Add more servlet methods and fix formatting errors

2026-04-26 09:15:12 +02:00 · 2020-07-02 03:07:19 +00:00
parent d978f28822
commit 1d0232b464
4 changed files with 10 additions and 5 deletions
--- a/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.java
+++ b/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.java
@@ -30,9 +30,9 @@ class UncaughtServletException extends HttpServlet {
    // GOOD
    {
        public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
-		    String ip = "10.100.10.81";
+            String ip = "10.100.10.81";
            InetAddress addr = InetAddress.getByName(ip); // OK: Hard-coded variable value or system property is not controlled by attacker.
        }
-	}
+    }

 }
--- a/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.qhelp
@@ -4,7 +4,7 @@
 <qhelp>
 <overview>
 <p>
-Even though the signatures for methods in a servlet include throws IOException, ServletException, it's a bad idea to let such exceptions be thrown. Failure to catch exceptions in a servlet could leave a system in a vulnerable state, possibly resulting in denial-of-service attacks, or the exposure of sensitive information because when a servlet throws an exception, the servlet container typically sends debugging information back to the user. And that information could be very valuable to an attacker.
+Even though the signatures for methods in a servlet include `throws IOException, ServletException`, it's a bad idea to let such exceptions be thrown. Failure to catch exceptions in a servlet could leave a system in a vulnerable state, possibly resulting in denial-of-service attacks, or the exposure of sensitive information because when a servlet throws an exception, the servlet container typically sends debugging information back to the user. And that information could be very valuable to an attacker.
 </p>
 </overview>

--- a/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.ql
@@ -36,7 +36,11 @@ private predicate isServletMethod(Callable c) {
    c.getName() = "doGet" or
    c.getName() = "doPost" or
    c.getName() = "doPut" or
-    c.getName() = "doDelete"
+    c.getName() = "doDelete" or
+    c.getName() = "doHead" or
+    c.getName() = "doOptions" or
+    c.getName() = "doTrace" or
+    c.getName() = "service"
  )
 }