Getters called on parameters propagate taint

atorralba · atorralba · commit 745a6f6fb4a8 · 2021-05-03T17:43:33.000+02:00
diff --git a/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql b/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql
@@ -28,7 +28,7 @@ class JexlInjectionConfig extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink }
 
   override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-    any(JexlInjectionAdditionalTaintStep c).step(node1, node2) 
+    any(JexlInjectionAdditionalTaintStep c).step(node1, node2)
   }
 }
 
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -14,6 +14,7 @@ private import semmle.code.java.dataflow.ExternalFlow
 private import semmle.code.java.dataflow.internal.DataFlowPrivate
 import semmle.code.java.dataflow.FlowSteps
 private import FlowSummaryImpl as FlowSummaryImpl
+private import semmle.code.java.frameworks.JaxWS
 
 /**
  * Holds if taint can flow from `src` to `sink` in zero or more
@@ -263,6 +264,8 @@ private predicate taintPreservingQualifierToMethod(Method m) {
   )
   or
   m.(TaintPreservingCallable).returnsTaintFrom(-1)
+  or
+  exists(JaxRsResourceMethod resourceMethod | m.(GetterMethod).getDeclaringType() = resourceMethod.getAParameter().getType())
 }
 
 private class StringReplaceMethod extends TaintPreservingCallable {

Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ class JexlInjectionConfig extends TaintTracking::Configuration {`
`28`	`28`	`override predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink }`
`29`	`29`
`30`	`30`	`override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {`
`31`		`- any(JexlInjectionAdditionalTaintStep c).step(node1, node2)`
	`31`	`+ any(JexlInjectionAdditionalTaintStep c).step(node1, node2)`
`32`	`32`	`}`
`33`	`33`	`}`
`34`	`34`
Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,7 @@ private import semmle.code.java.dataflow.ExternalFlow`
`14`	`14`	`private import semmle.code.java.dataflow.internal.DataFlowPrivate`
`15`	`15`	`import semmle.code.java.dataflow.FlowSteps`
`16`	`16`	`private import FlowSummaryImpl as FlowSummaryImpl`
	`17`	`+private import semmle.code.java.frameworks.JaxWS`
`17`	`18`
`18`	`19`	`/**`
`19`	`20`	* Holds if taint can flow from `src` to `sink` in zero or more
`@@ -263,6 +264,8 @@ private predicate taintPreservingQualifierToMethod(Method m) {`
`263`	`264`	`)`
`264`	`265`	`or`
`265`	`266`	`m.(TaintPreservingCallable).returnsTaintFrom(-1)`
	`267`	`+ or`
	`268`	`+ exists(JaxRsResourceMethod resourceMethod \| m.(GetterMethod).getDeclaringType() = resourceMethod.getAParameter().getType())`
`266`	`269`	`}`
`267`	`270`
`268`	`271`	`private class StringReplaceMethod extends TaintPreservingCallable {`