Address review comments re: flow states

2026-04-28 02:05:14 +02:00 · 2022-09-16 14:48:30 +02:00
parent f412f433bf
commit 3141fdae72
2 changed files with 13 additions and 8 deletions
--- a/java/ql/lib/semmle/code/java/security/TemplateInjection.qll
+++ b/java/ql/lib/semmle/code/java/security/TemplateInjection.qll
@@ -50,9 +50,16 @@ class TemplateInjectionAdditionalTaintStep extends Unit {
 /**
 * A sanitizer for server-side template injection (SST) vulnerabilities.
 */
-abstract class TemplateInjectionSanitizer extends DataFlow::Node {
+abstract class TemplateInjectionSanitizer extends DataFlow::Node { }
+
+/**
+ * A sanitizer for server-side template injection (SST) vulnerabilities.
+ * This sanitizer is only applicable when `TemplateInjectionSanitizerWithState::hasState`
+ * holds for the flow state.
+ */
+abstract class TemplateInjectionSanitizerWithState extends DataFlow::Node {
  /** Holds if this sanitizer has the specified `state`. */
-  predicate hasState(DataFlow::FlowState state) { state instanceof DataFlow::FlowStateEmpty }
+  abstract predicate hasState(DataFlow::FlowState state);
 }

 private class DefaultTemplateInjectionSource extends TemplateInjectionSource instanceof RemoteFlowSource {
--- a/java/ql/lib/semmle/code/java/security/TemplateInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/TemplateInjectionQuery.qll
@@ -9,22 +9,20 @@ import semmle.code.java.security.TemplateInjection
 class TemplateInjectionFlowConfig extends TaintTracking::Configuration {
  TemplateInjectionFlowConfig() { this = "TemplateInjectionFlowConfig" }

-  override predicate isSource(DataFlow::Node source) { this.isSource(source, _) }
-
  override predicate isSource(DataFlow::Node source, DataFlow::FlowState state) {
    source.(TemplateInjectionSource).hasState(state)
  }

-  override predicate isSink(DataFlow::Node sink) { this.isSink(sink, _) }
-
  override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
    sink.(TemplateInjectionSink).hasState(state)
  }

-  override predicate isSanitizer(DataFlow::Node sanitizer) { this.isSanitizer(sanitizer, _) }
+  override predicate isSanitizer(DataFlow::Node sanitizer) {
+    sanitizer instanceof TemplateInjectionSanitizer
+  }

  override predicate isSanitizer(DataFlow::Node sanitizer, DataFlow::FlowState state) {
-    sanitizer.(TemplateInjectionSanitizer).hasState(state)
+    sanitizer.(TemplateInjectionSanitizerWithState).hasState(state)
  }

  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {