Java: some updates to test cases

2026-04-18 05:24:01 +02:00 · 2024-03-10 14:42:46 -04:00
parent d9772c1880
commit d220b3a298
3 changed files with 88 additions and 99 deletions
--- a/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
+++ b/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
@@ -64,7 +64,10 @@ private predicate exactPathMatchGuard(Guard g, Expr e, boolean branch) {
  )
 }

-// TODO: switch back to private if possible
+/**
+ * A sanitizer that protects against path injection vulnerabilities
+ * by checking for a matching path.
+ */
 class ExactPathMatchSanitizer extends PathInjectionSanitizer {
  ExactPathMatchSanitizer() {
    this = DataFlow::BarrierGuard<exactPathMatchGuard/3>::getABarrierNode()
@@ -152,8 +155,7 @@ private class DotDotCheckSanitizer extends PathInjectionSanitizer {
  }
 }

-// TODO: switch back to private if possible
-class BlockListGuard extends PathGuard instanceof MethodCall {
+private class BlockListGuard extends PathGuard instanceof MethodCall {
  BlockListGuard() {
    (isStringPartialMatch(this) or isPathPrefixMatch(this)) and
    isDisallowedWord(super.getAnArgument())
@@ -230,7 +232,6 @@ private predicate isStringPartialMatch(MethodCall ma) {
  exists(RefType t | t = ma.getMethod().getDeclaringType() |
    t instanceof TypeString or t instanceof StringsKt
  ) and
-  // TODO ! Why not use `StringPartialMatchMethod` for the below?
  getSourceMethod(ma.getMethod())
      .hasName(["contains", "matches", "regionMatches", "indexOf", "lastIndexOf"])
 }
--- a/java/ql/lib/semmle/code/java/security/UrlForward.qll
+++ b/java/ql/lib/semmle/code/java/security/UrlForward.qll
@@ -50,23 +50,20 @@ private class FollowsBarrierPrefix extends UrlForwardBarrier {
 private class BarrierPrefix extends InterestingPrefix {
  BarrierPrefix() {
    not this.getStringValue().matches("/WEB-INF/%") and
-    not this.getStringValue() = "forward:"
+    not this instanceof ForwardPrefix
  }

  override int getOffset() { result = 0 }
 }

-private class UrlPathBarrier extends UrlForwardBarrier {
+private class UrlPathBarrier extends UrlForwardBarrier instanceof PathInjectionSanitizer {
  UrlPathBarrier() {
-    this instanceof PathInjectionSanitizer and
-    (
-      this instanceof ExactPathMatchSanitizer //TODO: still need a better solution for this edge case...
-      or
-      // TODO: these don't enforce order of checks and PathSanitization... make bypass test cases.
-      this instanceof NoEncodingBarrier
-      or
-      this instanceof FullyDecodesBarrier
-    )
+    this instanceof ExactPathMatchSanitizer //TODO: still need a better solution for this edge case...
+    or
+    // TODO: these don't enforce order of checks and PathSanitization... make bypass test cases.
+    this instanceof NoEncodingBarrier
+    or
+    this instanceof FullyDecodesBarrier
  }
 }