Skip to content

Commit 98dcd4e

Browse files
intrigusintrigus
committed
Java: Tighten definition of sink.
1 parent a385b30 commit 98dcd4e

File tree

1 file changed

+12
-6
lines changed

1 file changed

+12
-6
lines changed

java/ql/src/experimental/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql

Lines changed: 12 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -119,10 +119,14 @@ private class JwtParserInsecureParseMethodAccess extends MethodAccess {
119119
* In this case, the signing key is set on a `JwtParserBuilder` indirectly setting the key of `JwtParser` that is created by the call to `build`.
120120
*/
121121
private predicate isSigningKeySetter(Expr expr, MethodAccess signingMa) {
122-
any(SigningToExprDataFlow s).hasFlow(DataFlow::exprNode(signingMa), DataFlow::exprNode(expr))
122+
any(SigningToInsecureMethodAccessDataFlow s)
123+
.hasFlow(DataFlow::exprNode(signingMa), DataFlow::exprNode(expr))
123124
}
124125

125-
/** An expr that is a `JwtParser` for which a signing key has been set. */
126+
/**
127+
* An expr that is a `JwtParser` for which a signing key has been set and which is used as
128+
* the qualifier to a `JwtParserInsecureParseMethodAccess`.
129+
*/
126130
private class JwtParserWithSigningKeyExpr extends Expr {
127131
MethodAccess signingMa;
128132

@@ -136,18 +140,20 @@ private class JwtParserWithSigningKeyExpr extends Expr {
136140
}
137141

138142
/**
139-
* Models flow from `SigningKeyMethodAccess`es to expressions that are a (sub-type of) `JwtParser`.
143+
* Models flow from `SigningKeyMethodAccess`es to expressions that are a
144+
* (sub-type of) `JwtParser` and which are also the qualifier to a `JwtParserInsecureParseMethodAccess`.
140145
* This is used to determine whether a `JwtParser` has a signing key set.
141146
*/
142-
private class SigningToExprDataFlow extends DataFlow::Configuration {
143-
SigningToExprDataFlow() { this = "SigningToExprDataFlow" }
147+
private class SigningToInsecureMethodAccessDataFlow extends DataFlow::Configuration {
148+
SigningToInsecureMethodAccessDataFlow() { this = "SigningToExprDataFlow" }
144149

145150
override predicate isSource(DataFlow::Node source) {
146151
source.asExpr() instanceof SigningKeyMethodAccess
147152
}
148153

149154
override predicate isSink(DataFlow::Node sink) {
150-
sink.asExpr().getType() instanceof TypeDerivedJwtParser
155+
sink.asExpr().getType() instanceof TypeDerivedJwtParser and
156+
any(JwtParserInsecureParseMethodAccess ma).getQualifier() = sink.asExpr()
151157
}
152158

153159
/** Models the builder style of `JwtParser` and `JwtParserBuilder`. */

0 commit comments

Comments
 (0)