Move Jax XSS sinks to JaxWS.qll and add tests

Owen Mansel-Chan
2021-05-20 14:23:40 +01:00
parent d1fe62d4d5
commit e6a6a8898b
4 changed files with 70 additions and 34 deletions


@@ -5,6 +5,7 @@
import java
private import semmle.code.java.dataflow.ExternalFlow
private import semmle.code.java.security.XSS
/**
* Gets a name for the root package of JAX-RS.
@@ -308,6 +309,21 @@ class JaxRSConsumesAnnotation extends JaxRSAnnotation {
JaxRSConsumesAnnotation() { this.getType().hasQualifiedName(getAJaxRsPackage(), "Consumes") }
}
/** A default sink representing methods susceptible to XSS attacks. */
private class JaxRSXssSink extends XssSink {
JaxRSXssSink() {
exists(JaxRsResourceMethod resourceMethod, ReturnStmt rs |
resourceMethod = any(JaxRsResourceClass resourceClass).getAResourceMethod() and
rs.getEnclosingCallable() = resourceMethod and
this.asExpr() = rs.getResult()
|
not exists(resourceMethod.getProducesAnnotation())
or
resourceMethod.getProducesAnnotation().getADeclaredContentType() = "text/plain"
)
}
}
/** A URL redirection sink from JAX-RS */
private class JaxRsUrlRedirectSink extends SinkModelCsv {
override predicate row(string row) {
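Review bot: The second disjunct of `JaxRSXssSink` compares the declared content type with `"text/plain"`, so a resource method annotated to produce `text/html` matches neither branch and its returned expression is never treated as an XSS sink. That looks inverted: HTML is the response type a browser interprets as markup, whereas a plain-text response is normally rendered inertly, so the query would likely miss the relevant methods and flag benign ones. The condition is carried over unchanged from the lines removed from `DefaultXssSink`, so the move is a good moment to correct it, e.g. `resourceMethod.getProducesAnnotation().getADeclaredContentType() = "text/html"`. The tests this commit adds are not visible here; they should cover both a `text/html` and a `text/plain` producer so the intended behaviour is pinned. The doc comment would also be more accurate if it described the sink as the value returned by a JAX-RS resource method rather than as "methods".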


@@ -1,7 +1,6 @@
/** Provides classes to reason about Cross-site scripting (XSS) vulnerabilities. */
import java
import semmle.code.java.frameworks.JaxWS
import semmle.code.java.frameworks.Servlets
import semmle.code.java.frameworks.android.WebView
import semmle.code.java.frameworks.spring.SpringController
@@ -94,16 +93,6 @@ private class DefaultXssSink extends XssSink {
returnType instanceof RawClass
)
)
or
exists(JaxRsResourceMethod resourceMethod, ReturnStmt rs |
resourceMethod = any(JaxRsResourceClass resourceClass).getAResourceMethod() and
rs.getEnclosingCallable() = resourceMethod and
this.asExpr() = rs.getResult()
|
not exists(resourceMethod.getProducesAnnotation())
or
resourceMethod.getProducesAnnotation().getADeclaredContentType() = "text/plain"
)
}
}