hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 10:46:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

Always bind arguments in TaintPropagatingCall

Browse Source
This commit is contained in:
Artem Smotrakov
2021-04-07 21:12:21 +03:00
parent c13ee0859a
commit a764a79090
2 changed files with 11 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
View File

@@ -56,15 +56,17 @@ private class TaintPropagatingCall extends Call {
TaintPropagatingCall() {
taintFromExpr = this.getArgument(1) and
exists(Method m | this.(MethodAccess).getMethod() = m |
m.getDeclaringType() instanceof ExpressionFactory and
m.hasName(["createValueExpression", "createMethodExpression"]) and
taintFromExpr.getType() instanceof TypeString
)
or
exists(Constructor c | this.(ConstructorCall).getConstructor() = c |
c.getDeclaringType() instanceof LambdaExpression and
taintFromExpr.getType() instanceof ValueExpression
(
exists(Method m | this.(MethodAccess).getMethod() = m |
m.getDeclaringType() instanceof ExpressionFactory and
m.hasName(["createValueExpression", "createMethodExpression"]) and
taintFromExpr.getType() instanceof TypeString
)
or
exists(Constructor c | this.(ConstructorCall).getConstructor() = c |
c.getDeclaringType() instanceof LambdaExpression and
taintFromExpr.getType() instanceof ValueExpression
)
)
}