hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add SpringUrlRedirect

Browse Source
This commit is contained in:
Ed Minnix
2023-04-12 12:22:56 -04:00
parent 30cfbb83b3
commit 13e1cc50c8
1 changed files with 10 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql
View File

@@ -15,7 +15,7 @@ import java
import experimental.semmle.code.java.security.SpringUrlRedirect
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.controlflow.Guards
import DataFlow::PathGraph
import SpringUrlRedirectFlow::PathGraph
private predicate startsWithSanitizer(Guard g, Expr e, boolean branch) {
g.(MethodAccess).getMethod().hasName("startsWith") and
@@ -25,18 +25,16 @@ private predicate startsWithSanitizer(Guard g, Expr e, boolean branch) {
branch = true
}
class SpringUrlRedirectFlowConfig extends TaintTracking::Configuration {
SpringUrlRedirectFlowConfig() { this = "SpringUrlRedirectFlowConfig" }
module SpringUrlRedirectFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
predicate isSink(DataFlow::Node sink) { sink instanceof SpringUrlRedirectSink }
override predicate isSink(DataFlow::Node sink) { sink instanceof SpringUrlRedirectSink }
override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
predicate isAdditionalFlowStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
springUrlRedirectTaintStep(fromNode, toNode)
}
override predicate isSanitizer(DataFlow::Node node) {
predicate isBarrier(DataFlow::Node node) {
// Exclude the case where the left side of the concatenated string is not `redirect:`.
// E.g: `String url = "/path?token=" + request.getParameter("token");`
// Note this is quite a broad sanitizer (it will also sanitize the right-hand side of `url = "http://" + request.getParameter("token")`);
@@ -62,7 +60,9 @@ class SpringUrlRedirectFlowConfig extends TaintTracking::Configuration {
}
}
from DataFlow::PathNode source, DataFlow::PathNode sink, SpringUrlRedirectFlowConfig conf
where conf.hasFlowPath(source, sink)
module SpringUrlRedirectFlow = TaintTracking::Global<SpringUrlRedirectFlowConfig>;
from SpringUrlRedirectFlow::PathNode source, SpringUrlRedirectFlow::PathNode sink
where SpringUrlRedirectFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "Potentially untrusted URL redirection due to $@.",
source.getNode(), "user-provided value"