hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-24 10:53:49 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
121b24ea7c0e21f2032afc64b54f4de85bda9275
codeql/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll
Chris Smowton f552a15aae Mass-rename MethodAccess -> MethodCall
2023-10-24 10:30:26 +01:00

59 lines
2.5 KiB
Plaintext
Raw Blame History

/**
* Provides a taint-tracking configuration characterising request-forgery risks.
*
* Only import this directly from .ql files, to avoid the possibility of polluting the Configuration hierarchy accidentally.
*/
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.RequestForgery
/**
* DEPRECATED: Use `RequestForgeryConfiguration` module instead.
*
* A taint-tracking configuration characterising request-forgery risks.
*/
deprecated class RequestForgeryConfiguration extends TaintTracking::Configuration {
RequestForgeryConfiguration() { this = "Server-Side Request Forgery" }
override predicate isSource(DataFlow::Node source) {
source instanceof RemoteFlowSource and
// Exclude results of remote HTTP requests: fetching something else based on that result
// is no worse than following a redirect returned by the remote server, and typically
// we're requesting a resource via https which we trust to only send us to safe URLs.
not source.asExpr().(MethodCall).getCallee() instanceof UrlConnectionGetInputStreamMethod
}
override predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
any(RequestForgeryAdditionalTaintStep r).propagatesTaint(pred, succ)
}
override predicate isSanitizer(DataFlow::Node node) { node instanceof RequestForgerySanitizer }
}
/**
* A taint-tracking configuration characterising request-forgery risks.
*/
module RequestForgeryConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source instanceof ThreatModelFlowSource and
// Exclude results of remote HTTP requests: fetching something else based on that result
// is no worse than following a redirect returned by the remote server, and typically
// we're requesting a resource via https which we trust to only send us to safe URLs.
not source.asExpr().(MethodCall).getCallee() instanceof UrlConnectionGetInputStreamMethod
}
predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
any(RequestForgeryAdditionalTaintStep r).propagatesTaint(pred, succ)
}
predicate isBarrier(DataFlow::Node node) { node instanceof RequestForgerySanitizer }
predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
}
module RequestForgeryFlow = TaintTracking::Global<RequestForgeryConfig>;
Reference in New Issue View Git Blame Copy Permalink