refactor to meet experimental guidelines.

Porcuiney Hairs · Porcuiney Hairs · commit 14ec1482721b · 2021-03-01T18:46:33.000+05:30
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulationLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulationLib.qll
@@ -20,6 +20,22 @@ predicate thymeleafIsUsed() {
   exists(SpringBean b | b.getClassNameRaw().matches("org.thymeleaf.spring%"))
 }
 
+/** Models methods from the `javax.portlet.RenderState` package which return data from externally controlled sources. */
+class PortletRenderRequestMethod extends Method {
+  PortletRenderRequestMethod() {
+    exists(RefType c, Interface t |
+      c.extendsOrImplements*(t) and
+      t.hasQualifiedName("javax.portlet", "RenderState") and
+      this = c.getAMethod()
+    |
+      this.hasName([
+          "getCookies", "getParameter", "getRenderParameters", "getParameterNames",
+          "getParameterValues", "getParameterMap"
+        ])
+    )
+  }
+}
+
 /**
  * A taint-tracking configuration for unsafe user input
  * that can lead to Spring View Manipulation vulnerabilities.
@@ -29,7 +45,8 @@ class SpringViewManipulationConfig extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) {
     source instanceof RemoteFlowSource or
-    source instanceof WebRequestSource
+    source instanceof WebRequestSource or
+    source.asExpr().(MethodAccess).getMethod() instanceof PortletRenderRequestMethod
   }
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof SpringViewManipulationSink }
diff --git a/java/ql/src/semmle/code/java/dataflow/FlowSources.qll b/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
@@ -256,7 +256,6 @@ private class RemoteTaintedMethod extends Method {
     this instanceof ServletRequestGetParameterMethod or
     this instanceof ServletRequestGetParameterMapMethod or
     this instanceof ServletRequestGetParameterNamesMethod or
-    this instanceof PortletRenderRequestGetParameterMethod or
     this instanceof HttpServletRequestGetQueryStringMethod or
     this instanceof HttpServletRequestGetHeaderMethod or
     this instanceof HttpServletRequestGetPathMethod or
@@ -309,21 +308,6 @@ class EnvReadMethod extends Method {
   }
 }
 
-private class PortletRenderRequestGetParameterMethod extends Method {
-  PortletRenderRequestGetParameterMethod() {
-    exists(RefType c, Interface t |
-      c.extendsOrImplements*(t) and
-      t.hasQualifiedName("javax.portlet", "RenderState") and
-      this = c.getAMethod()
-    |
-      this.hasName([
-          "getCookies", "getParameter", "getRenderParameters", "getParameterNames",
-          "getParameterValues", "getParameterMap"
-        ])
-    )
-  }
-}
-
 /** The type `java.net.InetAddress`. */
 class TypeInetAddr extends RefType {
   TypeInetAddr() { this.getQualifiedName() = "java.net.InetAddress" }
