refactor to meet experimental guidelines.

2026-05-01 19:55:15 +02:00 · 2021-03-01 18:46:33 +05:30
parent 602f63ad45
commit 14ec148272
2 changed files with 18 additions and 17 deletions
--- a/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulationLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulationLib.qll
@@ -20,6 +20,22 @@ predicate thymeleafIsUsed() {
  exists(SpringBean b | b.getClassNameRaw().matches("org.thymeleaf.spring%"))
 }

+/** Models methods from the `javax.portlet.RenderState` package which return data from externally controlled sources. */
+class PortletRenderRequestMethod extends Method {
+  PortletRenderRequestMethod() {
+    exists(RefType c, Interface t |
+      c.extendsOrImplements*(t) and
+      t.hasQualifiedName("javax.portlet", "RenderState") and
+      this = c.getAMethod()
+    |
+      this.hasName([
+          "getCookies", "getParameter", "getRenderParameters", "getParameterNames",
+          "getParameterValues", "getParameterMap"
+        ])
+    )
+  }
+}
+
 /**
 * A taint-tracking configuration for unsafe user input
 * that can lead to Spring View Manipulation vulnerabilities.
@@ -29,7 +45,8 @@ class SpringViewManipulationConfig extends TaintTracking::Configuration {

  override predicate isSource(DataFlow::Node source) {
    source instanceof RemoteFlowSource or
-    source instanceof WebRequestSource
+    source instanceof WebRequestSource or
+    source.asExpr().(MethodAccess).getMethod() instanceof PortletRenderRequestMethod
  }

  override predicate isSink(DataFlow::Node sink) { sink instanceof SpringViewManipulationSink }
--- a/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
+++ b/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
@@ -256,7 +256,6 @@ private class RemoteTaintedMethod extends Method {
    this instanceof ServletRequestGetParameterMethod or
    this instanceof ServletRequestGetParameterMapMethod or
    this instanceof ServletRequestGetParameterNamesMethod or
-    this instanceof PortletRenderRequestGetParameterMethod or
    this instanceof HttpServletRequestGetQueryStringMethod or
    this instanceof HttpServletRequestGetHeaderMethod or
    this instanceof HttpServletRequestGetPathMethod or
@@ -309,21 +308,6 @@ class EnvReadMethod extends Method {
  }
 }

-private class PortletRenderRequestGetParameterMethod extends Method {
-  PortletRenderRequestGetParameterMethod() {
-    exists(RefType c, Interface t |
-      c.extendsOrImplements*(t) and
-      t.hasQualifiedName("javax.portlet", "RenderState") and
-      this = c.getAMethod()
-    |
-      this.hasName([
-          "getCookies", "getParameter", "getRenderParameters", "getParameterNames",
-          "getParameterValues", "getParameterMap"
-        ])
-    )
-  }
-}
-
 /** The type `java.net.InetAddress`. */
 class TypeInetAddr extends RefType {
  TypeInetAddr() { this.getQualifiedName() = "java.net.InetAddress" }