Merge pull request github#12643 from chmodxxx/sbaddou/jndisanitizer

atorralba · web-flow · commit c395779b85f0 · 2023-03-24T09:04:54.000+01:00
Java : Add JndiInjection Sanitizer Class
diff --git a/java/ql/lib/change-notes/2023-03-23-jndi-sanitizer.md b/java/ql/lib/change-notes/2023-03-23-jndi-sanitizer.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added the extensible abstract class `JndiInjectionSanitizer`. Now this class can be extended to add more sanitizers to the `java/jndi-injection` query.
diff --git a/java/ql/lib/semmle/code/java/security/JndiInjection.qll b/java/ql/lib/semmle/code/java/security/JndiInjection.qll
@@ -9,6 +9,9 @@ private import semmle.code.java.frameworks.SpringLdap
 /** A data flow sink for unvalidated user input that is used in JNDI lookup. */
 abstract class JndiInjectionSink extends DataFlow::Node { }
 
+/** A sanitizer for JNDI injection vulnerabilities. */
+abstract class JndiInjectionSanitizer extends DataFlow::Node { }
+
 /**
  * A unit class for adding additional taint steps.
  *
diff --git a/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/JndiInjectionQuery.qll
@@ -17,7 +17,9 @@ class JndiInjectionFlowConfig extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node sink) { sink instanceof JndiInjectionSink }
 
   override predicate isSanitizer(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
+    node.getType() instanceof PrimitiveType or
+    node.getType() instanceof BoxedType or
+    node instanceof JndiInjectionSanitizer
   }
 
   override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Added the extensible abstract class `JndiInjectionSanitizer`. Now this class can be extended to add more sanitizers to the `java/jndi-injection` query.
Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,9 @@ private import semmle.code.java.frameworks.SpringLdap`
`9`	`9`	`/** A data flow sink for unvalidated user input that is used in JNDI lookup. */`
`10`	`10`	`abstract class JndiInjectionSink extends DataFlow::Node { }`
`11`	`11`
	`12`	`+/** A sanitizer for JNDI injection vulnerabilities. */`
	`13`	`+abstract class JndiInjectionSanitizer extends DataFlow::Node { }`
	`14`	`+`
`12`	`15`	`/**`
`13`	`16`	`* A unit class for adding additional taint steps.`
`14`	`17`	`*`
Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,9 @@ class JndiInjectionFlowConfig extends TaintTracking::Configuration {`
`17`	`17`	`override predicate isSink(DataFlow::Node sink) { sink instanceof JndiInjectionSink }`
`18`	`18`
`19`	`19`	`override predicate isSanitizer(DataFlow::Node node) {`
`20`		`- node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType`
	`20`	`+ node.getType() instanceof PrimitiveType or`
	`21`	`+ node.getType() instanceof BoxedType or`
	`22`	`+ node instanceof JndiInjectionSanitizer`
`21`	`23`	`}`
`22`	`24`
`23`	`25`	`override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {`