Standardize the query and update qldoc

2026-05-03 04:39:29 +02:00 · 2022-04-27 22:17:17 +00:00
parent e99cee4913
commit 590b9d8519
6 changed files with 17 additions and 13 deletions
--- a/java/ql/lib/semmle/code/java/frameworks/Servlets.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/Servlets.qll
@@ -381,7 +381,7 @@ class RequestDispatchMethod extends Method {
 /**
 * The interface `javax.servlet.ServletContext`.
 */
-library class ServletContext extends RefType {
+class ServletContext extends RefType {
  ServletContext() { this.hasQualifiedName("javax.servlet", "ServletContext") }
 }

--- a/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeResourceGet.java
+++ b/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeResourceGet.java
@@ -1,5 +1,5 @@
 // BAD: no URI validation
-URL url = servletContext.getResource(requestUrl);
+URL url = request.getServletContext().getResource(requestUrl);
 url = getClass().getResource(requestUrl);
 InputStream in = url.openStream();

@@ -13,4 +13,6 @@ if (!requestPath.contains("..") && requestPath.startsWith("/trusted")) {
 }

 Path path = Paths.get(requestUrl).normalize().toRealPath();
-URL url = sc.getResource(path.toString());
+if (path.startsWith("/trusted")) {
+	URL url = request.getServletContext().getResource(path.toString());
+}
--- a/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qhelp
+++ b/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qhelp
@@ -54,8 +54,8 @@ file exposure attacks. It also shows how to remedy the problem by validating the
 <li>Micro Focus:
  <a href="https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.file_disclosure_j2ee">File Disclosure: J2EE</a>
 </li>
-<li>
-  <a href="https://vuldb.com/?id.81084">Apache Tomcat 6.0/7.0/8.0/9.0 Servletcontext Getresource/getresourceasstream/getresourcepaths Path Traversal</a>
+<li>CVE-2015-5174:
+  <a href="https://vuldb.com/?id.81084">Apache Tomcat 6.0/7.0/8.0/9.0 Servletcontext getResource/getResourceAsStream/getResourcePaths Path Traversal</a>
 </li>
 </references>
 </qhelp>
--- a/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.ql
@@ -14,6 +14,7 @@ import java
 import UnsafeUrlForward
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.dataflow.TaintTracking
+import experimental.semmle.code.java.frameworks.Jsf
 import experimental.semmle.code.java.PathSanitizer
 import DataFlow::PathGraph

--- a/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qll
@@ -3,6 +3,7 @@ private import experimental.semmle.code.java.frameworks.Jsf
 private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.dataflow.StringPrefixes
+private import semmle.code.java.frameworks.javaee.ejb.EJBRestrictions

 /** A sink for unsafe URL forward vulnerabilities. */
 abstract class UnsafeUrlForwardSink extends DataFlow::Node { }
@@ -23,7 +24,7 @@ private class RequestDispatcherSink extends UnsafeUrlForwardSink {
 /** The `getResource` method of `Class`. */
 class GetClassResourceMethod extends Method {
  GetClassResourceMethod() {
-    this.getSourceDeclaration().getDeclaringType().hasQualifiedName("java.lang", "Class") and
+    this.getDeclaringType() instanceof TypeClass and
    this.hasName("getResource")
  }
 }
@@ -31,7 +32,7 @@ class GetClassResourceMethod extends Method {
 /** The `getResourceAsStream` method of `Class`. */
 class GetClassResourceAsStreamMethod extends Method {
  GetClassResourceAsStreamMethod() {
-    this.getSourceDeclaration().getDeclaringType().hasQualifiedName("java.lang", "Class") and
+    this.getDeclaringType() instanceof TypeClass and
    this.hasName("getResourceAsStream")
  }
 }
@@ -39,7 +40,7 @@ class GetClassResourceAsStreamMethod extends Method {
 /** The `getResource` method of `ClassLoader`. */
 class GetClassLoaderResourceMethod extends Method {
  GetClassLoaderResourceMethod() {
-    this.getDeclaringType().hasQualifiedName("java.lang", "ClassLoader") and
+    this.getDeclaringType() instanceof ClassLoaderClass and
    this.hasName("getResource")
  }
 }
@@ -47,7 +48,7 @@ class GetClassLoaderResourceMethod extends Method {
 /** The `getResourceAsStream` method of `ClassLoader`. */
 class GetClassLoaderResourceAsStreamMethod extends Method {
  GetClassLoaderResourceAsStreamMethod() {
-    this.getDeclaringType().hasQualifiedName("java.lang", "ClassLoader") and
+    this.getDeclaringType() instanceof ClassLoaderClass and
    this.hasName("getResourceAsStream")
  }
 }
@@ -73,8 +74,8 @@ class VirtualFile extends RefType {
 }

 /** The JBoss method `getChild` of `FileResourceManager`. */
-class GetVirtualFileMethod extends Method {
-  GetVirtualFileMethod() {
+class GetVirtualFileChildMethod extends Method {
+  GetVirtualFileChildMethod() {
    this.getDeclaringType().getASupertype*() instanceof VirtualFile and
    this.hasName("getChild")
  }
@@ -91,7 +92,7 @@ private class GetResourceSink extends UnsafeUrlForwardSink {
        ma.getMethod() instanceof GetFacesResourceAsStreamMethod or
        ma.getMethod() instanceof GetClassResourceAsStreamMethod or
        ma.getMethod() instanceof GetClassLoaderResourceAsStreamMethod or
-        ma.getMethod() instanceof GetVirtualFileMethod
+        ma.getMethod() instanceof GetVirtualFileChildMethod
      ) and
      ma.getArgument(0) = this.asExpr()
    )
--- a/java/ql/src/experimental/semmle/code/java/frameworks/Jsf.qll
+++ b/java/ql/src/experimental/semmle/code/java/frameworks/Jsf.qll
@@ -5,7 +5,7 @@
 import semmle.code.java.Type

 /**
- * The JSF class `FacesContext` for processing HTTP requests.
+ * The JSF class `ExternalContext` for processing HTTP requests.
 */
 class ExternalContext extends RefType {
  ExternalContext() {