hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-25 08:45:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Refactor XQueryInjection.ql

Browse Source
This commit is contained in:
Ed Minnix
2023-04-12 10:01:53 -04:00
parent e7cbd493d7
commit d528c8461f
1 changed files with 12 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.ql
View File

@@ -14,17 +14,15 @@
import java
import semmle.code.java.dataflow.FlowSources
import XQueryInjectionLib
import DataFlow::PathGraph
import XQueryInjectionFlow::PathGraph
/**
* A taint-tracking configuration tracing flow from remote sources, through an XQuery parser, to its eventual execution.
*/
class XQueryInjectionConfig extends TaintTracking::Configuration {
XQueryInjectionConfig() { this = "XQueryInjectionConfig" }
module XQueryInjectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) {
predicate isSink(DataFlow::Node sink) {
sink.asExpr() = any(XQueryPreparedExecuteCall xpec).getPreparedExpression() or
sink.asExpr() = any(XQueryExecuteCall xec).getExecuteQueryArgument() or
sink.asExpr() = any(XQueryExecuteCommandCall xecc).getExecuteCommandArgument()
@@ -33,12 +31,17 @@ class XQueryInjectionConfig extends TaintTracking::Configuration {
/**
* Holds if taint from the input `pred` to a `prepareExpression` call flows to the returned prepared expression `succ`.
*/
override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
exists(XQueryParserCall parser | pred.asExpr() = parser.getInput() and succ.asExpr() = parser)
}
}
from DataFlow::PathNode source, DataFlow::PathNode sink, XQueryInjectionConfig conf
where conf.hasFlowPath(source, sink)
/**
* Taint-tracking flow from remote sources, through an XQuery parser, to its eventual execution.
*/
module XQueryInjectionFlow = TaintTracking::Global<XQueryInjectionConfig>;
from XQueryInjectionFlow::PathNode source, XQueryInjectionFlow::PathNode sink
where XQueryInjectionFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "XQuery query might include code from $@.", source.getNode(),
"this user input"