JsonpInjectionExpr updated to JsonpBuilderExpr

2026-02-11 12:41:06 +01:00 · 2021-04-10 10:33:21 +08:00
parent eeae91e620
commit d90527bead
1 changed files with 4 additions and 4 deletions
--- a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll
@@ -99,7 +99,7 @@ class SpringControllerRequestMappingGetMethod extends SpringControllerGetMethod

 /** A concatenate expression using `(` and `)` or `);`. */
 class JsonpBuilderExpr extends AddExpr {
-  JsonpInjectionExpr() {
+  JsonpBuilderExpr() {
    getRightOperand().toString().regexpMatch("\"\\);?\"") and
    getLeftOperand()
        .(AddExpr)
@@ -126,7 +126,7 @@ class RemoteFlowConfig extends DataFlow2::Configuration {
  override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }

  override predicate isSink(DataFlow::Node sink) {
-    exists(JsonpInjectionExpr jhe | jhe.getFunctionName() = sink.asExpr())
+    exists(JsonpBuilderExpr jhe | jhe.getFunctionName() = sink.asExpr())
  }
 }

@@ -137,7 +137,7 @@ class JsonDataFlowConfig extends DataFlow2::Configuration {
  override predicate isSource(DataFlow::Node src) { src instanceof JsonpStringSource }

  override predicate isSink(DataFlow::Node sink) {
-    exists(JsonpInjectionExpr jhe | jhe.getJsonExpr() = sink.asExpr())
+    exists(JsonpBuilderExpr jhe | jhe.getJsonExpr() = sink.asExpr())
  }
 }

@@ -146,7 +146,7 @@ class JsonpInjectionFlowConfig extends TaintTracking::Configuration {
  JsonpInjectionFlowConfig() { this = "JsonpInjectionFlowConfig" }

  override predicate isSource(DataFlow::Node src) {
-    exists(JsonpInjectionExpr jhe, JsonDataFlowConfig jdfc, RemoteFlowConfig rfc |
+    exists(JsonpBuilderExpr jhe, JsonDataFlowConfig jdfc, RemoteFlowConfig rfc |
      jhe = src.asExpr() and
      jdfc.hasFlowTo(DataFlow::exprNode(jhe.getJsonExpr())) and
      rfc.hasFlowTo(DataFlow::exprNode(jhe.getFunctionName()))