Add JaxWS XSS sink

Based on d44e4d0e63 by @lcartey
This commit is contained in:
Chris Smowton
2021-03-19 17:43:11 +00:00
committed by Owen Mansel-Chan
parent cc497bf213
commit 5f7165efbb
2 changed files with 15 additions and 7 deletions


@@ -257,15 +257,14 @@ class MessageBodyReaderRead extends Method {
/** An `@Produces` annotation that describes which MIME types can be produced by this resource. */
class JaxRSProducesAnnotation extends JaxRSAnnotation {
JaxRSProducesAnnotation() {
getType().hasQualifiedName("javax.ws.rs", "Produces")
}
JaxRSProducesAnnotation() { getType().hasQualifiedName("javax.ws.rs", "Produces") }
/**
* Gets a declared MIME type that can be produced by this resource.
*/
string getADeclaredMimeType() {
result = getAValue().(CompileTimeConstantExpr).getStringValue() or
result = getAValue().(CompileTimeConstantExpr).getStringValue()
or
exists(Field jaxMediaType |
// Accesses to static fields on `MediaType` class do not have constant strings in the database
// so convert the field name to a mime type string
@@ -279,7 +278,5 @@ class JaxRSProducesAnnotation extends JaxRSAnnotation {
/** An `@Consumes` annotation that describes MIME types can be consumed by this resource. */
class JaxRSConsumesAnnotation extends JaxRSAnnotation {
JaxRSConsumesAnnotation() {
getType().hasQualifiedName("javax.ws.rs", "Consumes")
}
JaxRSConsumesAnnotation() { getType().hasQualifiedName("javax.ws.rs", "Consumes") }
}


@@ -1,6 +1,7 @@
/** Provides classes to reason about Cross-site scripting (XSS) vulnerabilities. */
import java
import semmle.code.java.frameworks.JaxWS
import semmle.code.java.frameworks.Servlets
import semmle.code.java.frameworks.android.WebView
import semmle.code.java.frameworks.spring.SpringController
@@ -93,6 +94,16 @@ private class DefaultXssSink extends XssSink {
returnType instanceof RawClass
)
)
or
exists(JaxRsResourceMethod resourceMethod, ReturnStmt rs |
resourceMethod = any(JaxRsResourceClass resourceClass).getAResourceMethod() and
rs.getEnclosingCallable() = resourceMethod and
this.asExpr() = rs.getResult()
|
not exists(resourceMethod.getProducesAnnotation())
or
resourceMethod.getProducesAnnotation().getADeclaredMimeType() = "text/plain"
)
}
}
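Review bot: The `@Produces` branch just before the closing `)` of the new `exists` treats only `text/plain` as a vulnerable content type, so a resource method annotated `@Produces("text/html")` (or `MediaType.TEXT_HTML`) that returns tainted data — the most direct XSS case — is not a sink at all, while the unannotated method is; the covered set looks too narrow rather than deliberately scoped. Extend it to the browser-rendered types, e.g. `resourceMethod.getProducesAnnotation().getADeclaredMimeType() = "text/plain" or` followed by `resourceMethod.getProducesAnnotation().getADeclaredMimeType() = "text/html"`, or factor the accepted types into a small predicate so the list can grow without editing the sink body. The `text/plain` case also deserves a why-comment, since it is only reachable through content sniffing, e.g. `// text/plain is included because browsers may sniff it as HTML when X-Content-Type-Options: nosniff is absent`. Whether `getProducesAnnotation()` also returns a class-level `@Produces` is not visible here; if it does not, methods inheriting `text/html` from their class are missed in the same way. The enclosing `DefaultXssSink` constructor starts before the hunk.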