hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-27 01:35:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

Refactor JxBrowserWithoutCertValidation

Browse Source
This commit is contained in:
Ed Minnix
2023-04-12 13:07:26 -04:00
parent ccdd9bce33
commit a186b771ba
1 changed files with 8 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
View File

@@ -66,16 +66,14 @@ private class JxBrowserSafeLoadHandler extends RefType {
* Models flow from the source `new Browser()` to a sink `browser.setLoadHandler(loadHandler)` where `loadHandler`
* has been determined to be safe.
*/
private class JxBrowserFlowConfiguration extends DataFlow::Configuration {
JxBrowserFlowConfiguration() { this = "JxBrowserFlowConfiguration" }
override predicate isSource(DataFlow::Node src) {
private module JxBrowserFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node src) {
exists(ClassInstanceExpr newJxBrowser | newJxBrowser.getConstructedType() instanceof JxBrowser |
newJxBrowser = src.asExpr()
)
}
override predicate isSink(DataFlow::Node sink) {
predicate isSink(DataFlow::Node sink) {
exists(MethodAccess ma | ma.getMethod() instanceof JxBrowserSetLoadHandler |
ma.getArgument(0).getType() instanceof JxBrowserSafeLoadHandler and
ma.getQualifier() = sink.asExpr()
@@ -83,9 +81,11 @@ private class JxBrowserFlowConfiguration extends DataFlow::Configuration {
}
}
from JxBrowserFlowConfiguration cfg, DataFlow::Node src
private module JxBrowserFlow = DataFlow::Global<JxBrowserFlowConfig>;
from DataFlow::Node src
where
cfg.isSource(src) and
not cfg.hasFlow(src, _) and
JxBrowserFlowConfig::isSource(src) and
not JxBrowserFlow::flow(src, _) and
not isSafeJxBrowserVersion()
select src, "This JxBrowser instance may not check HTTPS certificates."