diff --git a/java/ql/lib/ext/java.net.model.yml b/java/ql/lib/ext/java.net.model.yml
index 084fce7bbc4..e69db468a4a 100644
--- a/java/ql/lib/ext/java.net.model.yml
+++ b/java/ql/lib/ext/java.net.model.yml
@@ -34,6 +34,11 @@ extensions:
 - ["java.net", "URLClassLoader", False, "URLClassLoader", "(URL[],ClassLoader)", "", "Argument[0]", "request-forgery", "manual"]
 - ["java.net", "URLClassLoader", False, "URLClassLoader", "(URL[])", "", "Argument[0]", "request-forgery", "manual"]
 - ["java.net", "PasswordAuthentication", False, "PasswordAuthentication", "(String,char[])", "", "Argument[0]", "credentials-username", "hq-generated"]
+ - addsTo:
+ pack: codeql/java-all
+ extensible: barrierGuardModel
+ data:
+ - ["java.net", "URI", True, "isAbsolute", "()", "", "Argument[this]", "false", "request-forgery", "manual"]
 - addsTo:
 pack: codeql/java-all
 extensible: summaryModel
diff --git a/java/ql/lib/semmle/code/java/security/RequestForgery.qll b/java/ql/lib/semmle/code/java/security/RequestForgery.qll
index 9e3dec00357..690e4f9315b 100644
--- a/java/ql/lib/semmle/code/java/security/RequestForgery.qll
+++ b/java/ql/lib/semmle/code/java/security/RequestForgery.qll
@@ -118,25 +118,8 @@ private class ContainsUrlSanitizer extends RequestForgerySanitizer {
 }
 }
 
-/**
- * A check that the URL is relative, and therefore safe for URL redirects.
- */
-private predicate isRelativeUrlSanitizer(Guard guard, Expr e, boolean branch) {
- guard =
- any(MethodCall call |
- call.getMethod().hasQualifiedName("java.net", "URI", "isAbsolute") and
- e = call.getQualifier() and
- branch = false
- )
-}
-
-/**
- * A check that the URL is relative, and therefore safe for URL redirects.
- */
-private class RelativeUrlSanitizer extends RequestForgerySanitizer {
- RelativeUrlSanitizer() {
- this = DataFlow::BarrierGuard::getABarrierNode()
- }
+private class DefaultRequestForgerySanitizer extends RequestForgerySanitizer {
+ DefaultRequestForgerySanitizer() { barrierNode(this, "request-forgery") }
 }
 
 /**
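Review bot: The new `barrierGuardModel` row for `java.net.URI.isAbsolute()` in `java.net.model.yml` treats the `false` outcome as a barrier for every `request-forgery` flow, but `isAbsolute()` only reports whether a scheme is present, so a network-path reference (an authority but no scheme) also takes the `false` branch. Whether that produces a false negative depends on how the guarded value is later resolved, which is not visible here; I would record the assumption beside the row, e.g. `# barrier on !uri.isAbsolute(): assumes the value is resolved against a fixed base and carries no authority`. The row also sets the subtypes column to `True` where the neighbouring `java.net` rows use `False`; `URI` is a final class, so `False` would be the consistent choice. The `extensions:` list continues outside the hunk.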
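Review bot: `DefaultRequestForgerySanitizer` in `RequestForgery.qll` is added without a QLDoc comment, while the two declarations it replaces each carried one explaining why a relative-URL check counts as a sanitizer. I would add `/** A request-forgery sanitizer specified by a barrier model of kind "request-forgery". */` above the class, so a reader knows the `URI.isAbsolute()` guard now comes from the `barrierGuardModel` row in `java.net.model.yml` rather than from this file. Presumably `barrierNode` also covers barrier-guard models; if the commit does not already include a test with an `isAbsolute()` guard, one would confirm that the alert is still suppressed on the `false` branch.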