hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

Revert "Java: Convert Google HTTP client API parseAs sink to CSV format"

Browse Source 
This reverts commit 3e53484bb3.
This commit is contained in:
Tamas Vajk
2021-04-22 11:14:51 +02:00
parent 351f35d9bc
commit 180904e9f6
2 changed files with 14 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
View File

@@ -76,7 +76,6 @@ private module Frameworks {
private import semmle.code.java.frameworks.ApacheHttp
private import semmle.code.java.frameworks.apache.Lang
private import semmle.code.java.frameworks.guava.Guava
private import semmle.code.java.frameworks.google.GoogleHttpClientApi
private import semmle.code.java.security.ResponseSplitting
private import semmle.code.java.security.XSS
}

22
java/ql/src/semmle/code/java/frameworks/google/GoogleHttpClientApi.qll
View File

@@ -2,7 +2,14 @@ import java
import semmle.code.java.Serializability
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.DataFlow5
private import semmle.code.java.dataflow.ExternalFlow
/** The method `parseAs` in `com.google.api.client.http.HttpResponse`. */
private class ParseAsMethod extends Method {
ParseAsMethod() {
this.getDeclaringType().hasQualifiedName("com.google.api.client.http", "HttpResponse") and
this.hasName("parseAs")
}
}
private class TypeLiteralToParseAsFlowConfiguration extends DataFlow5::Configuration {
TypeLiteralToParseAsFlowConfiguration() {
@@ -11,17 +18,16 @@ private class TypeLiteralToParseAsFlowConfiguration extends DataFlow5::Configura
override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof TypeLiteral }
override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "google-parse-as") }
override predicate isSink(DataFlow::Node sink) {
exists(MethodAccess ma |
ma.getAnArgument() = sink.asExpr() and
ma.getMethod() instanceof ParseAsMethod
)
}
TypeLiteral getSourceWithFlowToParseAs() { hasFlow(DataFlow::exprNode(result), _) }
}
private class ParseAsSinkModel extends SinkModelCsv {
override predicate row(string row) {
row = ["com.google.api.client.http;HttpResponse;false;parseAs;;;Argument;google-parse-as"]
}
}
/** A field that is deserialized by `HttpResponse.parseAs`. */
class HttpResponseParseAsDeserializableField extends DeserializableField {
HttpResponseParseAsDeserializableField() {