Java: adjust BarrierPrefix to handle prepended chars

Jami Cogswell · Jami Cogswell · commit 1b01f26d09dc · 2024-03-13T16:28:45.000-04:00
diff --git a/java/ql/lib/semmle/code/java/security/UrlForward.qll b/java/ql/lib/semmle/code/java/security/UrlForward.qll
@@ -71,6 +71,8 @@ private class BarrierPrefix extends InterestingPrefix {
     // Matches strings that look like when prepended to untrusted input, they will restrict
     // the path of a URL: for example, anything containing `?` or `#`.
     exists(this.getStringValue().regexpFind("[?#]", 0, offset))
+    or
+    this.(CharacterLiteral).getValue() = ["?", "#"] and offset = 0
   }
 
   override int getOffset() { result = offset }
diff --git a/java/ql/test/query-tests/security/CWE-552/UrlForwardTest.java b/java/ql/test/query-tests/security/CWE-552/UrlForwardTest.java
@@ -389,7 +389,7 @@ protected void doGet2(HttpServletRequest request, HttpServletResponse response)
 		}
 	}
 
-	// Test `StringBuilder.append` sequence with `?` appended before the user input
+	// GOOD: char `?` appended before the user input
 	private static final String LOGIN_URL = "/UI/Login";
 
 	public void doPost2(HttpServletRequest request, HttpServletResponse response)
@@ -399,14 +399,13 @@ public void doPost2(HttpServletRequest request, HttpServletResponse response)
 
 		String queryString = request.getQueryString();
 
-		// should be sanitized due to the `?` appended
 		forwardUrl.append('?').append(queryString);
 
 		String fUrl = forwardUrl.toString();
 
 		ServletConfig config = getServletConfig();
 
-        RequestDispatcher dispatcher = config.getServletContext().getRequestDispatcher(fUrl); // $ SPURIOUS: hasUrlForward
+        RequestDispatcher dispatcher = config.getServletContext().getRequestDispatcher(fUrl);
         dispatcher.forward(request, response);
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -71,6 +71,8 @@ private class BarrierPrefix extends InterestingPrefix {`
`71`	`71`	`// Matches strings that look like when prepended to untrusted input, they will restrict`
`72`	`72`	// the path of a URL: for example, anything containing `?` or `#`.
`73`	`73`	`exists(this.getStringValue().regexpFind("[?#]", 0, offset))`
	`74`	`+ or`
	`75`	`+ this.(CharacterLiteral).getValue() = ["?", "#"] and offset = 0`
`74`	`76`	`}`
`75`	`77`
`76`	`78`	`override int getOffset() { result = offset }`
Original file line number	Diff line number	Diff line change
`@@ -389,7 +389,7 @@ protected void doGet2(HttpServletRequest request, HttpServletResponse response)`
`389`	`389`	`}`
`390`	`390`	`}`
`391`	`391`
`392`		- // Test `StringBuilder.append` sequence with `?` appended before the user input
	`392`	+ // GOOD: char `?` appended before the user input
`393`	`393`	`private static final String LOGIN_URL = "/UI/Login";`
`394`	`394`
`395`	`395`	`public void doPost2(HttpServletRequest request, HttpServletResponse response)`
`@@ -399,14 +399,13 @@ public void doPost2(HttpServletRequest request, HttpServletResponse response)`
`399`	`399`
`400`	`400`	`String queryString = request.getQueryString();`
`401`	`401`
`402`		- // should be sanitized due to the `?` appended
`403`	`402`	`forwardUrl.append('?').append(queryString);`
`404`	`403`
`405`	`404`	`String fUrl = forwardUrl.toString();`
`406`	`405`
`407`	`406`	`ServletConfig config = getServletConfig();`
`408`	`407`
`409`		`- RequestDispatcher dispatcher = config.getServletContext().getRequestDispatcher(fUrl); // $ SPURIOUS: hasUrlForward`
	`408`	`+ RequestDispatcher dispatcher = config.getServletContext().getRequestDispatcher(fUrl);`
`410`	`409`	`dispatcher.forward(request, response);`
`411`	`410`	`}`
`412`	`411`	`}`