Extend source and sink from DataFlow::Node instead of DataFlow::exprNode

rvermeulen · rvermeulen · commit b66f391c31b9 · 2020-07-09T14:39:08.000+02:00
diff --git a/java/ql/src/Security/CWE/CWE-113/ServletResponseSplitting.qll b/java/ql/src/Security/CWE/CWE-113/ServletResponseSplitting.qll
@@ -10,23 +10,23 @@ class ServletHeaderSplittingSink extends HeaderSplittingSink {
   ServletHeaderSplittingSink() {
     exists(ResponseAddCookieMethod m, MethodAccess ma |
       ma.getMethod() = m and
-      this.getExpr() = ma.getArgument(0)
+      this.asExpr() = ma.getArgument(0)
     )
     or
     exists(ResponseAddHeaderMethod m, MethodAccess ma |
       ma.getMethod() = m and
-      this.getExpr() = ma.getAnArgument()
+      this.asExpr() = ma.getAnArgument()
     )
     or
     exists(ResponseSetHeaderMethod m, MethodAccess ma |
       ma.getMethod() = m and
-      this.getExpr() = ma.getAnArgument()
+      this.asExpr() = ma.getAnArgument()
     )
     or
     exists(JaxRsResponseBuilder builder, Method m |
       m = builder.getAMethod() and m.getName() = "header"
     |
-      this.getExpr() = m.getAReference().getArgument(1)
+      this.asExpr() = m.getAReference().getArgument(1)
     )
   }
 }
diff --git a/java/ql/src/semmle/code/java/security/ResponseSplitting.qll b/java/ql/src/semmle/code/java/security/ResponseSplitting.qll
@@ -3,9 +3,9 @@ import semmle.code.java.dataflow.DataFlow
 /**
  * Header-splitting sinks. Expressions that end up in an HTTP header.
  */
-abstract class HeaderSplittingSink extends DataFlow::ExprNode { }
+abstract class HeaderSplittingSink extends DataFlow::Node { }
 
 /**
  * Sources that cannot be used to perform a header splitting attack.
  */
-abstract class SafeHeaderSplittingSource extends DataFlow::ExprNode { }
+abstract class SafeHeaderSplittingSource extends DataFlow::Node { }

Original file line number	Diff line number	Diff line change
`@@ -10,23 +10,23 @@ class ServletHeaderSplittingSink extends HeaderSplittingSink {`
`10`	`10`	`ServletHeaderSplittingSink() {`
`11`	`11`	`exists(ResponseAddCookieMethod m, MethodAccess ma \|`
`12`	`12`	`ma.getMethod() = m and`
`13`		`- this.getExpr() = ma.getArgument(0)`
	`13`	`+ this.asExpr() = ma.getArgument(0)`
`14`	`14`	`)`
`15`	`15`	`or`
`16`	`16`	`exists(ResponseAddHeaderMethod m, MethodAccess ma \|`
`17`	`17`	`ma.getMethod() = m and`
`18`		`- this.getExpr() = ma.getAnArgument()`
	`18`	`+ this.asExpr() = ma.getAnArgument()`
`19`	`19`	`)`
`20`	`20`	`or`
`21`	`21`	`exists(ResponseSetHeaderMethod m, MethodAccess ma \|`
`22`	`22`	`ma.getMethod() = m and`
`23`		`- this.getExpr() = ma.getAnArgument()`
	`23`	`+ this.asExpr() = ma.getAnArgument()`
`24`	`24`	`)`
`25`	`25`	`or`
`26`	`26`	`exists(JaxRsResponseBuilder builder, Method m \|`
`27`	`27`	`m = builder.getAMethod() and m.getName() = "header"`
`28`	`28`	`\|`
`29`		`- this.getExpr() = m.getAReference().getArgument(1)`
	`29`	`+ this.asExpr() = m.getAReference().getArgument(1)`
`30`	`30`	`)`
`31`	`31`	`}`
`32`	`32`	`}`