
Commit 7134eb9

committed
Improve documentation of csv sink models
1 parent 1caa5c4 commit 7134eb9


4 files changed

+26
-3
lines changed


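--- a/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql
+++ b/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql
@@ -124,7 +124,7 @@ class ZipSlipConfiguration extends TaintTracking::Configuration {
 source.asExpr().(MethodAccess).getMethod() instanceof ArchiveEntryNameMethod
 }
 
-override predicate isSink(Node sink) { sinkNode(sink, "create-file") }
+override predicate isSink(Node sink) { sink instanceof FileCreationSink }
 
 override predicate isAdditionalTaintStep(Node n1, Node n2) {
 filePathStep(n1, n2) or fileTaintStep(n1, n2)
@@ -146,6 +146,13 @@ class ZipSlipConfiguration extends TaintTracking::Configuration {
 }
 }
 
+/**
+* A sink that represents a file creation, such as a file write, copy or move operation.
+*/
+private class FileCreationSink extends DataFlow::Node {
+FileCreationSink() { sinkNode(this, "create-file") }
+}
+
 from PathNode source, PathNode sink
 where any(ZipSlipConfiguration c).hasFlowPath(source, sink)
 select source.getNode(), source, sink,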
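Review bot: The QLDoc added for `FileCreationSink` does not say that the class is nothing more than the CSV sink models of kind `create-file`: its characteristic predicate is only `sinkNode(this, "create-file")`, and the model rows are not in this file. Someone triaging a missed Zip Slip result cannot tell from the comment where a file-writing API would have to be added, and "file write, copy or move" cannot be checked against anything visible here. I would reword it to `* A file-creation sink, as defined by the CSV sink models of kind "create-file".` The same applies to `BeanValidationSink` (kind `bean-validation`) in InsecureBeanValidation.ql and `HostnameVerifierSink` (kind `set-hostname-verifier`) in UnsafeHostnameVerification.ql.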

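--- a/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
+++ b/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
@@ -60,7 +60,15 @@ class BeanValidationConfig extends TaintTracking::Configuration {
 
 override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "bean-validation") }
+override predicate isSink(DataFlow::Node sink) { sink instanceof BeanValidationSink }
+}
+
+/**
+* A bean validation sink, such as method `buildConstraintViolationWithTemplate`
+* declared on a subtype of `javax.validation.ConstraintValidatorContext`.
+*/
+private class BeanValidationSink extends DataFlow::Node {
+BeanValidationSink() { sinkNode(this, "bean-validation") }
 }
 
 from BeanValidationConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink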
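Review bot: The comment on `BeanValidationSink` names a method as the sink, but the class extends `DataFlow::Node`, so what it contains is a value passed at a call rather than the callee. For a query whose source is `RemoteFlowSource`, the reader needs to know which value must not be user-controlled. Presumably that is the message template handed to `buildConstraintViolationWithTemplate`, which should be confirmed against the `bean-validation` model rows (not visible here). If so, I would write `* The template argument of a call to buildConstraintViolationWithTemplate on a javax.validation.ConstraintValidatorContext subtype.` The comment on `HostnameVerifierSink` in UnsafeHostnameVerification.ql ("A sink that sets ...") is imprecise in the same way, since the node is presumably the verifier being passed.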

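--- a/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
+++ b/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
@@ -50,7 +50,7 @@ class TrustAllHostnameVerifierConfiguration extends DataFlow::Configuration {
 source.asExpr().(ClassInstanceExpr).getConstructedType() instanceof TrustAllHostnameVerifier
 }
 
-override predicate isSink(DataFlow::Node sink) { sinkNode(sink, "set-hostname-verifier") }
+override predicate isSink(DataFlow::Node sink) { sink instanceof HostnameVerifierSink }
 
 override predicate isBarrier(DataFlow::Node barrier) {
 // ignore nodes that are in functions that intentionally disable hostname verification
@@ -78,6 +78,13 @@ class TrustAllHostnameVerifierConfiguration extends DataFlow::Configuration {
 }
 }
 
+/**
+* A sink that sets the `HostnameVerifier` on `HttpsURLConnection`.
+*/
+private class HostnameVerifierSink extends DataFlow::Node {
+HostnameVerifierSink() { sinkNode(this, "set-hostname-verifier") }
+}
+
 bindingset[result]
 private string getAFlagName() {
 result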

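--- a/java/ql/src/semmle/code/java/security/XSS.qll
+++ b/java/ql/src/semmle/code/java/security/XSS.qll
@@ -29,6 +29,7 @@ class XssAdditionalTaintStep extends Unit {
 abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
 }
 
+/** CSV sink models representing methods susceptible to XSS attacks. */
 private class DefaultXssSinkModel extends SinkModelCsv {
 override predicate row(string row) {
 row =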
