
Commit 13e1cc5

committed
Add SpringUrlRedirect
1 parent 30cfbb8 commit 13e1cc5

1 file changed

+10
-10
lines changed

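--- a/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql
@@ -15,7 +15,7 @@ import java
 import experimental.semmle.code.java.security.SpringUrlRedirect
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.controlflow.Guards
-import DataFlow::PathGraph
+import SpringUrlRedirectFlow::PathGraph
 
 private predicate startsWithSanitizer(Guard g, Expr e, boolean branch) {
 g.(MethodAccess).getMethod().hasName("startsWith") and
@@ -25,18 +25,16 @@ private predicate startsWithSanitizer(Guard g, Expr e, boolean branch) {
 branch = true
 }
 
-class SpringUrlRedirectFlowConfig extends TaintTracking::Configuration {
-SpringUrlRedirectFlowConfig() { this = "SpringUrlRedirectFlowConfig" }
+module SpringUrlRedirectFlowConfig implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+predicate isSink(DataFlow::Node sink) { sink instanceof SpringUrlRedirectSink }
 
-override predicate isSink(DataFlow::Node sink) { sink instanceof SpringUrlRedirectSink }
-
-override predicate isAdditionalTaintStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
+predicate isAdditionalFlowStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
 springUrlRedirectTaintStep(fromNode, toNode)
 }
 
-override predicate isSanitizer(DataFlow::Node node) {
+predicate isBarrier(DataFlow::Node node) {
 // Exclude the case where the left side of the concatenated string is not `redirect:`.
 // E.g: `String url = "/path?token=" + request.getParameter("token");`
 // Note this is quite a broad sanitizer (it will also sanitize the right-hand side of `url = "http://" + request.getParameter("token")`);
@@ -62,7 +60,9 @@ class SpringUrlRedirectFlowConfig extends TaintTracking::Configuration {
 }
 }
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, SpringUrlRedirectFlowConfig conf
-where conf.hasFlowPath(source, sink)
+module SpringUrlRedirectFlow = TaintTracking::Global<SpringUrlRedirectFlowConfig>;
+
+from SpringUrlRedirectFlow::PathNode source, SpringUrlRedirectFlow::PathNode sink
+where SpringUrlRedirectFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Potentially untrusted URL redirection due to $@.",
 source.getNode(), "user-provided value"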
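Review bot: The comment inside the renamed `isBarrier` predicate (new line 37 onward) still calls it "quite a broad sanitizer" and records a known gap: a concatenation such as `"http://" + request.getParameter("token")` is excluded, so a redirect with a fixed scheme but a request-controlled remainder is not reported. Since this commit already touches the predicate, the wording should follow the new API name and the gap should be marked as deliberate, for example `// Known false negative: this barrier also drops flows like "http://" + <remote input>.` The body of `isBarrier` continues outside the hunk, so the exact exclusion logic is not visible here and may be narrower than the comment suggests. It is also worth confirming that the query's expected test output is unchanged after the move to `TaintTracking::Global`, since the migration is presumably meant to preserve behaviour.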
