Merge pull request #6136 from smowton/smowton/admin/spring-xss-content-type-sensitivity

Spring HTTP: improve content-type sensitivity
This commit is contained in:
Anders Schack-Mulligen
2021-09-15 09:50:56 +02:00
committed by GitHub
5 changed files with 219 additions and 56 deletions


@@ -28,11 +28,11 @@ public class SpringXSS {
}
else {
if(chainDirectly) {
return builder.contentType(MediaType.APPLICATION_JSON).body(userControlled); // $SPURIOUS: xss
return builder.contentType(MediaType.APPLICATION_JSON).body(userControlled);
}
else {
ResponseEntity.BodyBuilder builder2 = builder.contentType(MediaType.APPLICATION_JSON);
return builder2.body(userControlled); // $SPURIOUS: xss
return builder2.body(userControlled);
}
}
@@ -60,7 +60,7 @@ public class SpringXSS {
@GetMapping(value = "/xyz", produces = MediaType.TEXT_HTML_VALUE)
public static ResponseEntity<String> methodContentTypeUnsafe(String userControlled) {
return ResponseEntity.ok(userControlled); // $MISSING: xss
return ResponseEntity.ok(userControlled); // $xss
}
@GetMapping(value = "/xyz", produces = "text/html")
@@ -75,7 +75,7 @@ public class SpringXSS {
@GetMapping(value = "/xyz", produces = MediaType.APPLICATION_JSON_VALUE)
public static ResponseEntity<String> methodContentTypeSafeOverriddenWithUnsafe(String userControlled) {
return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $MISSING: xss
return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $xss
}
@GetMapping(value = "/xyz", produces = MediaType.TEXT_HTML_VALUE)
@@ -105,12 +105,12 @@ public class SpringXSS {
private static class ClassContentTypeSafe {
@GetMapping(value = "/abc")
public ResponseEntity<String> test(String userControlled) {
return ResponseEntity.ok(userControlled); // $SPURIOUS: xss
return ResponseEntity.ok(userControlled);
}
@GetMapping(value = "/abc")
public String testDirectReturn(String userControlled) {
return userControlled; // $SPURIOUS: xss
return userControlled;
}
@GetMapping(value = "/xyz", produces = {"text/html"})
@@ -139,12 +139,12 @@ public class SpringXSS {
@GetMapping(value = "/xyz", produces = {"application/json"})
public ResponseEntity<String> overridesWithSafe(String userControlled) {
return ResponseEntity.ok(userControlled); // $SPURIOUS: xss
return ResponseEntity.ok(userControlled);
}
@GetMapping(value = "/abc")
public ResponseEntity<String> overridesWithSafe2(String userControlled) {
return ResponseEntity.ok().contentType(MediaType.APPLICATION_JSON).body(userControlled); // $SPURIOUS: xss
return ResponseEntity.ok().contentType(MediaType.APPLICATION_JSON).body(userControlled);
}
}
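Review bot: Every case this section now treats as safe (`overridesWithSafe`, `overridesWithSafe2`, the `builder.contentType(MediaType.APPLICATION_JSON)` branches and `ClassContentTypeSafe`) pins a single non-HTML type, but a `produces` array that mixes types, e.g. `produces = {"application/json", "text/html"}`, leaves the effective Content-Type to Accept-header negotiation, which the attacker controls, so it must still be reported; no such case is visible here and one should sit next to `overridesWithSafe`, with `return ResponseEntity.ok(userControlled); // $xss`. Script-capable non-HTML types such as `application/xhtml+xml` and `image/svg+xml` deserve an unsafe case for the same reason, in case the library change (not in this section, so this is inferred) keys on "not text/html" rather than on an allow-list of inert types. The `+`/`-` markers are lost in this rendering, so which of each paired line is old and new is inferred from the `$SPURIOUS`/`$MISSING` annotation text. The class headers for `ClassContentTypeSafe` and the class holding `overridesWithSafe` begin outside the hunks, so the class-level `produces` values that make those returns safe cannot be checked from here.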