update JSONP Injection ql

java/ql/src/Security/CWE/CWE-352/JsonpInjection.ql

@@ -1,55 +1,68 @@
 /**
- * @name JSON Hijacking
+ * @name JSONP Injection
  * @description User-controlled callback function names that are not verified are vulnerable
- *              to json hijacking attacks.
+ *              to jsonp injection attacks.
  * @kind path-problem
  * @problem.severity error
  * @precision high
- * @id java/Json-hijacking
+ * @id java/JSONP-Injection
  * @tags security
  *       external/cwe/cwe-352
  */
 
 import java
 import JsonpInjectionLib
+import JsonpInjectionFilterLib
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.deadcode.WebEntryPoints
 import DataFlow::PathGraph
 
-class VerifAuth extends DataFlow::BarrierGuard {
-  VerifAuth() {
+
+/** If there is a method to verify `token`, `auth`, `referer`, and `origin`, it will not pass. */
+class ServletVerifAuth extends DataFlow::BarrierGuard {
+  ServletVerifAuth() {
     exists(MethodAccess ma, Node prod, Node succ |
-      this = ma and
-      ma.getMethod().getName().regexpMatch("(?i).*(token|auth|referer).*") and
+      ma.getMethod().getName().regexpMatch("(?i).*(token|auth|referer|origin).*") and
       prod instanceof RemoteFlowSource and
       succ.asExpr() = ma.getAnArgument() and
-      ma.getMethod().getAParameter().getName().regexpMatch("(?i).*(token|auth|referer).*") and
-      localFlowStep*(prod, succ)
+      ma.getMethod().getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*") and
+      localFlowStep*(prod, succ) and
+      this = ma
     )
   }
 
   override predicate checks(Expr e, boolean branch) {
-    exists(ReturnStmt rs |
-      e = rs.getResult() and
+    exists(Node node |
+      node instanceof JsonpInjectionSink and
+      e = node.asExpr() and
       branch = true
     )
   }
 }
 
-/** Taint-tracking configuration tracing flow from remote sources to output jsonp data. */
+/** Taint-tracking configuration tracing flow from get method request sources to output jsonp data. */
 class JsonpInjectionConfig extends TaintTracking::Configuration {
   JsonpInjectionConfig() { this = "JsonpInjectionConfig" }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  override predicate isSource(DataFlow::Node source) { source instanceof GetHttpRequestSource }
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof JsonpInjectionSink }
 
-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { guard instanceof VerifAuth }
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof ServletVerifAuth
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(MethodAccess ma |
+      isRequestGetParamMethod(ma) and pred.asExpr() = ma.getQualifier() and succ.asExpr() = ma
+    )
+  }
 }
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, JsonpInjectionConfig conf
 where
+  not checks() = false and
   conf.hasFlowPath(source, sink) and
   exists(JsonpInjectionFlowConfig jhfc | jhfc.hasFlowTo(sink.getNode()))
-select sink.getNode(), source, sink, "Json Hijacking query might include code from $@.",
-  source.getNode(), "this user input"
+select sink.getNode(), source, sink, "Jsonp Injection query might include code from $@.",
+  source.getNode(), "this user input"

