Restrict addCookie to specific interface

egregius313 · egregius313 · commit ba3c38c2265b · 2023-12-11T11:18:38.000-05:00
diff --git a/java/ql/lib/semmle/code/java/security/WeakRandomnessQuery.qll b/java/ql/lib/semmle/code/java/security/WeakRandomnessQuery.qll
@@ -57,7 +57,9 @@ abstract class WeakRandomnessSink extends DataFlow::Node { }
 private class CookieSink extends WeakRandomnessSink {
   CookieSink() {
     this.getType() instanceof TypeCookie and
-    exists(MethodAccess ma | ma.getMethod().hasName("addCookie") |
+    exists(MethodAccess ma |
+      ma.getMethod().hasQualifiedName("javax.servlet.http", "HttpServletResponse", "addCookie")
+    |
       ma.getArgument(0) = this.asExpr()
     )
   }

Original file line number	Diff line number	Diff line change
`@@ -57,7 +57,9 @@ abstract class WeakRandomnessSink extends DataFlow::Node { }`
`57`	`57`	`private class CookieSink extends WeakRandomnessSink {`
`58`	`58`	`CookieSink() {`
`59`	`59`	`this.getType() instanceof TypeCookie and`
`60`		`- exists(MethodAccess ma \| ma.getMethod().hasName("addCookie") \|`
	`60`	`+ exists(MethodAccess ma \|`
	`61`	`+ ma.getMethod().hasQualifiedName("javax.servlet.http", "HttpServletResponse", "addCookie")`
	`62`	`+ \|`
`61`	`63`	`ma.getArgument(0) = this.asExpr()`
`62`	`64`	`)`
`63`	`65`	`}`