Skip to content

Commit 5594e7f

Browse files
egregius313egregius313
committed
Add SensitiveGetQuery
1 parent 478309c commit 5594e7f

File tree

1 file changed

+9
-9
lines changed

1 file changed

+9
-9
lines changed

java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql

Lines changed: 9 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@ import java
1414
import semmle.code.java.dataflow.FlowSources
1515
import semmle.code.java.dataflow.TaintTracking
1616
import semmle.code.java.security.SensitiveActions
17-
import DataFlow::PathGraph
17+
import SensitiveGetQueryFlow::PathGraph
1818

1919
/** A variable that holds sensitive information judging by its name. */
2020
class SensitiveInfoExpr extends Expr {
@@ -59,22 +59,22 @@ class RequestGetParamSource extends DataFlow::ExprNode {
5959
}
6060

6161
/** A taint configuration tracking flow from the `ServletRequest` of a GET request handler to an expression whose name suggests it holds security-sensitive data. */
62-
class SensitiveGetQueryConfiguration extends TaintTracking::Configuration {
63-
SensitiveGetQueryConfiguration() { this = "SensitiveGetQueryConfiguration" }
62+
module SensitiveGetQueryConfig implements DataFlow::ConfigSig {
63+
predicate isSource(DataFlow::Node source) { source instanceof RequestGetParamSource }
6464

65-
override predicate isSource(DataFlow::Node source) { source instanceof RequestGetParamSource }
66-
67-
override predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof SensitiveInfoExpr }
65+
predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof SensitiveInfoExpr }
6866

6967
/** Holds if the node is in a servlet method other than `doGet`. */
70-
override predicate isSanitizer(DataFlow::Node node) {
68+
predicate isBarrier(DataFlow::Node node) {
7169
isServletRequestMethod(node.getEnclosingCallable()) and
7270
not isGetServletMethod(node.getEnclosingCallable())
7371
}
7472
}
7573

76-
from DataFlow::PathNode source, DataFlow::PathNode sink, SensitiveGetQueryConfiguration c
77-
where c.hasFlowPath(source, sink)
74+
module SensitiveGetQueryFlow = TaintTracking::Global<SensitiveGetQueryConfig>;
75+
76+
from SensitiveGetQueryFlow::PathNode source, SensitiveGetQueryFlow::PathNode sink
77+
where SensitiveGetQueryFlow::flowPath(source, sink)
7878
select sink.getNode(), source, sink,
7979
"$@ uses the GET request method to transmit sensitive information.", source.getNode(),
8080
"This request"

0 commit comments

Comments
 (0)