hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 02:05:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Java: Convert permissve-dot-regex-query to data extensions.

Browse Source
This commit is contained in:
Michael Nebel
2022-11-22 11:00:21 +01:00
parent 91840c613e
commit b96540c937
2 changed files with 14 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
java/ql/lib/ext/experimental/javax.servlet.http.model.yml
View File

@@ -4,3 +4,13 @@ extensions:
extensible: extExperimentalSourceModel
data:
- ["javax.servlet.http", "HttpServletRequest", True, "getServletPath", "", "", "ReturnValue", "remote", "manual", "unsafe-url-forward"]
- addsTo:
pack: codeql/java-all
extensible: extExperimentalSourceModel
data:
- ["javax.servlet.http", "HttpServletRequest", False, "getPathInfo", "()", "", "ReturnValue", "uri-path", "manual", "permissive-dot-regex-query"]
- ["javax.servlet.http", "HttpServletRequest", False, "getPathTranslated", "()", "", "ReturnValue", "uri-path", "manual", "permissive-dot-regex-query"]
- ["javax.servlet.http", "HttpServletRequest", False, "getRequestURI", "()", "", "ReturnValue", "uri-path", "manual", "permissive-dot-regex-query"]
- ["javax.servlet.http", "HttpServletRequest", False, "getRequestURL", "()", "", "ReturnValue", "uri-path", "manual", "permissive-dot-regex-query"]
- ["javax.servlet.http", "HttpServletRequest", False, "getServletPath", "()", "", "ReturnValue", "uri-path", "manual", "permissive-dot-regex-query"]

18
java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegexQuery.qll
View File

@@ -8,6 +8,10 @@ import semmle.code.java.controlflow.Guards
import semmle.code.java.security.UrlRedirect
import Regex
private class ActivateModels extends ActiveExperimentalModels {
ActivateModels() { this = "permissive-dot-regex-query" }
}
/** A string that ends with `.*` not prefixed with `\`. */
private class PermissiveDotStr extends StringLiteral {
PermissiveDotStr() {
@@ -19,20 +23,6 @@ private class PermissiveDotStr extends StringLiteral {
}
}
/** Remote flow sources obtained from the URI of a servlet request. */
private class GetServletUriSource extends SourceModelCsv {
override predicate row(string row) {
row =
[
"javax.servlet.http;HttpServletRequest;false;getPathInfo;();;ReturnValue;uri-path;manual",
"javax.servlet.http;HttpServletRequest;false;getPathTranslated;();;ReturnValue;uri-path;manual",
"javax.servlet.http;HttpServletRequest;false;getRequestURI;();;ReturnValue;uri-path;manual",
"javax.servlet.http;HttpServletRequest;false;getRequestURL;();;ReturnValue;uri-path;manual",
"javax.servlet.http;HttpServletRequest;false;getServletPath;();;ReturnValue;uri-path;manual"
]
}
}
/** The qualifier of a request dispatch method call. */
private class UrlDispatchSink extends UrlRedirectSink {
UrlDispatchSink() {