Use LocalUserInput when looking for JEXL injections

2026-04-29 10:45:15 +02:00 · 2021-01-21 22:46:18 +01:00
parent 8166e269ec
commit ee6d28b562
1 changed files with 1 additions and 2 deletions
--- a/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll
@@ -13,8 +13,7 @@ class JexlInjectionConfig extends TaintTracking::Configuration {
  override predicate isSource(DataFlow::Node source) {
    source instanceof TaintedSpringRequestBody or
    source instanceof RemoteFlowSource or
-    source instanceof UserInput or
-    source instanceof EnvInput
+    source instanceof LocalUserInput
  }

  override predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink }