hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-23 04:06:37 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #13408 from aschackmull/java/loginjection-perf

Browse Source 
Java: Add more negation context to reduce string ops and improve perf.
This commit is contained in:
Anders Schack-Mulligen
2023-06-09 08:44:27 +02:00
committed by GitHub
parent e8b12ce416 5a2ac1b5ca
commit 44b09507ab
1 changed files with 22 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
java/ql/lib/semmle/code/java/security/LogInjection.qll
View File

@@ -46,16 +46,33 @@ private class LineBreaksLogInjectionSanitizer extends LogInjectionSanitizer {
} }
} }
private predicate stringMethodAccess(
MethodAccess ma, CompileTimeConstantExpr arg0, CompileTimeConstantExpr arg1
) {
ma.getMethod().getDeclaringType() instanceof TypeString and
arg0 = ma.getArgument(0) and
arg1 = ma.getArgument(1)
}
private predicate stringMethodArgument(CompileTimeConstantExpr arg) {
stringMethodAccess(_, arg, _) or stringMethodAccess(_, _, arg)
}
bindingset[match]
pragma[inline_late]
private predicate stringMethodArgumentValueMatches(CompileTimeConstantExpr const, string match) {
stringMethodArgument(const) and
const.getStringValue().matches(match)
}
/** /**
* Holds if the return value of `ma` is sanitized against log injection attacks * Holds if the return value of `ma` is sanitized against log injection attacks
* by removing line breaks from it. * by removing line breaks from it.
*/ */
private predicate logInjectionSanitizer(MethodAccess ma) { private predicate logInjectionSanitizer(MethodAccess ma) {
exists(CompileTimeConstantExpr target, CompileTimeConstantExpr replacement | exists(CompileTimeConstantExpr target, CompileTimeConstantExpr replacement |
ma.getMethod().getDeclaringType() instanceof TypeString and stringMethodAccess(ma, target, replacement) and
target = ma.getArgument(0) and not stringMethodArgumentValueMatches(replacement, ["%\n%", "%\r%"])
replacement = ma.getArgument(1) and
not replacement.getStringValue().matches(["%\n%", "%\r%"])
| |
ma.getMethod().hasName("replace") and ma.getMethod().hasName("replace") and
not replacement.getIntValue() = [10, 13] and not replacement.getIntValue() = [10, 13] and
@@ -68,7 +85,7 @@ private predicate logInjectionSanitizer(MethodAccess ma) {
( (
// Replace anything not in an allow list // Replace anything not in an allow list
target.getStringValue().matches("[^%]") and target.getStringValue().matches("[^%]") and
not target.getStringValue().matches("%" + ["\n", "\r", "\\n", "\\r", "\\R"] + "%") not stringMethodArgumentValueMatches(target, "%" + ["\n", "\r", "\\n", "\\r", "\\R"] + "%")
or or
// Replace line breaks // Replace line breaks
target.getStringValue() = ["\n", "\r", "\\n", "\\r", "\\R"] target.getStringValue() = ["\n", "\r", "\\n", "\\r", "\\R"]