Cover both javax.el and jakarta.el packages

artem-smotrakov · artem-smotrakov · commit 6c246994035a · 2021-03-21T21:19:39.000+03:00
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
@@ -77,22 +77,26 @@ private class TaintPropagatingCall extends Call {
   }
 }
 
-private class ELProcessor extends RefType {
-  ELProcessor() { hasQualifiedName("javax.el", "ELProcessor") }
+private class JakartaType extends RefType {
+  JakartaType() { getPackage().hasName(["javax.el", "jakarta.el"]) }
 }
 
-private class ExpressionFactory extends RefType {
-  ExpressionFactory() { hasQualifiedName("javax.el", "ExpressionFactory") }
+private class ELProcessor extends JakartaType {
+  ELProcessor() { hasName("ELProcessor") }
 }
 
-private class ValueExpression extends RefType {
-  ValueExpression() { hasQualifiedName("javax.el", "ValueExpression") }
+private class ExpressionFactory extends JakartaType {
+  ExpressionFactory() { hasName("ExpressionFactory") }
 }
 
-private class MethodExpression extends RefType {
-  MethodExpression() { hasQualifiedName("javax.el", "MethodExpression") }
+private class ValueExpression extends JakartaType {
+  ValueExpression() { hasName("ValueExpression") }
+}
+
+private class MethodExpression extends JakartaType {
+  MethodExpression() { hasName("MethodExpression") }
 }
 
 private class LambdaExpression extends RefType {
-  LambdaExpression() { hasQualifiedName("javax.el", "LambdaExpression") }
+  LambdaExpression() { hasName("LambdaExpression") }
 }

Original file line number	Diff line number	Diff line change
`@@ -77,22 +77,26 @@ private class TaintPropagatingCall extends Call {`
`77`	`77`	`}`
`78`	`78`	`}`
`79`	`79`
`80`		`-private class ELProcessor extends RefType {`
`81`		`- ELProcessor() { hasQualifiedName("javax.el", "ELProcessor") }`
	`80`	`+private class JakartaType extends RefType {`
	`81`	`+ JakartaType() { getPackage().hasName(["javax.el", "jakarta.el"]) }`
`82`	`82`	`}`
`83`	`83`
`84`		`-private class ExpressionFactory extends RefType {`
`85`		`- ExpressionFactory() { hasQualifiedName("javax.el", "ExpressionFactory") }`
	`84`	`+private class ELProcessor extends JakartaType {`
	`85`	`+ ELProcessor() { hasName("ELProcessor") }`
`86`	`86`	`}`
`87`	`87`
`88`		`-private class ValueExpression extends RefType {`
`89`		`- ValueExpression() { hasQualifiedName("javax.el", "ValueExpression") }`
	`88`	`+private class ExpressionFactory extends JakartaType {`
	`89`	`+ ExpressionFactory() { hasName("ExpressionFactory") }`
`90`	`90`	`}`
`91`	`91`
`92`		`-private class MethodExpression extends RefType {`
`93`		`- MethodExpression() { hasQualifiedName("javax.el", "MethodExpression") }`
	`92`	`+private class ValueExpression extends JakartaType {`
	`93`	`+ ValueExpression() { hasName("ValueExpression") }`
	`94`	`+}`
	`95`	`+`
	`96`	`+private class MethodExpression extends JakartaType {`
	`97`	`+ MethodExpression() { hasName("MethodExpression") }`
`94`	`98`	`}`
`95`	`99`
`96`	`100`	`private class LambdaExpression extends RefType {`
`97`		`- LambdaExpression() { hasQualifiedName("javax.el", "LambdaExpression") }`
	`101`	`+ LambdaExpression() { hasName("LambdaExpression") }`
`98`	`102`	`}`