java/ql/src/Security/CWE/CWE-352/JsonpInjectionFilterLib.qll

@@ -0,0 +1,77 @@
+/**
+ * @name JSONP Injection
+ * @description User-controlled callback function names that are not verified are vulnerable
+ *              to json hijacking attacks.
+ * @kind path-problem
+ */
+
+import java
+import DataFlow
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.TaintTracking2
+import DataFlow::PathGraph
+
+class FilterVerifAuth extends DataFlow::BarrierGuard {
+  FilterVerifAuth() {
+    exists(MethodAccess ma, Node prod, Node succ |
+      ma.getMethod().getName().regexpMatch("(?i).*(token|auth|referer|origin).*") and
+      prod instanceof RemoteFlowSource and
+      succ.asExpr() = ma.getAnArgument() and
+      ma.getMethod().getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*") and
+      localFlowStep*(prod, succ) and
+      this = ma
+    )
+  }
+
+  override predicate checks(Expr e, boolean branch) {
+    exists(Node node |
+      node instanceof DoFilterMethodSink and
+      e = node.asExpr() and
+      branch = true
+    )
+  }
+}
+
+/** A data flow source for `Filter.doFilter` method paramters. */
+private class DoFilterMethodSource extends DataFlow::Node {
+  DoFilterMethodSource() {
+    exists(Method m |
+      isDoFilterMethod(m) and
+      m.getAParameter().getAnAccess() = this.asExpr()
+    )
+  }
+}
+
+/** A data flow sink for `FilterChain.doFilter` method qualifying expression. */
+private class DoFilterMethodSink extends DataFlow::Node {
+  DoFilterMethodSink() {
+    exists(MethodAccess ma, Method m | ma.getMethod() = m |
+      m.hasName("doFilter") and
+      m.getDeclaringType*().hasQualifiedName("javax.servlet", "FilterChain") and
+      ma.getQualifier() = this.asExpr()
+    )
+  }
+}
+
+/** Taint-tracking configuration tracing flow from `doFilter` method paramter source to output 
+ * `FilterChain.doFilter` method qualifying expression. 
+ * */
+class DoFilterMethodConfig extends TaintTracking::Configuration {
+  DoFilterMethodConfig() { this = "DoFilterMethodConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof DoFilterMethodSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof DoFilterMethodSink }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof FilterVerifAuth
+  }
+}
+
+/** Implement class modeling verification for `Filter.doFilter`, return false if it fails. */
+boolean checks() {
+  exists(DataFlow::PathNode source, DataFlow::PathNode sink, DoFilterMethodConfig conf |
+    conf.hasFlowPath(source, sink) and
+    result = false
+  )
+}

java/ql/src/Security/CWE/CWE-352/JsonpInjectionLib.qll

@@ -5,6 +5,69 @@ import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.frameworks.spring.SpringController
 
+/** Holds if `m` is a method of some override of `HttpServlet.doGet`. */
+private predicate isGetServletMethod(Method m) {
+  isServletRequestMethod(m) and m.getName() = "doGet"
+}
+
+/** Holds if `m` is a method of some override of `HttpServlet.doGet`. */
+private predicate isGetSpringControllerMethod(Method m) {
+  exists(Annotation a |
+    a = m.getAnAnnotation() and
+    a.getType().hasQualifiedName("org.springframework.web.bind.annotation", "GetMapping")
+  )
+  or
+  exists(Annotation a |
+    a = m.getAnAnnotation() and
+    a.getType().hasQualifiedName("org.springframework.web.bind.annotation", "RequestMapping") and
+    a.getValue("method").toString().regexpMatch("RequestMethod.GET|\\{...\\}")
+  )
+}
+
+/** Method parameters use the annotation `@RequestParam` or the parameter type is `ServletRequest`, `String`, `Object` */
+predicate checkSpringMethodParameterType(Method m, int i) {
+  m.getParameter(i).getType() instanceof ServletRequest
+  or
+  exists(Parameter p |
+    p = m.getParameter(i) and
+    p.hasAnnotation() and
+    p.getAnAnnotation()
+        .getType()
+        .hasQualifiedName("org.springframework.web.bind.annotation", "RequestParam") and
+    p.getType().getName().regexpMatch("String|Object")
+  )
+  or
+  exists(Parameter p |
+    p = m.getParameter(i) and
+    not p.hasAnnotation() and
+    p.getType().getName().regexpMatch("String|Object")
+  )
+}
+
+/** A data flow source for get method request parameters. */
+abstract class GetHttpRequestSource extends DataFlow::Node { }
+
+/** A data flow source for servlet get method request parameters. */
+private class ServletGetHttpRequestSource extends GetHttpRequestSource {
+  ServletGetHttpRequestSource() {
+    exists(Method m |
+      isGetServletMethod(m) and
+      m.getParameter(0).getAnAccess() = this.asExpr()
+    )
+  }
+}
+
+/** A data flow source for spring controller get method request parameters. */
+private class SpringGetHttpRequestSource extends GetHttpRequestSource {
+  SpringGetHttpRequestSource() {
+    exists(SpringControllerMethod scm, int i |
+      isGetSpringControllerMethod(scm) and
+      checkSpringMethodParameterType(scm, i) and
+      scm.getParameter(i).getAnAccess() = this.asExpr()
+    )
+  }
+}
+
 /** A data flow sink for unvalidated user input that is used to jsonp. */
 abstract class JsonpInjectionSink extends DataFlow::Node { }
 
