mirror of
https://github.com/github/codeql.git
synced 2025-12-24 04:36:35 +01:00
Refactor ClientSuppliedIpUsedInSecurityCheck
This commit is contained in:
Ed Minnix
@@ -12,29 +12,26 @@
|
||||
*/
|
||||
|
||||
import java
|
||||
import ClientSuppliedIpUsedInSecurityCheckLib
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import DataFlow::PathGraph
|
||||
import ClientSuppliedIpUsedInSecurityCheckLib
|
||||
import ClientSuppliedIpUsedInSecurityCheckFlow::PathGraph
|
||||
|
||||
/**
|
||||
* Taint-tracking configuration tracing flow from obtaining a client ip from an HTTP header to a sensitive use.
|
||||
*/
|
||||
class ClientSuppliedIpUsedInSecurityCheckConfig extends TaintTracking::Configuration {
|
||||
ClientSuppliedIpUsedInSecurityCheckConfig() { this = "ClientSuppliedIpUsedInSecurityCheckConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) {
|
||||
module ClientSuppliedIpUsedInSecurityCheckConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
source instanceof ClientSuppliedIpUsedInSecurityCheck
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) {
|
||||
sink instanceof ClientSuppliedIpUsedInSecurityCheckSink
|
||||
}
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof ClientSuppliedIpUsedInSecurityCheckSink }
|
||||
|
||||
/**
|
||||
* Splitting a header value by `,` and taking an entry other than the first is sanitizing, because
|
||||
* later entries may originate from more-trustworthy intermediate proxies, not the original client.
|
||||
*/
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
predicate isBarrier(DataFlow::Node node) {
|
||||
exists(ArrayAccess aa, MethodAccess ma | aa.getArray() = ma |
|
||||
ma.getQualifier() = node.asExpr() and
|
||||
ma.getMethod() instanceof SplitMethod and
|
||||
@@ -47,8 +44,12 @@ class ClientSuppliedIpUsedInSecurityCheckConfig extends TaintTracking::Configura
|
||||
}
|
||||
}
|
||||
|
||||
module ClientSuppliedIpUsedInSecurityCheckFlow =
|
||||
TaintTracking::Global<ClientSuppliedIpUsedInSecurityCheckConfig>;
|
||||
|
||||
from
|
||||
DataFlow::PathNode source, DataFlow::PathNode sink, ClientSuppliedIpUsedInSecurityCheckConfig conf
|
||||
where conf.hasFlowPath(source, sink)
|
||||
ClientSuppliedIpUsedInSecurityCheckFlow::PathNode source,
|
||||
ClientSuppliedIpUsedInSecurityCheckFlow::PathNode sink
|
||||
where ClientSuppliedIpUsedInSecurityCheckFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "IP address spoofing might include code from $@.",
|
||||
source.getNode(), "this user input"
|
||||
|
||||
Reference in New Issue
Block a user