Removed LocalUserInput in JexlInjectionLib.ql

2026-04-30 11:15:13 +02:00 · 2021-01-29 12:38:51 +01:00
parent 8d701e604a
commit 59f48ecea3
1 changed files with 1 additions and 2 deletions
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll
@@ -12,8 +12,7 @@ class JexlInjectionConfig extends TaintTracking::Configuration {

  override predicate isSource(DataFlow::Node source) {
    source instanceof TaintedSpringRequestBody or
-    source instanceof RemoteFlowSource or
-    source instanceof LocalUserInput
+    source instanceof RemoteFlowSource
  }

  override predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink }