@@ -18,10 +18,10 @@ module RequestForgery {
18
18
abstract private class Sink extends DataFlow:: ExprNode { }
19
19
20
20
/**
21
- * A data flow BarrierGuard which blocks the flow of taint for
21
+ * A data flow Barrier that blocks the flow of taint for
22
22
* server side request forgery vulnerabilities.
23
23
*/
24
- abstract private class BarrierGuard extends DataFlow:: BarrierGuard { }
24
+ abstract private class Barrier extends DataFlow:: Node { }
25
25
26
26
/**
27
27
* A data flow configuration for detecting server side request forgery vulnerabilities.
@@ -51,9 +51,7 @@ module RequestForgery {
51
51
pathCombineStep ( prev , succ )
52
52
}
53
53
54
- override predicate isBarrierGuard ( DataFlow:: BarrierGuard guard ) {
55
- guard instanceof BarrierGuard
56
- }
54
+ override predicate isBarrier ( DataFlow:: Node node ) { node instanceof Barrier }
57
55
}
58
56
59
57
/**
@@ -129,36 +127,38 @@ module RequestForgery {
129
127
* to be a guard for Server Side Request Forgery(SSRF) Vulnerabilities.
130
128
* This guard considers all checks as valid.
131
129
*/
132
- private class BaseUriGuard extends BarrierGuard , MethodCall {
133
- BaseUriGuard ( ) { this .getTarget ( ) .hasQualifiedName ( "System.Uri" , "IsBaseOf" ) }
134
-
135
- override predicate checks ( Expr e , AbstractValue v ) {
136
- // we consider any checks against the tainted value to sainitize the taint.
137
- // This implies any check such as shown below block the taint flow.
138
- // Uri url = new Uri("whitelist.com")
139
- // if (url.isBaseOf(`taint1))
140
- ( e = this .getArgument ( 0 ) or e = this .getQualifier ( ) ) and
141
- v .( AbstractValues:: BooleanValue ) .getValue ( ) = true
142
- }
130
+ private predicate baseUriGuard ( Guard g , Expr e , AbstractValue v ) {
131
+ g .( MethodCall ) .getTarget ( ) .hasQualifiedName ( "System.Uri" , "IsBaseOf" ) and
132
+ // we consider any checks against the tainted value to sainitize the taint.
133
+ // This implies any check such as shown below block the taint flow.
134
+ // Uri url = new Uri("whitelist.com")
135
+ // if (url.isBaseOf(`taint1))
136
+ ( e = g .( MethodCall ) .getArgument ( 0 ) or e = g .( MethodCall ) .getQualifier ( ) ) and
137
+ v .( AbstractValues:: BooleanValue ) .getValue ( ) = true
138
+ }
139
+
140
+ private class BaseUriBarrier extends Barrier {
141
+ BaseUriBarrier ( ) { this = DataFlow:: BarrierGuard< baseUriGuard / 3 > :: getABarrierNode ( ) }
143
142
}
144
143
145
144
/**
146
145
* A method call which checks if the Uri starts with a white-listed string is assumed
147
146
* to be a guard for Server Side Request Forgery(SSRF) Vulnerabilities.
148
147
* This guard considers all checks as valid.
149
148
*/
150
- private class StringStartsWithBarrierGuard extends BarrierGuard , MethodCall {
151
- StringStartsWithBarrierGuard ( ) {
152
- this .getTarget ( ) .hasQualifiedName ( "System.String" , "StartsWith" )
153
- }
154
-
155
- override predicate checks ( Expr e , AbstractValue v ) {
156
- // Any check such as the ones shown below
157
- // "https://myurl.com/".startsWith(`taint`)
158
- // `taint`.startsWith("https://myurl.com/")
159
- // are assumed to sainitize the taint
160
- ( e = this .getQualifier ( ) or this .getArgument ( 0 ) = e ) and
161
- v .( AbstractValues:: BooleanValue ) .getValue ( ) = true
149
+ private predicate stringStartsWithGuard ( Guard g , Expr e , AbstractValue v ) {
150
+ g .( MethodCall ) .getTarget ( ) .hasQualifiedName ( "System.String" , "StartsWith" ) and
151
+ // Any check such as the ones shown below
152
+ // "https://myurl.com/".startsWith(`taint`)
153
+ // `taint`.startsWith("https://myurl.com/")
154
+ // are assumed to sainitize the taint
155
+ ( e = g .( MethodCall ) .getQualifier ( ) or g .( MethodCall ) .getArgument ( 0 ) = e ) and
156
+ v .( AbstractValues:: BooleanValue ) .getValue ( ) = true
157
+ }
158
+
159
+ private class StringStartsWithBarrier extends Barrier {
160
+ StringStartsWithBarrier ( ) {
161
+ this = DataFlow:: BarrierGuard< stringStartsWithGuard / 3 > :: getABarrierNode ( )
162
162
}
163
163
}
164
164
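Review bot: The two QLDoc blocks beginning "A method call which checks…" now sit on the predicates `baseUriGuard` and `stringStartsWithGuard`, so the new classes `BaseUriBarrier` and `StringStartsWithBarrier` have no documentation and the text no longer describes what it is attached to. Both predicates bind `e` to either the qualifier or argument 0 and never inspect the compared value, so any `IsBaseOf` or `StartsWith` call that evaluates to true clears taint, and the query will stay silent when the allow-list prefix is too loose (for example one that does not end at a host boundary). I would reword the predicate docs to start "Holds if `g` is a call to … and `e` is guarded when the result is `v`", and add to each class something like `/** A node guarded by a true System.String.StartsWith result; the compared value is not inspected, so weak prefixes are not reported. */`. The carried-over inline comments also still read "sainitize" and show `isBaseOf`/`startsWith` in lower case, which this rewrite is a good chance to fix. The file header and the opening lines of the first of these doc comments are outside the visible hunks.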