Convert XSS barrier to MaD

2025-12-16 16:53:25 +01:00 · 2025-12-09 16:11:12 +00:00
parent 7e562f3150
commit 44295e4c7d
3 changed files with 22 additions and 15 deletions
--- a/java/ql/lib/ext/hudson.model.yml
+++ b/java/ql/lib/ext/hudson.model.yml
@@ -50,6 +50,12 @@ extensions:
      - ["hudson", "FilePath", False, "readToString", "", "", "ReturnValue", "file", "manual"]
      - ["hudson", "Plugin", True, "configure", "", "", "Parameter", "remote", "manual"]
      - ["hudson", "Plugin", True, "newInstance", "", "", "Parameter", "remote", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: barrierModel
+    data:
+      - ["hudson", "Util", True, "escape", "(String)", "", "ReturnValue", "html-injection", "manual"]
+        # Not including xmlEscape because it only accounts for >, <, and &. It does not account for ", or ', which makes it an incomplete XSS sanitizer.
  - addsTo:
      pack: codeql/java-all
      extensible: summaryModel
--- a/java/ql/lib/semmle/code/java/frameworks/hudson/Hudson.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/hudson/Hudson.qll
@@ -14,14 +14,3 @@ class HudsonWebMethod extends Method {
    this.getDeclaringType().getASourceSupertype*().hasQualifiedName("hudson.model", "Descriptor")
  }
 }
-
-private class HudsonUtilXssSanitizer extends XssSanitizer {
-  HudsonUtilXssSanitizer() {
-    this.asExpr()
-        .(MethodCall)
-        .getMethod()
-        // Not including xmlEscape because it only accounts for >, <, and &.
-        // It does not account for ", or ', which makes it an incomplete XSS sanitizer.
-        .hasQualifiedName("hudson", "Util", "escape")
-  }
-}
--- a/java/ql/lib/semmle/code/java/security/XSS.qll
+++ b/java/ql/lib/semmle/code/java/security/XSS.qll
@@ -54,12 +54,24 @@ private class DefaultXssSink extends XssSink {
  }
 }

-/** A default sanitizer that considers numeric and boolean typed data safe for writing to output. */
 private class DefaultXssSanitizer extends XssSanitizer {
-  DefaultXssSanitizer() {
+  DefaultXssSanitizer() { barrierNode(this, ["html-injection", "js-injection"]) }
+}
+
+/** A sanitizer that considers numeric and boolean typed data safe for writing to output. */
+private class PrimitiveSanitizer extends XssSanitizer {
+  PrimitiveSanitizer() {
    this.getType() instanceof NumericType or
-    this.getType() instanceof BooleanType or
-    // Match `org.springframework.web.util.HtmlUtils.htmlEscape` and possibly other methods like it.
+    this.getType() instanceof BooleanType
+  }
+}
+
+/**
+ * A call to `org.springframework.web.util.HtmlUtils.htmlEscape`, or possibly
+ * other methods like it, considered as a sanitizer for XSS.
+ */
+private class HtmlEscapeXssSanitizer extends XssSanitizer {
+  HtmlEscapeXssSanitizer() {
    this.asExpr().(MethodCall).getMethod().getName().regexpMatch("(?i)html_?escape.*")
  }
 }