hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-29 22:32:58 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix copy-paste errors, remove debugging code

Browse Source
This commit is contained in:
intrigus
2020-03-23 16:49:45 +01:00
parent 9187bacd3c
commit 1f635806b3
1 changed files with 11 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
ql/src/experimental/Security/CWE-643/XPathInjection.ql
View File

@@ -4,7 +4,6 @@
* malicious code by the user.
* @kind path-problem
* @problem.severity error
* @precision high
* @id go/xml/xpath-injection
* @tags security
* external/cwe/cwe-643
@@ -25,9 +24,9 @@ class XPathInjectionConfiguration extends TaintTracking::Configuration {
override predicate isSink(DataFlow::Node sink) { sink instanceof XPathInjectionSink }
override predicate isSanitizer(DataFlow::Node node) {
exists(Type t | t = node.getType().getUnderlyingType() |
not t instanceof StringType or not t instanceof ByteSliceType
)
exists(Type t | t = node.getType().getUnderlyingType() |
not t instanceof StringType or not t instanceof ByteSliceType
)
}
}
@@ -36,18 +35,18 @@ abstract class XPathInjectionSink extends DataFlow::Node { }
// https://github.com/antchfx/xpath
class XPathSink extends XPathInjectionSink {
XPathSink() {
exists(Function f |
f.hasQualifiedName("github.com/antchfx/xpath", "Compile%") and
exists(Function f, string name | name.matches("Compile%") |
f.hasQualifiedName("github.com/antchfx/xpath", name) and
this = f.getACall().getArgument(0)
)
or
exists(Function f |
f.hasQualifiedName("github.com/antchfx/xpath", "MustCompile%") and
exists(Function f, string name | name.matches("MustCompile%") |
f.hasQualifiedName("github.com/antchfx/xpath", name) and
this = f.getACall().getArgument(0)
)
or
exists(Function f |
f.hasQualifiedName("github.com/antchfx/xpath", "Select%") and
exists(Function f, string name | name.matches("Select%") |
f.hasQualifiedName("github.com/antchfx/xpath", name) and
this = f.getACall().getArgument(1)
)
}
@@ -183,7 +182,7 @@ class GokogiriSink extends XPathInjectionSink {
}
}
from DataFlow::PathNode source, DataFlow::PathNode sink, XPathInjectionConfiguration c, Function f
where c.hasFlowPath(source, sink) and f.getName().matches("Compile%")
from DataFlow::PathNode source, DataFlow::PathNode sink, XPathInjectionConfiguration c
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "$@ flows here and is used in an XPath expression.",
source.getNode(), "A user-provided value"