hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-02 05:43:54 +01:00
Code Issues Packages Projects Releases Wiki Activity

Java: Prune PathGraph for CsrfUnprotectedRequestType.ql

Browse Source
This commit is contained in:
Anders Schack-Mulligen
2025-07-17 15:06:38 +02:00
parent 1485d7072d
commit 996de78a66
2 changed files with 25 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
java/ql/lib/semmle/code/java/security/CsrfUnprotectedRequestTypeQuery.qll
View File

@@ -237,12 +237,35 @@ private predicate sink(CallPathNode sinkMethodCall) {
)
}
private predicate fwdFlow(CallPathNode n) {
source(n)
or
exists(CallPathNode mid | fwdFlow(mid) and CallGraph::edges(mid, n))
}
private predicate revFlow(CallPathNode n) {
fwdFlow(n) and
(
sink(n)
or
exists(CallPathNode mid | revFlow(mid) and CallGraph::edges(n, mid))
)
}
/**
* Holds if `pred` has a successor node `succ` and this edge is in an
* `unprotectedStateChange` path.
*/
predicate relevantEdge(CallPathNode pred, CallPathNode succ) {
CallGraph::edges(pred, succ) and revFlow(pred) and revFlow(succ)
}
/**
* Holds if `sourceMethod` is an unprotected request handler that reaches a
* `sinkMethodCall` that updates a database.
*/
private predicate unprotectedDatabaseUpdate(CallPathNode sourceMethod, CallPathNode sinkMethodCall) =
doublyBoundedFastTC(CallGraph::edges/2, source/1, sink/1)(sourceMethod, sinkMethodCall)
doublyBoundedFastTC(relevantEdge/2, source/1, sink/1)(sourceMethod, sinkMethodCall)
/**
* Holds if `sourceMethod` is an unprotected request handler that appears to