@@ -26,18 +26,19 @@ class LocalSource extends Source {
26
26
27
27
from
28
28
TaintToObjectMethodTrackingConfig taintTracking , DataFlow:: PathNode userInput ,
29
- DataFlow:: PathNode deserializeCall
29
+ DataFlow:: PathNode deserializeCallArg
30
30
where
31
31
// all flows from user input to deserialization with weak and strong type serializers
32
- taintTracking .hasFlowPath ( userInput , deserializeCall ) and
32
+ taintTracking .hasFlowPath ( userInput , deserializeCallArg ) and
33
33
// intersect with strong types, but user controlled or weak types deserialization usages
34
34
(
35
35
exists (
36
36
DataFlow:: PathNode weakTypeCreation , DataFlow:: PathNode weakTypeUsage ,
37
37
WeakTypeCreationToUsageTrackingConfig weakTypeDeserializerTracking
38
38
|
39
39
weakTypeDeserializerTracking .hasFlowPath ( weakTypeCreation , weakTypeUsage ) and
40
- weakTypeUsage .getNode ( ) .asExpr ( ) .getParent ( ) = deserializeCall .getNode ( ) .asExpr ( ) .getParent ( )
40
+ weakTypeUsage .getNode ( ) .asExpr ( ) .getParent ( ) =
41
+ deserializeCallArg .getNode ( ) .asExpr ( ) .getParent ( )
41
42
)
42
43
or
43
44
exists (
46
47
|
47
48
userControlledTypeTracking .hasFlowPath ( userInput2 , taintedTypeUsage ) and
48
49
taintedTypeUsage .getNode ( ) .asExpr ( ) .getParent ( ) =
49
- deserializeCall .getNode ( ) .asExpr ( ) .getParent ( )
50
+ deserializeCallArg .getNode ( ) .asExpr ( ) .getParent ( )
50
51
)
51
52
) and
52
53
// exclude deserialization flows with safe instances (i.e. JavaScriptSerializer without resolver)
@@ -55,12 +56,12 @@ where
55
56
DataFlow:: PathNode safeTypeUsage
56
57
|
57
58
safeConstructorTracking .hasFlowPath ( safeCreation , safeTypeUsage ) and
58
- safeTypeUsage .getNode ( ) .asExpr ( ) .getParent ( ) = deserializeCall .getNode ( ) .asExpr ( ) .getParent ( )
59
+ safeTypeUsage .getNode ( ) .asExpr ( ) .getParent ( ) = deserializeCallArg .getNode ( ) .asExpr ( ) .getParent ( )
59
60
)
60
61
or
61
62
// no type check needed - straightforward taint -> sink
62
63
exists ( TaintToConstructorOrStaticMethodTrackingConfig taintTracking2 |
63
- taintTracking2 .hasFlowPath ( userInput , deserializeCall )
64
+ taintTracking2 .hasFlowPath ( userInput , deserializeCallArg )
64
65
)
65
- select deserializeCall , userInput , deserializeCall , "$@ flows to unsafe deserializer." , userInput ,
66
- "User-provided data"
66
+ select deserializeCallArg , userInput , deserializeCallArg , "$@ flows to unsafe deserializer." ,
67
+ userInput , "User-provided data"