
Commit 4c80ff0

committed
Refactor UnvalidatedCors
1 parent d254d91 commit 4c80ff0


1 file changed

+18
-16
lines changed


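--- a/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql
@@ -14,8 +14,7 @@ import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.frameworks.Servlets
 import semmle.code.java.dataflow.TaintTracking
-import semmle.code.java.dataflow.TaintTracking2
-import DataFlow::PathGraph
+import CorsOriginFlow::PathGraph
 
 /**
  * Holds if `header` sets `Access-Control-Allow-Credentials` to `true`. This ensures fair chances of exploitability.
@@ -48,24 +47,25 @@ private Expr getAccessControlAllowOriginHeaderName() {
 }
 
 /**
- * This taintflow2 configuration checks if there is a flow from source node towards CorsProbableCheckAccess methods.
+ * A taint-tracking configuration for flow from a source node to CorsProbableCheckAccess methods.
  */
-class CorsSourceReachesCheckConfig extends TaintTracking2::Configuration {
-  CorsSourceReachesCheckConfig() { this = "CorsOriginConfig" }
+module CorsSourceReachesCheckConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { CorsOriginFlow::flow(source, _) }
 
-  override predicate isSource(DataFlow::Node source) { any(CorsOriginConfig c).hasFlow(source, _) }
-
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     sink.asExpr() = any(CorsProbableCheckAccess check).getAnArgument()
   }
 }
 
-private class CorsOriginConfig extends TaintTracking::Configuration {
-  CorsOriginConfig() { this = "CorsOriginConfig" }
+/**
+ * Taint-tracking flow from a source node to CorsProbableCheckAccess methods.
+ */
+module CorsSourceReachesCheckFlow = TaintTracking::Global<CorsSourceReachesCheckConfig>;
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+private module CorsOriginConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSink(DataFlow::Node sink) {
+  predicate isSink(DataFlow::Node sink) {
     exists(MethodAccess corsHeader, MethodAccess allowCredentialsHeader |
       (
         corsHeader.getMethod() instanceof ResponseSetHeaderMethod or
@@ -79,9 +79,11 @@ private class CorsOriginConfig extends TaintTracking::Configuration {
   }
 }
 
-from
-  DataFlow::PathNode source, DataFlow::PathNode sink, CorsOriginConfig conf,
-  CorsSourceReachesCheckConfig sanconf
-where conf.hasFlowPath(source, sink) and not sanconf.hasFlow(source.getNode(), _)
+private module CorsOriginFlow = TaintTracking::Global<CorsOriginConfig>;
+
+from CorsOriginFlow::PathNode source, CorsOriginFlow::PathNode sink
+where
+  CorsOriginFlow::flowPath(source, sink) and
+  not CorsSourceReachesCheckFlow::flow(source.getNode(), _)
 select sink.getNode(), source, sink, "CORS header is being set using user controlled value $@.",
   source.getNode(), "user-provided value"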
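Review bot: `CorsSourceReachesCheckConfig` and `CorsSourceReachesCheckFlow` are introduced as public modules while the parallel `CorsOriginConfig` and `CorsOriginFlow` are `private`; all four are only used inside this query, so the two new ones should match, `private module CorsSourceReachesCheckConfig implements DataFlow::ConfigSig {` and `private module CorsSourceReachesCheckFlow = TaintTracking::Global<CorsSourceReachesCheckConfig>;`. The QLDoc added on `CorsSourceReachesCheckFlow` repeats the configuration's doc almost verbatim and does not say what the flow is for; stating its role in the query would help, e.g. ` * Flow from a source of `CorsOriginFlow` to an argument of a CorsProbableCheckAccess call; a result is suppressed when its source has such a flow, on the assumption that the origin is validated before the header is set.` `CorsOriginConfig` still carries no QLDoc, and its `isSink` body continues outside this section, so a one-line doc describing the header write it matches (it appears to involve `ResponseSetHeaderMethod` and an `Access-Control-Allow-Credentials` header, per the surrounding code) is worth adding as well. Also worth a short comment on `isSource` in `CorsSourceReachesCheckConfig`: it is deliberately restricted to nodes that are sources of `CorsOriginFlow`, which is not obvious from the name.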
