
Commit 685a204

Refactor UnsafeReflection
1 parent 13e1cc5 commit 685a204


1 file changed

+11
-11
lines changed


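--- a/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflection.ql
@@ -17,7 +17,7 @@ import UnsafeReflectionLib
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.controlflow.Guards
-import DataFlow::PathGraph
+import UnsafeReflectionFlow::PathGraph
 
 private predicate containsSanitizer(Guard g, Expr e, boolean branch) {
   g.(MethodAccess).getMethod().hasName("contains") and
@@ -31,14 +31,12 @@ private predicate equalsSanitizer(Guard g, Expr e, boolean branch) {
   branch = true
 }
 
-class UnsafeReflectionConfig extends TaintTracking::Configuration {
-  UnsafeReflectionConfig() { this = "UnsafeReflectionConfig" }
+module UnsafeReflectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeReflectionSink }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeReflectionSink }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+  predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
     // Argument -> return of Class.forName, ClassLoader.loadClass
     exists(ReflectiveClassIdentifierMethodAccess rcimac |
       rcimac.getArgument(0) = pred.asExpr() and rcimac = succ.asExpr()
@@ -75,23 +73,25 @@ class UnsafeReflectionConfig extends TaintTracking::Configuration {
     )
   }
 
-  override predicate isSanitizer(DataFlow::Node node) {
+  predicate isBarrier(DataFlow::Node node) {
     node = DataFlow::BarrierGuard<containsSanitizer/3>::getABarrierNode() or
     node = DataFlow::BarrierGuard<equalsSanitizer/3>::getABarrierNode()
   }
 }
 
+module UnsafeReflectionFlow = TaintTracking::Global<UnsafeReflectionConfig>;
+
 private Expr getAMethodArgument(MethodAccess reflectiveCall) {
   result = reflectiveCall.(NewInstance).getAnArgument()
   or
   result = reflectiveCall.(MethodInvokeCall).getAnArgument()
 }
 
 from
-  DataFlow::PathNode source, DataFlow::PathNode sink, UnsafeReflectionConfig conf,
+  UnsafeReflectionFlow::PathNode source, UnsafeReflectionFlow::PathNode sink,
   MethodAccess reflectiveCall
 where
-  conf.hasFlowPath(source, sink) and
+  UnsafeReflectionFlow::flowPath(source, sink) and
   sink.getNode().asExpr() = reflectiveCall.getQualifier() and
-  conf.hasFlowToExpr(getAMethodArgument(reflectiveCall))
+  UnsafeReflectionFlow::flowToExpr(getAMethodArgument(reflectiveCall))
 select sink.getNode(), source, sink, "Unsafe reflection of $@.", source.getNode(), "user input"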
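Review bot: The new `module UnsafeReflectionConfig implements DataFlow::ConfigSig` in the second hunk has no QLDoc, so a reader cannot tell from the module itself that it tracks remote user input to a reflective call target and that only `contains`/`equals` guard checks clear the taint; a one-line header such as `/** Taint-tracking from `RemoteFlowSource` to `UnsafeReflectionSink`, with `contains`/`equals` guards as barriers. */` would make the contract explicit at the point where the API migration rewrote it. The same applies to `module UnsafeReflectionFlow = TaintTracking::Global<UnsafeReflectionConfig>;` in the third hunk, which is the name the `from`/`where` clause now depends on. It is also worth a comment on `isBarrier` that a `contains` guard only proves membership in whatever collection the code checks, so the barrier is only as strong as that allowlist — that is pre-existing behaviour the rename preserves, but the migration is the natural place to record it. The body of `isAdditionalFlowStep` starts in the second hunk and continues outside it.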
