Combine two Configurations into one

2026-04-29 10:45:15 +02:00 · 2021-04-12 15:44:39 +08:00
parent d90527bead
commit 1b948ac2e2
2 changed files with 23 additions and 34 deletions
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
@@ -16,7 +16,7 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.deadcode.WebEntryPoints
 import DataFlow::PathGraph

-/** 
+/**
 * Holds if some `Filter.doFilter` method exists in the whole program that takes some user-controlled
 * input and tests it with what appears to be a token- or authentication-checking function.
 */
@@ -28,7 +28,7 @@ predicate existsFilterVerificationMethod() {
  )
 }

-/** 
+/**
 * Holds if somewhere in the whole program some user-controlled
 * input is tested with what appears to be a token- or authentication-checking function,
 * and `checkNode` is reachable from any function that can reach the user-controlled input source.
@@ -69,4 +69,4 @@ where
  conf.hasFlowPath(source, sink) and
  exists(JsonpInjectionFlowConfig jhfc | jhfc.hasFlowTo(sink.getNode()))
 select sink.getNode(), source, sink, "Jsonp response might include code from $@.", source.getNode(),
-  "this user input"
+  "this user input"
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
@@ -7,31 +7,11 @@ import semmle.code.java.dataflow.DataFlow3
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.frameworks.spring.SpringController

-/** A data flow configuration tracing flow from the result of a method whose name includes token/auth/referer/origin to an if-statement condition. */
-class VerificationMethodToIfFlowConfig extends DataFlow3::Configuration {
-  VerificationMethodToIfFlowConfig() { this = "VerificationMethodToIfFlowConfig" }
-
-  override predicate isSource(DataFlow::Node src) {
-    exists(MethodAccess ma | ma instanceof BarrierGuard |
-      (
-        ma.getMethod().getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
-        or
-        ma.getMethod().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
-      ) and
-      ma = src.asExpr()
-    )
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    exists(IfStmt is | is.getCondition() = sink.asExpr())
-  }
-}
-
-/** Taint-tracking configuration tracing flow from untrusted inputs to an argument of a function whose result is used as an if-statement condition.
-* 
-* For example, in the context `String userControlled = request.getHeader("xyz"); boolean isGood = checkToken(userControlled); if(isGood) { ...`,
-* the flow from `checkToken`'s result to the condition of `if(isGood)` matches the configuration `VerificationMethodToIfFlowConfig` above,
-* and so the flow from `getHeader(...)` to the argument to `checkToken` matches this configuration.
+/**
+ * Taint-tracking configuration tracing flow from untrusted inputs to an argument of a function whose result is used as an if-statement condition.
+ *
+ * For example, in the context `String userControlled = request.getHeader("xyz"); boolean isGood = checkToken(userControlled); if(isGood) { ...`,
+ * the flow from `getHeader(...)` to the argument to `checkToken`, and then the flow from `checkToken`'s result to the condition of `if(isGood)`.
 */
 class VerificationMethodFlowConfig extends TaintTracking2::Configuration {
  VerificationMethodFlowConfig() { this = "VerificationMethodFlowConfig" }
@@ -39,16 +19,25 @@ class VerificationMethodFlowConfig extends TaintTracking2::Configuration {
  override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }

  override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma, int i, VerificationMethodToIfFlowConfig vmtifc |
-      ma instanceof BarrierGuard
-    |
+    exists(IfStmt is, Method m | is.getEnclosingCallable() = m |
      (
-        ma.getMethod().getParameter(i).getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
+        not m.getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
+        or
+        not m.getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
+      ) and
+      sink.asExpr() = is.getCondition()
+    )
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node prod, DataFlow::Node succ) {
+    exists(MethodAccess ma |
+      (
+        ma.getMethod().getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
        or
        ma.getMethod().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
      ) and
-      ma.getArgument(i) = sink.asExpr() and
-      vmtifc.hasFlow(exprNode(ma), _)
+      ma.getAnArgument() = prod.asExpr() and
+      ma = succ.asExpr()
    )
  }
 }