Delete existsFilterVerificationMethod and existsServletVerificationMethod, add from get handler to filter

Author: haby0

java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql

@@ -16,31 +16,6 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.deadcode.WebEntryPoints
 import DataFlow::PathGraph
 
-/**
- * Holds if some `Filter.doFilter` method exists in the whole program that takes some user-controlled
- * input and tests it with what appears to be a token- or authentication-checking function.
- */
-predicate existsFilterVerificationMethod() {
-  exists(DataFlow::Node source, DataFlow::Node sink, VerificationMethodFlowConfig vmfc, Method m |
-    vmfc.hasFlow(source, sink) and
-    m = getACallingCallableOrSelf(source.getEnclosingCallable()) and
-    isDoFilterMethod(m)
-  )
-}
-
-/**
- * Holds if somewhere in the whole program some user-controlled
- * input is tested with what appears to be a token- or authentication-checking function,
- * and `checkNode` is reachable from any function that can reach the user-controlled input source.
- */
-predicate existsServletVerificationMethod(Node checkNode) {
-  exists(DataFlow::Node source, DataFlow::Node sink, VerificationMethodFlowConfig vmfc |
-    vmfc.hasFlow(source, sink) and
-    getACallingCallableOrSelf(source.getEnclosingCallable()) =
-      getACallingCallableOrSelf(checkNode.getEnclosingCallable())
-  )
-}
-
 /** Taint-tracking configuration tracing flow from get method request sources to output jsonp data. */
 class RequestResponseFlowConfig extends TaintTracking::Configuration {
   RequestResponseFlowConfig() { this = "RequestResponseFlowConfig" }
@@ -64,8 +39,6 @@ class RequestResponseFlowConfig extends TaintTracking::Configuration {
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, RequestResponseFlowConfig conf
 where
-  not existsServletVerificationMethod(source.getNode()) and
-  not existsFilterVerificationMethod() and
   conf.hasFlowPath(source, sink) and
   exists(JsonpInjectionFlowConfig jhfc | jhfc.hasFlowTo(sink.getNode()))
 select sink.getNode(), source, sink, "Jsonp response might include code from $@.", source.getNode(),

java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll

@@ -42,17 +42,21 @@ class VerificationMethodFlowConfig extends TaintTracking2::Configuration {
   }
 }
 
-/** Get Callable by recursive method. */
-Callable getACallingCallableOrSelf(Callable call) {
-  result = call
-  or
-  result = getACallingCallableOrSelf(call.getAReference().getEnclosingCallable())
-}
-
 /**
  * A method that is called to handle an HTTP GET request.
  */
-abstract class RequestGetMethod extends Method { }
+abstract class RequestGetMethod extends Method {
+  RequestGetMethod() {
+    not exists(DataFlow::Node source, DataFlow::Node sink, VerificationMethodFlowConfig vmfc |
+      vmfc.hasFlow(source, sink) and
+      any(this).polyCalls*(source.getEnclosingCallable())
+    ) and
+    not exists(MethodAccess ma |
+      ma.getMethod() instanceof ServletRequestGetBodyMethod and
+      any(this).polyCalls*(ma.getEnclosingCallable())
+    )
+  }
+}
 
 /** Override method of `doGet` of `Servlet` subclass. */
 private class ServletGetMethod extends RequestGetMethod {
@@ -81,10 +85,6 @@ class SpringControllerRequestMappingGetMethod extends SpringControllerGetMethod
       this.getAnAnnotation().getValue("method").(VarAccess).getVariable().getName() = "GET" or
       this.getAnAnnotation().getValue("method").(ArrayInit).getSize() = 0 //Java code example: @RequestMapping(value = "test")
     ) and
-    not exists(MethodAccess ma |
-      ma.getMethod() instanceof ServletRequestGetBodyMethod and
-      any(this).polyCalls*(ma.getEnclosingCallable())
-    ) and
     not this.getAParamType().getName() = "MultipartFile"
   }
 }