Removed LocalUserInput in JexlInjectionLib.ql

artem-smotrakov · artem-smotrakov · commit 59f48ecea3d7 · 2021-01-29T12:38:51.000+01:00
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/JexlInjectionLib.qll
@@ -12,8 +12,7 @@ class JexlInjectionConfig extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) {
     source instanceof TaintedSpringRequestBody or
-    source instanceof RemoteFlowSource or
-    source instanceof LocalUserInput
+    source instanceof RemoteFlowSource
   }
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink }

Original file line number	Diff line number	Diff line change
`@@ -12,8 +12,7 @@ class JexlInjectionConfig extends TaintTracking::Configuration {`
`12`	`12`
`13`	`13`	`override predicate isSource(DataFlow::Node source) {`
`14`	`14`	`source instanceof TaintedSpringRequestBody or`
`15`		`- source instanceof RemoteFlowSource or`
`16`		`- source instanceof LocalUserInput`
	`15`	`+ source instanceof RemoteFlowSource`
`17`	`16`	`}`
`18`	`17`
`19`	`18`	`override predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink }`