Modify the model

2025-12-21 11:16:30 +01:00 · 2021-09-28 09:42:21 +08:00
parent 679652e63a
commit 283376eb19
3 changed files with 16 additions and 22 deletions
--- a/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.ql
@@ -13,6 +13,7 @@
 import java
 import UnsafeUrlForward
 import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.frameworks.Servlets
 import DataFlow::PathGraph

 private class StartsWithSanitizer extends DataFlow::BarrierGuard {
@@ -32,12 +33,12 @@ class UnsafeUrlForwardFlowConfig extends TaintTracking::Configuration {

  override predicate isSource(DataFlow::Node source) {
    source instanceof RemoteFlowSource and
-    not exists(MethodAccess ma |
-      ma.getMethod().getName() in ["getRequestURI", "getRequestURL", "getPathInfo"] and
-      ma.getMethod()
-          .getDeclaringType()
-          .getASupertype*()
-          .hasQualifiedName("javax.servlet.http", "HttpServletRequest") and
+    not exists(MethodAccess ma, Method m | ma.getMethod() = m |
+      (
+        m instanceof HttpServletRequestGetRequestURIMethod or
+        m instanceof HttpServletRequestGetRequestURLMethod or
+        m instanceof HttpServletRequestGetPathMethod
+      ) and
      ma = source.asExpr()
    )
  }
--- a/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qll
@@ -2,6 +2,7 @@ import java
 import DataFlow
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.frameworks.Servlets
+import semmle.code.java.frameworks.spring.SpringWeb

 /** A sanitizer for unsafe url forward vulnerabilities. */
 abstract class UnsafeUrlForwardSanitizer extends DataFlow::Node { }
@@ -144,7 +145,7 @@ private class UnsafeUrlForwardSanitizedExpr extends Expr {
 /**
 * A concatenate expression using the string `forward:` on the left.
 *
- * E.g: `"forward:" + url`
+ * For example, `"forward:" + url`.
 */
 private class ForwardBuilderExpr extends AddExpr {
  ForwardBuilderExpr() {
@@ -155,7 +156,7 @@ private class ForwardBuilderExpr extends AddExpr {
 /**
 * A call to `StringBuilder.append` or `StringBuffer.append` method, and the parameter value is `"forward:"`.
 *
- * E.g: `StringBuilder.append("forward:")`
+ * For example, `StringBuilder.append("forward:")`.
 */
 private class ForwardAppendCall extends StringBuilderAppend {
  ForwardAppendCall() {
@@ -191,7 +192,7 @@ private class SpringUrlForwardSink extends UnsafeUrlForwardSink {
    )
    or
    exists(ClassInstanceExpr cie |
-      cie.getConstructedType().hasQualifiedName("org.springframework.web.servlet", "ModelAndView") and
+      cie.getConstructedType() instanceof ModelAndView and
      (
        exists(ForwardBuilderExpr rbe |
          rbe = cie.getArgument(0) and rbe.getRightOperand() = this.asExpr()
@@ -201,12 +202,6 @@ private class SpringUrlForwardSink extends UnsafeUrlForwardSink {
      )
    )
    or
-    exists(MethodAccess ma |
-      ma.getMethod().hasName("setViewName") and
-      ma.getMethod()
-          .getDeclaringType()
-          .hasQualifiedName("org.springframework.web.servlet", "ModelAndView") and
-      ma.getArgument(0) = this.asExpr()
-    )
+    exists(SpringModelAndViewSetViewNameCall smavsvnc | smavsvnc.getArgument(0) = this.asExpr())
  }
 }