@@ -26,7 +89,7 @@ private class WriterPrintln extends JsonpInjectionSink {
 private class SpringReturn extends JsonpInjectionSink {
   SpringReturn() {
     exists(ReturnStmt rs, Method m | m = rs.getEnclosingCallable() |
-      m instanceof SpringRequestMappingMethod and
+      isGetSpringControllerMethod(m) and
       rs.getResult() = this.asExpr()
     )
   }

java/ql/src/Security/CWE/CWE-352/JsonpInjectionServlet.java

@@ -0,0 +1,60 @@
+import com.google.gson.Gson;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.util.HashMap;
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class JsonpInjectionServlet  extends HttpServlet {
+
+    private static HashMap hashMap = new HashMap();
+
+    static {
+        hashMap.put("username","admin");
+        hashMap.put("password","123456");
+    }
+
+    private static final long serialVersionUID = 1L;
+
+    private String key = "test";
+    @Override
+    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+        String jsonpCallback = req.getParameter("jsonpCallback");
+
+        PrintWriter pw = null;
+        Gson gson = new Gson();
+        String result = gson.toJson(hashMap);
+
+        String resultStr = null;
+        pw = resp.getWriter();
+        resultStr = jsonpCallback + "(" + result + ")";
+        pw.println(resultStr);
+        pw.flush();
+    }
+
+    @Override
+    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+        String jsonpCallback = req.getParameter("jsonpCallback");
+        PrintWriter pw = null;
+        Gson gson = new Gson();
+        String result = gson.toJson(hashMap);
+
+        String resultStr = null;
+        pw = resp.getWriter();
+        resultStr = jsonpCallback + "(" + result + ")";
+        pw.println(resultStr);
+        pw.flush();
+    }
+
+    @Override
+    public void init(ServletConfig config) throws ServletException {
+        this.key = config.getInitParameter("key");
+        System.out.println("初始化" + this.key);
+        super.init(config);
+    }
+
+}

java/ql/src/Security/CWE/CWE-352/JsonpInjectionServlet1.java

@@ -0,0 +1,64 @@
+import com.google.gson.Gson;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.util.HashMap;
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class JsonpInjectionServlet1 extends HttpServlet {
+
+    private static HashMap hashMap = new HashMap();
+
+    static {
+        hashMap.put("username","admin");
+        hashMap.put("password","123456");
+    }
+
+    private static final long serialVersionUID = 1L;
+
+    private String key = "test";
+    @Override
+    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+        doPost(req, resp);
+    }
+
+    @Override
+    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+        resp.setContentType("application/json");
+        String jsonpCallback = req.getParameter("jsonpCallback");
+        PrintWriter pw = null;
+        Gson gson = new Gson();
+        String jsonResult = gson.toJson(hashMap);
+
+        String referer = req.getHeader("Referer");
+
+        boolean result = verifReferer(referer);
+
+        // good
+        if (result){
+            String resultStr = null;
+            pw = resp.getWriter();
+            resultStr = jsonpCallback + "(" + jsonResult + ")";
+            pw.println(resultStr);
+            pw.flush();
+        }
+    }
+
+    public static boolean verifReferer(String referer){
+        if (!referer.startsWith("http://test.com/")){
+            return false;
+        }
+        return true;
+    }
+
+    @Override
+    public void init(ServletConfig config) throws ServletException {
+        this.key = config.getInitParameter("key");
+        System.out.println("初始化" + this.key);
+        super.init(config);
+    }
+
+}

