Spring HTTP: mark explicitly content-typed body calls as sinks

Previously only the return from the request-handler method constituted a sink, and was filtered by the Produces annotation if any, even though a BodyBuilder could explicitly override.

These sinks are also marked as out-barriers to avoid duplicate paths when the Produces annotation is in agreement.
This commit is contained in:
Chris Smowton
2021-06-22 20:22:52 +01:00
parent 701d0bcdca
commit bdd135dbff
2 changed files with 31 additions and 5 deletions

@@ -75,7 +75,7 @@ public class SpringXSS {
@GetMapping(value = "/xyz", produces = MediaType.APPLICATION_JSON_VALUE)
public static ResponseEntity<String> methodContentTypeSafeOverriddenWithUnsafe(String userControlled) {
return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $MISSING: xss
return ResponseEntity.ok().contentType(MediaType.TEXT_HTML).body(userControlled); // $xss
}
@GetMapping(value = "/xyz", produces = MediaType.TEXT_HTML_VALUE)
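Review bot: The only change in this hunk is the expectation marker on the `body(userControlled)` line of `methodContentTypeSafeOverriddenWithUnsafe`, from `// $MISSING: xss` to `// $xss`, which records that an explicit `contentType(MediaType.TEXT_HTML)` on the `BodyBuilder` is now treated as overriding `produces = MediaType.APPLICATION_JSON_VALUE` on the `@GetMapping`; the converse case, a safe explicit content type overriding an unsafe `produces` value, is not visible in this hunk, so confirm a companion method asserts no result there to guard against a false positive now that the explicit body call is a sink in its own right. The method name is the only explanation of why the explicit content type wins over the annotation; a one-line comment on the test method stating that the `BodyBuilder` setting takes precedence would make the expectation self-documenting for future readers of this test file.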