hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-04 05:05:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

Preserve taint on field-read-steps on entrypoint types

Browse Source
This commit is contained in:
Tony Torralba
2021-06-17 16:09:56 +02:00
parent 9363d64166
commit 5e80044f11
4 changed files with 86 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
View File

@@ -11,6 +11,7 @@ private import semmle.code.java.frameworks.spring.SpringController
private import semmle.code.java.frameworks.spring.SpringHttp
private import semmle.code.java.frameworks.Networking
private import semmle.code.java.dataflow.ExternalFlow
private import semmle.code.java.dataflow.FlowSources
private import semmle.code.java.dataflow.internal.DataFlowPrivate
import semmle.code.java.dataflow.FlowSteps
private import FlowSummaryImpl as FlowSummaryImpl
@@ -91,6 +92,8 @@ private module Cached {
)
or
FlowSummaryImpl::Private::Steps::summaryLocalStep(src, sink, false)
or
entrypointFieldStep(src, sink)
}
/**
@@ -591,3 +594,18 @@ private MethodAccess callReturningSameType(Expr ref) {
ref = result.getQualifier() and
result.getMethod().getReturnType() = ref.getType()
}
private SrcRefType entrypointType() {
result =
pragma[only_bind_out](any(RemoteFlowSource s | s instanceof DataFlow::ExplicitParameterNode))
.getType()
.(RefType)
.getASubtype*()
.getSourceDeclaration() or
result = entrypointType().getAField().getType().(RefType).getSourceDeclaration()
}
private predicate entrypointFieldStep(DataFlow::Node src, DataFlow::Node sink) {
src = DataFlow::getFieldQualifier(sink.asExpr().(FieldRead)) and
src.getType().(RefType).getSourceDeclaration() = entrypointType()
}