java/ql/src/Security/CWE/CWE-352/JsonpInjectionServlet2.java

@@ -0,0 +1,50 @@
+import com.google.gson.Gson;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.util.HashMap;
+import javax.servlet.ServletConfig;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class JsonpInjectionServlet2  extends HttpServlet {
+
+    private static HashMap hashMap = new HashMap();
+
+    static {
+        hashMap.put("username","admin");
+        hashMap.put("password","123456");
+    }
+
+    private static final long serialVersionUID = 1L;
+
+    private String key = "test";
+    @Override
+    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+        doPost(req, resp);
+    }
+
+    @Override
+    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+        resp.setContentType("application/json");
+        String jsonpCallback = req.getParameter("jsonpCallback");
+        PrintWriter pw = null;
+        Gson gson = new Gson();
+        String result = gson.toJson(hashMap);
+
+        String resultStr = null;
+        pw = resp.getWriter();
+        resultStr = jsonpCallback + "(" + result + ")";
+        pw.println(resultStr);
+        pw.flush();
+    }
+
+    @Override
+    public void init(ServletConfig config) throws ServletException {
+        this.key = config.getInitParameter("key");
+        System.out.println("初始化" + this.key);
+        super.init(config);
+    }
+
+}

java/ql/src/semmle/code/java/frameworks/Servlets.qll

@@ -337,3 +337,30 @@ predicate isRequestGetParamMethod(MethodAccess ma) {
   ma.getMethod() instanceof ServletRequestGetParameterMapMethod or
   ma.getMethod() instanceof HttpServletRequestGetQueryStringMethod
 }
+
+
+/**
+ * A class that has `javax.servlet.Filter` as an ancestor.
+ */
+class FilterClass extends Class {
+  FilterClass() { getAnAncestor().hasQualifiedName("javax.servlet", "Filter") }
+}
+
+
+/**
+ * The interface `javax.servlet.FilterChain`
+ */
+class FilterChain extends RefType {
+  FilterChain() {
+    hasQualifiedName("javax.servlet", "FilterChain")
+  }
+}
+
+/** Holds if `m` is a request handler method (for example `doGet` or `doPost`). */
+predicate isDoFilterMethod(Method m) {
+  m.getDeclaringType() instanceof FilterClass and
+  m.getNumberOfParameters() = 3 and
+  m.getParameter(0).getType() instanceof ServletRequest and
+  m.getParameter(1).getType() instanceof ServletResponse and
+  m.getParameter(2).getType() instanceof FilterChain
+}

