hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add RequestForgerySanitizer

Browse Source
This commit is contained in:
Tony Torralba
2021-06-17 14:58:27 +02:00
parent 0c71393171
commit 3ec2c1308e
3 changed files with 12 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
java/ql/src/Security/CWE/CWE-749/UnsafeAndroidAccess.ql
View File

@@ -13,6 +13,7 @@
import java import java
import semmle.code.java.dataflow.FlowSources import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.RequestForgeryConfig
import semmle.code.java.security.UnsafeAndroidAccess import semmle.code.java.security.UnsafeAndroidAccess
import DataFlow::PathGraph import DataFlow::PathGraph
@@ -25,6 +26,10 @@ class FetchUntrustedResourceConfiguration extends TaintTracking::Configuration {
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) { sink instanceof UrlResourceSink } override predicate isSink(DataFlow::Node sink) { sink instanceof UrlResourceSink }
override predicate isSanitizer(DataFlow::Node sanitizer) {
sanitizer instanceof RequestForgerySanitizer
}
} }
from DataFlow::PathNode source, DataFlow::PathNode sink, FetchUntrustedResourceConfiguration conf from DataFlow::PathNode source, DataFlow::PathNode sink, FetchUntrustedResourceConfiguration conf

2
java/ql/test/query-tests/security/CWE-749/UnsafeAndroidAccess.java
View File

@@ -147,6 +147,6 @@ public class UnsafeAndroidAccess extends Activity {
String thisUrl = getIntent().getStringExtra("url"); String thisUrl = getIntent().getStringExtra("url");
// This should be considered safe - the query lacks a proper sanitizer for partial URLs. // This should be considered safe - the query lacks a proper sanitizer for partial URLs.
wv.loadUrl("https://www.mycorp.com/" + thisUrl); // $ SPURIOUS: hasUnsafeAndroidAccess wv.loadUrl("https://www.mycorp.com/" + thisUrl);
} }
} }

7
java/ql/test/query-tests/security/CWE-749/UnsafeAndroidAccessTest.ql
View File

@@ -1,8 +1,9 @@
import java import java
import semmle.code.java.dataflow.DataFlow import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.FlowSources import semmle.code.java.dataflow.FlowSources
import TestUtilities.InlineExpectationsTest import semmle.code.java.security.RequestForgeryConfig
import semmle.code.java.security.UnsafeAndroidAccess import semmle.code.java.security.UnsafeAndroidAccess
import TestUtilities.InlineExpectationsTest
class Conf extends TaintTracking::Configuration { class Conf extends TaintTracking::Configuration {
Conf() { this = "qltest:cwe:unsafe-android-access" } Conf() { this = "qltest:cwe:unsafe-android-access" }
@@ -10,6 +11,10 @@ class Conf extends TaintTracking::Configuration {
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource } override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) { sink instanceof UrlResourceSink } override predicate isSink(DataFlow::Node sink) { sink instanceof UrlResourceSink }
override predicate isSanitizer(DataFlow::Node sanitizer) {
sanitizer instanceof RequestForgerySanitizer
}
} }
class UnsafeAndroidAccessTest extends InlineExpectationsTest { class UnsafeAndroidAccessTest extends InlineExpectationsTest {