Modify the model
@@ -74,7 +74,7 @@ library class HttpServletRequestGetQueryStringMethod extends Method {
|
|||||||
/**
|
/**
|
||||||
* The method `getPathInfo()` declared in `javax.servlet.http.HttpServletRequest`.
|
* The method `getPathInfo()` declared in `javax.servlet.http.HttpServletRequest`.
|
||||||
*/
|
*/
|
||||||
library class HttpServletRequestGetPathMethod extends Method {
|
class HttpServletRequestGetPathMethod extends Method {
|
||||||
HttpServletRequestGetPathMethod() {
|
HttpServletRequestGetPathMethod() {
|
||||||
getDeclaringType() instanceof HttpServletRequest and
|
getDeclaringType() instanceof HttpServletRequest and
|
||||||
hasName("getPathInfo") and
|
hasName("getPathInfo") and
|
||||||
@@ -120,7 +120,7 @@ library class HttpServletRequestGetHeaderNamesMethod extends Method {
|
|||||||
/**
|
/**
|
||||||
* The method `getRequestURL()` declared in `javax.servlet.http.HttpServletRequest`.
|
* The method `getRequestURL()` declared in `javax.servlet.http.HttpServletRequest`.
|
||||||
*/
|
*/
|
||||||
library class HttpServletRequestGetRequestURLMethod extends Method {
|
class HttpServletRequestGetRequestURLMethod extends Method {
|
||||||
HttpServletRequestGetRequestURLMethod() {
|
HttpServletRequestGetRequestURLMethod() {
|
||||||
getDeclaringType() instanceof HttpServletRequest and
|
getDeclaringType() instanceof HttpServletRequest and
|
||||||
hasName("getRequestURL") and
|
hasName("getRequestURL") and
|
||||||
@@ -131,7 +131,7 @@ library class HttpServletRequestGetRequestURLMethod extends Method {
|
|||||||
/**
|
/**
|
||||||
* The method `getRequestURI()` declared in `javax.servlet.http.HttpServletRequest`.
|
* The method `getRequestURI()` declared in `javax.servlet.http.HttpServletRequest`.
|
||||||
*/
|
*/
|
||||||
library class HttpServletRequestGetRequestURIMethod extends Method {
|
class HttpServletRequestGetRequestURIMethod extends Method {
|
||||||
HttpServletRequestGetRequestURIMethod() {
|
HttpServletRequestGetRequestURIMethod() {
|
||||||
getDeclaringType() instanceof HttpServletRequest and
|
getDeclaringType() instanceof HttpServletRequest and
|
||||||
hasName("getRequestURI") and
|
hasName("getRequestURI") and
|
||||||
@@ -197,9 +197,7 @@ class HttpServletResponseSendErrorMethod extends Method {
|
|||||||
class ServletRequestGetRequestDispatcherMethod extends Method {
|
class ServletRequestGetRequestDispatcherMethod extends Method {
|
||||||
ServletRequestGetRequestDispatcherMethod() {
|
ServletRequestGetRequestDispatcherMethod() {
|
||||||
getDeclaringType() instanceof ServletRequest and
|
getDeclaringType() instanceof ServletRequest and
|
||||||
hasName("getRequestDispatcher") and
|
hasName("getRequestDispatcher")
|
||||||
getNumberOfParameters() = 1 and
|
|
||||||
getParameter(0).getType() instanceof TypeString
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
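Review bot: Dropping `getNumberOfParameters() = 1` and `getParameter(0).getType() instanceof TypeString` from `ServletRequestGetRequestDispatcherMethod` leaves this shared model matching on the declaring type and the name alone. Every consumer that reads `getArgument(0)` of such a call now depends on that looser match. If the constraints went away only because the interface has a single `getRequestDispatcher(String)` signature, record that in a one-line QLDoc comment on the class saying it models that method of `javax.servlet.ServletRequest`. The lines above the class are outside this hunk, so an existing comment may already cover it.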
|
|||||||
@@ -13,6 +13,7 @@
|
|||||||
import java
|
import java
|
||||||
import UnsafeUrlForward
|
import UnsafeUrlForward
|
||||||
import semmle.code.java.dataflow.FlowSources
|
import semmle.code.java.dataflow.FlowSources
|
||||||
|
import semmle.code.java.frameworks.Servlets
|
||||||
import DataFlow::PathGraph
|
import DataFlow::PathGraph
|
||||||
|
|
||||||
private class StartsWithSanitizer extends DataFlow::BarrierGuard {
|
private class StartsWithSanitizer extends DataFlow::BarrierGuard {
|
||||||
@@ -32,12 +33,12 @@ class UnsafeUrlForwardFlowConfig extends TaintTracking::Configuration {
|
|||||||
|
|
||||||
override predicate isSource(DataFlow::Node source) {
|
override predicate isSource(DataFlow::Node source) {
|
||||||
source instanceof RemoteFlowSource and
|
source instanceof RemoteFlowSource and
|
||||||
not exists(MethodAccess ma |
|
not exists(MethodAccess ma, Method m | ma.getMethod() = m |
|
||||||
ma.getMethod().getName() in ["getRequestURI", "getRequestURL", "getPathInfo"] and
|
(
|
||||||
ma.getMethod()
|
m instanceof HttpServletRequestGetRequestURIMethod or
|
||||||
.getDeclaringType()
|
m instanceof HttpServletRequestGetRequestURLMethod or
|
||||||
.getASupertype*()
|
m instanceof HttpServletRequestGetPathMethod
|
||||||
.hasQualifiedName("javax.servlet.http", "HttpServletRequest") and
|
) and
|
||||||
ma = source.asExpr()
|
ma = source.asExpr()
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
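Review bot: The `not exists(...)` clause in `isSource` removes `getRequestURI()`, `getRequestURL()` and `getPathInfo()` from the remote sources, and nothing in the hunk says why. Those values are still shaped by the client, so a maintainer cannot tell a deliberate false-positive trade-off from an oversight. Add a comment above the clause such as `// Request-path accessors are excluded to reduce false positives; revisit if path-derived forwards must be reported.` (the stated reason is inferred and should be confirmed). The old form walked `getASupertype*()`, whereas the new one relies on the three model classes, whose visible characteristic predicates test `getDeclaringType() instanceof HttpServletRequest`. Calls that resolve to a method declared in a subtype are presumably no longer excluded, which is worth a test case. The enclosing `UnsafeUrlForwardFlowConfig` class starts outside the hunk.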
|
|||||||
@@ -2,6 +2,7 @@ import java
|
|||||||
import DataFlow
|
import DataFlow
|
||||||
import semmle.code.java.dataflow.FlowSources
|
import semmle.code.java.dataflow.FlowSources
|
||||||
import semmle.code.java.frameworks.Servlets
|
import semmle.code.java.frameworks.Servlets
|
||||||
|
import semmle.code.java.frameworks.spring.SpringWeb
|
||||||
|
|
||||||
/** A sanitizer for unsafe url forward vulnerabilities. */
|
/** A sanitizer for unsafe url forward vulnerabilities. */
|
||||||
abstract class UnsafeUrlForwardSanitizer extends DataFlow::Node { }
|
abstract class UnsafeUrlForwardSanitizer extends DataFlow::Node { }
|
||||||
@@ -144,7 +145,7 @@ private class UnsafeUrlForwardSanitizedExpr extends Expr {
|
|||||||
/**
|
/**
|
||||||
* A concatenate expression using the string `forward:` on the left.
|
* A concatenate expression using the string `forward:` on the left.
|
||||||
*
|
*
|
||||||
* E.g: `"forward:" + url`
|
* For example, `"forward:" + url`.
|
||||||
*/
|
*/
|
||||||
private class ForwardBuilderExpr extends AddExpr {
|
private class ForwardBuilderExpr extends AddExpr {
|
||||||
ForwardBuilderExpr() {
|
ForwardBuilderExpr() {
|
||||||
@@ -155,7 +156,7 @@ private class ForwardBuilderExpr extends AddExpr {
|
|||||||
/**
|
/**
|
||||||
* A call to `StringBuilder.append` or `StringBuffer.append` method, and the parameter value is `"forward:"`.
|
* A call to `StringBuilder.append` or `StringBuffer.append` method, and the parameter value is `"forward:"`.
|
||||||
*
|
*
|
||||||
* E.g: `StringBuilder.append("forward:")`
|
* For example, `StringBuilder.append("forward:")`.
|
||||||
*/
|
*/
|
||||||
private class ForwardAppendCall extends StringBuilderAppend {
|
private class ForwardAppendCall extends StringBuilderAppend {
|
||||||
ForwardAppendCall() {
|
ForwardAppendCall() {
|
||||||
@@ -191,7 +192,7 @@ private class SpringUrlForwardSink extends UnsafeUrlForwardSink {
|
|||||||
)
|
)
|
||||||
or
|
or
|
||||||
exists(ClassInstanceExpr cie |
|
exists(ClassInstanceExpr cie |
|
||||||
cie.getConstructedType().hasQualifiedName("org.springframework.web.servlet", "ModelAndView") and
|
cie.getConstructedType() instanceof ModelAndView and
|
||||||
(
|
(
|
||||||
exists(ForwardBuilderExpr rbe |
|
exists(ForwardBuilderExpr rbe |
|
||||||
rbe = cie.getArgument(0) and rbe.getRightOperand() = this.asExpr()
|
rbe = cie.getArgument(0) and rbe.getRightOperand() = this.asExpr()
|
||||||
@@ -201,12 +202,6 @@ private class SpringUrlForwardSink extends UnsafeUrlForwardSink {
|
|||||||
)
|
)
|
||||||
)
|
)
|
||||||
or
|
or
|
||||||
exists(MethodAccess ma |
|
exists(SpringModelAndViewSetViewNameCall smavsvnc | smavsvnc.getArgument(0) = this.asExpr())
|
||||||
ma.getMethod().hasName("setViewName") and
|
|
||||||
ma.getMethod()
|
|
||||||
.getDeclaringType()
|
|
||||||
.hasQualifiedName("org.springframework.web.servlet", "ModelAndView") and
|
|
||||||
ma.getArgument(0) = this.asExpr()
|
|
||||||
)
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
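Review bot: The rewritten last branch of `SpringUrlForwardSink` treats argument 0 of any `SpringModelAndViewSetViewNameCall` as a sink, while the `ClassInstanceExpr` branch above it only matches the right operand of a `ForwardBuilderExpr` (`"forward:" + url`). A view name taken whole from the request can carry its own prefix, so the constructor form looks narrower than the setter form for the same risk. If that is intended, say so in the class QLDoc; otherwise consider also matching `cie.getArgument(0) = this.asExpr()`. Part of the constructor branch lies between the two hunks and is not visible here, so this may already be handled. The definitions of `ModelAndView` and `SpringModelAndViewSetViewNameCall` are not on this page (presumably they come in through the newly added `semmle.code.java.frameworks.spring.SpringWeb` import); confirm they cover the `org.springframework.web.servlet` type that the removed `hasQualifiedName` checks named.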
|
|||||||