java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.expected

@@ -1,60 +1,60 @@
 edges
-| JsonpInjection.java:28:32:28:68 | getParameter(...) : String | JsonpInjection.java:33:16:33:24 | resultStr |
-| JsonpInjection.java:32:21:32:54 | ... + ... : String | JsonpInjection.java:33:16:33:24 | resultStr |
-| JsonpInjection.java:40:32:40:68 | getParameter(...) : String | JsonpInjection.java:44:16:44:24 | resultStr |
-| JsonpInjection.java:42:21:42:80 | ... + ... : String | JsonpInjection.java:44:16:44:24 | resultStr |
-| JsonpInjection.java:51:32:51:68 | getParameter(...) : String | JsonpInjection.java:54:16:54:24 | resultStr |
-| JsonpInjection.java:53:21:53:55 | ... + ... : String | JsonpInjection.java:54:16:54:24 | resultStr |
-| JsonpInjection.java:61:32:61:68 | getParameter(...) : String | JsonpInjection.java:64:16:64:24 | resultStr |
-| JsonpInjection.java:63:21:63:54 | ... + ... : String | JsonpInjection.java:64:16:64:24 | resultStr |
-| JsonpInjection.java:72:32:72:68 | getParameter(...) : String | JsonpInjection.java:80:20:80:28 | resultStr |
+| JsonpInjection.java:29:32:29:38 | request : HttpServletRequest | JsonpInjection.java:34:16:34:24 | resultStr |
+| JsonpInjection.java:33:21:33:54 | ... + ... : String | JsonpInjection.java:34:16:34:24 | resultStr |
+| JsonpInjection.java:41:32:41:38 | request : HttpServletRequest | JsonpInjection.java:45:16:45:24 | resultStr |
+| JsonpInjection.java:43:21:43:80 | ... + ... : String | JsonpInjection.java:45:16:45:24 | resultStr |
+| JsonpInjection.java:52:32:52:38 | request : HttpServletRequest | JsonpInjection.java:55:16:55:24 | resultStr |
+| JsonpInjection.java:54:21:54:55 | ... + ... : String | JsonpInjection.java:55:16:55:24 | resultStr |
+| JsonpInjection.java:62:32:62:38 | request : HttpServletRequest | JsonpInjection.java:65:16:65:24 | resultStr |
+| JsonpInjection.java:64:21:64:54 | ... + ... : String | JsonpInjection.java:65:16:65:24 | resultStr |
+| JsonpInjection.java:72:32:72:38 | request : HttpServletRequest | JsonpInjection.java:80:20:80:28 | resultStr |
 | JsonpInjection.java:79:21:79:54 | ... + ... : String | JsonpInjection.java:80:20:80:28 | resultStr |
-| JsonpInjection.java:88:32:88:68 | getParameter(...) : String | JsonpInjection.java:95:20:95:28 | resultStr |
-| JsonpInjection.java:94:21:94:54 | ... + ... : String | JsonpInjection.java:95:20:95:28 | resultStr |
-| JsonpInjection.java:102:32:102:68 | getParameter(...) : String | JsonpInjection.java:113:16:113:24 | resultStr |
-| JsonpInjection.java:128:25:128:59 | ... + ... : String | JsonpInjection.java:129:20:129:28 | resultStr |
-| JsonpInjection.java:147:25:147:59 | ... + ... : String | JsonpInjection.java:148:20:148:28 | resultStr |
+| JsonpInjection.java:87:32:87:38 | request : HttpServletRequest | JsonpInjection.java:94:20:94:28 | resultStr |
+| JsonpInjection.java:93:21:93:54 | ... + ... : String | JsonpInjection.java:94:20:94:28 | resultStr |
+| JsonpInjection.java:101:32:101:38 | request : HttpServletRequest | JsonpInjection.java:112:16:112:24 | resultStr |
+| JsonpInjection.java:127:25:127:59 | ... + ... : String | JsonpInjection.java:128:20:128:28 | resultStr |
+| JsonpInjection.java:148:25:148:59 | ... + ... : String | JsonpInjection.java:149:20:149:28 | resultStr |
 nodes
-| JsonpInjection.java:28:32:28:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpInjection.java:32:21:32:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjection.java:33:16:33:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:33:16:33:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:40:32:40:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpInjection.java:42:21:42:80 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjection.java:44:16:44:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:44:16:44:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:51:32:51:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpInjection.java:53:21:53:55 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjection.java:54:16:54:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:54:16:54:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:61:32:61:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpInjection.java:63:21:63:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjection.java:64:16:64:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:64:16:64:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:72:32:72:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JsonpInjection.java:29:32:29:38 | request : HttpServletRequest | semmle.label | request : HttpServletRequest |
+| JsonpInjection.java:33:21:33:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjection.java:34:16:34:24 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:34:16:34:24 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:41:32:41:38 | request : HttpServletRequest | semmle.label | request : HttpServletRequest |
+| JsonpInjection.java:43:21:43:80 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjection.java:45:16:45:24 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:45:16:45:24 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:52:32:52:38 | request : HttpServletRequest | semmle.label | request : HttpServletRequest |
+| JsonpInjection.java:54:21:54:55 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjection.java:55:16:55:24 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:55:16:55:24 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:62:32:62:38 | request : HttpServletRequest | semmle.label | request : HttpServletRequest |
