hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 03:06:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

Support more methods that evaluate XPath expressions

Browse Source
This commit is contained in:
Tony Torralba
2021-04-27 15:02:15 +02:00
parent 3705970bfd
commit 2bb2baf6f7
5 changed files with 185 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
java/ql/src/semmle/code/java/security/XPath.qll
View File

@@ -9,13 +9,13 @@ private class XPath extends RefType {
XPath() { this.hasQualifiedName("javax.xml.xpath", "XPath") }
}
/** A call to `XPath.evaluate` or `XPath.compile` */
private class XPathEvaluateOrCompile extends MethodAccess {
XPathEvaluateOrCompile() {
/** A call to methods of any class implementing the interface `XPath` that evaluate XPath expressions */
private class XPathEvaluation extends MethodAccess {
XPathEvaluation() {
exists(Method m |
this.getMethod() = m and m.getDeclaringType() instanceof XPath
this.getMethod() = m and m.getDeclaringType().getASourceSupertype*() instanceof XPath
|
m.hasName(["evaluate", "compile"])
m.hasName(["evaluate", "evaluateExpression", "compile"])
)
}
}
@@ -25,13 +25,16 @@ private class Dom4JNode extends Interface {
Dom4JNode() { this.hasQualifiedName("org.dom4j", "Node") }
}
/** A call to `Node.selectNodes` or `Node.selectSingleNode` */
private class NodeSelectNodes extends MethodAccess {
NodeSelectNodes() {
/** A call to methods of any class implementing the interface `Node` that evaluate XPath expressions */
private class NodeXPathEvaluation extends MethodAccess {
NodeXPathEvaluation() {
exists(Method m |
this.getMethod() = m and m.getDeclaringType().getASourceSupertype*() instanceof Dom4JNode
|
m.hasName(["selectNodes", "selectSingleNode"])
m.hasName([
"selectObject", "selectNodes", "selectSingleNode", "numberValueOf", "valueOf", "matches",
"createXPath"
])
)
}
}
@@ -44,7 +47,7 @@ abstract class XPathInjectionSink extends DataFlow::Node { }
private class DefaultXPathInjectionSink extends XPathInjectionSink {
DefaultXPathInjectionSink() {
exists(NodeSelectNodes sink | sink.getArgument(0) = this.asExpr()) or
exists(XPathEvaluateOrCompile sink | sink.getArgument(0) = this.asExpr())
exists(NodeXPathEvaluation sink | sink.getArgument(0) = this.asExpr()) or
exists(XPathEvaluation sink | sink.getArgument(0) = this.asExpr())
}
}