From 3545edb92c8aad0c5d4b74be4145e72849f7e575 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mun=CC=83oz?=
Date: Tue, 10 Nov 2020 10:45:14 +0100
Subject: [PATCH] address code review suggestions
---
 .../CWE/CWE-094/InsecureBeanValidation.ql | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql b/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
index f7bd3a47c5b..b14ee02ac1b 100644
--- a/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
+++ b/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
@@ -23,20 +23,20 @@ class ELMessageInterpolatorType extends RefType {
 }
 }
 
-class SetSafeMessageInterpolator extends MethodAccess {
- SetSafeMessageInterpolator() {
- exists(Method m |
+/**
+ * A method call that sets the application's default message interpolator to an interpolator type that is likely to be safe,
+ * because it does not process Java Expression Language expressions.
+ */
+class SetSafeMessageInterpolatorCall extends MethodAccess {
+ SetSafeMessageInterpolatorCall() {
+ exists(Method m, RefType t |
 this.getMethod() = m and
+ m.getDeclaringType().getASourceSupertype*() = t and
 (
- m
- .getDeclaringType()
- .getASourceSupertype*()
- .hasQualifiedName("javax.validation", ["Configuration", "ValidatorContext"]) and
+ t.hasQualifiedName("javax.validation", ["Configuration", "ValidatorContext"]) and
 m.getName() = "messageInterpolator"
 or
- m
- .getDeclaringType()
- .getASourceSupertype*()
+ t
 .hasQualifiedName("org.springframework.validation.beanvalidation",
 ["CustomValidatorBean", "LocalValidatorFactoryBean"]) and
 m.getName() = "setMessageInterpolator"
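Review bot: The doc comment added above `SetSafeMessageInterpolatorCall` says the call installs an interpolator type that is likely to be safe, but the lines visible in this hunk only match the callee (`messageInterpolator` on `javax.validation.Configuration`/`ValidatorContext`, `setMessageInterpolator` on the two Spring bean classes, via `getASourceSupertype*()`) and never look at the argument, so as far as this hunk shows a call that installs an EL-capable interpolator would also count as "safe". The constructor body continues past the end of the hunk; if the remainder already rejects arguments whose type is an `ELMessageInterpolatorType`, this is only a documentation issue, and otherwise I would add `and not this.getArgument(0).getType() instanceof ELMessageInterpolatorType` after the `exists(...)`. Either way the comment should state the actual condition, e.g. `* A call that installs a message interpolator whose static type is not an ELMessageInterpolatorType, and which therefore is unlikely to evaluate Java EL in constraint messages.` Two smaller points: `ValidatorContext.messageInterpolator` configures a single Validator rather than "the application's default message interpolator", so the comment overstates the scope; and only the `javax.validation` package is matched, so the `jakarta.validation` namespace is not covered unless the rest of the query handles it, which I cannot see from here.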
@@ -71,7 +71,7 @@ class BeanValidationConfig extends TaintTracking::Configuration { from BeanValidationConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink where - not exists(SetSafeMessageInterpolator ma) and + not exists(SetSafeMessageInterpolatorCall ma) and cfg.hasFlowPath(source, sink) select sink.getNode(), source, sink, "Custom constraint error message contains unsanitized user data"
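Review bot: `not exists(SetSafeMessageInterpolatorCall ma)` in the `where` clause suppresses every result as soon as one matching call exists anywhere in the database, with no connection between that call and the validator whose constraint message reaches the sink, so a single safe configuration in a test helper or an unrelated module silences the whole query and a codebase that mixes a safe factory with an EL-enabled one gets no finding at all. Trading recall for precision this way may be deliberate, but nothing at this point says so, so I would document it, e.g. `// Global heuristic: any safe interpolator configuration anywhere in the program suppresses all results; no flow from the configuration to the validator used at the sink is tracked.` I would also consider excluding calls located in test code from the suppression, since that is the likeliest place for a stray safe configuration to mask a real finding.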