-
Notifications
You must be signed in to change notification settings - Fork 0
/
1.8.ql
71 lines (65 loc) · 2.86 KB
/
1.8.ql
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
/**
* @kind path-problem
*/
import java
import semmle.code.java.dataflow.TaintTracking
import DataFlow::PathGraph
class CustomAdditionalStep extends TaintTracking::AdditionalTaintStep {
override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
//spread taint from
exists(MethodAccess ma, Callable c |
// the method access' qualifier
node1.asExpr() = ma.getQualifier() and
// to the method access
node2.asExpr() = ma and
c = ma.getCallee() and
// if
(
(
// method accessed belongs to these
c.getQualifiedName() in ["Container.getSoftConstraints", "Container.getHardConstraints"]
// or ¬‿¬
) or
(
// the accessed method's name belong in these
c.getName() in ["keySet"] and
// add the class which declares it inherts from this
c.getDeclaringType().getASupertype().getQualifiedName().matches("java.util.Map<%>")
)
)
// or ¯\_(ツ)_/¯
) or
exists(ConstructorCall cc |
// a constructor call's argument
node1.asExpr() = cc.getAnArgument() and
// to the constructor call
node2.asExpr() = cc and
// if the type constructed matches
cc.getConstructedType().getName().matches("HashSet<%>")
)
}
}
class ELInjectionTaintTrackingConfig extends TaintTracking::Configuration {
ELInjectionTaintTrackingConfig() { this = "ELInjectionTaintTrackingConfig" }
override predicate isSource(DataFlow::Node source) {
exists(Method overriding, Method overridden|
// the isValid we are looking for should be an overriding method
overriding.overrides(overridden) and
// the method which is overridden should match the pattern
overridden.getQualifiedName().matches("ConstraintValidator<%,%>.isValid") and
// source would be the first parameter of the overriding method
source.asParameter() = overriding.getParameter(0)
)
}
override predicate isSink(DataFlow::Node sink) {
exists(Call c|
// first argument of the call will be sink
c.getArgument(0) = sink.asExpr() and
// the calls of this function are the ones we're interested in
c.getCallee().getQualifiedName() = "ConstraintValidatorContext.buildConstraintViolationWithTemplate"
)
}
}
from ELInjectionTaintTrackingConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink, source, sink, "Custom constraint error message contains unsanitized user data"