Convert request forgery barrier guard to MaD

2025-12-16 16:53:25 +01:00 · 2025-12-09 15:45:19 +00:00
parent 5ab26e481b
commit 7e562f3150
2 changed files with 7 additions and 19 deletions
--- a/java/ql/lib/ext/java.net.model.yml
+++ b/java/ql/lib/ext/java.net.model.yml
@@ -34,6 +34,11 @@ extensions:
      - ["java.net", "URLClassLoader", False, "URLClassLoader", "(URL[],ClassLoader)", "", "Argument[0]", "request-forgery", "manual"]
      - ["java.net", "URLClassLoader", False, "URLClassLoader", "(URL[])", "", "Argument[0]", "request-forgery", "manual"]
      - ["java.net", "PasswordAuthentication", False, "PasswordAuthentication", "(String,char[])", "", "Argument[0]", "credentials-username", "hq-generated"]
  - addsTo:
      pack: codeql/java-all
      extensible: barrierGuardModel
    data:
      - ["java.net", "URI", True, "isAbsolute", "()", "", "Argument[this]", "false", "request-forgery", "manual"]
  - addsTo:
      pack: codeql/java-all
      extensible: summaryModel
--- a/java/ql/lib/semmle/code/java/security/RequestForgery.qll
+++ b/java/ql/lib/semmle/code/java/security/RequestForgery.qll
@@ -118,25 +118,8 @@ private class ContainsUrlSanitizer extends RequestForgerySanitizer {
  }
 }
-/**
+private class DefaultRequestForgerySanitizer extends RequestForgerySanitizer {
- * A check that the URL is relative, and therefore safe for URL redirects.
+  DefaultRequestForgerySanitizer() { barrierNode(this, "request-forgery") }
 */
 private predicate isRelativeUrlSanitizer(Guard guard, Expr e, boolean branch) {
  guard =
    any(MethodCall call |
      call.getMethod().hasQualifiedName("java.net", "URI", "isAbsolute") and
      e = call.getQualifier() and
      branch = false
    )
 }
 /**
 * A check that the URL is relative, and therefore safe for URL redirects.
 */
 private class RelativeUrlSanitizer extends RequestForgerySanitizer {
  RelativeUrlSanitizer() {
    this = DataFlow::BarrierGuard<isRelativeUrlSanitizer/3>::getABarrierNode()
  }
 }
 /**