
Commit ad8b766

committed
Allow MaD sanitizers for java/ognl-injection
1 parent 6c458a1 commit ad8b766


2 files changed

+11
-2
lines changed


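--- a/java/ql/lib/semmle/code/java/security/OgnlInjection.qll
+++ b/java/ql/lib/semmle/code/java/security/OgnlInjection.qll
@@ -7,6 +7,7 @@ private import semmle.code.java.dataflow.DataFlow
 private import semmle.code.java.dataflow.FlowSinks
 private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.frameworks.MyBatis
+private import semmle.code.java.security.Sanitizers
 
 /**
 * A data flow sink for unvalidated user input that is used in OGNL EL evaluation.
@@ -15,6 +16,8 @@ private import semmle.code.java.frameworks.MyBatis
 */
 abstract class OgnlInjectionSink extends ApiSinkNode { }
 
+abstract class OgnlInjectionSanitizer extends DataFlow::Node { }
+
 /**
 * A unit class for adding additional taint steps.
 *
@@ -32,6 +35,13 @@ private class DefaultOgnlInjectionSink extends OgnlInjectionSink {
 DefaultOgnlInjectionSink() { sinkNode(this, "ognl-injection") }
 }
 
+private class SimpleTypeOgnlInjectionSanitizer extends OgnlInjectionSanitizer instanceof SimpleTypeSanitizer
+{ }
+
+private class ExternalOgnlInjectionSanitizer extends OgnlInjectionSanitizer {
+ExternalOgnlInjectionSanitizer() { barrierNode(this, "ognl-injection") }
+}
+
 /** The class `org.apache.commons.ognl.Ognl` or `ognl.Ognl`. */
 private class TypeOgnl extends Class {
 TypeOgnl() { this.hasQualifiedName(["org.apache.commons.ognl", "ognl"], "Ognl") }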
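Review bot: The new public `abstract class OgnlInjectionSanitizer extends DataFlow::Node { }` has no QLDoc, while `OgnlInjectionSink` directly above it does. This class is the extension point that decides which nodes stop taint for the query, so I would add `/** A sanitizer for OGNL injection; taint flow through such a node is not reported. */` above it. `ExternalOgnlInjectionSanitizer` would also benefit from a one-line comment saying it is populated by `barrierNode` entries of kind `"ognl-injection"`, presumably supplied by models-as-data as the commit title suggests. That tells a reader that alerts can be suppressed by externally supplied models as well as by QL code in this file.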

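--- a/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/OgnlInjectionQuery.qll
@@ -3,7 +3,6 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.OgnlInjection
-private import semmle.code.java.security.Sanitizers
 
 /**
 * A taint-tracking configuration for unvalidated user input that is used in OGNL EL evaluation.
@@ -13,7 +12,7 @@ module OgnlInjectionFlowConfig implements DataFlow::ConfigSig {
 
 predicate isSink(DataFlow::Node sink) { sink instanceof OgnlInjectionSink }
 
-predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
+predicate isBarrier(DataFlow::Node node) { node instanceof OgnlInjectionSanitizer }
 
 predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
 any(OgnlInjectionAdditionalTaintStep c).step(node1, node2)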
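Review bot: Nothing in this commit tests the wider barrier set that `isBarrier` now accepts: `node instanceof OgnlInjectionSanitizer` includes nodes selected by `barrierNode(this, "ognl-injection")`, and both changed files are library files. A barrier removes results without any visible signal, so an overly broad or mistyped barrier model would hide true-positive OGNL injection alerts. A library test that loads one barrier model of this kind, with one flow that is blocked and a neighbouring flow that is still reported, would pin the intended behaviour. The body of `OgnlInjectionFlowConfig` starts and ends outside this hunk.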
