Move and convert URL redirect sinks

Adds for them as well
2025-12-21 03:06:31 +01:00 · 2021-05-20 12:15:30 +01:00
parent f2ff2aa3e1
commit 1ae9d68409
7 changed files with 48 additions and 16 deletions
--- a/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql
+++ b/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql
@@ -13,6 +13,7 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.UrlRedirect
+import semmle.code.java.dataflow.ExternalFlow
 import DataFlow::PathGraph

 class UrlRedirectConfig extends TaintTracking::Configuration {
@@ -20,7 +21,11 @@ class UrlRedirectConfig extends TaintTracking::Configuration {

  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

-  override predicate isSink(DataFlow::Node sink) { sink instanceof UrlRedirectSink }
+  override predicate isSink(DataFlow::Node sink) {
+    sink instanceof UrlRedirectSink
+    or
+    sinkNode(sink, "url-redirect")
+  }
 }

 from DataFlow::PathNode source, DataFlow::PathNode sink, UrlRedirectConfig conf
--- a/java/ql/src/semmle/code/java/frameworks/JaxWS.qll
+++ b/java/ql/src/semmle/code/java/frameworks/JaxWS.qll
@@ -308,6 +308,20 @@ class JaxRSConsumesAnnotation extends JaxRSAnnotation {
  JaxRSConsumesAnnotation() { this.getType().hasQualifiedName(getAJaxRsPackage(), "Consumes") }
 }

+/** A URL redirection sink from JAX-RS */
+private class JaxRsUrlRedirectSink extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        //`namespace; type; subtypes; name; signature; ext; input; kind`
+        "javax.ws.rs.core;Response;true;seeOther;;;Argument[0];url-redirect",
+        "javax.ws.rs.core;Response;true;temporaryRedirect;;;Argument[0];url-redirect",
+        "jakarta.ws.rs.core;Response;true;seeOther;;;Argument[0];url-redirect",
+        "jakarta.ws.rs.core;Response;true;temporaryRedirect;;;Argument[0];url-redirect"
+      ]
+  }
+}
+
 /**
 * Model Response:
 *
--- a/java/ql/src/semmle/code/java/security/UrlRedirect.qll
+++ b/java/ql/src/semmle/code/java/security/UrlRedirect.qll
@@ -36,17 +36,3 @@ private class ApacheUrlRedirectSink extends UrlRedirectSink {
    )
  }
 }
-
-/** A URL redirection sink from JAX-RS */
-private class JaxRsUrlRedirectSink extends UrlRedirectSink {
-  JaxRsUrlRedirectSink() {
-    exists(MethodAccess ma |
-      ma.getMethod()
-          .getDeclaringType()
-          .getAnAncestor()
-          .hasQualifiedName(getAJaxRsPackage("core"), "Response") and
-      ma.getMethod().getName() in ["seeOther", "temporaryRedirect"] and
-      this.asExpr() = ma.getArgument(0)
-    )
-  }
-}