Add or change qldocs

This commit is contained in:
Remco Vermeulen
2020-08-17 11:40:08 +02:00
parent 8db5c4f2e2
commit 894b3f2cd4


@@ -1,3 +1,5 @@
/** Provides classes to reason about Cross-site scripting (XSS) vulnerabilities. */
import java
import semmle.code.java.frameworks.Servlets
import semmle.code.java.frameworks.android.WebView
@@ -6,12 +8,10 @@ import semmle.code.java.frameworks.spring.SpringHttp
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.TaintTracking2
/*
* Definitions for XSS sinks
*/
/** A sink that represent a method that outputs data without applying contextual output encoding. */
abstract class XssSink extends DataFlow::Node { }
/** A sanitizer that neutralizes dangerous characters that can be used to perform a XSS attack. */
abstract class XssSanitizer extends DataFlow::Node { }
/**
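Review bot: The new qldoc on `XssSink` has a subject–verb disagreement — `A sink that represent a method` should read `/** A sink that represents a method that outputs data without applying contextual output encoding. */`. The `XssSanitizer` doc in the same hunk uses `a XSS attack`; since the abbreviation is read letter by letter, the article should be `an`: `/** A sanitizer that neutralizes dangerous characters that can be used to perform an XSS attack. */`. The same agreement slip recurs in the `ServletWriterSource` doc in the final hunk (`methods that provides` → `methods that provide`), whose hunk continues past the end of this view.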
@@ -28,6 +28,7 @@ abstract class XssAdditionalTaintStep extends TaintTracking2::Unit {
abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
}
/** A default sink representing methods susceptible to XSS attacks. */
private class DefaultXssSink extends XssSink {
DefaultXssSink() {
exists(HttpServletResponseSendErrorMethod m, MethodAccess ma |
@@ -96,12 +97,14 @@ private class DefaultXssSink extends XssSink {
}
}
/** A default sanitizer that considers numeric and boolean typed data safe for writing to output. */
private class DefaultXSSSanitizer extends XssSanitizer {
DefaultXSSSanitizer() {
this.getType() instanceof NumericType or this.getType() instanceof BooleanType
}
}
/** A configuration that tracks data from a servlet writer to an output method. */
private class ServletWriterSourceToWritingMethodFlowConfig extends TaintTracking2::Configuration {
ServletWriterSourceToWritingMethodFlowConfig() {
this = "XSS::ServletWriterSourceToWritingMethodFlowConfig"
@@ -116,6 +119,7 @@ private class ServletWriterSourceToWritingMethodFlowConfig extends TaintTracking
}
}
/** A class representing methods that can be used to output data. */
private class WritingMethod extends Method {
WritingMethod() {
getDeclaringType().getASupertype*().hasQualifiedName("java.io", _) and
@@ -127,6 +131,7 @@ private class WritingMethod extends Method {
}
}
/** A class representing methods that provides access to an output stream or writer. */
class ServletWriterSource extends MethodAccess {
ServletWriterSource() {
this.getMethod() instanceof ServletResponseGetWriterMethod