hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 18:55:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Nit: Fix qhelp and ql autoformat

Browse Source
This commit is contained in:
SpaceWhite
2020-03-12 20:35:01 +09:00
parent b7af1645aa
commit bb1ea94c54
2 changed files with 12 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
java/ql/src/experimental/CWE-643/XPathInjection.qhelp
View File

@@ -15,24 +15,24 @@ If user input must be included in an XPath expression, pre-compile the query and
references to include the user input.
</p>
<p>
XPath injection can also be prevented by using XQuery
XPath injection can also be prevented by using XQuery.
</p>
</recommendation>
<example>
<p>
In the first, second, and third example, the code accepts a user and password specified by the user, and uses this
In the first, second, and third example, the code accepts a name and password specified by the user, and uses this
unvalidated and unsanitized value in an XPath expression. This is vulnerable to the user providing
special characters or string sequences that change the meaning of the XPath expression to search
for different values.
</p>
<p>
In the forth example, the code utilizes setXPathVariableResolver which prevents XPath Injection
In the fourth example, the code utilizes setXPathVariableResolver which prevents XPath Injection.
</p>
<p>
The fifth example is dom4j xpath injection example
The fifth example is a dom4j XPath injection example
</p>
<sample src="XPathInjection.java" />
</example>

19
java/ql/src/experimental/CWE-643/XPathInjection.ql
View File

@@ -27,16 +27,13 @@ class XPathInjectionConfiguration extends TaintTracking::Configuration {
class XPathInjectionSink extends DataFlow::ExprNode {
XPathInjectionSink() {
exists(Method m, MethodAccess ma | ma.getMethod() = m |
(
m.getDeclaringType().hasQualifiedName("javax.xml.xpath", "XPath") and
(m.hasName("evaluate") or m.hasName("compile")) and
ma.getArgument(0) = this.getExpr()
) or
(
m.getDeclaringType().hasQualifiedName("org.dom4j", "Node") and
(m.hasName("selectNodes") or m.hasName("selectSingleNode")) and
ma.getArgument(0) = this.getExpr()
)
m.getDeclaringType().hasQualifiedName("javax.xml.xpath", "XPath") and
(m.hasName("evaluate") or m.hasName("compile")) and
ma.getArgument(0) = this.getExpr()
or
m.getDeclaringType().hasQualifiedName("org.dom4j", "Node") and
(m.hasName("selectNodes") or m.hasName("selectSingleNode")) and
ma.getArgument(0) = this.getExpr()
)
}
}
@@ -44,4 +41,4 @@ class XPathInjectionSink extends DataFlow::ExprNode {
from DataFlow::PathNode source, DataFlow::PathNode sink, XPathInjectionConfiguration c
where c.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "$@ flows to here and is used in an XPath expression.",
source.getNode(), "User-provided value"
source.getNode(), "User-provided value"