Add sinks of servlet dispatcher and filter

luchua-bc
2022-07-26 23:05:25 +00:00
parent 962069ccff
commit 1ce31ec32c
4 changed files with 184 additions and 28 deletions


@@ -33,6 +33,24 @@ private class GetServletUriSource extends SourceModelCsv {
}
}
/** Sink model of servlet dispatcher. */
private class UrlDispatchSink extends SinkModelCsv {
override predicate row(string row) {
row =
[
"javax.servlet;RequestDispatcher;false;forward;;;Argument[-1];url-dispatch;manual",
"javax.servlet;RequestDispatcher;false;include;;;Argument[-1];url-dispatch;manual"
]
}
}
/** Sink model of servlet filter. */
private class UrlFilterSink extends SinkModelCsv {
override predicate row(string row) {
row = ["javax.servlet;FilterChain;true;doFilter;;;Argument[-1];url-filter;manual"]
}
}
/**
* `.` without a `\` prefix, which is likely not a character literal in regex
*/
@@ -119,7 +137,11 @@ class MatchRegexConfiguration extends TaintTracking::Configuration {
DataFlow::localExprFlow(ce, guard.(MethodAccess).getQualifier()) or
DataFlow::localExprFlow(ce, guard.(MethodAccess).getAnArgument())
) and
DataFlow::exprNode(se) instanceof UrlRedirectSink and
(
DataFlow::exprNode(se) instanceof UrlRedirectSink or
sinkNode(DataFlow::exprNode(se), "url-dispatch") or
sinkNode(DataFlow::exprNode(se), "url-filter")
) and
guard.controls(se.getBasicBlock(), true)
)
}
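Review bot: The three added sink rows name only the `javax.servlet` package, so as far as this file section shows, code written against the `jakarta.servlet` namespace would get no `url-dispatch` or `url-filter` sinks and the widened guard check in the second hunk would not fire for it. Consider adding parallel rows such as `"jakarta.servlet;RequestDispatcher;false;forward;;;Argument[-1];url-dispatch;manual"` for each of the three methods, unless another model file already supplies them. The subtypes column is `false` for `RequestDispatcher` but `true` for `FilterChain`; both are interfaces, so the difference deserves either a short comment or alignment. The predicate that contains the second hunk starts outside the visible lines.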