Skip to content

Commit 380888e

Browse files
egregius313egregius313
committed
Refactor ClientSuppliedIpUsedInSecurityCheck
1 parent 3c85ca9 commit 380888e

File tree

1 file changed

+13
-12
lines changed

1 file changed

+13
-12
lines changed

java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql

Lines changed: 13 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -12,29 +12,26 @@
1212
*/
1313

1414
import java
15-
import ClientSuppliedIpUsedInSecurityCheckLib
15+
import semmle.code.java.dataflow.TaintTracking
1616
import semmle.code.java.dataflow.FlowSources
17-
import DataFlow::PathGraph
17+
import ClientSuppliedIpUsedInSecurityCheckLib
18+
import ClientSuppliedIpUsedInSecurityCheckFlow::PathGraph
1819

1920
/**
2021
* Taint-tracking configuration tracing flow from obtaining a client ip from an HTTP header to a sensitive use.
2122
*/
22-
class ClientSuppliedIpUsedInSecurityCheckConfig extends TaintTracking::Configuration {
23-
ClientSuppliedIpUsedInSecurityCheckConfig() { this = "ClientSuppliedIpUsedInSecurityCheckConfig" }
24-
25-
override predicate isSource(DataFlow::Node source) {
23+
module ClientSuppliedIpUsedInSecurityCheckConfig implements DataFlow::ConfigSig {
24+
predicate isSource(DataFlow::Node source) {
2625
source instanceof ClientSuppliedIpUsedInSecurityCheck
2726
}
2827

29-
override predicate isSink(DataFlow::Node sink) {
30-
sink instanceof ClientSuppliedIpUsedInSecurityCheckSink
31-
}
28+
predicate isSink(DataFlow::Node sink) { sink instanceof ClientSuppliedIpUsedInSecurityCheckSink }
3229

3330
/**
3431
* Splitting a header value by `,` and taking an entry other than the first is sanitizing, because
3532
* later entries may originate from more-trustworthy intermediate proxies, not the original client.
3633
*/
37-
override predicate isSanitizer(DataFlow::Node node) {
34+
predicate isBarrier(DataFlow::Node node) {
3835
exists(ArrayAccess aa, MethodAccess ma | aa.getArray() = ma |
3936
ma.getQualifier() = node.asExpr() and
4037
ma.getMethod() instanceof SplitMethod and
@@ -47,8 +44,12 @@ class ClientSuppliedIpUsedInSecurityCheckConfig extends TaintTracking::Configura
4744
}
4845
}
4946

47+
module ClientSuppliedIpUsedInSecurityCheckFlow =
48+
TaintTracking::Global<ClientSuppliedIpUsedInSecurityCheckConfig>;
49+
5050
from
51-
DataFlow::PathNode source, DataFlow::PathNode sink, ClientSuppliedIpUsedInSecurityCheckConfig conf
52-
where conf.hasFlowPath(source, sink)
51+
ClientSuppliedIpUsedInSecurityCheckFlow::PathNode source,
52+
ClientSuppliedIpUsedInSecurityCheckFlow::PathNode sink
53+
where ClientSuppliedIpUsedInSecurityCheckFlow::flowPath(source, sink)
5354
select sink.getNode(), source, sink, "IP address spoofing might include code from $@.",
5455
source.getNode(), "this user input"

0 commit comments

Comments
 (0)