hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

Java: Report log-injection at the source rather than the sink

Browse Source 
This should remove the problem of excessive grouping of different alerts that share a sink location, often due to wrapper functions that form the ultimate sink of all logging calls in a given codebase.
This commit is contained in:
Chris Smowton
2022-06-22 13:00:15 +01:00
parent cc354caa1f
commit 1f9f6d7c33
2 changed files with 6 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
java/ql/src/Security/CWE/CWE-117/LogInjection.ql
View File

@@ -17,5 +17,5 @@ import DataFlow::PathGraph
from LogInjectionConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink from LogInjectionConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink) where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "This $@ flows to a log entry.", source.getNode(), select source.getNode(), source, sink, "This user-provided value flows to a $@.", sink.getNode(),
"user-provided value" "log entry"

4
java/ql/src/change-notes/2022-06-22-log-injection-location.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The query `java/log-injection` now reports problems at the source (user-controlled data) instead of at the ultimate logging call. This was changed because user functions that wrap the ultimate logging call could result in most alerts being reported in an uninformative location.