+| JsonpInjection.java:64:21:64:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjection.java:65:16:65:24 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:65:16:65:24 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:72:32:72:38 | request : HttpServletRequest | semmle.label | request : HttpServletRequest |
 | JsonpInjection.java:79:21:79:54 | ... + ... : String | semmle.label | ... + ... : String |
 | JsonpInjection.java:80:20:80:28 | resultStr | semmle.label | resultStr |
 | JsonpInjection.java:80:20:80:28 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:88:32:88:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpInjection.java:94:21:94:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjection.java:95:20:95:28 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:95:20:95:28 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:102:32:102:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpInjection.java:113:16:113:24 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:128:25:128:59 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjection.java:129:20:129:28 | resultStr | semmle.label | resultStr |
-| JsonpInjection.java:147:25:147:59 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpInjection.java:148:20:148:28 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:87:32:87:38 | request : HttpServletRequest | semmle.label | request : HttpServletRequest |
+| JsonpInjection.java:93:21:93:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjection.java:94:20:94:28 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:94:20:94:28 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:101:32:101:38 | request : HttpServletRequest | semmle.label | request : HttpServletRequest |
+| JsonpInjection.java:112:16:112:24 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:127:25:127:59 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjection.java:128:20:128:28 | resultStr | semmle.label | resultStr |
+| JsonpInjection.java:148:25:148:59 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpInjection.java:149:20:149:28 | resultStr | semmle.label | resultStr |
 #select
-| JsonpInjection.java:33:16:33:24 | resultStr | JsonpInjection.java:28:32:28:68 | getParameter(...) : String | JsonpInjection.java:33:16:33:24 | resultStr | Json Hijacking query 
-might include code from $@. | JsonpInjection.java:28:32:28:68 | getParameter(...) | this user input |
-| JsonpInjection.java:44:16:44:24 | resultStr | JsonpInjection.java:40:32:40:68 | getParameter(...) : String | JsonpInjection.java:44:16:44:24 | resultStr | Json Hijacking query 
-might include code from $@. | JsonpInjection.java:40:32:40:68 | getParameter(...) | this user input |
-| JsonpInjection.java:54:16:54:24 | resultStr | JsonpInjection.java:51:32:51:68 | getParameter(...) : String | JsonpInjection.java:54:16:54:24 | resultStr | Json Hijacking query 
-might include code from $@. | JsonpInjection.java:51:32:51:68 | getParameter(...) | this user input |
-| JsonpInjection.java:64:16:64:24 | resultStr | JsonpInjection.java:61:32:61:68 | getParameter(...) : String | JsonpInjection.java:64:16:64:24 | resultStr | Json Hijacking query 
-might include code from $@. | JsonpInjection.java:61:32:61:68 | getParameter(...) | this user input |
-| JsonpInjection.java:80:20:80:28 | resultStr | JsonpInjection.java:72:32:72:68 | getParameter(...) : String | JsonpInjection.java:80:20:80:28 | resultStr | Json Hijacking query 
-might include code from $@. | JsonpInjection.java:72:32:72:68 | getParameter(...) | this user input |
-| JsonpInjection.java:95:20:95:28 | resultStr | JsonpInjection.java:88:32:88:68 | getParameter(...) : String | JsonpInjection.java:95:20:95:28 | resultStr | Json Hijacking query 
-might include code from $@. | JsonpInjection.java:88:32:88:68 | getParameter(...) | this user input |
+| JsonpInjection.java:34:16:34:24 | resultStr | JsonpInjection.java:29:32:29:38 | request : HttpServletRequest | JsonpInjection.java:34:16:34:24 | 
+resultStr | Jsonp Injection query might include code from $@. | JsonpInjection.java:29:32:29:38 | request | this user input |
+| JsonpInjection.java:45:16:45:24 | resultStr | JsonpInjection.java:41:32:41:38 | request : HttpServletRequest | JsonpInjection.java:45:16:45:24 | 
+resultStr | Jsonp Injection query might include code from $@. | JsonpInjection.java:41:32:41:38 | request | this user input |
+| JsonpInjection.java:55:16:55:24 | resultStr | JsonpInjection.java:52:32:52:38 | request : HttpServletRequest | JsonpInjection.java:55:16:55:24 | 
+resultStr | Jsonp Injection query might include code from $@. | JsonpInjection.java:52:32:52:38 | request | this user input |
+| JsonpInjection.java:65:16:65:24 | resultStr | JsonpInjection.java:62:32:62:38 | request : HttpServletRequest | JsonpInjection.java:65:16:65:24 | 
+resultStr | Jsonp Injection query might include code from $@. | JsonpInjection.java:62:32:62:38 | request | this user input |
+| JsonpInjection.java:80:20:80:28 | resultStr | JsonpInjection.java:72:32:72:38 | request : HttpServletRequest | JsonpInjection.java:80:20:80:28 | 
+resultStr | Jsonp Injection query might include code from $@. | JsonpInjection.java:72:32:72:38 | request | this user input |
+| JsonpInjection.java:94:20:94:28 | resultStr | JsonpInjection.java:87:32:87:38 | request : HttpServletRequest | JsonpInjection.java:94:20:94:28 | 
+resultStr | Jsonp Injection query might include code from $@. | JsonpInjection.java:87:32:87:38 | request | this user input |

