Convert XSS barrier to MaD

Owen Mansel-Chan
2025-12-09 16:11:12 +00:00
committed by Anders Schack-Mulligen
parent 7e562f3150
commit 44295e4c7d
3 changed files with 22 additions and 15 deletions


@@ -50,6 +50,12 @@ extensions:
- ["hudson", "FilePath", False, "readToString", "", "", "ReturnValue", "file", "manual"] - ["hudson", "FilePath", False, "readToString", "", "", "ReturnValue", "file", "manual"]
- ["hudson", "Plugin", True, "configure", "", "", "Parameter", "remote", "manual"] - ["hudson", "Plugin", True, "configure", "", "", "Parameter", "remote", "manual"]
- ["hudson", "Plugin", True, "newInstance", "", "", "Parameter", "remote", "manual"] - ["hudson", "Plugin", True, "newInstance", "", "", "Parameter", "remote", "manual"]
- addsTo:
pack: codeql/java-all
extensible: barrierModel
data:
- ["hudson", "Util", True, "escape", "(String)", "", "ReturnValue", "html-injection", "manual"]
# Not including xmlEscape because it only accounts for >, <, and &. It does not account for ", or ', which makes it an incomplete XSS sanitizer.
- addsTo: - addsTo:
pack: codeql/java-all pack: codeql/java-all
extensible: summaryModel extensible: summaryModel
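Review bot: The new `barrierModel` row pins the signature to `(String)`, whereas the QL class removed elsewhere in this commit matched any method named `escape` on `hudson.Util` via `hasQualifiedName("hudson", "Util", "escape")`. If `Util` has or later gains another `escape` overload, calls to it stop acting as a barrier; that errs towards extra XSS alerts rather than missed ones, but it is a behaviour change the commit title does not mention. I would record it next to the row, for example `# Signature pinned to (String); the former QL sanitizer matched every Util.escape overload by name.` None of the three changed files is a test, so it would help to confirm that an existing XSS query test exercises `hudson.Util.escape` through the MaD path.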


@@ -14,14 +14,3 @@ class HudsonWebMethod extends Method {
this.getDeclaringType().getASourceSupertype*().hasQualifiedName("hudson.model", "Descriptor") this.getDeclaringType().getASourceSupertype*().hasQualifiedName("hudson.model", "Descriptor")
} }
} }
private class HudsonUtilXssSanitizer extends XssSanitizer {
HudsonUtilXssSanitizer() {
this.asExpr()
.(MethodCall)
.getMethod()
// Not including xmlEscape because it only accounts for >, <, and &.
// It does not account for ", or ', which makes it an incomplete XSS sanitizer.
.hasQualifiedName("hudson", "Util", "escape")
}
}


@@ -54,12 +54,24 @@ private class DefaultXssSink extends XssSink {
} }
} }
/** A default sanitizer that considers numeric and boolean typed data safe for writing to output. */
private class DefaultXssSanitizer extends XssSanitizer { private class DefaultXssSanitizer extends XssSanitizer {
DefaultXssSanitizer() { DefaultXssSanitizer() { barrierNode(this, ["html-injection", "js-injection"]) }
}
/** A sanitizer that considers numeric and boolean typed data safe for writing to output. */
private class PrimitiveSanitizer extends XssSanitizer {
PrimitiveSanitizer() {
this.getType() instanceof NumericType or this.getType() instanceof NumericType or
this.getType() instanceof BooleanType or this.getType() instanceof BooleanType
// Match `org.springframework.web.util.HtmlUtils.htmlEscape` and possibly other methods like it. }
}
/**
* A call to `org.springframework.web.util.HtmlUtils.htmlEscape`, or possibly
* other methods like it, considered as a sanitizer for XSS.
*/
private class HtmlEscapeXssSanitizer extends XssSanitizer {
HtmlEscapeXssSanitizer() {
this.asExpr().(MethodCall).getMethod().getName().regexpMatch("(?i)html_?escape.*") this.asExpr().(MethodCall).getMethod().getName().regexpMatch("(?i)html_?escape.*")
} }
} }
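Review bot: The rewritten `DefaultXssSanitizer` appears to have no QLDoc on the new side, and its body `barrierNode(this, ["html-injection", "js-injection"])` accepts both barrier kinds for whatever sinks use `XssSanitizer`. A row modelled only as `html-injection`, such as an HTML-entity escaper, would therefore also stop flow into sinks modelled as `js-injection`, where HTML escaping alone may not be sufficient. As far as the visible lines show, sanitizers were not kind-specific before this change either, so this is not a regression, but it should be stated on the class so model authors do not assume the two kinds are tracked separately. I would add above the class: `/** A sanitizer for XSS given by a models-as-data barrier of kind "html-injection" or "js-injection"; either kind is accepted for all XSS sinks. */`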