From ba9f3e2a1ed79a91e0e97ed0e29bffe43028d22d Mon Sep 17 00:00:00 2001 From: Remco Vermeulen Date: Thu, 9 Jul 2020 14:08:43 +0200 Subject: [PATCH] Join ServletUrlRedirectSink with UrlRedirectSink --- .../CWE/CWE-601/ServletUrlRedirect.qll | 24 ------------------- .../src/Security/CWE/CWE-601/UrlRedirect.ql | 2 +- .../Security/CWE/CWE-601/UrlRedirectLocal.ql | 2 +- .../semmle/code/java/security/UrlRedirect.qll | 19 +++++++++++++++ 4 files changed, 21 insertions(+), 26 deletions(-) delete mode 100644 java/ql/src/Security/CWE/CWE-601/ServletUrlRedirect.qll diff --git a/java/ql/src/Security/CWE/CWE-601/ServletUrlRedirect.qll b/java/ql/src/Security/CWE/CWE-601/ServletUrlRedirect.qll deleted file mode 100644 index 82665daafb7..00000000000 --- a/java/ql/src/Security/CWE/CWE-601/ServletUrlRedirect.qll +++ /dev/null @@ -1,24 +0,0 @@ -import java -import semmle.code.java.frameworks.Servlets -import semmle.code.java.dataflow.DataFlow -import semmle.code.java.security.UrlRedirect - -/** - * A Servlet URL redirection sink. - */ -class ServletUrlRedirectSink extends UrlRedirectSink { - ServletUrlRedirectSink() { - exists(MethodAccess ma | - ma.getMethod() instanceof HttpServletResponseSendRedirectMethod and - this.asExpr() = ma.getArgument(0) - ) - or - exists(MethodAccess ma | - ma.getMethod() instanceof ResponseSetHeaderMethod or - ma.getMethod() instanceof ResponseAddHeaderMethod - | - ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() = "Location" and - this.asExpr() = ma.getArgument(1) - ) - } -} diff --git a/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql b/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql index 2430bc6066d..455f6add626 100644 --- a/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql +++ b/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql @@ -12,7 +12,7 @@ import java import semmle.code.java.dataflow.FlowSources -import ServletUrlRedirect +import semmle.code.java.security.UrlRedirect import DataFlow::PathGraph class UrlRedirectConfig extends TaintTracking::Configuration { diff --git a/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql b/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql index 1d2bda9bf8d..e060d15ab9f 100644 --- a/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql +++ b/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql @@ -12,7 +12,7 @@ import java import semmle.code.java.dataflow.FlowSources -import ServletUrlRedirect +import semmle.code.java.security.UrlRedirect import DataFlow::PathGraph class UrlRedirectLocalConfig extends TaintTracking::Configuration { diff --git a/java/ql/src/semmle/code/java/security/UrlRedirect.qll b/java/ql/src/semmle/code/java/security/UrlRedirect.qll index 3f801d312e7..9a1ce827296 100644 --- a/java/ql/src/semmle/code/java/security/UrlRedirect.qll +++ b/java/ql/src/semmle/code/java/security/UrlRedirect.qll @@ -1,5 +1,24 @@ import java import semmle.code.java.dataflow.DataFlow +import semmle.code.java.frameworks.Servlets /** A URL redirection sink */ abstract class UrlRedirectSink extends DataFlow::Node { } + +/** A Servlet URL redirection sink. */ +class ServletUrlRedirectSink extends UrlRedirectSink { + ServletUrlRedirectSink() { + exists(MethodAccess ma | + ma.getMethod() instanceof HttpServletResponseSendRedirectMethod and + this.asExpr() = ma.getArgument(0) + ) + or + exists(MethodAccess ma | + ma.getMethod() instanceof ResponseSetHeaderMethod or + ma.getMethod() instanceof ResponseAddHeaderMethod + | + ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() = "Location" and + this.asExpr() = ma.getArgument(1) + ) + } +}