
Commit cc22a7d

Add XssLocalQuery
1 parent c2b6a3f commit cc22a7d


3 files changed

+23
-12
lines changed


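--- a/java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md
+++ b/java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md
@@ -3,4 +3,5 @@ category: minorAnalysis
 ---
 * Added the `TaintedPermissionQuery.qll` library to provide the `TaintedPermissionFlow` taint-tracking module to reason about tainted permission vulnerabilities.
 * Added the `XPathInjectionQuery.qll` library to provide the `XPathInjectionFlow` taint-tracking module to reason about XPath injection vulnerabilities.
-* Added the `SqlConcatenatedQuery.qll` library to provide the `UncontrolledStringBuilderSourceFlow` taint-tracking module to reason about SQL injection vulnerabilities caused by concatenating untrusted strings.
+* Added the `SqlConcatenatedQuery.qll` library to provide the `UncontrolledStringBuilderSourceFlow` taint-tracking module to reason about SQL injection vulnerabilities caused by concatenating untrusted strings.
+* Added the `XssLocalQuery.qll` library to provide the `XssLocalFlow` taint-tracking module to reason about XSS vulnerabilities caused by local data flow.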
Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
/** Provides a taint-tracking configuration to reason about cross-site scripting from a local source. */
2+
3+
import java
4+
import semmle.code.java.dataflow.FlowSources
5+
import semmle.code.java.dataflow.TaintTracking
6+
import semmle.code.java.security.XSS
7+
8+
/**
9+
* A taint-tracking configuration for reasoning about cross-site scripting vulnerabilities from a local source.
10+
*/
11+
module XssLocalConfig implements DataFlow::ConfigSig {
12+
predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
13+
14+
predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
15+
}
16+
17+
/**
18+
* Taint-tracking flow for cross-site scripting vulnerabilities from a local source.
19+
*/
20+
module XssLocalFlow = TaintTracking::Global<XssLocalConfig>;
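Review bot: `XssLocalConfig` in the new library defines only `isSource` and `isSink` with no `isBarrier`, so whatever sanitizer classes XSS.qll exposes for the main XSS query are not applied to this local-source flow. That mirrors the in-query configuration this commit removes from XSSLocal.ql, so it is presumably intentional, but now that the module is a shared library other queries may import, the omission should be stated rather than left for readers to rediscover; I would add to the module doc comment ` * No barriers are defined, matching the original in-query configuration; sanitizers from XSS.qll are not applied.` The explicit `import semmle.code.java.dataflow.TaintTracking` is a good addition, since the module uses `TaintTracking::Global` directly instead of relying on it arriving through FlowSources. The rendered page does not show this section's file path; the import added to XSSLocal.ql implies it lives under `semmle/code/java/security`, which is worth confirming against the actual file location.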

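--- a/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql
@@ -12,17 +12,7 @@
 */
 
 import java
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.XSS
-
-module XssLocalConfig implements DataFlow::ConfigSig {
-predicate isSource(DataFlow::Node source) { source instanceof LocalUserInput }
-
-predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
-}
-
-module XssLocalFlow = TaintTracking::Global<XssLocalConfig>;
-
+import semmle.code.java.security.XssLocalQuery
 import XssLocalFlow::PathGraph
 
 from XssLocalFlow::PathNode source, XssLocalFlow::PathNode sink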
