hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

Java: Treat x.matches(regexp) as a sanitizer for request forgery

Browse Source
This commit is contained in:
Tom Hvitved
2025-10-24 09:06:57 +02:00
parent c84cec9d29
commit 7a9cb64e2e
2 changed files with 43 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
java/ql/lib/semmle/code/java/security/RequestForgery.qll
View File

@@ -164,3 +164,24 @@ private class HostComparisonSanitizer extends RequestForgerySanitizer {
this = DataFlow::BarrierGuard<isHostComparisonSanitizer/3>::getABarrierNode() this = DataFlow::BarrierGuard<isHostComparisonSanitizer/3>::getABarrierNode()
} }
} }
/**
* A qualifier in a call to a `.matches()` method that is a sanitizer for URL redirects.
*
* Matches any method call where the method is named `matches`.
*/
private predicate isMatchesSanitizer(Guard guard, Expr e, boolean branch) {
guard =
any(MethodCall method |
method.getMethod().getName() = "matches" and
e = method.getQualifier() and
branch = true
)
}
/**
* A qualifier in a call to `.matches()` that is a sanitizer for URL redirects.
*/
private class MatchesSanitizer extends RequestForgerySanitizer {
MatchesSanitizer() { this = DataFlow::BarrierGuard<isMatchesSanitizer/3>::getABarrierNode() }
}

22
java/ql/test/query-tests/security/CWE-918/SanitizationTests.java
View File

@@ -119,8 +119,30 @@ public class SanitizationTests extends HttpServlet {
String unsafeUri10 = String.format("%s://%s:%s%s", "http", "myserver.com", "80", request.getParameter("baduri10")); // $ Source String unsafeUri10 = String.format("%s://%s:%s%s", "http", "myserver.com", "80", request.getParameter("baduri10")); // $ Source
HttpRequest unsafer10 = HttpRequest.newBuilder(new URI(unsafeUri10)).build(); // $ Alert HttpRequest unsafer10 = HttpRequest.newBuilder(new URI(unsafeUri10)).build(); // $ Alert
client.send(unsafer10, null); // $ Alert client.send(unsafer10, null); // $ Alert
// GOOD: sanitisation by regexp validation
String safeUri10 = "https://example.com/";
String param10 = request.getParameter("uri10");
if (param10.matches("[a-zA-Z0-9/_-]+")) {
safeUri10 = safeUri10 + param10;
}
HttpRequest r10 = HttpRequest.newBuilder(new URI(safeUri10)).build();
client.send(r10, null);
String param11 = request.getParameter("uri11");
validate(param11);
String safeUri11 = "https://example.com/" + param11;
HttpRequest r11 = HttpRequest.newBuilder(new URI(safeUri11)).build();
client.send(r11, null);
} catch (Exception e) { } catch (Exception e) {
// TODO: handle exception // TODO: handle exception
} }
} }
private void validate(String s) {
if (!s.matches("[a-zA-Z0-9/_-]+")) {
throw new IllegalArgumentException("Invalid ID");
}
}
} }