Java: Convert insecure bean validation sink to CSV format

2026-04-30 11:15:13 +02:00 · 2021-03-31 10:09:58 +02:00
parent 9e2832a82d
commit f329c3fdab
2 changed files with 5 additions and 20 deletions
--- a/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
+++ b/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
@@ -13,6 +13,7 @@ import java
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.FlowSources
 import DataFlow::PathGraph
+private import semmle.code.java.dataflow.ExternalFlow

 /**
 * A message interpolator Type that perform Expression Language (EL) evaluations
@@ -50,19 +51,6 @@ class SetMessageInterpolatorCall extends MethodAccess {
  predicate isSafe() { not this.getAnArgument().getType() instanceof ELMessageInterpolatorType }
 }

-/**
- * A method named `buildConstraintViolationWithTemplate` declared on a subtype
- * of `javax.validation.ConstraintValidatorContext`.
- */
-class BuildConstraintViolationWithTemplateMethod extends Method {
-  BuildConstraintViolationWithTemplateMethod() {
-    this.getDeclaringType()
-        .getASupertype*()
-        .hasQualifiedName("javax.validation", "ConstraintValidatorContext") and
-    this.hasName("buildConstraintViolationWithTemplate")
-  }
-}
-
 /**
 * Taint tracking BeanValidationConfiguration describing the flow of data from user input
 * to the argument of a method that builds constraint error messages.
@@ -72,12 +60,7 @@ class BeanValidationConfig extends TaintTracking::Configuration {

  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

-  override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma |
-      ma.getMethod() instanceof BuildConstraintViolationWithTemplateMethod and
-      sink.asExpr() = ma.getArgument(0)
-    )
-  }
+  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "bean-validation") }
 }

 from BeanValidationConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -203,7 +203,9 @@ private predicate sinkModelCsv(string row) {
      "java.nio.file;Files;false;createLink;;;Argument[0];create-file",
      "java.nio.file;Files;false;createSymbolicLink;;;Argument[0];create-file",
      "java.nio.file;Files;false;createTempDirectory;;;Argument[0];create-file",
-      "java.nio.file;Files;false;createTempFile;;;Argument[0];create-file"
+      "java.nio.file;Files;false;createTempFile;;;Argument[0];create-file",
+      // Bean validation
+      "javax.validation;ConstraintValidatorContext;true;buildConstraintViolationWithTemplate;;;Argument[0];bean-validation"
    ]
 }