hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 11:16:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

Java: Report log-injection at the source rather than the sink

Browse Source 
This should remove the problem of excessive grouping of different alerts that share a sink location, often due to wrapper functions that form the ultimate sink of all logging calls in a given codebase.
This commit is contained in:
Chris Smowton
2022-06-22 13:00:15 +01:00
parent cc354caa1f
commit 1f9f6d7c33
2 changed files with 6 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
java/ql/src/Security/CWE/CWE-117/LogInjection.ql
View File

@@ -17,5 +17,5 @@ import DataFlow::PathGraph
from LogInjectionConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "This $@ flows to a log entry.", source.getNode(),
"user-provided value"
select source.getNode(), source, sink, "This user-provided value flows to a $@.", sink.getNode(),
"log entry"