Resolve ambiguous method access

luchua-bc · luchua-bc · commit 56e3b301e9c5 · 2021-02-23T15:18:07.000Z
diff --git a/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql b/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql
@@ -24,7 +24,9 @@ class SensitiveInfoExpr extends Expr {
 }
 
 /** Holds if `m` is a method of some override of `HttpServlet.doGet`. */
-private predicate isGetServletMethod(Method m) { isServletMethod(m) and m.getName() = "doGet" }
+private predicate isGetServletMethod(Method m) {
+  isServletRequestMethod(m) and m.getName() = "doGet"
+}
 
 /** The `doGet` method of `HttpServlet`. */
 class DoGetServletMethod extends Method {
@@ -63,7 +65,7 @@ class SensitiveGetQueryConfiguration extends TaintTracking::Configuration {
 
   /** Holds if the node is in a servlet method other than `doGet`. */
   override predicate isSanitizer(DataFlow::Node node) {
-    isServletMethod(node.getEnclosingCallable()) and
+    isServletRequestMethod(node.getEnclosingCallable()) and
     not isGetServletMethod(node.getEnclosingCallable())
   }
 }
diff --git a/java/ql/src/semmle/code/java/frameworks/Servlets.qll b/java/ql/src/semmle/code/java/frameworks/Servlets.qll
@@ -324,7 +324,7 @@ class ServletWebXMLListenerType extends RefType {
 }
 
 /** Holds if `m` is a request handler method (for example `doGet` or `doPost`). */
-predicate isServletMethod(Method m) {
+predicate isServletRequestMethod(Method m) {
   m.getDeclaringType() instanceof ServletClass and
   m.getNumberOfParameters() = 2 and
   m.getParameter(0).getType() instanceof ServletRequest and

Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,9 @@ class SensitiveInfoExpr extends Expr {`
`24`	`24`	`}`
`25`	`25`
`26`	`26`	/** Holds if `m` is a method of some override of `HttpServlet.doGet`. */
`27`		`-private predicate isGetServletMethod(Method m) { isServletMethod(m) and m.getName() = "doGet" }`
	`27`	`+private predicate isGetServletMethod(Method m) {`
	`28`	`+ isServletRequestMethod(m) and m.getName() = "doGet"`
	`29`	`+}`
`28`	`30`
`29`	`31`	/** The `doGet` method of `HttpServlet`. */
`30`	`32`	`class DoGetServletMethod extends Method {`
`@@ -63,7 +65,7 @@ class SensitiveGetQueryConfiguration extends TaintTracking::Configuration {`
`63`	`65`
`64`	`66`	/** Holds if the node is in a servlet method other than `doGet`. */
`65`	`67`	`override predicate isSanitizer(DataFlow::Node node) {`
`66`		`- isServletMethod(node.getEnclosingCallable()) and`
	`68`	`+ isServletRequestMethod(node.getEnclosingCallable()) and`
`67`	`69`	`not isGetServletMethod(node.getEnclosingCallable())`
`68`	`70`	`}`
`69`	`71`	`}`
Original file line number	Diff line number	Diff line change
`@@ -324,7 +324,7 @@ class ServletWebXMLListenerType extends RefType {`
`324`	`324`	`}`
`325`	`325`
`326`	`326`	/** Holds if `m` is a request handler method (for example `doGet` or `doPost`). */
`327`		`-predicate isServletMethod(Method m) {`
	`327`	`+predicate isServletRequestMethod(Method m) {`
`328`	`328`	`m.getDeclaringType() instanceof ServletClass and`
`329`	`329`	`m.getNumberOfParameters() = 2 and`
`330`	`330`	`m.getParameter(0).getType() instanceof ServletRequest and`