rm VerificationMethodFlowConfig, use springframework-5.2.3 stub

Author: haby0

java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.java

@@ -105,52 +105,9 @@ public String bad7(HttpServletRequest request) {
         return resultStr;
     }
 
-    @GetMapping(value = "jsonp8")
-    @ResponseBody
-    public String bad8(HttpServletRequest request) {
-        String resultStr = null;
-        String token = request.getParameter("token");
-        boolean result = verifToken(token); //Just check.
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        String jsonStr = getJsonStr(hashMap);
-        resultStr = jsonpCallback + "(" + jsonStr + ")";
-        return resultStr;
-    }
-
-
-    @GetMapping(value = "jsonp9")
-    @ResponseBody
-    public String good1(HttpServletRequest request) {
-        String resultStr = null;
-        String referer = request.getParameter("referer");
-        if (verifReferer(referer)){
-            String jsonpCallback = request.getParameter("jsonpCallback");
-            String jsonStr = getJsonStr(hashMap);
-            resultStr = jsonpCallback + "(" + jsonStr + ")";
-            return resultStr;
-        }
-        return "error";
-    }
-
-
-    @GetMapping(value = "jsonp10")
-    @ResponseBody
-    public String good2(HttpServletRequest request) {
-        String resultStr = null;
-        String token = request.getParameter("token");
-        boolean result = verifToken(token);
-        if (result){
-            return "";
-        }
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        String jsonStr = getJsonStr(hashMap);
-        resultStr = jsonpCallback + "(" + jsonStr + ")";
-        return resultStr;
-    }
-
     @RequestMapping(value = "jsonp11")
     @ResponseBody
-    public String good3(HttpServletRequest request) {
+    public String good1(HttpServletRequest request) {
         JSONObject parameterObj = readToJSONObect(request);
         String resultStr = null;
         String jsonpCallback = request.getParameter("jsonpCallback");
@@ -161,7 +118,7 @@ public String good3(HttpServletRequest request) {
 
     @RequestMapping(value = "jsonp12")
     @ResponseBody
-    public String good4(@RequestParam("file") MultipartFile file,HttpServletRequest request) {
+    public String good2(@RequestParam("file") MultipartFile file,HttpServletRequest request) {
         if(null == file){
             return "upload file error";
         }
@@ -201,18 +158,4 @@ public static String readPostContent(HttpServletRequest request){
     public static String getJsonStr(Object result) {
         return JSONObject.toJSONString(result);
     }
-
-    public static boolean verifToken(String token){
-        if (token != "xxxx"){
-            return false;
-        }
-        return true;
-    }
-
-    public static boolean verifReferer(String str){
-        if (str != "xxxx"){
-            return false;
-        }
-        return true;
-    }
 }

java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp

@@ -14,10 +14,9 @@ When there is a cross-domain problem, this could lead to information leakage.</p
 </recommendation>
 <example>
 
-<p>The following examples show the bad case and the good case respectively. Bad cases, such as <code>bad1</code> to <code>bad8</code>, 
+<p>The following examples show the bad case and the good case respectively. Bad cases, such as <code>bad1</code> to <code>bad7</code>, 
 will cause information leakage when there are cross-domain problems. In a good case, for example, in the <code>good1</code> 
-method and the <code>good2</code> method, using the <code>verifToken</code> method to do random <code>token</code> verification
-solves the problem of information leakage even in the presence of cross-domain access issues.</p>
+method and the <code>good2</code> method, When these two methods process the request, there must be a request body in the request, which does not meet the conditions of Jsonp injection.</p>
 
 <sample src="JsonpInjection.java" />
 

java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll

@@ -7,62 +7,11 @@ import semmle.code.java.dataflow.DataFlow3
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.frameworks.spring.SpringController
 
-/** A data flow configuration tracing flow from the result of a method whose name includes token/auth/referer/origin to an if-statement condition. */
-class VerificationMethodToIfFlowConfig extends DataFlow3::Configuration {
-  VerificationMethodToIfFlowConfig() { this = "VerificationMethodToIfFlowConfig" }
-
-  override predicate isSource(DataFlow::Node src) {
-    exists(MethodAccess ma | ma instanceof BarrierGuard |
-      (
-        ma.getMethod().getAParameter().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
-        or
-        ma.getMethod().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
-      ) and
-      ma = src.asExpr()
-    )
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    exists(IfStmt is | is.getCondition() = sink.asExpr())
-  }
-}
-
-/**
- * Taint-tracking configuration tracing flow from untrusted inputs to an argument of a function whose result is used as an if-statement condition.
- *
- * For example, in the context `String userControlled = request.getHeader("xyz"); boolean isGood = checkToken(userControlled); if(isGood) { ...`,
- * the flow from `checkToken`'s result to the condition of `if(isGood)` matches the configuration `VerificationMethodToIfFlowConfig` above,
- * and so the flow from `getHeader(...)` to the argument to `checkToken` matches this configuration.
- */
-class VerificationMethodFlowConfig extends TaintTracking2::Configuration {
-  VerificationMethodFlowConfig() { this = "VerificationMethodFlowConfig" }
-
-  override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) {
-    exists(MethodAccess ma, int i, VerificationMethodToIfFlowConfig vmtifc |
-      ma instanceof BarrierGuard
-    |
-      (
-        ma.getMethod().getParameter(i).getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
-        or
-        ma.getMethod().getName().regexpMatch("(?i).*(token|auth|referer|origin).*")
-      ) and
-      ma.getArgument(i) = sink.asExpr() and
-      vmtifc.hasFlow(exprNode(ma), _)
-    )
-  }
-}
-
 /**
  * A method that is called to handle an HTTP GET request.
  */
 abstract class RequestGetMethod extends Method {
   RequestGetMethod() {
-    not exists(DataFlow::Node source, DataFlow::Node sink, VerificationMethodFlowConfig vmfc |
-      vmfc.hasFlow(source, sink) and
-      any(this).polyCalls*(source.getEnclosingCallable())
-    ) and
     not exists(MethodAccess ma |
       ma.getMethod() instanceof ServletRequestGetBodyMethod and
       any(this).polyCalls*(ma.getEnclosingCallable())

java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpController.java renamed to java/ql/test/experimental/query-tests/security/CWE-352/JsonpController.java

@@ -105,52 +105,9 @@ public String bad7(HttpServletRequest request) {
         return resultStr;
     }
 
-    @GetMapping(value = "jsonp8")
-    @ResponseBody
-    public String bad8(HttpServletRequest request) {
-        String resultStr = null;
-        String token = request.getParameter("token");
-        boolean result = verifToken(token); //Just check.
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        String jsonStr = getJsonStr(hashMap);
-        resultStr = jsonpCallback + "(" + jsonStr + ")";
-        return resultStr;
-    }
-
-
-    @GetMapping(value = "jsonp9")
-    @ResponseBody
-    public String good1(HttpServletRequest request) {
-        String resultStr = null;
-        String referer = request.getParameter("referer");
-        if (verifReferer(referer)){
-            String jsonpCallback = request.getParameter("jsonpCallback");
-            String jsonStr = getJsonStr(hashMap);
-            resultStr = jsonpCallback + "(" + jsonStr + ")";
-            return resultStr;
-        }
-        return "error";
-    }
-
-
-    @GetMapping(value = "jsonp10")
-    @ResponseBody
-    public String good2(HttpServletRequest request) {
-        String resultStr = null;
-        String token = request.getParameter("token");
-        boolean result = verifToken(token);
-        if (result){
-            return "";
-        }
-        String jsonpCallback = request.getParameter("jsonpCallback");
-        String jsonStr = getJsonStr(hashMap);
-        resultStr = jsonpCallback + "(" + jsonStr + ")";
-        return resultStr;
-    }
-
     @RequestMapping(value = "jsonp11")
     @ResponseBody
-    public String good3(HttpServletRequest request) {
+    public String good1(HttpServletRequest request) {
         JSONObject parameterObj = readToJSONObect(request);
         String resultStr = null;
         String jsonpCallback = request.getParameter("jsonpCallback");
@@ -161,7 +118,7 @@ public String good3(HttpServletRequest request) {
 
     @RequestMapping(value = "jsonp12")
     @ResponseBody
-    public String good4(@RequestParam("file") MultipartFile file,HttpServletRequest request) {
+    public String good2(@RequestParam("file") MultipartFile file,HttpServletRequest request) {
         if(null == file){
             return "upload file error";
         }
@@ -201,18 +158,4 @@ public static String readPostContent(HttpServletRequest request){
     public static String getJsonStr(Object result) {
         return JSONObject.toJSONString(result);
     }
-
-    public static boolean verifToken(String token){
-        if (token != "xxxx"){
-            return false;
-        }
-        return true;
-    }
-
-    public static boolean verifReferer(String str){
-        if (str != "xxxx"){
-            return false;
-        }
-        return true;
-    }
 }

java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjectionWithSpringController/JsonpInjection.expected renamed to java/ql/test/experimental/query-tests/security/CWE-352/JsonpInjection.expected

@@ -13,12 +13,8 @@ edges
 | JsonpController.java:93:21:93:54 | ... + ... : String | JsonpController.java:94:20:94:28 | resultStr |
 | JsonpController.java:101:32:101:68 | getParameter(...) : String | JsonpController.java:105:16:105:24 | resultStr |
 | JsonpController.java:104:21:104:54 | ... + ... : String | JsonpController.java:105:16:105:24 | resultStr |
-| JsonpController.java:114:32:114:68 | getParameter(...) : String | JsonpController.java:117:16:117:24 | resultStr |
-| JsonpController.java:116:21:116:55 | ... + ... : String | JsonpController.java:117:16:117:24 | resultStr |
-| JsonpController.java:129:25:129:59 | ... + ... : String | JsonpController.java:130:20:130:28 | resultStr |
-| JsonpController.java:147:21:147:55 | ... + ... : String | JsonpController.java:148:16:148:24 | resultStr |
-| JsonpController.java:158:21:158:54 | ... + ... : String | JsonpController.java:159:16:159:24 | resultStr |
-| JsonpController.java:173:21:173:54 | ... + ... : String | JsonpController.java:174:16:174:24 | resultStr |
+| JsonpController.java:115:21:115:54 | ... + ... : String | JsonpController.java:116:16:116:24 | resultStr |
+| JsonpController.java:130:21:130:54 | ... + ... : String | JsonpController.java:131:16:131:24 | resultStr |
 nodes
 | JsonpController.java:33:32:33:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | JsonpController.java:36:21:36:54 | ... + ... : String | semmle.label | ... + ... : String |
@@ -48,18 +44,10 @@ nodes
 | JsonpController.java:104:21:104:54 | ... + ... : String | semmle.label | ... + ... : String |
 | JsonpController.java:105:16:105:24 | resultStr | semmle.label | resultStr |
 | JsonpController.java:105:16:105:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:114:32:114:68 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| JsonpController.java:116:21:116:55 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:117:16:117:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:117:16:117:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:129:25:129:59 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:130:20:130:28 | resultStr | semmle.label | resultStr |
-| JsonpController.java:147:21:147:55 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:148:16:148:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:158:21:158:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:159:16:159:24 | resultStr | semmle.label | resultStr |
-| JsonpController.java:173:21:173:54 | ... + ... : String | semmle.label | ... + ... : String |
-| JsonpController.java:174:16:174:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:115:21:115:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:116:16:116:24 | resultStr | semmle.label | resultStr |
+| JsonpController.java:130:21:130:54 | ... + ... : String | semmle.label | ... + ... : String |
+| JsonpController.java:131:16:131:24 | resultStr | semmle.label | resultStr |
 #select
 | JsonpController.java:37:16:37:24 | resultStr | JsonpController.java:33:32:33:68 | getParameter(...) : String | JsonpController.java:37:16:37:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:33:32:33:68 | getParameter(...) | this user input |
 | JsonpController.java:46:16:46:24 | resultStr | JsonpController.java:44:32:44:68 | getParameter(...) : String | JsonpController.java:46:16:46:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:44:32:44:68 | getParameter(...) | this user input |
@@ -68,4 +56,3 @@ nodes
 | JsonpController.java:80:20:80:28 | resultStr | JsonpController.java:73:32:73:68 | getParameter(...) : String | JsonpController.java:80:20:80:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:73:32:73:68 | getParameter(...) | this user input |
 | JsonpController.java:94:20:94:28 | resultStr | JsonpController.java:87:32:87:68 | getParameter(...) : String | JsonpController.java:94:20:94:28 | resultStr | Jsonp response might include code from $@. | JsonpController.java:87:32:87:68 | getParameter(...) | this user input |
 | JsonpController.java:105:16:105:24 | resultStr | JsonpController.java:101:32:101:68 | getParameter(...) : String | JsonpController.java:105:16:105:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:101:32:101:68 | getParameter(...) | this user input |
-| JsonpController.java:117:16:117:24 | resultStr | JsonpController.java:114:32:114:68 | getParameter(...) : String | JsonpController.java:117:16:117:24 | resultStr | Jsonp response might include code from $@. | JsonpController.java:114:32:114:68 | getParameter(...) | this user input |