hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 02:35:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add taint step for setExpression

Browse Source
This commit is contained in:
Tony Torralba
2021-05-13 13:15:51 +02:00
parent 09b40601a7
commit db732918af
2 changed files with 37 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
java/ql/test/query-tests/security/CWE-917/OgnlInjection.java
View File

@@ -56,6 +56,18 @@ public class OgnlInjection {
Ognl.getValue(accessor, null, new Object()); // $hasOgnlInjection
Ognl.setValue(accessor, null, new Object()); // $hasOgnlInjection
}
@RequestMapping
public void testExpressionAccessorSetExpression(@RequestParam String expr) throws Exception {
Node tree = Ognl.compileExpression(null, new Object(), "\"some safe expression\".toString()");
ExpressionAccessor accessor = tree.getAccessor();
Node taintedTree = Ognl.compileExpression(null, new Object(), expr);
accessor.setExpression(taintedTree);
accessor.get(null, new Object()); // $hasOgnlInjection
accessor.set(null, new Object(), new Object()); // $hasOgnlInjection
Ognl.getValue(accessor, null, new Object()); // $hasOgnlInjection
Ognl.setValue(accessor, null, new Object()); // $hasOgnlInjection
}
}