hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-05 18:50:23 +01:00
Code Issues Packages Projects Releases Wiki Activity

implement field taint inheritance for Struts2 unmarshalled objects

Browse Source
This commit is contained in:
Alvaro Muñoz
2023-07-11 10:28:14 +02:00
parent d88f557dbe
commit 2ce1192ee6
2 changed files with 48 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
java/ql/lib/semmle/code/java/Serializability.qll
View File

@@ -6,6 +6,7 @@ import java
private import frameworks.jackson.JacksonSerializability
private import frameworks.google.GsonSerializability
private import frameworks.google.GoogleHttpClientApi
private import frameworks.struts.Struts2Serializability
/**
* A serializable field may be read without code referencing it,

47
java/ql/lib/semmle/code/java/frameworks/struts/Struts2Serializability.qll Normal file
View File

@@ -0,0 +1,47 @@
/**
* Provides classes and predicates for working with objects bound from Http requests in the context of
* the Struts2 web framework.
*/
import java
private import semmle.code.java.Serializability
private import semmle.code.java.dataflow.DataFlow
private import semmle.code.java.dataflow.FlowSteps
private import semmle.code.java.frameworks.struts.StrutsActions
/** A type whose values may be unmarshalled from an Http request by the Struts2 framework. */
abstract class Struts2DeserializableType extends Type { }
/** A type whose values are explicitly unmarshalled by from an Http request by the Struts2 framework. */
private class ExplicitlyReadStruts2DeserializableType extends Struts2DeserializableType {
ExplicitlyReadStruts2DeserializableType() {
exists(Struts2ActionSupportClass c |
usesType(c.getASetterMethod().getField().getType(), this) and
not this instanceof TypeClass and
not this instanceof TypeObject
)
}
}
/** A type used in a `Struts2ActionField` declaration. */
private class FieldReferencedStruts2DeserializableType extends Struts2DeserializableType {
FieldReferencedStruts2DeserializableType() {
exists(Struts2ActionField f | usesType(f.getType(), this))
}
}
/** A field that may be unmarshalled from an Http request using the Struts2 framework. */
private class Struts2ActionField extends DeserializableField {
Struts2ActionField() {
exists(Struts2DeserializableType superType |
superType = this.getDeclaringType().getAnAncestor() and
not superType instanceof TypeObject and
superType.fromSource()
)
}
}
/** A field that should convey the taint from its qualifier to itself. */
private class Struts2ActionFieldInheritTaint extends DataFlow::FieldContent, TaintInheritingContent {
Struts2ActionFieldInheritTaint() { this.getField() instanceof Struts2ActionField }
}