mirror of
https://github.com/github/codeql.git
synced 2025-12-20 10:46:30 +01:00
34 lines
1.1 KiB
Plaintext
34 lines
1.1 KiB
Plaintext
import java
|
|
import semmle.code.java.dataflow.FlowSources
|
|
import semmle.code.java.security.XSS
|
|
import TestUtilities.InlineExpectationsTest
|
|
|
|
class XSSConfig extends TaintTracking::Configuration {
|
|
XSSConfig() { this = "XSSConfig" }
|
|
|
|
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
|
|
|
override predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
|
|
|
|
override predicate isSanitizer(DataFlow::Node node) { node instanceof XssSanitizer }
|
|
|
|
override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
|
|
any(XssAdditionalTaintStep s).step(node1, node2)
|
|
}
|
|
}
|
|
|
|
class XssTest extends InlineExpectationsTest {
|
|
XssTest() { this = "XssTest" }
|
|
|
|
override string getARelevantTag() { result = ["xss"] }
|
|
|
|
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
|
tag = "xss" and
|
|
exists(DataFlow::Node src, DataFlow::Node sink, XSSConfig conf | conf.hasFlow(src, sink) |
|
|
sink.getLocation() = location and
|
|
element = sink.toString() and
|
|
value = ""
|
|
)
|
|
}
|
|
}
|