
Commit 8dc522f

committed
Merge remote-tracking branch 'origin/LoadClassNoSignatureCheck' into LoadClassNoSignatureCheck
2 parents 25c818f + 3970852 commit 8dc522f


1 file changed

+6
-8
lines changed


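--- a/java/ql/src/experimental/Security/CWE/CWE-470/LoadClassNoSignatureCheck.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-470/LoadClassNoSignatureCheck.ql
@@ -7,21 +7,20 @@
 * @problem.severity error
 * @precision high
 * @kind path-problem
-* @id java/unsafe-reflection
+* @id java/android/unsafe-reflection
 * @tags security
 * experimental
 * external/cwe/cwe-470
 */
 
 import java
-import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.controlflow.Guards
 import semmle.code.java.dataflow.SSA
 import semmle.code.java.frameworks.android.Intent
 
 class CheckSignaturesGuard extends Guard instanceof EqualityTest {
-MethodAccess checkSignatures;
+MethodCall checkSignatures;
 
 CheckSignaturesGuard() {
 this.getAnOperand() = checkSignatures and
@@ -52,23 +51,23 @@ predicate signatureChecked(Expr safe) {
 
 module InsecureLoadingConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node src) {
-exists(Method m | m = src.asExpr().(MethodAccess).getMethod() |
+exists(Method m | m = src.asExpr().(MethodCall).getMethod() |
 m.getDeclaringType().getASourceSupertype*() instanceof TypeContext and
 m.hasName("createPackageContext") and
-not signatureChecked(src.asExpr().(MethodAccess).getArgument(0))
+not signatureChecked(src.asExpr().(MethodCall).getArgument(0))
 )
 }
 
 predicate isSink(DataFlow::Node sink) {
-exists(MethodAccess ma |
+exists(MethodCall ma |
 ma.getMethod().hasQualifiedName("java.lang", "ClassLoader", "loadClass")
 |
 sink.asExpr() = ma.getQualifier()
 )
 }
 
 predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-exists(MethodAccess ma, Method m |
+exists(MethodCall ma, Method m |
 ma.getMethod() = m and
 m.getDeclaringType().getASourceSupertype*() instanceof TypeContext and
 m.hasName("getClassLoader")
@@ -87,4 +86,3 @@ from InsecureLoadFlow::PathNode source, InsecureLoadFlow::PathNode sink
 where InsecureLoadFlow::flowPath(source, sink)
 select sink.getNode(), source, sink, "Class loaded from a $@ without signature check",
 source.getNode(), "third party library"
-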
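Review bot: `isSink` matches `loadClass` only by its exact qualified name on `java.lang.ClassLoader`, whereas `isSource` and `isAdditionalFlowStep` in the same module match through `getDeclaringType().getASourceSupertype*()`. A call that resolves to a `loadClass` override declared in a `ClassLoader` subclass would presumably not be treated as a sink, so the query could miss loads through custom loaders. Consider `ma.getMethod().getDeclaringType().getASourceSupertype*().hasQualifiedName("java.lang", "ClassLoader") and ma.getMethod().hasName("loadClass")`, and confirm the result set against the existing tests. The variables still named `ma` now hold a `MethodCall`, so `call` would read more clearly. The body of `isAdditionalFlowStep` continues past the end of the second hunk.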
