hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 19:26:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add XssLocalQuery

Browse Source
This commit is contained in:
Ed Minnix
2023-04-03 16:44:42 -04:00
parent c2b6a3f4e0
commit cc22a7d4b4
3 changed files with 23 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md
View File

@@ -3,4 +3,5 @@ category: minorAnalysis
---
* Added the `TaintedPermissionQuery.qll` library to provide the `TaintedPermissionFlow` taint-tracking module to reason about tainted permission vulnerabilities.
* Added the `XPathInjectionQuery.qll` library to provide the `XPathInjectionFlow` taint-tracking module to reason about XPath injection vulnerabilities.
* Added the `SqlConcatenatedQuery.qll` library to provide the `UncontrolledStringBuilderSourceFlow` taint-tracking module to reason about SQL injection vulnerabilities caused by concatenating untrusted strings.
* Added the `SqlConcatenatedQuery.qll` library to provide the `UncontrolledStringBuilderSourceFlow` taint-tracking module to reason about SQL injection vulnerabilities caused by concatenating untrusted strings.
* Added the `XssLocalQuery.qll` library to provide the `XssLocalFlow` taint-tracking module to reason about XSS vulnerabilities caused by local data flow.

20
java/ql/lib/semmle/code/java/security/XssLocalQuery.qll Normal file
View File

@@ -0,0 +1,20 @@
/** Provides a taint-tracking configuration to reason about cross-site scripting from a local source. */
import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.security.XSS
/**
* A taint-tracking configuration for reasoning about cross-site scripting vulnerabilities from a local source.
*/
module XssLocalConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
}
/**
* Taint-tracking flow for cross-site scripting vulnerabilities from a local source.
*/
module XssLocalFlow = TaintTracking::Global<XssLocalConfig>;

12
java/ql/src/Security/CWE/CWE-079/XSSLocal.ql
View File

@@ -12,17 +12,7 @@
*/
import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.XSS
module XssLocalConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
}
module XssLocalFlow = TaintTracking::Global<XssLocalConfig>;
import semmle.code.java.security.XssLocalQuery
import XssLocalFlow::PathGraph
from XssLocalFlow::PathNode source, XssLocalFlow::PathNode sink