Getters called on parameters propagate taint

2026-05-03 12:45:27 +02:00 · 2021-05-03 17:43:33 +02:00
parent 4d5ec87de9
commit 745a6f6fb4
2 changed files with 4 additions and 1 deletions
--- a/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql
+++ b/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql
@@ -28,7 +28,7 @@ class JexlInjectionConfig extends TaintTracking::Configuration {
  override predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink }

  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-    any(JexlInjectionAdditionalTaintStep c).step(node1, node2) 
+    any(JexlInjectionAdditionalTaintStep c).step(node1, node2)
  }
 }

--- a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -14,6 +14,7 @@ private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.internal.DataFlowPrivate
 import semmle.code.java.dataflow.FlowSteps
 private import FlowSummaryImpl as FlowSummaryImpl
+private import semmle.code.java.frameworks.JaxWS

 /**
 * Holds if taint can flow from `src` to `sink` in zero or more
@@ -263,6 +264,8 @@ private predicate taintPreservingQualifierToMethod(Method m) {
  )
  or
  m.(TaintPreservingCallable).returnsTaintFrom(-1)
+  or
+  exists(JaxRsResourceMethod resourceMethod | m.(GetterMethod).getDeclaringType() = resourceMethod.getAParameter().getType())
 }

 private class StringReplaceMethod extends TaintPreservingCallable {