Refactor Security.CWE.CWE-094.InsecureBeanValidation

Ed Minnix
2023-03-15 13:33:01 -04:00
parent 7aecefc4aa
commit ac223ea57f


@@ -13,7 +13,6 @@
import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.FlowSources
import DataFlow::PathGraph
private import semmle.code.java.dataflow.ExternalFlow
/**
@@ -56,14 +55,16 @@ class SetMessageInterpolatorCall extends MethodAccess {
* Taint tracking BeanValidationConfiguration describing the flow of data from user input
* to the argument of a method that builds constraint error messages.
*/
class BeanValidationConfig extends TaintTracking::Configuration {
BeanValidationConfig() { this = "BeanValidationConfig" }
private module BeanValidationConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) { sink instanceof BeanValidationSink }
predicate isSink(DataFlow::Node sink) { sink instanceof BeanValidationSink }
}
module BeanValidationFlow = TaintTracking::Make<BeanValidationConfig>;
import BeanValidationFlow::PathGraph
/**
* A bean validation sink, such as method `buildConstraintViolationWithTemplate`
* declared on a subtype of `javax.validation.ConstraintValidatorContext`.
@@ -72,13 +73,13 @@ private class BeanValidationSink extends DataFlow::Node {
BeanValidationSink() { sinkNode(this, "bean-validation") }
}
from BeanValidationConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
from BeanValidationFlow::PathNode source, BeanValidationFlow::PathNode sink
where
(
not exists(SetMessageInterpolatorCall c)
or
exists(SetMessageInterpolatorCall c | not c.isSafe())
) and
cfg.hasFlowPath(source, sink)
BeanValidationFlow::hasFlowPath(source, sink)
select sink.getNode(), source, sink, "Custom constraint error message contains an unsanitized $@.",
source, "user-provided value"
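Review bot: The interpolator guard in the `where` clause is evaluated over the whole database rather than per flow path, because `not exists(SetMessageInterpolatorCall c) or exists(SetMessageInterpolatorCall c | not c.isSafe())` never relates `c` to `source` or `sink`. Assuming `isSafe()` (defined outside this hunk) marks a call that installs a non-interpolating message interpolator, one such call anywhere in the codebase, with no unsafe call beside it, suppresses every result, including paths through validators that were presumably never configured that way. The refactor preserves this behaviour, so it should at least be recorded above the `from` clause, e.g. `// NOTE: interpolator check is database-wide, not per path; a single safe setMessageInterpolator call with no unsafe ones hides all results.` Separately, the QLDoc kept above the new module still reads "Taint tracking BeanValidationConfiguration" and could be reworded for a `DataFlow::ConfigSig` module, and `BeanValidationFlow` has no QLDoc of its own.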