check that either there are no custom message interpolator configured, or there is at least one that is insecure

This commit is contained in:
Alvaro Muñoz
2020-11-11 12:53:54 +01:00
parent c3bc0d6c15
commit 30d8dce389


@@ -85,7 +85,11 @@ class BeanValidationConfig extends TaintTracking::Configuration {
from BeanValidationConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where
not forall(SetMessageInterpolatorCall c | c.isSafe()) and
(
not exists(SetMessageInterpolatorCall c)
or
exists(SetMessageInterpolatorCall c | not c.isSafe())
) and
cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
"Custom constraint error message contains unsanitized user data"
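Review bot: The five-line disjunction at lines 15–19 is the negation of QL's `forex` quantifier (which holds only when the domain is non-empty and every member satisfies the predicate), so it can be written as the single line `not forex(SetMessageInterpolatorCall c | c.isSafe()) and` with identical meaning. Whichever form is kept, the rationale deserves a comment, because the replaced `not forall(...)` looked right but was false on an empty domain and so never reported the unconfigured case the commit message describes: `// No setMessageInterpolator call at all means the default interpolator is in use, which this query treats as unsafe; forall over an empty set is vacuously true, so the old check missed that case.` Separately, the interpolator check is global rather than tied to the validator or factory that the sink's flow reaches, so a codebase that configures a safe interpolator on one factory and an unsafe one on another will have every path flagged; if that precision trade-off is intentional, a one-line comment saying so would save the next reader from reinvestigating it.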