java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.java

@@ -8,11 +8,12 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.ResponseBody;
 
 @Controller
 public class JsonpInjection {
-    
     private static HashMap hashMap = new HashMap();
 
     static {
@@ -21,7 +22,7 @@ public class JsonpInjection {
     }
 
 
-    @GetMapping(value = "jsonp1")
+    @GetMapping(value = "jsonp1", produces="text/javascript")
     @ResponseBody
     public String bad1(HttpServletRequest request) {
         String resultStr = null;
@@ -68,7 +69,6 @@ public class JsonpInjection {
     @ResponseBody
     public void bad5(HttpServletRequest request,
             HttpServletResponse response) throws Exception {
-        response.setContentType("application/json");
         String jsonpCallback = request.getParameter("jsonpCallback");
         PrintWriter pw = null;
         Gson gson = new Gson();
@@ -84,7 +84,6 @@ public class JsonpInjection {
     @ResponseBody
     public void bad6(HttpServletRequest request,
             HttpServletResponse response) throws Exception {
-        response.setContentType("application/json");
         String jsonpCallback = request.getParameter("jsonpCallback");
         PrintWriter pw = null;
         ObjectMapper mapper = new ObjectMapper();
@@ -141,8 +140,10 @@ public class JsonpInjection {
         String referer = request.getHeader("Referer");
 
         boolean result = verifReferer(referer);
+
+        boolean test = result;
         // good
-        if (result){
+        if (test){
             String jsonStr = getJsonStr(hashMap);
             resultStr = jsonpCallback + "(" + jsonStr + ")";
             return resultStr;
@@ -168,4 +169,4 @@ public class JsonpInjection {
         }
         return true;
     }
-}
+}

java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestMapping.java

@@ -10,4 +10,6 @@ public @interface RequestMapping {
 
     @AliasFor("value")
     String[] path() default {};
+
+    RequestMethod[] method() default {};
 }

java/ql/test/stubs/spring-web-5.3.2/org/springframework/web/bind/annotation/RequestMethod.java

@@ -0,0 +1,15 @@
+package org.springframework.web.bind.annotation;
+
+public enum RequestMethod {
+    GET,
+    HEAD,
+    POST,
+    PUT,
+    PATCH,
+    DELETE,
+    OPTIONS,
+    TRACE;
+
+    private RequestMethod() {
+    }
+}