Simplified JexlInjectionLib.qll and removed LocalUserInput

artem-smotrakov · artem-smotrakov · commit 6b66323ac3ed · 2021-03-02T21:22:46.000+01:00
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll
@@ -12,8 +12,7 @@ class JexlInjectionConfig extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) {
     source instanceof TaintedSpringRequestBody or
-    source instanceof RemoteFlowSource or
-    source instanceof LocalUserInput
+    source instanceof RemoteFlowSource
   }
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink }
@@ -30,7 +29,7 @@ class JexlInjectionConfig extends TaintTracking::Configuration {
  */
 private class TaintedSpringRequestBody extends DataFlow::Node {
   TaintedSpringRequestBody() {
-    exists(SpringServletInputAnnotation a | this.asParameter().getAnAnnotation() = a)
+    this.asParameter().getAnAnnotation() instanceof SpringServletInputAnnotation
   }
 }
 
@@ -137,7 +136,7 @@ private class SandboxedJexlSource extends DataFlow::ExprNode {
       m.getDeclaringType() instanceof JexlBuilder and
       m.hasName(["uberspect", "sandbox"]) and
       m.getReturnType() instanceof JexlBuilder and
-      (ma = this.asExpr() or ma.getQualifier() = this.asExpr())
+      this.asExpr() = [ma, ma.getQualifier()]
     )
     or
     exists(ConstructorCall cc |

Original file line number	Diff line number	Diff line change
`@@ -12,8 +12,7 @@ class JexlInjectionConfig extends TaintTracking::Configuration {`
`12`	`12`
`13`	`13`	`override predicate isSource(DataFlow::Node source) {`
`14`	`14`	`source instanceof TaintedSpringRequestBody or`
`15`		`- source instanceof RemoteFlowSource or`
`16`		`- source instanceof LocalUserInput`
	`15`	`+ source instanceof RemoteFlowSource`
`17`	`16`	`}`
`18`	`17`
`19`	`18`	`override predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink }`
`@@ -30,7 +29,7 @@ class JexlInjectionConfig extends TaintTracking::Configuration {`
`30`	`29`	`*/`
`31`	`30`	`private class TaintedSpringRequestBody extends DataFlow::Node {`
`32`	`31`	`TaintedSpringRequestBody() {`
`33`		`- exists(SpringServletInputAnnotation a \| this.asParameter().getAnAnnotation() = a)`
	`32`	`+ this.asParameter().getAnAnnotation() instanceof SpringServletInputAnnotation`
`34`	`33`	`}`
`35`	`34`	`}`
`36`	`35`
`@@ -137,7 +136,7 @@ private class SandboxedJexlSource extends DataFlow::ExprNode {`
`137`	`136`	`m.getDeclaringType() instanceof JexlBuilder and`
`138`	`137`	`m.hasName(["uberspect", "sandbox"]) and`
`139`	`138`	`m.getReturnType() instanceof JexlBuilder and`
`140`		`- (ma = this.asExpr() or ma.getQualifier() = this.asExpr())`
	`139`	`+ this.asExpr() = [ma, ma.getQualifier()]`
`141`	`140`	`)`
`142`	`141`	`or`
`143`	`142`	`exists(ConstructorCall cc \|`