Renaming in java/ql/src/experimental/Security/CWE/CWE-094

Artem Smotrakov
2021-04-12 21:40:49 +03:00
parent b39a3ab12c
commit b96b665262
4 changed files with 8 additions and 8 deletions


@@ -5,7 +5,7 @@ import semmle.code.java.dataflow.FlowSources
* Holds if `fromNode` to `toNode` is a dataflow step that returns data from
* a bean by calling one of its getters.
*/
predicate returnsDataFromBean(DataFlow::Node fromNode, DataFlow::Node toNode) {
predicate hasGetterFlow(DataFlow::Node fromNode, DataFlow::Node toNode) {
exists(MethodAccess ma, Method m | ma.getMethod() = m |
m instanceof GetterMethod and
ma.getQualifier() = fromNode.asExpr() and


@@ -29,14 +29,14 @@ with sandboxing capabilities such as Apache Commons JEXL or the Spring Expressio
The following example shows how untrusted data is used to build and run an expression
using the JUEL interpreter:
</p>
<sample src="UnsafeExpressionEvaluationWithJUEL.java" />
<sample src="UnsafeExpressionEvaluationWithJuel.java" />
<p>
JUEL does not support to run expressions in a sandbox. To prevent running arbitrary code,
JUEL does not support running expressions in a sandbox. To prevent running arbitrary code,
incoming data has to be checked before including it in an expression. The next example
uses a Regex pattern to check whether a user tries to run an allowed expression or not:
</p>
<sample src="SaferExpressionEvaluationWithJUEL.java" />
<sample src="SaferExpressionEvaluationWithJuel.java" />
</example>


@@ -1,5 +1,5 @@
import java
import InjectionLib
import FlowUtils
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.dataflow.TaintTracking
@@ -16,7 +16,7 @@ class JakartaExpressionInjectionConfig extends TaintTracking::Configuration {
override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
any(TaintPropagatingCall c).taintFlow(fromNode, toNode) or
returnsDataFromBean(fromNode, toNode)
hasGetterFlow(fromNode, toNode)
}
}


@@ -1,5 +1,5 @@
import java
import InjectionLib
import FlowUtils
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.dataflow.TaintTracking
@@ -17,7 +17,7 @@ class JexlInjectionConfig extends TaintTracking::Configuration {
override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
any(TaintPropagatingJexlMethodCall c).taintFlow(fromNode, toNode) or
returnsDataFromBean(fromNode, toNode)
hasGetterFlow(fromNode, toNode)
}
}