Add sanitizer for virtual method calls

luchua-bc
2021-12-15 16:19:50 +00:00
parent 8bcffc2886
commit 29ce0e9ef1


@@ -145,6 +145,23 @@ private class NullOrEmptyCheckSanitizer extends DataFlow::Node {
NullOrEmptyCheckSanitizer() { isNullOrEmptyCheck(this.asExpr()) }
}
/** Holds if `ma` is a virtual method call of Map::get or Object::toString. */
predicate isVirtualMethod(MethodAccess ma, Expr expr) {
ma.getMethod().getDeclaringType() instanceof TypeObject and
ma.getMethod().hasName("toString") and
(expr = ma or expr = ma.getQualifier())
or
(
ma.getMethod().getDeclaringType().getASupertype*().hasQualifiedName("java.util", "Map") and
ma.getMethod().hasName(["get", "getOrDefault"])
) and
(expr = ma or expr = ma.getAnArgument())
}
private class VirtualMethodSanitizer extends DataFlow::Node {
VirtualMethodSanitizer() { exists(MethodAccess ma | isVirtualMethod(ma, this.asExpr())) }
}
class UnsafeUrlForwardFlowConfig extends TaintTracking::Configuration {
UnsafeUrlForwardFlowConfig() { this = "UnsafeUrlForwardFlowConfig" }
@@ -166,7 +183,8 @@ class UnsafeUrlForwardFlowConfig extends TaintTracking::Configuration {
node instanceof UnsafeUrlForwardSanitizer or
node instanceof PathMatchSanitizer or
node instanceof StringOperationSanitizer or
node instanceof NullOrEmptyCheckSanitizer
node instanceof NullOrEmptyCheckSanitizer or
node instanceof VirtualMethodSanitizer
}
}
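Review bot: In `isVirtualMethod`, the `Map` branch binds `expr` to `ma.getAnArgument()`, which for `getOrDefault` also matches the default-value argument, so a tainted default is treated as a barrier even though the call can return it unchanged. Together with `expr = ma`, every flow through a `Map.get`/`getOrDefault` result is cut in `UnsafeUrlForwardFlowConfig`, which may hide real unsafe-forward findings instead of only removing spurious virtual-dispatch paths; the intent is not stated in the commit, so this is worth confirming against a test case with a tainted map value. If only the key is meant to be excluded, narrow the last line to `(expr = ma or expr = ma.getArgument(0))`. The doc comment should also say what `expr` is bound to (the call itself, the `toString` qualifier, or a `Map` argument) and mention `getOrDefault`, and the predicate could be declared `private predicate isVirtualMethod(MethodAccess ma, Expr expr)` to match the private sanitizer classes around it. The body of `UnsafeUrlForwardFlowConfig` starts outside the second hunk.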