Join ServletUrlRedirectSink with UrlRedirectSink

rvermeulen · rvermeulen · commit ba9f3e2a1ed7 · 2020-07-09T14:08:43.000+02:00
diff --git a/java/ql/src/Security/CWE/CWE-601/ServletUrlRedirect.qll b/java/ql/src/Security/CWE/CWE-601/ServletUrlRedirect.qll
diff --git a/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql b/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql
@@ -12,7 +12,7 @@
 
 import java
 import semmle.code.java.dataflow.FlowSources
-import ServletUrlRedirect
+import semmle.code.java.security.UrlRedirect
 import DataFlow::PathGraph
 
 class UrlRedirectConfig extends TaintTracking::Configuration {
diff --git a/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql b/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql
@@ -12,7 +12,7 @@
 
 import java
 import semmle.code.java.dataflow.FlowSources
-import ServletUrlRedirect
+import semmle.code.java.security.UrlRedirect
 import DataFlow::PathGraph
 
 class UrlRedirectLocalConfig extends TaintTracking::Configuration {
diff --git a/java/ql/src/semmle/code/java/security/UrlRedirect.qll b/java/ql/src/semmle/code/java/security/UrlRedirect.qll
@@ -1,5 +1,24 @@
 import java
 import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.frameworks.Servlets
 
 /** A URL redirection sink */
 abstract class UrlRedirectSink extends DataFlow::Node { }
+
+/** A Servlet URL redirection sink. */
+class ServletUrlRedirectSink extends UrlRedirectSink {
+  ServletUrlRedirectSink() {
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof HttpServletResponseSendRedirectMethod and
+      this.asExpr() = ma.getArgument(0)
+    )
+    or
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof ResponseSetHeaderMethod or
+      ma.getMethod() instanceof ResponseAddHeaderMethod
+    |
+      ma.getArgument(0).(CompileTimeConstantExpr).getStringValue() = "Location" and
+      this.asExpr() = ma.getArgument(1)
+    )
+  }
+}
