Use RemoteFlowSource instead of UserInput

atorralba · atorralba · commit a484e9fb0689 · 2021-09-14T13:16:09.000+02:00
diff --git a/java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql b/java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql
@@ -35,7 +35,7 @@ predicate conditionControlsMethod(MethodAccess m, Expr e) {
 class ConditionalBypassFlowConfig extends TaintTracking::Configuration {
   ConditionalBypassFlowConfig() { this = "ConditionalBypassFlowConfig" }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof UserInput }
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   override predicate isSink(DataFlow::Node sink) { conditionControlsMethod(_, sink.asExpr()) }
 }

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ predicate conditionControlsMethod(MethodAccess m, Expr e) {`
`35`	`35`	`class ConditionalBypassFlowConfig extends TaintTracking::Configuration {`
`36`	`36`	`ConditionalBypassFlowConfig() { this = "ConditionalBypassFlowConfig" }`
`37`	`37`
`38`		`- override predicate isSource(DataFlow::Node source) { source instanceof UserInput }`
	`38`	`+ override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }`
`39`	`39`
`40`	`40`	`override predicate isSink(DataFlow::Node sink) { conditionControlsMethod(_, sink.asExpr()) }`
`41`	`41`	`}`