Merge pull request #20083 from aschackmull/java/prune-csrf-unprotected-request-type

Java: Prune PathGraph for CsrfUnprotectedRequestType.ql
Anders Schack-Mulligen
2025-07-18 13:25:00 +02:00
committed by GitHub
2 changed files with 25 additions and 2 deletions


@@ -237,12 +237,35 @@ private predicate sink(CallPathNode sinkMethodCall) {
)
}
private predicate fwdFlow(CallPathNode n) {
source(n)
or
exists(CallPathNode mid | fwdFlow(mid) and CallGraph::edges(mid, n))
}
private predicate revFlow(CallPathNode n) {
fwdFlow(n) and
(
sink(n)
or
exists(CallPathNode mid | revFlow(mid) and CallGraph::edges(n, mid))
)
}
/**
* Holds if `pred` has a successor node `succ` and this edge is in an
* `unprotectedStateChange` path.
*/
predicate relevantEdge(CallPathNode pred, CallPathNode succ) {
CallGraph::edges(pred, succ) and revFlow(pred) and revFlow(succ)
}
/**
* Holds if `sourceMethod` is an unprotected request handler that reaches a
* `sinkMethodCall` that updates a database.
*/
private predicate unprotectedDatabaseUpdate(CallPathNode sourceMethod, CallPathNode sinkMethodCall) =
doublyBoundedFastTC(CallGraph::edges/2, source/1, sink/1)(sourceMethod, sinkMethodCall)
doublyBoundedFastTC(relevantEdge/2, source/1, sink/1)(sourceMethod, sinkMethodCall)
/**
* Holds if `sourceMethod` is an unprotected request handler that appears to
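Review bot: The QLDoc on `relevantEdge` says the edge lies on an `unprotectedStateChange` path, but `revFlow` is bounded only by `source/1` and the database-update `sink/1`, so the edges kept are those of `unprotectedDatabaseUpdate` paths. `unprotectedStateChange` is defined outside this hunk; if it has another disjunct whose source and sink are distinct nodes, those alerts would presumably lose their edges in the query's `edges` relation, so that is worth confirming. The comment could then read `Holds if the edge from pred to succ lies on a call path from a source to a sink.` The new `fwdFlow` and `revFlow` helpers have no QLDoc; one line each, such as `/** Holds if n is reachable from a source node. */` and `/** Holds if n is reachable from a source and can reach a sink. */`, would make the pruning easier to audit. The doc comment that starts at the end of the hunk continues outside it.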


@@ -15,7 +15,7 @@
import java
import semmle.code.java.security.CsrfUnprotectedRequestTypeQuery
query predicate edges(CallPathNode pred, CallPathNode succ) { CallGraph::edges(pred, succ) }
query predicate edges(CallPathNode pred, CallPathNode succ) { relevantEdge(pred, succ) }
from CallPathNode source, CallPathNode sink
where unprotectedStateChange(source, sink)