hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-25 16:55:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Added ESAPI sanitizer

Browse Source
This commit is contained in:
Ed Minnix
2023-07-25 11:58:36 -04:00
parent 97d6e82869
commit 55fae2daaa
3 changed files with 86 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
java/ql/test/query-tests/security/CWE-501/TrustBoundaryViolations.java
View File

@@ -2,11 +2,34 @@ import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.owasp.esapi.Validator;
public class TrustBoundaryViolations extends HttpServlet {
Validator validator;
public void doGet(HttpServletRequest request, HttpServletResponse response) {
String input = request.getParameter("input");
// BAD: The input is written to the response without being sanitized.
request.getSession().setAttribute("input", input); // $ hasTaintFlow
String input2 = request.getParameter("input2");
try {
String sanitized = validator.getValidInput("HTTP parameter", input2, "HTTPParameterValue", 100, false);
// GOOD: The input is sanitized before being written to the response.
request.getSession().setAttribute("input2", sanitized);
} catch (Exception e) {
}
try {
String input3 = request.getParameter("input3");
if (validator.isValidInput("HTTP parameter", input3, "HTTPParameterValue", 100, false)) {
// GOOD: The input is sanitized before being written to the response.
request.getSession().setAttribute("input3", input3);
}
} catch (Exception e) {
}
}
}