Merge pull request #3454 from porcupineyhairs/javaSSRf

Java : add request forgery query
Anders Schack-Mulligen
2020-11-26 08:52:15 +01:00
committed by GitHub
39 changed files with 1559 additions and 26 deletions


@@ -11,6 +11,7 @@
import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.frameworks.Networking
import DataFlow::PathGraph
class HTTPString extends StringLiteral {
@@ -29,18 +30,6 @@ class HTTPString extends StringLiteral {
}
}
class URLConstructor extends ClassInstanceExpr {
URLConstructor() { this.getConstructor().getDeclaringType().getQualifiedName() = "java.net.URL" }
Expr protocolArg() {
// In all cases except where the first parameter is a URL, the argument
// containing the protocol is the first one, otherwise it is the second.
if this.getConstructor().getParameter(0).getType().getName() = "URL"
then result = this.getArgument(1)
else result = this.getArgument(0)
}
}
class URLOpenMethod extends Method {
URLOpenMethod() {
this.getDeclaringType().getQualifiedName() = "java.net.URL" and
@@ -63,7 +52,7 @@ class HTTPStringToURLOpenMethodFlowConfig extends TaintTracking::Configuration {
}
override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
exists(URLConstructor u |
exists(UrlConstructorCall u |
node1.asExpr() = u.protocolArg() and
node2.asExpr() = u
)
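Review bot: With the local `URLConstructor` class removed, the comment explaining which constructor argument carries the protocol no longer lives in this file, and `isAdditionalTaintStep` now depends on `UrlConstructorCall.protocolArg()` from the newly imported `semmle.code.java.frameworks.Networking`, whose definition is not visible in this section. A one-line comment above the `exists` would keep the intent readable here: `// Taint flows from the protocol argument into the constructed URL; see UrlConstructorCall in Networking.` It is also worth confirming that the library predicate keeps the removed rule (second argument when the first parameter is a `URL`, otherwise the first). If it differs, the set of URL constructions this query follows from an `HTTPString` to a `URLOpenMethod` call would change silently, and the query's existing tests should show unchanged results. The body of `isAdditionalTaintStep` closes outside the hunk.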