Add SensitiveGetQuery

Ed Minnix
2023-04-12 12:22:35 -04:00
parent 478309c90b
commit 5594e7f6d2


@@ -14,7 +14,7 @@ import java
import semmle.code.java.dataflow.FlowSources import semmle.code.java.dataflow.FlowSources
import semmle.code.java.dataflow.TaintTracking import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.security.SensitiveActions import semmle.code.java.security.SensitiveActions
import DataFlow::PathGraph import SensitiveGetQueryFlow::PathGraph
/** A variable that holds sensitive information judging by its name. */ /** A variable that holds sensitive information judging by its name. */
class SensitiveInfoExpr extends Expr { class SensitiveInfoExpr extends Expr {
@@ -59,22 +59,22 @@ class RequestGetParamSource extends DataFlow::ExprNode {
} }
/** A taint configuration tracking flow from the `ServletRequest` of a GET request handler to an expression whose name suggests it holds security-sensitive data. */ /** A taint configuration tracking flow from the `ServletRequest` of a GET request handler to an expression whose name suggests it holds security-sensitive data. */
class SensitiveGetQueryConfiguration extends TaintTracking::Configuration { module SensitiveGetQueryConfig implements DataFlow::ConfigSig {
SensitiveGetQueryConfiguration() { this = "SensitiveGetQueryConfiguration" } predicate isSource(DataFlow::Node source) { source instanceof RequestGetParamSource }
override predicate isSource(DataFlow::Node source) { source instanceof RequestGetParamSource } predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof SensitiveInfoExpr }
override predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof SensitiveInfoExpr }
/** Holds if the node is in a servlet method other than `doGet`. */ /** Holds if the node is in a servlet method other than `doGet`. */
override predicate isSanitizer(DataFlow::Node node) { predicate isBarrier(DataFlow::Node node) {
isServletRequestMethod(node.getEnclosingCallable()) and isServletRequestMethod(node.getEnclosingCallable()) and
not isGetServletMethod(node.getEnclosingCallable()) not isGetServletMethod(node.getEnclosingCallable())
} }
} }
from DataFlow::PathNode source, DataFlow::PathNode sink, SensitiveGetQueryConfiguration c module SensitiveGetQueryFlow = TaintTracking::Global<SensitiveGetQueryConfig>;
where c.hasFlowPath(source, sink)
from SensitiveGetQueryFlow::PathNode source, SensitiveGetQueryFlow::PathNode sink
where SensitiveGetQueryFlow::flowPath(source, sink)
select sink.getNode(), source, sink, select sink.getNode(), source, sink,
"$@ uses the GET request method to transmit sensitive information.", source.getNode(), "$@ uses the GET request method to transmit sensitive information.", source.getNode(),
"This request" "This request"