Merge pull request #6393 from luchua-bc/java/xss-jsf

Java: CWE-079 Query to detect XSS with JavaServer Faces (JSF)
2026-06-18 19:31:11 +02:00 · 2021-09-14 15:15:56 +01:00
parent 26eafcb55a a1ad1ddc10
commit 6cff0d0376
15 changed files with 2203 additions and 10 deletions
--- a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
+++ b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
@@ -36,7 +36,9 @@ class ServletWriterSourceToPrintStackTraceMethodFlowConfig extends TaintTracking
    this = "StackTraceExposure::ServletWriterSourceToPrintStackTraceMethodFlowConfig"
  }

-  override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof ServletWriterSource }
+  override predicate isSource(DataFlow::Node src) {
+    src.asExpr() instanceof XssVulnerableWriterSource
+  }

  override predicate isSink(DataFlow::Node sink) {
    exists(MethodAccess ma |