Remove CSV sinks; make imports private

Tony Torralba
2021-07-20 14:52:02 +02:00
parent 91f46624b6
commit 6bf1e87bbe
3 changed files with 10 additions and 21 deletions


@@ -12,6 +12,7 @@
import java
import semmle.code.java.security.SpelInjectionQuery
import semmle.code.java.dataflow.DataFlow
import DataFlow::PathGraph
from DataFlow::PathNode source, DataFlow::PathNode sink, SpelInjectionConfig conf


@@ -1,25 +1,13 @@
/** Provides classes to reason about SpEL injection attacks. */
import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.ExternalFlow
import semmle.code.java.frameworks.spring.SpringExpression
private import semmle.code.java.dataflow.DataFlow
private import semmle.code.java.dataflow.ExternalFlow
private import semmle.code.java.frameworks.spring.SpringExpression
/** A data flow sink for unvalidated user input that is used to construct SpEL expressions. */
abstract class SpelExpressionEvaluationSink extends DataFlow::ExprNode { }
private class SpelExpressionEvaluationModel extends SinkModelCsv {
override predicate row(string row) {
row =
[
"org.springframework.expression;Expression;true;getValue;;;Argument[-1];spel",
"org.springframework.expression;Expression;true;getValueTypeDescriptor;;;Argument[-1];spel",
"org.springframework.expression;Expression;true;getValueType;;;Argument[-1];spel",
"org.springframework.expression;Expression;true;setValue;;;Argument[-1];spel"
]
}
}
/**
* A unit class for adding additional taint steps.
*
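Review bot: Dropping `SpelExpressionEvaluationModel` removes four sink rows (`getValue`, `getValueTypeDescriptor`, `getValueType` and `setValue` on `org.springframework.expression.Expression`), each declared with the subtypes flag set to `true`, and nothing in this file replaces them. The replacement appears to be `ExpressionEvaluationMethod` in the query library, whose definition is not part of this diff. It is worth confirming that it matches the same four method names and also overriding methods in implementing classes; otherwise the query loses sinks with no compile-time signal. A test that calls each of the four methods on a tainted expression would pin this. The `+`/`-` markers are lost on this page, so which lines are removed is inferred from the commit title and the hunk header counts.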


@@ -1,10 +1,10 @@
/** Provides taint tracking and dataflow configurations to be used in SpEL injection queries. */
import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.frameworks.spring.SpringExpression
import semmle.code.java.security.SpelInjection
private import semmle.code.java.dataflow.FlowSources
private import semmle.code.java.dataflow.TaintTracking
private import semmle.code.java.frameworks.spring.SpringExpression
private import semmle.code.java.security.SpelInjection
/**
* A taint-tracking configuration for unsafe user input
@@ -26,8 +26,8 @@ class SpelInjectionConfig extends TaintTracking::Configuration {
private class DefaultSpelExpressionEvaluationSink extends SpelExpressionEvaluationSink {
DefaultSpelExpressionEvaluationSink() {
exists(MethodAccess ma |
sinkNode(this, "spel") and
this.asExpr() = ma.getQualifier() and
ma.getMethod() instanceof ExpressionEvaluationMethod and
ma.getQualifier() = this.asExpr() and
not exists(SafeEvaluationContextFlowConfig config |
config.hasFlowTo(DataFlow::exprNode(ma.getArgument(0)))
)
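Review bot: Once `sinkNode(this, "spel")` is gone from `DefaultSpelExpressionEvaluationSink`, nothing visible in this file reads the `spel` sink kind, so a model row of that kind contributed from another library would presumably no longer produce a sink for this query. The remaining extension point is subclassing `SpelExpressionEvaluationSink`, and the class should say so, for example `/** The qualifier of a call to an ExpressionEvaluationMethod, unless argument 0 flows from a safe evaluation context; add further sinks by extending SpelExpressionEvaluationSink. */`. The characteristic predicate continues past the end of this hunk, so the closing of the `not exists(...)` clause is not reviewed here.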