diff --git a/java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md b/java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md
index 6b71ddc22a7..fbc8149ad20 100644
--- a/java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md
+++ b/java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md
@@ -3,4 +3,5 @@ category: minorAnalysis
 ---
 * Added the `TaintedPermissionQuery.qll` library to provide the `TaintedPermissionFlow` taint-tracking module to reason about tainted permission vulnerabilities.
 * Added the `XPathInjectionQuery.qll` library to provide the `XPathInjectionFlow` taint-tracking module to reason about XPath injection vulnerabilities.
-* Added the `SqlConcatenatedQuery.qll` library to provide the `UncontrolledStringBuilderSourceFlow` taint-tracking module to reason about SQL injection vulnerabilities caused by concatenating untrusted strings.
\ No newline at end of file
+* Added the `SqlConcatenatedQuery.qll` library to provide the `UncontrolledStringBuilderSourceFlow` taint-tracking module to reason about SQL injection vulnerabilities caused by concatenating untrusted strings.
+* Added the `XssLocalQuery.qll` library to provide the `XssLocalFlow` taint-tracking module to reason about XSS vulnerabilities caused by local data flow.
\ No newline at end of file
diff --git a/java/ql/lib/semmle/code/java/security/XssLocalQuery.qll b/java/ql/lib/semmle/code/java/security/XssLocalQuery.qll
new file mode 100644
index 00000000000..e8300ed99ac
--- /dev/null
+++ b/java/ql/lib/semmle/code/java/security/XssLocalQuery.qll
@@ -0,0 +1,20 @@
+/** Provides a taint-tracking configuration to reason about cross-site scripting from a local source. */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.security.XSS
+
+/**
+ * A taint-tracking configuration for reasoning about cross-site scripting vulnerabilities from a local source.
+ */
+module XssLocalConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
+}
+
+/**
+ * Taint-tracking flow for cross-site scripting vulnerabilities from a local source.
+ */
+module XssLocalFlow = TaintTracking::Global;
diff --git a/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql b/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql
index 90bd2dccc44..09a7849fd56 100644
--- a/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql
@@ -12,17 +12,7 @@
  */
 import java
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.XSS
-
-module XssLocalConfig implements DataFlow::ConfigSig {
- predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
-
- predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
-}
-
-module XssLocalFlow = TaintTracking::Global;
-
+import semmle.code.java.security.XssLocalQuery
 import XssLocalFlow::PathGraph
 
 from XssLocalFlow::PathNode source, XssLocalFlow::PathNode sink
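Review bot: The last added line of the new XssLocalQuery.qll hunk, `module XssLocalFlow = TaintTracking::Global;`, passes no configuration module, yet `TaintTracking::Global` is parameterized by a `DataFlow::ConfigSig` implementation and the file defines `XssLocalConfig` for exactly that purpose, so the intended line is presumably `module XssLocalFlow = TaintTracking::Global<XssLocalConfig>;`. The removed line in the XSSLocal.ql hunk shows the same form without the angle-bracket argument, which suggests the page dropped `<...>` text rather than the commit having a defect; worth confirming against the actual file before merging. Separately, the doc comment on `XssLocalConfig` could state what it matches so readers of the library need not open the predicates, e.g. ` * Sources are LocalUserInput nodes and sinks are XssSink nodes (from semmle.code.java.security.XSS).`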