
Commit 14ec148

author
Porcuiney Hairs
committed
refactor to meet experimental guidelines.
1 parent 602f63a commit 14ec148


2 files changed

+18
-17
lines changed

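--- a/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulationLib.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulationLib.qll
@@ -20,6 +20,22 @@ predicate thymeleafIsUsed() {
 exists(SpringBean b | b.getClassNameRaw().matches("org.thymeleaf.spring%"))
 }
 
+/** Models methods from the `javax.portlet.RenderState` package which return data from externally controlled sources. */
+class PortletRenderRequestMethod extends Method {
+PortletRenderRequestMethod() {
+exists(RefType c, Interface t |
+c.extendsOrImplements*(t) and
+t.hasQualifiedName("javax.portlet", "RenderState") and
+this = c.getAMethod()
+|
+this.hasName([
+"getCookies", "getParameter", "getRenderParameters", "getParameterNames",
+"getParameterValues", "getParameterMap"
+])
+)
+}
+}
+
 /**
 * A taint-tracking configuration for unsafe user input
 * that can lead to Spring View Manipulation vulnerabilities.
@@ -29,7 +45,8 @@ class SpringViewManipulationConfig extends TaintTracking::Configuration {
 
 override predicate isSource(DataFlow::Node source) {
 source instanceof RemoteFlowSource or
-source instanceof WebRequestSource
+source instanceof WebRequestSource or
+source.asExpr().(MethodAccess).getMethod() instanceof PortletRenderRequestMethod
 }
 
 override predicate isSink(DataFlow::Node sink) { sink instanceof SpringViewManipulationSink }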
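Review bot: The characteristic predicate of `PortletRenderRequestMethod` anchors the source model on `javax.portlet.RenderState` alone, and its doc comment calls that a package although `hasQualifiedName("javax.portlet", "RenderState")` names an interface inside the `javax.portlet` package; the comment should say it models methods declared on subtypes of that interface. As far as I know `RenderState` exists only from Portlet 3.0 on, so in code compiled against the 2.0 API, where `getParameter` and the other listed getters sit on `PortletRequest`, this class would likely match nothing and the view-manipulation query would report no portlet-sourced flows. Consider `t.hasQualifiedName("javax.portlet", ["RenderState", "PortletRequest"])` and a test stub for each API version. Because the same commit removes the equivalent class from `RemoteTaintedMethod` in FlowSources.qll, the new disjunct in `isSource` is the only place these getters are treated as tainted, so any gap here is a silent false negative.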

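--- a/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
+++ b/java/ql/src/semmle/code/java/dataflow/FlowSources.qll
@@ -256,7 +256,6 @@ private class RemoteTaintedMethod extends Method {
 this instanceof ServletRequestGetParameterMethod or
 this instanceof ServletRequestGetParameterMapMethod or
 this instanceof ServletRequestGetParameterNamesMethod or
-this instanceof PortletRenderRequestGetParameterMethod or
 this instanceof HttpServletRequestGetQueryStringMethod or
 this instanceof HttpServletRequestGetHeaderMethod or
 this instanceof HttpServletRequestGetPathMethod or
@@ -309,21 +308,6 @@ class EnvReadMethod extends Method {
 }
 }
 
-private class PortletRenderRequestGetParameterMethod extends Method {
-PortletRenderRequestGetParameterMethod() {
-exists(RefType c, Interface t |
-c.extendsOrImplements*(t) and
-t.hasQualifiedName("javax.portlet", "RenderState") and
-this = c.getAMethod()
-|
-this.hasName([
-"getCookies", "getParameter", "getRenderParameters", "getParameterNames",
-"getParameterValues", "getParameterMap"
-])
-)
-}
-}
-
 /** The type `java.net.InetAddress`. */
 class TypeInetAddr extends RefType {
 TypeInetAddr() { this.getQualifiedName() = "java.net.InetAddress" }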
