hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 01:05:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Java: Add extension point and default sanitizer to Open Redirect query

Browse Source
This commit is contained in:
Tony Torralba
2024-02-09 09:10:20 +01:00
parent 31cb308d4c
commit 34f74869c8
6 changed files with 18 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
java/ql/lib/semmle/code/java/security/UrlRedirect.qll
View File

@@ -6,10 +6,14 @@ private import semmle.code.java.dataflow.ExternalFlow
import semmle.code.java.frameworks.Servlets
import semmle.code.java.frameworks.ApacheHttp
private import semmle.code.java.frameworks.JaxWS
private import semmle.code.java.security.RequestForgery
/** A URL redirection sink. */
abstract class UrlRedirectSink extends DataFlow::Node { }
/** A URL redirection sanitizer. */
abstract class UrlRedirectSanitizer extends DataFlow::Node { }
/** A default sink represeting methods susceptible to URL redirection attacks. */
private class DefaultUrlRedirectSink extends UrlRedirectSink {
DefaultUrlRedirectSink() { sinkNode(this, "url-redirection") }
@@ -42,3 +46,6 @@ private class ApacheUrlRedirectSink extends UrlRedirectSink {
)
}
}
private class DefaultUrlRedirectSanitizer extends UrlRedirectSanitizer instanceof RequestForgerySanitizer
{ }

2
java/ql/lib/semmle/code/java/security/UrlRedirectQuery.qll
View File

@@ -11,6 +11,8 @@ module UrlRedirectConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof ThreatModelFlowSource }
predicate isSink(DataFlow::Node sink) { sink instanceof UrlRedirectSink }
predicate isBarrier(DataFlow::Node node) { node instanceof UrlRedirectSanitizer }
}
/**