Move logic for URL redirection sinks

owen-mc · owen-mc · commit 5d00bb23e462 · 2021-06-16T12:48:11.000+01:00
diff --git a/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql b/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql
@@ -13,19 +13,14 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.UrlRedirect
-import semmle.code.java.dataflow.ExternalFlow
 import DataFlow::PathGraph
 
 class UrlRedirectConfig extends TaintTracking::Configuration {
   UrlRedirectConfig() { this = "UrlRedirectConfig" }
 
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSink(DataFlow::Node sink) {
-    sink instanceof UrlRedirectSink
-    or
-    sinkNode(sink, "url-redirect")
-  }
+  override predicate isSink(DataFlow::Node sink) { sink instanceof UrlRedirectSink }
 }
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, UrlRedirectConfig conf
diff --git a/java/ql/src/semmle/code/java/security/UrlRedirect.qll b/java/ql/src/semmle/code/java/security/UrlRedirect.qll
@@ -2,13 +2,19 @@
 
 import java
 import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.ExternalFlow
 import semmle.code.java.frameworks.Servlets
 import semmle.code.java.frameworks.ApacheHttp
 private import semmle.code.java.frameworks.JaxWS
 
-/** A URL redirection sink */
+/** A URL redirection sink. */
 abstract class UrlRedirectSink extends DataFlow::Node { }
 
+/** A default sink represeting methods susceptible to URL redirection attacks. */
+private class DefaultUrlRedirectSink extends UrlRedirectSink {
+  DefaultUrlRedirectSink() { sinkNode(this, "url-redirect") }
+}
+
 /** A Servlet URL redirection sink. */
 private class ServletUrlRedirectSink extends UrlRedirectSink {
   ServletUrlRedirectSink() {
