
Commit 9d6b2e7

authored
Merge pull request #4042 from aschackmull/java/xsssink-extensible
Approved by aibaars
2 parents b89a22b + 99c9524 commit 9d6b2e7

4 files changed

+22
-21
lines changed


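--- a/java/ql/src/Security/CWE/CWE-079/XSS.ql
+++ b/java/ql/src/Security/CWE/CWE-079/XSS.ql
@@ -12,11 +12,10 @@
 
 import java
 import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.dataflow.TaintTracking2
 import semmle.code.java.security.XSS
-import DataFlow2::PathGraph
+import DataFlow::PathGraph
 
-class XSSConfig extends TaintTracking2::Configuration {
+class XSSConfig extends TaintTracking::Configuration {
 XSSConfig() { this = "XSSConfig" }
 
 override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
@@ -28,7 +27,7 @@ class XSSConfig extends TaintTracking2::Configuration {
 }
 }
 
-from DataFlow2::PathNode source, DataFlow2::PathNode sink, XSSConfig conf
+from DataFlow::PathNode source, DataFlow::PathNode sink, XSSConfig conf
 where conf.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
 source.getNode(), "user-provided value"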
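Review bot: XSSConfig now extends TaintTracking::Configuration, but the hunk removes the TaintTracking2 import without adding an explicit `import semmle.code.java.dataflow.TaintTracking`, so the name presumably resolves only through a transitive import (FlowSources or XSS) — worth confirming. StackTraceExposure.ql in the same commit does replace its import with the explicit one, and XSS.ql and XSSLocal.ql should match it so the queries do not silently depend on what the library file happens to re-export, particularly now that XSS.qll itself imports TaintTracking2 rather than TaintTracking. The same applies to the import block of XSSLocal.ql.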

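--- a/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql
@@ -12,19 +12,18 @@
 
 import java
 import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.dataflow.TaintTracking2
 import semmle.code.java.security.XSS
-import DataFlow2::PathGraph
+import DataFlow::PathGraph
 
-class XSSLocalConfig extends TaintTracking2::Configuration {
+class XSSLocalConfig extends TaintTracking::Configuration {
 XSSLocalConfig() { this = "XSSLocalConfig" }
 
 override predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
 
 override predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
 }
 
-from DataFlow2::PathNode source, DataFlow2::PathNode sink, XSSLocalConfig conf
+from DataFlow::PathNode source, DataFlow::PathNode sink, XSSLocalConfig conf
 where conf.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
 source.getNode(), "user-provided value"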

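--- a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
+++ b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
@@ -14,7 +14,7 @@
 
 import java
 import semmle.code.java.dataflow.DataFlow
-import semmle.code.java.dataflow.TaintTracking2
+import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.security.XSS
 
 /**
@@ -84,7 +84,7 @@ predicate stackTraceExpr(Expr exception, MethodAccess stackTraceString) {
 )
 }
 
-class StackTraceStringToXssSinkFlowConfig extends TaintTracking2::Configuration {
+class StackTraceStringToXssSinkFlowConfig extends TaintTracking::Configuration {
 StackTraceStringToXssSinkFlowConfig() {
 this = "StackTraceExposure::StackTraceStringToXssSinkFlowConfig"
 }
@@ -124,7 +124,7 @@ class GetMessageFlowSource extends MethodAccess {
 }
 }
 
-class GetMessageFlowSourceToXssSinkFlowConfig extends TaintTracking2::Configuration {
+class GetMessageFlowSourceToXssSinkFlowConfig extends TaintTracking::Configuration {
 GetMessageFlowSourceToXssSinkFlowConfig() {
 this = "StackTraceExposure::GetMessageFlowSourceToXssSinkFlowConfig"
 }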

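--- a/java/ql/src/semmle/code/java/security/XSS.qll
+++ b/java/ql/src/semmle/code/java/security/XSS.qll
@@ -3,33 +3,36 @@ import semmle.code.java.frameworks.Servlets
 import semmle.code.java.frameworks.android.WebView
 import semmle.code.java.frameworks.spring.SpringController
 import semmle.code.java.frameworks.spring.SpringHttp
-import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.TaintTracking2
 
 /*
 * Definitions for XSS sinks
 */
 
-class XssSink extends DataFlow::ExprNode {
-XssSink() {
+abstract class XssSink extends DataFlow::Node { }
+
+private class DefaultXssSink extends XssSink {
+DefaultXssSink() {
 exists(HttpServletResponseSendErrorMethod m, MethodAccess ma |
 ma.getMethod() = m and
-this.getExpr() = ma.getArgument(1)
+this.asExpr() = ma.getArgument(1)
 )
 or
 exists(ServletWriterSourceToWritingMethodFlowConfig writer, MethodAccess ma |
 ma.getMethod() instanceof WritingMethod and
 writer.hasFlowToExpr(ma.getQualifier()) and
-this.getExpr() = ma.getArgument(_)
+this.asExpr() = ma.getArgument(_)
 )
 or
 exists(Method m |
 m.getDeclaringType() instanceof TypeWebView and
 (
-m.getAReference().getArgument(0) = this.getExpr() and m.getName() = "loadData"
+m.getAReference().getArgument(0) = this.asExpr() and m.getName() = "loadData"
 or
-m.getAReference().getArgument(0) = this.getExpr() and m.getName() = "loadUrl"
+m.getAReference().getArgument(0) = this.asExpr() and m.getName() = "loadUrl"
 or
-m.getAReference().getArgument(1) = this.getExpr() and m.getName() = "loadDataWithBaseURL"
+m.getAReference().getArgument(1) = this.asExpr() and m.getName() = "loadDataWithBaseURL"
 )
 )
 or
@@ -77,7 +80,7 @@ class XssSink extends DataFlow::ExprNode {
 }
 }
 
-class ServletWriterSourceToWritingMethodFlowConfig extends TaintTracking::Configuration {
+private class ServletWriterSourceToWritingMethodFlowConfig extends TaintTracking2::Configuration {
 ServletWriterSourceToWritingMethodFlowConfig() {
 this = "XSS::ServletWriterSourceToWritingMethodFlowConfig"
 }
@@ -91,7 +94,7 @@ class ServletWriterSourceToWritingMethodFlowConfig extends TaintTracking::Config
 }
 }
 
-class WritingMethod extends Method {
+private class WritingMethod extends Method {
 WritingMethod() {
 getDeclaringType().getASupertype*().hasQualifiedName("java.io", _) and
 (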
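Review bot: `abstract class XssSink extends DataFlow::Node { }` is the new extension point of this library, yet it carries no QLDoc, and neither does `DefaultXssSink`, so nothing tells a query author that the intended way to add sinks is to subclass XssSink rather than edit this file; suggest `/** A sink that is vulnerable to cross-site scripting. Extend this class to add sinks. */` on the abstract class and `/** The default XSS sinks: servlet error/response writes and WebView loads. */` on the private one. The supertype also moves from DataFlow::ExprNode to DataFlow::Node, so any query outside this commit that calls `getExpr()` on an XssSink would presumably no longer compile; the three queries updated here only use `getNode()`, so they are unaffected. Making ServletWriterSourceToWritingMethodFlowConfig and WritingMethod private is likewise a visibility cut for any external query that referenced them, and if intended deserves a short note in the library's change record. The remaining disjuncts of DefaultXssSink and the bodies of the two private classes continue outside the hunks.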
