 +208,11 @@ public class JsonpController {
}
return true;
}
public static boolean verifReferer(String str){
if (str != "xxxx"){
return false;
}
return true;
}
}


@@ -1,80 +1,76 @@
edges
| JsonpController.java:36:32:36:68 | getParameter(...) : String | JsonpController.java:40:16:40:24 | resultStr |
| JsonpController.java:39:21:39:54 | ... + ... : String | JsonpController.java:40:16:40:24 | resultStr |
| JsonpController.java:47:32:47:68 | getParameter(...) : String | JsonpController.java:49:16:49:24 | resultStr |
| JsonpController.java:48:21:48:80 | ... + ... : String | JsonpController.java:49:16:49:24 | resultStr |
| JsonpController.java:56:32:56:68 | getParameter(...) : String | JsonpController.java:59:16:59:24 | resultStr |
| JsonpController.java:58:21:58:55 | ... + ... : String | JsonpController.java:59:16:59:24 | resultStr |
| JsonpController.java:66:32:66:68 | getParameter(...) : String | JsonpController.java:69:16:69:24 | resultStr |
| JsonpController.java:68:21:68:54 | ... + ... : String | JsonpController.java:69:16:69:24 | resultStr |
| JsonpController.java:76:32:76:68 | getParameter(...) : String | JsonpController.java:84:20:84:28 | resultStr |
| JsonpController.java:83:21:83:54 | ... + ... : String | JsonpController.java:84:20:84:28 | resultStr |
| JsonpController.java:91:32:91:68 | getParameter(...) : String | JsonpController.java:98:20:98:28 | resultStr |
| JsonpController.java:97:21:97:54 | ... + ... : String | JsonpController.java:98:20:98:28 | resultStr |
| JsonpController.java:105:32:105:68 | getParameter(...) : String | JsonpController.java:109:16:109:24 | resultStr |
| JsonpController.java:108:21:108:54 | ... + ... : String | JsonpController.java:109:16:109:24 | resultStr |
| JsonpController.java:117:24:117:52 | getParameter(...) : String | JsonpController.java:118:24:118:28 | token |
| JsonpController.java:119:36:119:72 | getParameter(...) : String | JsonpController.java:122:20:122:28 | resultStr |
| JsonpController.java:121:25:121:59 | ... + ... : String | JsonpController.java:122:20:122:28 | resultStr |
| JsonpController.java:132:24:132:52 | getParameter(...) : String | JsonpController.java:133:37:133:41 | token |
| JsonpController.java:137:32:137:68 | getParameter(...) : String | JsonpController.java:140:16:140:24 | resultStr |
| JsonpController.java:139:21:139:55 | ... + ... : String | JsonpController.java:140:16:140:24 | resultStr |
| JsonpController.java:150:21:150:54 | ... + ... : String | JsonpController.java:151:16:151:24 | resultStr |
| JsonpController.java:165:21:165:54 | ... + ... : String | JsonpController.java:166:16:166:24 | resultStr |
| JsonpController.java:33:32:33:68 | getParameter(...) : String | JsonpController.java:37:16:37:24 | resultStr |
| JsonpController.java:36:21:36:54 | ... + ... : String | JsonpController.java:37:16:37:24 | resultStr |
| JsonpController.java:44:32:44:68 | getParameter(...) : String | JsonpController.java:46:16:46:24 | resultStr |
| JsonpController.java:45:21:45:80 | ... + ... : String | JsonpController.java:46:16:46:24 | resultStr |
| JsonpController.java:53:32:53:68 | getParameter(...) : String | JsonpController.java:56:16:56:24 | resultStr |
| JsonpController.java:55:21:55:55 | ... + ... : String | JsonpController.java:56:16:56:24 | resultStr |
| JsonpController.java:63:32:63:68 | getParameter(...) : String | JsonpController.java:66:16:66:24 | resultStr |
| JsonpController.java:65:21:65:54 | ... + ... : String | JsonpController.java:66:16:66:24 | resultStr |
| JsonpController.java:73:32:73:68 | getParameter(...) : String | JsonpController.java:80:20:80:28 | resultStr |
| JsonpController.java:79:21:79:54 | ... + ... : String | JsonpController.java:80:20:80:28 | resultStr |
| JsonpController.java:87:32:87:68 | getParameter(...) : String | JsonpController.java:94:20:94:28 | resultStr |
| JsonpController.java:93:21:93:54 | ... + ... : String | JsonpController.java:94:20:94:28 | resultStr |
| JsonpController.java:101:32:101:68 | getParameter(...) : String | JsonpController.java:105:16:105:24 | resultStr |
| JsonpController.java:104:21:104:54 | ... + ... : String | JsonpController.java:105:16:105:24 | resultStr |
| JsonpController.java:114:32:114:68 | getParameter(...) : String | JsonpController.java:117:16:117:24 | resultStr |
| JsonpController.java:116:21:116:55 | ... + ... : String | JsonpController.java:117:16:117:24 | resultStr |
| JsonpController.java:127:36:127:72 | getParameter(...) : String | JsonpController.java:130:20:130:28 | resultStr |
| JsonpController.java:129:25:129:59 | ... + ... : String | JsonpController.java:130:20:130:28 | resultStr |
| JsonpController.java:145:32:145:68 | getParameter(...) : String | JsonpController.java:148:16:148:24 | resultStr |
| JsonpController.java:147:21:147:55 | ... + ... : String | JsonpController.java:148:16:148:24 | resultStr |
| JsonpController.java:158:21:158:54 | ... + ... : String | JsonpController.java:159:16:159:24 | resultStr |
| JsonpController.java:173:21:173:54 | ... + ... : String | JsonpController.java:174:16:174:24 | resultStr |
| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
| JsonpInjectionServlet1.java:36:26:36:49 | getHeader(...) : String | JsonpInjectionServlet1.java:38:39:38:45 | referer |
| JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
| JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
| JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
| RefererFilter.java:22:26:22:53 | getHeader(...) : String | RefererFilter.java:23:39:23:45 | refefer |
nodes
| JsonpController.java:36:32:36:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:39:21:39:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:40:16:40:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:40:16:40:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:47:32:47:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:48:21:48:80 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:49:16:49:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:49:16:49:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:56:32:56:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:58:21:58:55 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:59:16:59:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:59:16:59:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:66:32:66:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:68:21:68:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:69:16:69:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:69:16:69:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:76:32:76:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:83:21:83:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:84:20:84:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:84:20:84:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:91:32:91:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:97:21:97:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:98:20:98:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:98:20:98:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:105:32:105:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:108:21:108:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:109:16:109:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:109:16:109:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:117:24:117:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:118:24:118:28 | token | semmle.label | token |
| JsonpController.java:119:36:119:72 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:121:25:121:59 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:122:20:122:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:122:20:122:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:132:24:132:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:133:37:133:41 | token | semmle.label | token |
| JsonpController.java:137:32:137:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:139:21:139:55 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:140:16:140:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:140:16:140:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:150:21:150:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:151:16:151:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:165:21:165:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:166:16:166:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:33:32:33:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:36:21:36:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:37:16:37:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:37:16:37:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:44:32:44:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:45:21:45:80 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:46:16:46:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:46:16:46:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:53:32:53:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:55:21:55:55 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:56:16:56:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:56:16:56:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:63:32:63:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:65:21:65:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:66:16:66:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:66:16:66:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:73:32:73:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:79:21:79:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:80:20:80:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:80:20:80:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:87:32:87:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:93:21:93:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:94:20:94:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:94:20:94:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:101:32:101:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:104:21:104:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:105:16:105:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:105:16:105:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:114:32:114:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:116:21:116:55 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:117:16:117:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:117:16:117:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:127:36:127:72 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:129:25:129:59 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:130:20:130:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:130:20:130:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:145:32:145:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:147:21:147:55 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:148:16:148:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:148:16:148:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:158:21:158:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:159:16:159:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:173:21:173:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:174:16:174:24 | resultStr | semmle.label | resultStr |
| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpInjectionServlet1.java:36:26:36:49 | getHeader(...) : String | semmle.label | getHeader(...) : String |
| JsonpInjectionServlet1.java:38:39:38:45 | referer | semmle.label | referer |
| JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
@@ -82,6 +78,4 @@ nodes
| JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
| RefererFilter.java:22:26:22:53 | getHeader(...) : String | semmle.label | getHeader(...) : String |
| RefererFilter.java:23:39:23:45 | refefer | semmle.label | refefer |
#select


@@ -26,9 +26,6 @@ public class JsonpController {
hashMap.put("password","123456");
}
private String name = null;
@GetMapping(value = "jsonp1")
@ResponseBody
public String bad1(HttpServletRequest request) {
@@ -77,7 +74,6 @@ public class JsonpController {
PrintWriter pw = null;
Gson gson = new Gson();
String result = gson.toJson(hashMap);
String resultStr = null;
pw = response.getWriter();
resultStr = jsonpCallback + "(" + result + ")";
@@ -109,13 +105,25 @@ public class JsonpController {
return resultStr;
}
@GetMapping(value = "jsonp8")
@ResponseBody
public String bad8(HttpServletRequest request) {
String resultStr = null;
String token = request.getParameter("token");
boolean result = verifToken(token); //Just check.
String jsonpCallback = request.getParameter("jsonpCallback");
String jsonStr = getJsonStr(hashMap);
resultStr = jsonpCallback + "(" + jsonStr + ")";
return resultStr;
}
@GetMapping(value = "jsonp9")
@ResponseBody
public String good1(HttpServletRequest request) {
String resultStr = null;
String token = request.getParameter("token");
if (verifToken(token)){
String referer = request.getParameter("referer");
if (verifReferer(referer)){
String jsonpCallback = request.getParameter("jsonpCallback");
String jsonStr = getJsonStr(hashMap);
resultStr = jsonpCallback + "(" + jsonStr + ")";
@@ -125,7 +133,7 @@ public class JsonpController {
}
@GetMapping(value = "jsonp9")
@GetMapping(value = "jsonp10")
@ResponseBody
public String good2(HttpServletRequest request) {
String resultStr = null;
@@ -140,7 +148,7 @@ public class JsonpController {
return resultStr;
}
@RequestMapping(value = "jsonp10")
@RequestMapping(value = "jsonp11")
@ResponseBody
public String good3(HttpServletRequest request) {
JSONObject parameterObj = readToJSONObect(request);
@@ -151,7 +159,7 @@ public class JsonpController {
return resultStr;
}
@RequestMapping(value = "jsonp11")
@RequestMapping(value = "jsonp12")
@ResponseBody
public String good4(@RequestParam("file") MultipartFile file,HttpServletRequest request) {
if(null == file){
@@ -200,4 +208,11 @@ public class JsonpController {
}
return true;
}
}
public static boolean verifReferer(String str){
if (str != "xxxx"){
return false;
}
return true;
}
}


@@ -1,76 +1,77 @@
edges
| JsonpController.java:36:32:36:68 | getParameter(...) : String | JsonpController.java:40:16:40:24 | resultStr |
| JsonpController.java:39:21:39:54 | ... + ... : String | JsonpController.java:40:16:40:24 | resultStr |
| JsonpController.java:47:32:47:68 | getParameter(...) : String | JsonpController.java:49:16:49:24 | resultStr |
| JsonpController.java:48:21:48:80 | ... + ... : String | JsonpController.java:49:16:49:24 | resultStr |
| JsonpController.java:56:32:56:68 | getParameter(...) : String | JsonpController.java:59:16:59:24 | resultStr |
| JsonpController.java:58:21:58:55 | ... + ... : String | JsonpController.java:59:16:59:24 | resultStr |
| JsonpController.java:66:32:66:68 | getParameter(...) : String | JsonpController.java:69:16:69:24 | resultStr |
| JsonpController.java:68:21:68:54 | ... + ... : String | JsonpController.java:69:16:69:24 | resultStr |
| JsonpController.java:76:32:76:68 | getParameter(...) : String | JsonpController.java:84:20:84:28 | resultStr |
| JsonpController.java:83:21:83:54 | ... + ... : String | JsonpController.java:84:20:84:28 | resultStr |
| JsonpController.java:91:32:91:68 | getParameter(...) : String | JsonpController.java:98:20:98:28 | resultStr |
| JsonpController.java:97:21:97:54 | ... + ... : String | JsonpController.java:98:20:98:28 | resultStr |
| JsonpController.java:105:32:105:68 | getParameter(...) : String | JsonpController.java:109:16:109:24 | resultStr |
| JsonpController.java:108:21:108:54 | ... + ... : String | JsonpController.java:109:16:109:24 | resultStr |
| JsonpController.java:117:24:117:52 | getParameter(...) : String | JsonpController.java:118:24:118:28 | token |
| JsonpController.java:119:36:119:72 | getParameter(...) : String | JsonpController.java:122:20:122:28 | resultStr |
| JsonpController.java:121:25:121:59 | ... + ... : String | JsonpController.java:122:20:122:28 | resultStr |
| JsonpController.java:132:24:132:52 | getParameter(...) : String | JsonpController.java:133:37:133:41 | token |
| JsonpController.java:137:32:137:68 | getParameter(...) : String | JsonpController.java:140:16:140:24 | resultStr |
| JsonpController.java:139:21:139:55 | ... + ... : String | JsonpController.java:140:16:140:24 | resultStr |
| JsonpController.java:150:21:150:54 | ... + ... : String | JsonpController.java:151:16:151:24 | resultStr |
| JsonpController.java:165:21:165:54 | ... + ... : String | JsonpController.java:166:16:166:24 | resultStr |
| JsonpController.java:33:32:33:68 | getParameter(...) : String | JsonpController.java:37:16:37:24 | resultStr |
| JsonpController.java:36:21:36:54 | ... + ... : String | JsonpController.java:37:16:37:24 | resultStr |
| JsonpController.java:44:32:44:68 | getParameter(...) : String | JsonpController.java:46:16:46:24 | resultStr |
| JsonpController.java:45:21:45:80 | ... + ... : String | JsonpController.java:46:16:46:24 | resultStr |
| JsonpController.java:53:32:53:68 | getParameter(...) : String | JsonpController.java:56:16:56:24 | resultStr |
| JsonpController.java:55:21:55:55 | ... + ... : String | JsonpController.java:56:16:56:24 | resultStr |
| JsonpController.java:63:32:63:68 | getParameter(...) : String | JsonpController.java:66:16:66:24 | resultStr |
| JsonpController.java:65:21:65:54 | ... + ... : String | JsonpController.java:66:16:66:24 | resultStr |
| JsonpController.java:73:32:73:68 | getParameter(...) : String | JsonpController.java:80:20:80:28 | resultStr |
| JsonpController.java:79:21:79:54 | ... + ... : String | JsonpController.java:80:20:80:28 | resultStr |
| JsonpController.java:87:32:87:68 | getParameter(...) : String | JsonpController.java:94:20:94:28 | resultStr |
| JsonpController.java:93:21:93:54 | ... + ... : String | JsonpController.java:94:20:94:28 | resultStr |
| JsonpController.java:101:32:101:68 | getParameter(...) : String | JsonpController.java:105:16:105:24 | resultStr |
| JsonpController.java:104:21:104:54 | ... + ... : String | JsonpController.java:105:16:105:24 | resultStr |
| JsonpController.java:114:32:114:68 | getParameter(...) : String | JsonpController.java:117:16:117:24 | resultStr |
| JsonpController.java:116:21:116:55 | ... + ... : String | JsonpController.java:117:16:117:24 | resultStr |
| JsonpController.java:127:36:127:72 | getParameter(...) : String | JsonpController.java:130:20:130:28 | resultStr |
| JsonpController.java:129:25:129:59 | ... + ... : String | JsonpController.java:130:20:130:28 | resultStr |
| JsonpController.java:145:32:145:68 | getParameter(...) : String | JsonpController.java:148:16:148:24 | resultStr |
| JsonpController.java:147:21:147:55 | ... + ... : String | JsonpController.java:148:16:148:24 | resultStr |
| JsonpController.java:158:21:158:54 | ... + ... : String | JsonpController.java:159:16:159:24 | resultStr |
| JsonpController.java:173:21:173:54 | ... + ... : String | JsonpController.java:174:16:174:24 | resultStr |
nodes
| JsonpController.java:36:32:36:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:39:21:39:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:40:16:40:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:40:16:40:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:47:32:47:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:48:21:48:80 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:49:16:49:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:49:16:49:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:56:32:56:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:58:21:58:55 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:59:16:59:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:59:16:59:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:66:32:66:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:68:21:68:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:69:16:69:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:69:16:69:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:76:32:76:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:83:21:83:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:84:20:84:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:84:20:84:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:91:32:91:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:97:21:97:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:98:20:98:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:98:20:98:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:105:32:105:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:108:21:108:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:109:16:109:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:109:16:109:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:117:24:117:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:118:24:118:28 | token | semmle.label | token |
| JsonpController.java:119:36:119:72 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:121:25:121:59 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:122:20:122:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:122:20:122:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:132:24:132:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:133:37:133:41 | token | semmle.label | token |
| JsonpController.java:137:32:137:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:139:21:139:55 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:140:16:140:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:140:16:140:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:150:21:150:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:151:16:151:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:165:21:165:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:166:16:166:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:33:32:33:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:36:21:36:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:37:16:37:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:37:16:37:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:44:32:44:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:45:21:45:80 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:46:16:46:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:46:16:46:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:53:32:53:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:55:21:55:55 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:56:16:56:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:56:16:56:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:63:32:63:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:65:21:65:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:66:16:66:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:66:16:66:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:73:32:73:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:79:21:79:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:80:20:80:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:80:20:80:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:87:32:87:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:93:21:93:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:94:20:94:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:94:20:94:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:101:32:101:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:104:21:104:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:105:16:105:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:105:16:105:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:114:32:114:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:116:21:116:55 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:117:16:117:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:117:16:117:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:127:36:127:72 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:129:25:129:59 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:130:20:130:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:130:20:130:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:145:32:145:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:147:21:147:55 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:148:16:148:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:148:16:148:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:158:21:158:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:159:16:159:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:173:21:173:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:174:16:174:24 | resultStr | semmle.label | resultStr |
#select
| JsonpController.java:40:16:40:24 | resultStr | JsonpController.java:36:32:36:68 | getParameter(...) : String | JsonpController.java:40:16:40:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:36:32:36:68 | getParameter(...) | this user input |
| JsonpController.java:49:16:49:24 | resultStr | JsonpController.java:47:32:47:68 | getParameter(...) : String | JsonpController.java:49:16:49:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:47:32:47:68 | getParameter(...) | this user input |
| JsonpController.java:59:16:59:24 | resultStr | JsonpController.java:56:32:56:68 | getParameter(...) : String | JsonpController.java:59:16:59:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:56:32:56:68 | getParameter(...) | this user input |
| JsonpController.java:69:16:69:24 | resultStr | JsonpController.java:66:32:66:68 | getParameter(...) : String | JsonpController.java:69:16:69:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:66:32:66:68 | getParameter(...) | this user input |
| JsonpController.java:84:20:84:28 | resultStr | JsonpController.java:76:32:76:68 | getParameter(...) : String | JsonpController.java:84:20:84:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:76:32:76:68 | getParameter(...) | this user input |
| JsonpController.java:98:20:98:28 | resultStr | JsonpController.java:91:32:91:68 | getParameter(...) : String | JsonpController.java:98:20:98:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:91:32:91:68 | getParameter(...) | this user input |
| JsonpController.java:109:16:109:24 | resultStr | JsonpController.java:105:32:105:68 | getParameter(...) : String | JsonpController.java:109:16:109:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:105:32:105:68 | getParameter(...) | this user input |
| JsonpController.java:37:16:37:24 | resultStr | JsonpController.java:33:32:33:68 | getParameter(...) : String | JsonpController.java:37:16:37:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:33:32:33:68 | getParameter(...) | this user input |
| JsonpController.java:46:16:46:24 | resultStr | JsonpController.java:44:32:44:68 | getParameter(...) : String | JsonpController.java:46:16:46:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:44:32:44:68 | getParameter(...) | this user input |
| JsonpController.java:56:16:56:24 | resultStr | JsonpController.java:53:32:53:68 | getParameter(...) : String | JsonpController.java:56:16:56:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:53:32:53:68 | getParameter(...) | this user input |
| JsonpController.java:66:16:66:24 | resultStr | JsonpController.java:63:32:63:68 | getParameter(...) : String | JsonpController.java:66:16:66:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:63:32:63:68 | getParameter(...) | this user input |
| JsonpController.java:80:20:80:28 | resultStr | JsonpController.java:73:32:73:68 | getParameter(...) : String | JsonpController.java:80:20:80:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:73:32:73:68 | getParameter(...) | this user input |
| JsonpController.java:94:20:94:28 | resultStr | JsonpController.java:87:32:87:68 | getParameter(...) : String | JsonpController.java:94:20:94:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:87:32:87:68 | getParameter(...) | this user input |
| JsonpController.java:105:16:105:24 | resultStr | JsonpController.java:101:32:101:68 | getParameter(...) : String | JsonpController.java:105:16:105:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:101:32:101:68 | getParameter(...) | this user input |
| JsonpController.java:117:16:117:24 | resultStr | JsonpController.java:114:32:114:68 | getParameter(...) : String | JsonpController.java:117:16:117:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:114:32:114:68 | getParameter(...) | this user input |


@@ -26,9 +26,6 @@ public class JsonpController {
hashMap.put("password","123456");
}
private String name = null;
@GetMapping(value = "jsonp1")
@ResponseBody
public String bad1(HttpServletRequest request) {
@@ -77,7 +74,6 @@ public class JsonpController {
PrintWriter pw = null;
Gson gson = new Gson();
String result = gson.toJson(hashMap);
String resultStr = null;
pw = response.getWriter();
resultStr = jsonpCallback + "(" + result + ")";
@@ -109,13 +105,25 @@ public class JsonpController {
return resultStr;
}
@GetMapping(value = "jsonp8")
@ResponseBody
public String bad8(HttpServletRequest request) {
String resultStr = null;
String token = request.getParameter("token");
boolean result = verifToken(token); //Just check.
String jsonpCallback = request.getParameter("jsonpCallback");
String jsonStr = getJsonStr(hashMap);
resultStr = jsonpCallback + "(" + jsonStr + ")";
return resultStr;
}
@GetMapping(value = "jsonp9")
@ResponseBody
public String good1(HttpServletRequest request) {
String resultStr = null;
String token = request.getParameter("token");
if (verifToken(token)){
String referer = request.getParameter("referer");
if (verifReferer(referer)){
String jsonpCallback = request.getParameter("jsonpCallback");
String jsonStr = getJsonStr(hashMap);
resultStr = jsonpCallback + "(" + jsonStr + ")";
@@ -125,7 +133,7 @@ public class JsonpController {
}
@GetMapping(value = "jsonp9")
@GetMapping(value = "jsonp10")
@ResponseBody
public String good2(HttpServletRequest request) {
String resultStr = null;
@@ -140,7 +148,7 @@ public class JsonpController {
return resultStr;
}
@RequestMapping(value = "jsonp10")
@RequestMapping(value = "jsonp11")
@ResponseBody
public String good3(HttpServletRequest request) {
JSONObject parameterObj = readToJSONObect(request);
@@ -151,7 +159,7 @@ public class JsonpController {
return resultStr;
}
@RequestMapping(value = "jsonp11")
@RequestMapping(value = "jsonp12")
@ResponseBody
public String good4(@RequestParam("file") MultipartFile file,HttpServletRequest request) {
if(null == file){
@@ -200,4 +208,11 @@ public class JsonpController {
}
return true;
}
}
public static boolean verifReferer(String str){
if (str != "xxxx"){
return false;
}
return true;
}
}
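Review bot: In `good1` the value handed to `verifReferer` is read with `request.getParameter("referer")`, a query parameter chosen by whoever builds the request URL, so the guard does not examine the browser-sent Referer header. If the case is meant to model a referer check, read it with `String referer = request.getHeader("Referer");`. In addition, `verifReferer` tests `str != "xxxx"`, which compares references in Java and will normally be true for any string taken from a request, so the method returns false whatever the content; `if (!"xxxx".equals(str))` states the intended comparison and is also null-safe. The same two lines appear in the earlier copy of this file on the page. `good1` continues past the end of its hunk, so the rest of its body is not visible here.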


@@ -1,79 +1,76 @@
edges
| JsonpController.java:36:32:36:68 | getParameter(...) : String | JsonpController.java:40:16:40:24 | resultStr |
| JsonpController.java:39:21:39:54 | ... + ... : String | JsonpController.java:40:16:40:24 | resultStr |
| JsonpController.java:47:32:47:68 | getParameter(...) : String | JsonpController.java:49:16:49:24 | resultStr |
| JsonpController.java:48:21:48:80 | ... + ... : String | JsonpController.java:49:16:49:24 | resultStr |
| JsonpController.java:56:32:56:68 | getParameter(...) : String | JsonpController.java:59:16:59:24 | resultStr |
| JsonpController.java:58:21:58:55 | ... + ... : String | JsonpController.java:59:16:59:24 | resultStr |
| JsonpController.java:66:32:66:68 | getParameter(...) : String | JsonpController.java:69:16:69:24 | resultStr |
| JsonpController.java:68:21:68:54 | ... + ... : String | JsonpController.java:69:16:69:24 | resultStr |
| JsonpController.java:76:32:76:68 | getParameter(...) : String | JsonpController.java:84:20:84:28 | resultStr |
| JsonpController.java:83:21:83:54 | ... + ... : String | JsonpController.java:84:20:84:28 | resultStr |
| JsonpController.java:91:32:91:68 | getParameter(...) : String | JsonpController.java:98:20:98:28 | resultStr |
| JsonpController.java:97:21:97:54 | ... + ... : String | JsonpController.java:98:20:98:28 | resultStr |
| JsonpController.java:105:32:105:68 | getParameter(...) : String | JsonpController.java:109:16:109:24 | resultStr |
| JsonpController.java:108:21:108:54 | ... + ... : String | JsonpController.java:109:16:109:24 | resultStr |
| JsonpController.java:117:24:117:52 | getParameter(...) : String | JsonpController.java:118:24:118:28 | token |
| JsonpController.java:119:36:119:72 | getParameter(...) : String | JsonpController.java:122:20:122:28 | resultStr |
| JsonpController.java:121:25:121:59 | ... + ... : String | JsonpController.java:122:20:122:28 | resultStr |
| JsonpController.java:132:24:132:52 | getParameter(...) : String | JsonpController.java:133:37:133:41 | token |
| JsonpController.java:137:32:137:68 | getParameter(...) : String | JsonpController.java:140:16:140:24 | resultStr |
| JsonpController.java:139:21:139:55 | ... + ... : String | JsonpController.java:140:16:140:24 | resultStr |
| JsonpController.java:150:21:150:54 | ... + ... : String | JsonpController.java:151:16:151:24 | resultStr |
| JsonpController.java:165:21:165:54 | ... + ... : String | JsonpController.java:166:16:166:24 | resultStr |
| JsonpController.java:33:32:33:68 | getParameter(...) : String | JsonpController.java:37:16:37:24 | resultStr |
| JsonpController.java:36:21:36:54 | ... + ... : String | JsonpController.java:37:16:37:24 | resultStr |
| JsonpController.java:44:32:44:68 | getParameter(...) : String | JsonpController.java:46:16:46:24 | resultStr |
| JsonpController.java:45:21:45:80 | ... + ... : String | JsonpController.java:46:16:46:24 | resultStr |
| JsonpController.java:53:32:53:68 | getParameter(...) : String | JsonpController.java:56:16:56:24 | resultStr |
| JsonpController.java:55:21:55:55 | ... + ... : String | JsonpController.java:56:16:56:24 | resultStr |
| JsonpController.java:63:32:63:68 | getParameter(...) : String | JsonpController.java:66:16:66:24 | resultStr |
| JsonpController.java:65:21:65:54 | ... + ... : String | JsonpController.java:66:16:66:24 | resultStr |
| JsonpController.java:73:32:73:68 | getParameter(...) : String | JsonpController.java:80:20:80:28 | resultStr |
| JsonpController.java:79:21:79:54 | ... + ... : String | JsonpController.java:80:20:80:28 | resultStr |
| JsonpController.java:87:32:87:68 | getParameter(...) : String | JsonpController.java:94:20:94:28 | resultStr |
| JsonpController.java:93:21:93:54 | ... + ... : String | JsonpController.java:94:20:94:28 | resultStr |
| JsonpController.java:101:32:101:68 | getParameter(...) : String | JsonpController.java:105:16:105:24 | resultStr |
| JsonpController.java:104:21:104:54 | ... + ... : String | JsonpController.java:105:16:105:24 | resultStr |
| JsonpController.java:114:32:114:68 | getParameter(...) : String | JsonpController.java:117:16:117:24 | resultStr |
| JsonpController.java:116:21:116:55 | ... + ... : String | JsonpController.java:117:16:117:24 | resultStr |
| JsonpController.java:127:36:127:72 | getParameter(...) : String | JsonpController.java:130:20:130:28 | resultStr |
| JsonpController.java:129:25:129:59 | ... + ... : String | JsonpController.java:130:20:130:28 | resultStr |
| JsonpController.java:145:32:145:68 | getParameter(...) : String | JsonpController.java:148:16:148:24 | resultStr |
| JsonpController.java:147:21:147:55 | ... + ... : String | JsonpController.java:148:16:148:24 | resultStr |
| JsonpController.java:158:21:158:54 | ... + ... : String | JsonpController.java:159:16:159:24 | resultStr |
| JsonpController.java:173:21:173:54 | ... + ... : String | JsonpController.java:174:16:174:24 | resultStr |
| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
| JsonpInjectionServlet1.java:36:26:36:49 | getHeader(...) : String | JsonpInjectionServlet1.java:38:39:38:45 | referer |
| JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | JsonpInjectionServlet1.java:45:24:45:32 | resultStr |
| JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
| JsonpInjectionServlet2.java:38:21:38:54 | ... + ... : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr |
nodes
| JsonpController.java:36:32:36:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:39:21:39:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:40:16:40:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:40:16:40:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:47:32:47:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:48:21:48:80 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:49:16:49:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:49:16:49:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:56:32:56:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:58:21:58:55 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:59:16:59:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:59:16:59:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:66:32:66:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:68:21:68:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:69:16:69:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:69:16:69:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:76:32:76:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:83:21:83:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:84:20:84:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:84:20:84:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:91:32:91:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:97:21:97:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:98:20:98:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:98:20:98:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:105:32:105:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:108:21:108:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:109:16:109:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:109:16:109:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:117:24:117:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:118:24:118:28 | token | semmle.label | token |
| JsonpController.java:119:36:119:72 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:121:25:121:59 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:122:20:122:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:122:20:122:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:132:24:132:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:133:37:133:41 | token | semmle.label | token |
| JsonpController.java:137:32:137:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:139:21:139:55 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:140:16:140:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:140:16:140:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:150:21:150:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:151:16:151:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:165:21:165:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:166:16:166:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:33:32:33:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:36:21:36:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:37:16:37:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:37:16:37:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:44:32:44:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:45:21:45:80 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:46:16:46:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:46:16:46:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:53:32:53:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:55:21:55:55 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:56:16:56:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:56:16:56:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:63:32:63:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:65:21:65:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:66:16:66:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:66:16:66:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:73:32:73:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:79:21:79:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:80:20:80:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:80:20:80:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:87:32:87:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:93:21:93:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:94:20:94:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:94:20:94:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:101:32:101:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:104:21:104:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:105:16:105:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:105:16:105:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:114:32:114:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:116:21:116:55 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:117:16:117:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:117:16:117:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:127:36:127:72 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:129:25:129:59 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:130:20:130:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:130:20:130:28 | resultStr | semmle.label | resultStr |
| JsonpController.java:145:32:145:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpController.java:147:21:147:55 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:148:16:148:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:148:16:148:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:158:21:158:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:159:16:159:24 | resultStr | semmle.label | resultStr |
| JsonpController.java:173:21:173:54 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpController.java:174:16:174:24 | resultStr | semmle.label | resultStr |
| JsonpInjectionServlet1.java:31:32:31:64 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| JsonpInjectionServlet1.java:36:26:36:49 | getHeader(...) : String | semmle.label | getHeader(...) : String |
| JsonpInjectionServlet1.java:38:39:38:45 | referer | semmle.label | referer |
| JsonpInjectionServlet1.java:44:25:44:62 | ... + ... : String | semmle.label | ... + ... : String |
| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
| JsonpInjectionServlet1.java:45:24:45:32 | resultStr | semmle.label | resultStr |
@@ -82,11 +79,12 @@ nodes
| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | semmle.label | resultStr |
#select
| JsonpController.java:40:16:40:24 | resultStr | JsonpController.java:36:32:36:68 | getParameter(...) : String | JsonpController.java:40:16:40:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:36:32:36:68 | getParameter(...) | this user input |
| JsonpController.java:49:16:49:24 | resultStr | JsonpController.java:47:32:47:68 | getParameter(...) : String | JsonpController.java:49:16:49:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:47:32:47:68 | getParameter(...) | this user input |
| JsonpController.java:59:16:59:24 | resultStr | JsonpController.java:56:32:56:68 | getParameter(...) : String | JsonpController.java:59:16:59:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:56:32:56:68 | getParameter(...) | this user input |
| JsonpController.java:69:16:69:24 | resultStr | JsonpController.java:66:32:66:68 | getParameter(...) : String | JsonpController.java:69:16:69:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:66:32:66:68 | getParameter(...) | this user input |
| JsonpController.java:84:20:84:28 | resultStr | JsonpController.java:76:32:76:68 | getParameter(...) : String | JsonpController.java:84:20:84:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:76:32:76:68 | getParameter(...) | this user input |
| JsonpController.java:98:20:98:28 | resultStr | JsonpController.java:91:32:91:68 | getParameter(...) : String | JsonpController.java:98:20:98:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:91:32:91:68 | getParameter(...) | this user input |
| JsonpController.java:109:16:109:24 | resultStr | JsonpController.java:105:32:105:68 | getParameter(...) : String | JsonpController.java:109:16:109:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:105:32:105:68 | getParameter(...) | this user input |
| JsonpController.java:37:16:37:24 | resultStr | JsonpController.java:33:32:33:68 | getParameter(...) : String | JsonpController.java:37:16:37:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:33:32:33:68 | getParameter(...) | this user input |
| JsonpController.java:46:16:46:24 | resultStr | JsonpController.java:44:32:44:68 | getParameter(...) : String | JsonpController.java:46:16:46:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:44:32:44:68 | getParameter(...) | this user input |
| JsonpController.java:56:16:56:24 | resultStr | JsonpController.java:53:32:53:68 | getParameter(...) : String | JsonpController.java:56:16:56:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:53:32:53:68 | getParameter(...) | this user input |
| JsonpController.java:66:16:66:24 | resultStr | JsonpController.java:63:32:63:68 | getParameter(...) : String | JsonpController.java:66:16:66:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:63:32:63:68 | getParameter(...) | this user input |
| JsonpController.java:80:20:80:28 | resultStr | JsonpController.java:73:32:73:68 | getParameter(...) : String | JsonpController.java:80:20:80:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:73:32:73:68 | getParameter(...) | this user input |
| JsonpController.java:94:20:94:28 | resultStr | JsonpController.java:87:32:87:68 | getParameter(...) : String | JsonpController.java:94:20:94:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:87:32:87:68 | getParameter(...) | this user input |
| JsonpController.java:105:16:105:24 | resultStr | JsonpController.java:101:32:101:68 | getParameter(...) : String | JsonpController.java:105:16:105:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:101:32:101:68 | getParameter(...) | this user input |
| JsonpController.java:117:16:117:24 | resultStr | JsonpController.java:114:32:114:68 | getParameter(...) : String | JsonpController.java:117:16:117:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:114:32:114:68 | getParameter(...) | this user input |
| JsonpInjectionServlet2.java:39:20:39:28 | resultStr | JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) : String | JsonpInjectionServlet2.java:39:20:39:28 | resultStr | Jsonp response might include code from $@. | JsonpInjectionServlet2.java:31:32:31:64 | getParameter(...) | this user input |