hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Convert request forgery barrier guard to MaD

Browse Source
This commit is contained in:
Owen Mansel-Chan
2025-12-09 15:45:19 +00:00
committed by Anders Schack-Mulligen
parent 5ab26e481b
commit 7e562f3150
2 changed files with 7 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
java/ql/lib/ext/java.net.model.yml
View File

@@ -34,6 +34,11 @@ extensions:
- ["java.net", "URLClassLoader", False, "URLClassLoader", "(URL[],ClassLoader)", "", "Argument[0]", "request-forgery", "manual"]
- ["java.net", "URLClassLoader", False, "URLClassLoader", "(URL[])", "", "Argument[0]", "request-forgery", "manual"]
- ["java.net", "PasswordAuthentication", False, "PasswordAuthentication", "(String,char[])", "", "Argument[0]", "credentials-username", "hq-generated"]
- addsTo:
pack: codeql/java-all
extensible: barrierGuardModel
data:
- ["java.net", "URI", True, "isAbsolute", "()", "", "Argument[this]", "false", "request-forgery", "manual"]
- addsTo:
pack: codeql/java-all
extensible: summaryModel

21
java/ql/lib/semmle/code/java/security/RequestForgery.qll
View File

@@ -118,25 +118,8 @@ private class ContainsUrlSanitizer extends RequestForgerySanitizer {
}
}
/**
* A check that the URL is relative, and therefore safe for URL redirects.
*/
private predicate isRelativeUrlSanitizer(Guard guard, Expr e, boolean branch) {
guard =
any(MethodCall call |
call.getMethod().hasQualifiedName("java.net", "URI", "isAbsolute") and
e = call.getQualifier() and
branch = false
)
}
/**
* A check that the URL is relative, and therefore safe for URL redirects.
*/
private class RelativeUrlSanitizer extends RequestForgerySanitizer {
RelativeUrlSanitizer() {
this = DataFlow::BarrierGuard<isRelativeUrlSanitizer/3>::getABarrierNode()
}
private class DefaultRequestForgerySanitizer extends RequestForgerySanitizer {
DefaultRequestForgerySanitizer() { barrierNode(this, "request-forgery") }
}
/**