From 50935899fa9dd9dfbfd178f58092841b12dd8ff6 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen
Date: Tue, 7 Mar 2023 13:33:00 +0100
Subject: [PATCH] Java: Refactor XSS.ql
---
 java/ql/src/Security/CWE/CWE-079/XSS.ql | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/java/ql/src/Security/CWE/CWE-079/XSS.ql b/java/ql/src/Security/CWE/CWE-079/XSS.ql
index fe071334c48..f2b0a65f9fe 100644
--- a/java/ql/src/Security/CWE/CWE-079/XSS.ql
+++ b/java/ql/src/Security/CWE/CWE-079/XSS.ql
@@ -14,25 +14,26 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.XSS
-import DataFlow::PathGraph
-class XssConfig extends TaintTracking::Configuration {
- XssConfig() { this = "XSSConfig" }
+module XssConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
- override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+ predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
- override predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
+ predicate isBarrier(DataFlow::Node node) { node instanceof XssSanitizer }
- override predicate isSanitizer(DataFlow::Node node) { node instanceof XssSanitizer }
+ predicate isBarrierOut(DataFlow::Node node) { node instanceof XssSinkBarrier }
- override predicate isSanitizerOut(DataFlow::Node node) { node instanceof XssSinkBarrier }
-
- override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+ predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
 any(XssAdditionalTaintStep s).step(node1, node2)
 }
 }
-from DataFlow::PathNode source, DataFlow::PathNode sink, XssConfig conf
-where conf.hasFlowPath(source, sink)
+module XssFlow = TaintTracking::Make;
+
+import XssFlow::PathGraph
+
+from XssFlow::PathNode source, XssFlow::PathNode sink
+where XssFlow::hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to a $@.", source.getNode(), "user-provided value"
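Review bot: The added line `+module XssFlow = TaintTracking::Make;` carries no configuration argument, so as printed it does not instantiate the parameterized taint-tracking module and the later `XssFlow::PathNode` and `XssFlow::hasFlowPath` references would have nothing to resolve against; it presumably read `module XssFlow = TaintTracking::Make<XssConfig>;` and the angle-bracketed argument was dropped by the page rendering, which is worth confirming against the committed file. The migrated `XssConfig` module also has no QLDoc, so a reader must look up `XssSanitizer` and `XssSinkBarrier` to learn which nodes stop flow and at which end; a comment above the module such as `/** Taint tracking from remote flow sources to XSS sinks; XssSanitizer nodes are barriers, XssSinkBarrier nodes are out-barriers. */` would make that explicit. The renames `isSanitizer` to `isBarrier`, `isSanitizerOut` to `isBarrierOut` and `isAdditionalTaintStep` to `isAdditionalFlowStep` keep the same node sets, so the reported flows should not change with this refactor.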