Skip to content

Commit 409d95c

Browse files
committed
Sanitizer checks to decrease FP
1 parent 19872e9 commit 409d95c

1 file changed

Lines changed: 23 additions & 0 deletions

File tree

java/ql/src/Security/CWE/CWE-346/UnvalidatedCors.ql

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -28,6 +28,14 @@ private predicate setsAllowCredentials(MethodAccess header) {
2828
header.getArgument(1).(CompileTimeConstantExpr).getStringValue() = "true"
2929
}
3030

31+
class CorsProbableCheckAccess extends MethodAccess {
32+
CorsProbableCheckAccess() {
33+
getMethod().getName() = ["contains", "equals"] and
34+
getMethod().getDeclaringType().getQualifiedName() =
35+
["java.util.List<String>", "java.util.ArrayList<String>", "java.lang.String"]
36+
}
37+
}
38+
3139
private Expr getAccessControlAllowOriginHeaderName() {
3240
result.(CompileTimeConstantExpr).getStringValue().toLowerCase() = "access-control-allow-origin"
3341
}
@@ -49,6 +57,21 @@ class CorsOriginConfig extends TaintTracking::Configuration {
4957
sink.asExpr() = corsheader.getArgument(1)
5058
)
5159
}
60+
61+
/*
62+
* This should ideally check, the origin being validated against a list/array-list.
63+
* or function being used to validate the origin, which has a flow from its parameter to any of the CorsProbableCheckAccess functions
64+
*/
65+
66+
override predicate isSanitizer(DataFlow::Node node) {
67+
node.asExpr() = any(CorsProbableCheckAccess ma).getAnArgument()
68+
or
69+
exists(MethodAccess ma, CorsProbableCheckAccess ca |
70+
ma.getMethod().calls(ca.getMethod()) and
71+
DataFlow::localExprFlow(ma.getMethod().getAParameter().getAnAccess(), ca.getAnArgument()) and
72+
(node.asExpr() = ma.getAnArgument() or node.asExpr() = ma.getAnArgument().getAChildExpr())
73+
)
74+
}
5275
}
5376

5477
from DataFlow::PathNode source, DataFlow::PathNode sink, CorsOriginConfig conf

0 commit comments

Comments
 (0)