Skip to content

Commit 4397371

Browse files
smowtonsmowton
committed
Spring constant media types: recognise constant string versions
Previously we only recognised the constant MediaTypes
1 parent b9b34eb commit 4397371

File tree

1 file changed

+28
-26
lines changed

1 file changed

+28
-26
lines changed

java/ql/lib/semmle/code/java/frameworks/spring/SpringHttp.qll

Lines changed: 28 additions & 26 deletions
Original file line numberDiff line numberDiff line change
@@ -194,58 +194,60 @@ private class SpringXssSink extends XSS::XssSink {
194194
private string getSpringConstantContentType(FieldAccess e) {
195195
e.getQualifier().getType().(RefType).hasQualifiedName("org.springframework.http", "MediaType") and
196196
exists(string fieldName | e.getField().hasName(fieldName) |
197-
fieldName = "APPLICATION_ATOM_XML" and result = "application/atom+xml"
197+
fieldName = "APPLICATION_ATOM_XML" + ["", "_VALUE"] and result = "application/atom+xml"
198198
or
199-
fieldName = "APPLICATION_CBOR" and result = "application/cbor"
199+
fieldName = "APPLICATION_CBOR" + ["", "_VALUE"] and result = "application/cbor"
200200
or
201-
fieldName = "APPLICATION_FORM_URLENCODED" and result = "application/x-www-form-urlencoded"
201+
fieldName = "APPLICATION_FORM_URLENCODED" + ["", "_VALUE"] and
202+
result = "application/x-www-form-urlencoded"
202203
or
203-
fieldName = "APPLICATION_JSON" and result = "application/json"
204+
fieldName = "APPLICATION_JSON" + ["", "_VALUE"] and result = "application/json"
204205
or
205-
fieldName = "APPLICATION_JSON_UTF8" and result = "application/json;charset=UTF-8"
206+
fieldName = "APPLICATION_JSON_UTF8" + ["", "_VALUE"] and
207+
result = "application/json;charset=UTF-8"
206208
or
207-
fieldName = "APPLICATION_NDJSON" and result = "application/x-ndjson"
209+
fieldName = "APPLICATION_NDJSON" + ["", "_VALUE"] and result = "application/x-ndjson"
208210
or
209-
fieldName = "APPLICATION_OCTET_STREAM" and result = "application/octet-stream"
211+
fieldName = "APPLICATION_OCTET_STREAM" + ["", "_VALUE"] and result = "application/octet-stream"
210212
or
211-
fieldName = "APPLICATION_PDF" and result = "application/pdf"
213+
fieldName = "APPLICATION_PDF" + ["", "_VALUE"] and result = "application/pdf"
212214
or
213-
fieldName = "APPLICATION_PROBLEM_JSON" and result = "application/problem+json"
215+
fieldName = "APPLICATION_PROBLEM_JSON" + ["", "_VALUE"] and result = "application/problem+json"
214216
or
215-
fieldName = "APPLICATION_PROBLEM_JSON_UTF8" and
217+
fieldName = "APPLICATION_PROBLEM_JSON_UTF8" + ["", "_VALUE"] and
216218
result = "application/problem+json;charset=UTF-8"
217219
or
218-
fieldName = "APPLICATION_PROBLEM_XML" and result = "application/problem+xml"
220+
fieldName = "APPLICATION_PROBLEM_XML" + ["", "_VALUE"] and result = "application/problem+xml"
219221
or
220-
fieldName = "APPLICATION_RSS_XML" and result = "application/rss+xml"
222+
fieldName = "APPLICATION_RSS_XML" + ["", "_VALUE"] and result = "application/rss+xml"
221223
or
222-
fieldName = "APPLICATION_STREAM_JSON" and result = "application/stream+json"
224+
fieldName = "APPLICATION_STREAM_JSON" + ["", "_VALUE"] and result = "application/stream+json"
223225
or
224-
fieldName = "APPLICATION_XHTML_XML" and result = "application/xhtml+xml"
226+
fieldName = "APPLICATION_XHTML_XML" + ["", "_VALUE"] and result = "application/xhtml+xml"
225227
or
226-
fieldName = "APPLICATION_XML" and result = "application/xml"
228+
fieldName = "APPLICATION_XML" + ["", "_VALUE"] and result = "application/xml"
227229
or
228-
fieldName = "IMAGE_GIF" and result = "image/gif"
230+
fieldName = "IMAGE_GIF" + ["", "_VALUE"] and result = "image/gif"
229231
or
230-
fieldName = "IMAGE_JPEG" and result = "image/jpeg"
232+
fieldName = "IMAGE_JPEG" + ["", "_VALUE"] and result = "image/jpeg"
231233
or
232-
fieldName = "IMAGE_PNG" and result = "image/png"
234+
fieldName = "IMAGE_PNG" + ["", "_VALUE"] and result = "image/png"
233235
or
234-
fieldName = "MULTIPART_FORM_DATA" and result = "multipart/form-data"
236+
fieldName = "MULTIPART_FORM_DATA" + ["", "_VALUE"] and result = "multipart/form-data"
235237
or
236-
fieldName = "MULTIPART_MIXED" and result = "multipart/mixed"
238+
fieldName = "MULTIPART_MIXED" + ["", "_VALUE"] and result = "multipart/mixed"
237239
or
238-
fieldName = "MULTIPART_RELATED" and result = "multipart/related"
240+
fieldName = "MULTIPART_RELATED" + ["", "_VALUE"] and result = "multipart/related"
239241
or
240-
fieldName = "TEXT_EVENT_STREAM" and result = "text/event-stream"
242+
fieldName = "TEXT_EVENT_STREAM" + ["", "_VALUE"] and result = "text/event-stream"
241243
or
242-
fieldName = "TEXT_HTML" and result = "text/html"
244+
fieldName = "TEXT_HTML" + ["", "_VALUE"] and result = "text/html"
243245
or
244-
fieldName = "TEXT_MARKDOWN" and result = "text/markdown"
246+
fieldName = "TEXT_MARKDOWN" + ["", "_VALUE"] and result = "text/markdown"
245247
or
246-
fieldName = "TEXT_PLAIN" and result = "text/plain"
248+
fieldName = "TEXT_PLAIN" + ["", "_VALUE"] and result = "text/plain"
247249
or
248-
fieldName = "TEXT_XML" and result = "text/xml"
250+
fieldName = "TEXT_XML" + ["", "_VALUE"] and result = "text/xml"
249251
)
250252
}
251253

0 commit comments

Comments
 (0)