Update java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql

haby0 · smowton · web-flow · commit 25b012db48c7 · 2021-04-13T23:58:28.000+08:00
Co-authored-by: Chris Smowton &lt;smowton@github.com&gt;
diff --git a/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
@@ -47,7 +47,7 @@ class RequestResponseFlowConfig extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) {
     source instanceof RemoteFlowSource and
-    getACallingCallableOrSelf(source.getEnclosingCallable()) instanceof RequestGetMethod
+    any(RequestGetMethod m).polyCalls*(source.getEnclosingCallable())
   }
 
   override predicate isSink(DataFlow::Node sink) {

Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,7 @@ class RequestResponseFlowConfig extends TaintTracking::Configuration {`
`47`	`47`
`48`	`48`	`override predicate isSource(DataFlow::Node source) {`
`49`	`49`	`source instanceof RemoteFlowSource and`
`50`		`- getACallingCallableOrSelf(source.getEnclosingCallable()) instanceof RequestGetMethod`
	`50`	`+ any(RequestGetMethod m).polyCalls*(source.getEnclosingCallable())`
`51`	`51`	`}`
`52`	`52`
`53`	`53`	`override predicate isSink(DataFlow::Node sink) {`