Merge pull request #17075 from RobbingDaHood/17052-second-try-do-not-expose-error-message

Java: 17052 Second try: do not expose error message
2026-05-05 13:45:19 +02:00 · 2024-08-02 12:44:27 +02:00
parent c23938d119 1cb58922a2
commit 4d023f14a6
12 changed files with 125 additions and 37 deletions
--- a/java/ql/lib/semmle/code/java/dataflow/ApiSources.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/ApiSources.qll
@@ -19,5 +19,6 @@ private module AllApiSources {
  private import semmle.code.java.security.InsecureTrustManager
  private import semmle.code.java.security.JWT
  private import semmle.code.java.security.StackTraceExposureQuery
+  private import semmle.code.java.security.SensitiveDataExposureThroughErrorMessageQuery
  private import semmle.code.java.security.ZipSlipQuery
 }
--- a/java/ql/lib/semmle/code/java/security/SensitiveDataExposureThroughErrorMessageQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SensitiveDataExposureThroughErrorMessageQuery.qll
@@ -0,0 +1,34 @@
+/** Provides predicates to reason about exposure of error messages. */
+
+import java
+private import semmle.code.java.dataflow.FlowSources
+private import semmle.code.java.security.InformationLeak
+
+/**
+ * A get message source node.
+ */
+private class GetMessageFlowSource extends ApiSourceNode {
+  GetMessageFlowSource() {
+    exists(Method method | this.asExpr().(MethodCall).getMethod() = method |
+      method.hasName("getMessage") and
+      method.hasNoParameters() and
+      method.getDeclaringType().hasQualifiedName("java.lang", "Throwable")
+    )
+  }
+}
+
+private module GetMessageFlowSourceToHttpResponseSinkFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src instanceof GetMessageFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof InformationLeakSink }
+}
+
+private module GetMessageFlowSourceToHttpResponseSinkFlow =
+  TaintTracking::Global<GetMessageFlowSourceToHttpResponseSinkFlowConfig>;
+
+/**
+ * Holds if there is a call to `getMessage()` that then flows to a servlet response.
+ */
+predicate getMessageFlowsExternally(DataFlow::Node externalExpr, GetMessageFlowSource getMessage) {
+  GetMessageFlowSourceToHttpResponseSinkFlow::flow(getMessage, externalExpr)
+}
--- a/java/ql/lib/semmle/code/java/security/StackTraceExposureQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/StackTraceExposureQuery.qll
@@ -93,32 +93,3 @@ predicate stringifiedStackFlowsExternally(DataFlow::Node externalExpr, Expr stac
    StackTraceStringToHttpResponseSinkFlow::flow(DataFlow::exprNode(stackTraceString), externalExpr)
  )
 }
-
-/**
- * A get message source node.
- */
-private class GetMessageFlowSource extends ApiSourceNode {
-  GetMessageFlowSource() {
-    exists(Method method | this.asExpr().(MethodCall).getMethod() = method |
-      method.hasName("getMessage") and
-      method.hasNoParameters() and
-      method.getDeclaringType().hasQualifiedName("java.lang", "Throwable")
-    )
-  }
-}
-
-private module GetMessageFlowSourceToHttpResponseSinkFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node src) { src instanceof GetMessageFlowSource }
-
-  predicate isSink(DataFlow::Node sink) { sink instanceof InformationLeakSink }
-}
-
-private module GetMessageFlowSourceToHttpResponseSinkFlow =
-  TaintTracking::Global<GetMessageFlowSourceToHttpResponseSinkFlowConfig>;
-
-/**
- * Holds if there is a call to `getMessage()` that then flows to a servlet response.
- */
-predicate getMessageFlowsExternally(DataFlow::Node externalExpr, GetMessageFlowSource getMessage) {
-  GetMessageFlowSourceToHttpResponseSinkFlow::flow(getMessage, externalExpr)
-}