hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 10:45:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix conditionControlsMethod predicate

Browse Source 
Exceptions for throw and return statements were missing the appropriate condition
This commit is contained in:
Tony Torralba
2021-09-15 17:51:36 +02:00
parent 4e93330cb9
commit 21079a1315
2 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll
View File

@@ -17,8 +17,8 @@ predicate conditionControlsMethod(MethodAccess ma, Expr e) {
cb.controls(ma.getBasicBlock(), cond) and
not cb.controls(any(SensitiveExecutionMethod sem).getAReference().getBasicBlock(),
cond.booleanNot()) and
not cb.controls(any(ThrowStmt t).getBasicBlock(), _) and
not cb.controls(any(ReturnStmt r).getBasicBlock(), _) and
not cb.controls(any(ThrowStmt t).getBasicBlock(), cond.booleanNot()) and
not cb.controls(any(ReturnStmt r).getBasicBlock(), cond.booleanNot()) and
e = cb.getCondition()
)
}

4
java/ql/test/query-tests/security/CWE-807/semmle/tests/ConditionalBypassTest.java
View File

@@ -120,8 +120,8 @@ class ConditionalBypassTest {
public static void test7(String user, String password) {
Cookie adminCookie = getCookies()[0];
// FALSE NEGATIVE: login is bypasseable
if (adminCookie.getValue() == "false") { // $ MISSING: $ hasConditionalBypassTest
// BAD: login is bypasseable
if (adminCookie.getValue() == "false") { // $ hasConditionalBypassTest
login(user, password);
return;
} else {