Always bind arguments in TaintPropagatingCall

artem-smotrakov · artem-smotrakov · commit a764a79090e1 · 2021-04-07T21:12:21.000+03:00
diff --git a/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjectionLib.qll
@@ -56,15 +56,17 @@ private class TaintPropagatingCall extends Call {
 
   TaintPropagatingCall() {
     taintFromExpr = this.getArgument(1) and
-    exists(Method m | this.(MethodAccess).getMethod() = m |
-      m.getDeclaringType() instanceof ExpressionFactory and
-      m.hasName(["createValueExpression", "createMethodExpression"]) and
-      taintFromExpr.getType() instanceof TypeString
-    )
-    or
-    exists(Constructor c | this.(ConstructorCall).getConstructor() = c |
-      c.getDeclaringType() instanceof LambdaExpression and
-      taintFromExpr.getType() instanceof ValueExpression
+    (
+      exists(Method m | this.(MethodAccess).getMethod() = m |
+        m.getDeclaringType() instanceof ExpressionFactory and
+        m.hasName(["createValueExpression", "createMethodExpression"]) and
+        taintFromExpr.getType() instanceof TypeString
+      )
+      or
+      exists(Constructor c | this.(ConstructorCall).getConstructor() = c |
+        c.getDeclaringType() instanceof LambdaExpression and
+        taintFromExpr.getType() instanceof ValueExpression
+      )
     )
   }
 
diff --git a/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected
@@ -10,22 +10,9 @@ edges
 | JakartaExpressionInjection.java:30:24:30:33 | expression : String | JakartaExpressionInjection.java:32:28:32:37 | expression |
 | JakartaExpressionInjection.java:37:24:37:33 | expression : String | JakartaExpressionInjection.java:39:32:39:41 | expression |
 | JakartaExpressionInjection.java:44:24:44:33 | expression : String | JakartaExpressionInjection.java:49:13:49:28 | lambdaExpression |
-| JakartaExpressionInjection.java:48:49:48:104 | new LambdaExpression(...) : LambdaExpression | JakartaExpressionInjection.java:49:13:49:28 | lambdaExpression |
 | JakartaExpressionInjection.java:54:24:54:33 | expression : String | JakartaExpressionInjection.java:56:32:56:41 | expression |
-| JakartaExpressionInjection.java:61:24:61:33 | expression : String | JakartaExpressionInjection.java:64:33:64:96 | createValueExpression(...) : ValueExpression |
 | JakartaExpressionInjection.java:61:24:61:33 | expression : String | JakartaExpressionInjection.java:65:13:65:13 | e |
-| JakartaExpressionInjection.java:61:24:61:33 | expression : String | JakartaExpressionInjection.java:65:13:65:13 | e : ValueExpression |
-| JakartaExpressionInjection.java:64:33:64:96 | createValueExpression(...) : ValueExpression | JakartaExpressionInjection.java:48:49:48:104 | new LambdaExpression(...) : LambdaExpression |
-| JakartaExpressionInjection.java:64:33:64:96 | createValueExpression(...) : ValueExpression | JakartaExpressionInjection.java:65:13:65:13 | e |
-| JakartaExpressionInjection.java:64:33:64:96 | createValueExpression(...) : ValueExpression | JakartaExpressionInjection.java:65:13:65:13 | e : ValueExpression |
-| JakartaExpressionInjection.java:65:13:65:13 | e : ValueExpression | JakartaExpressionInjection.java:48:49:48:104 | new LambdaExpression(...) : LambdaExpression |
-| JakartaExpressionInjection.java:70:24:70:33 | expression : String | JakartaExpressionInjection.java:73:33:73:96 | createValueExpression(...) : ValueExpression |
 | JakartaExpressionInjection.java:70:24:70:33 | expression : String | JakartaExpressionInjection.java:74:13:74:13 | e |
-| JakartaExpressionInjection.java:70:24:70:33 | expression : String | JakartaExpressionInjection.java:74:13:74:13 | e : ValueExpression |
-| JakartaExpressionInjection.java:73:33:73:96 | createValueExpression(...) : ValueExpression | JakartaExpressionInjection.java:48:49:48:104 | new LambdaExpression(...) : LambdaExpression |
-| JakartaExpressionInjection.java:73:33:73:96 | createValueExpression(...) : ValueExpression | JakartaExpressionInjection.java:74:13:74:13 | e |
-| JakartaExpressionInjection.java:73:33:73:96 | createValueExpression(...) : ValueExpression | JakartaExpressionInjection.java:74:13:74:13 | e : ValueExpression |
-| JakartaExpressionInjection.java:74:13:74:13 | e : ValueExpression | JakartaExpressionInjection.java:48:49:48:104 | new LambdaExpression(...) : LambdaExpression |
 | JakartaExpressionInjection.java:79:24:79:33 | expression : String | JakartaExpressionInjection.java:83:13:83:13 | e |
 nodes
 | JakartaExpressionInjection.java:22:25:22:47 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
@@ -35,18 +22,13 @@ nodes
 | JakartaExpressionInjection.java:37:24:37:33 | expression : String | semmle.label | expression : String |
 | JakartaExpressionInjection.java:39:32:39:41 | expression | semmle.label | expression |
 | JakartaExpressionInjection.java:44:24:44:33 | expression : String | semmle.label | expression : String |
-| JakartaExpressionInjection.java:48:49:48:104 | new LambdaExpression(...) : LambdaExpression | semmle.label | new LambdaExpression(...) : LambdaExpression |
 | JakartaExpressionInjection.java:49:13:49:28 | lambdaExpression | semmle.label | lambdaExpression |
 | JakartaExpressionInjection.java:54:24:54:33 | expression : String | semmle.label | expression : String |
 | JakartaExpressionInjection.java:56:32:56:41 | expression | semmle.label | expression |
 | JakartaExpressionInjection.java:61:24:61:33 | expression : String | semmle.label | expression : String |
-| JakartaExpressionInjection.java:64:33:64:96 | createValueExpression(...) : ValueExpression | semmle.label | createValueExpression(...) : ValueExpression |
 | JakartaExpressionInjection.java:65:13:65:13 | e | semmle.label | e |
-| JakartaExpressionInjection.java:65:13:65:13 | e : ValueExpression | semmle.label | e : ValueExpression |
 | JakartaExpressionInjection.java:70:24:70:33 | expression : String | semmle.label | expression : String |
-| JakartaExpressionInjection.java:73:33:73:96 | createValueExpression(...) : ValueExpression | semmle.label | createValueExpression(...) : ValueExpression |
 | JakartaExpressionInjection.java:74:13:74:13 | e | semmle.label | e |
-| JakartaExpressionInjection.java:74:13:74:13 | e : ValueExpression | semmle.label | e : ValueExpression |
 | JakartaExpressionInjection.java:79:24:79:33 | expression : String | semmle.label | expression : String |
 | JakartaExpressionInjection.java:83:13:83:13 | e | semmle.label | e |
 #select
