
Commit cc75a1a

committed
Java: Refactor RequestForgery.ql
1 parent 35beadc commit cc75a1a

2 files changed

+29
-4
lines changed


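--- a/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll
+++ b/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll
@@ -8,9 +8,11 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.RequestForgery
 
 /**
+* DEPRECATED: Use `RequestForgeryConfiguration` module instead.
+*
 * A taint-tracking configuration characterising request-forgery risks.
 */
-class RequestForgeryConfiguration extends TaintTracking::Configuration {
+deprecated class RequestForgeryConfiguration extends TaintTracking::Configuration {
 RequestForgeryConfiguration() { this = "Server-Side Request Forgery" }
 
 override predicate isSource(DataFlow::Node source) {
@@ -29,3 +31,26 @@ class RequestForgeryConfiguration extends TaintTracking::Configuration {
 
 override predicate isSanitizer(DataFlow::Node node) { node instanceof RequestForgerySanitizer }
 }
+
+/**
+* A taint-tracking configuration characterising request-forgery risks.
+*/
+module RequestForgeryConfiguration implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node source) {
+source instanceof RemoteFlowSource and
+// Exclude results of remote HTTP requests: fetching something else based on that result
+// is no worse than following a redirect returned by the remote server, and typically
+// we're requesting a resource via https which we trust to only send us to safe URLs.
+not source.asExpr().(MethodAccess).getCallee() instanceof UrlConnectionGetInputStreamMethod
+}
+
+predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
+
+predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
+any(RequestForgeryAdditionalTaintStep r).propagatesTaint(pred, succ)
+}
+
+predicate isBarrier(DataFlow::Node node) { node instanceof RequestForgerySanitizer }
+}
+
+module RequestForgeryFlow = TaintTracking::Make<RequestForgeryConfiguration>;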
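Review bot: The deprecated class and the new `RequestForgeryConfiguration` module each keep their own copy of the source, sink, additional-step and barrier logic, so a later change to one (a new sanitizer, a tightened source exclusion) can silently miss the other while both remain in use; the class's `isSource` body lies outside this hunk, so whether its `UrlConnectionGetInputStreamMethod` exclusion matches the module's cannot be checked here. Having the deprecated class delegate to the module, e.g. `override predicate isSanitizer(DataFlow::Node node) { RequestForgeryConfiguration::isBarrier(node) }` and likewise for the other three predicates, keeps the two in step until the class is removed. The module also reuses the exact name of the class it replaces, and the DEPRECATED note refers to the replacement by that same name; if QL keeps classes and modules in separate namespaces this resolves, but a distinct module name matching the file (e.g. `RequestForgeryConfig`) would make the note unambiguous for readers.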

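--- a/java/ql/src/Security/CWE/CWE-918/RequestForgery.ql
+++ b/java/ql/src/Security/CWE/CWE-918/RequestForgery.ql
@@ -13,9 +13,9 @@
 
 import java
 import semmle.code.java.security.RequestForgeryConfig
-import DataFlow::PathGraph
+import RequestForgeryFlow::PathGraph
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, RequestForgeryConfiguration conf
-where conf.hasFlowPath(source, sink)
+from RequestForgeryFlow::PathNode source, RequestForgeryFlow::PathNode sink
+where RequestForgeryFlow::hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "Potential server-side request forgery due to a $@.",
 source.getNode(), "user-provided value"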
