@@ -30,9 +30,14 @@ private predicate setsAllowCredentials(MethodAccess header) {
3030
3131class CorsProbableCheckAccess extends MethodAccess {
3232 CorsProbableCheckAccess ( ) {
33- getMethod ( ) .getName ( ) = [ "contains" , "equals" ] and
34- getMethod ( ) .getDeclaringType ( ) .getQualifiedName ( ) =
35- [ "java.util.List<String>" , "java.util.ArrayList<String>" , "java.lang.String" ]
33+ getMethod ( ) .hasName ( "contains" ) and
34+ getMethod ( )
35+ .getDeclaringType ( )
36+ .getASourceSupertype * ( )
37+ .hasQualifiedName ( "java.util" , "Collection" )
38+ or
39+ getMethod ( ) .hasName ( "equals" ) and
40+ getQualifier ( ) .getType ( ) instanceof TypeString
3641 }
3742}
3843
@@ -58,18 +63,23 @@ class CorsOriginConfig extends TaintTracking::Configuration {
5863 )
5964 }
6065
61- /*
62- * This should ideally check, the origin being validated against a list/array-list.
63- * or function being used to validate the origin, which has a flow from its parameter to any of the CorsProbableCheckAccess functions
66+ /**
67+ * this sanitizer is oversimplistic:
68+ * - it only considers local dataflows
69+ * - it will consider any method calling `Collection.contains` or `String.equals` as a sanitizer
70+ * no matter if that check is taken into account and its result reaches the
71+ * return statement of the wrapper.
6472 */
65-
6673 override predicate isSanitizer ( DataFlow:: Node node ) {
67- node .asExpr ( ) = any ( CorsProbableCheckAccess ma ) .getAnArgument ( )
68- or
69- exists ( MethodAccess ma , CorsProbableCheckAccess ca |
70- ma .getMethod ( ) .calls ( ca .getMethod ( ) ) and
71- DataFlow:: localExprFlow ( ma .getMethod ( ) .getAParameter ( ) .getAnAccess ( ) , ca .getAnArgument ( ) ) and
72- ( node .asExpr ( ) = ma .getAnArgument ( ) or node .asExpr ( ) = ma .getAnArgument ( ) .getAChildExpr ( ) )
74+ exists ( CorsProbableCheckAccess check |
75+ TaintTracking:: localTaint ( node , DataFlow:: exprNode ( check .getAnArgument ( ) ) )
76+ or
77+ exists ( MethodAccess wrapperAccess , Method wrapper , int i |
78+ TaintTracking:: localTaint ( node , DataFlow:: exprNode ( wrapperAccess .getArgument ( i ) ) ) and
79+ wrapperAccess .getMethod ( ) = wrapper and
80+ TaintTracking:: localTaint ( DataFlow:: parameterNode ( wrapper .getParameter ( i ) ) ,
81+ DataFlow:: exprNode ( check .getAnArgument ( ) ) )
82+ )
7383 )
7484 }
7585}
0 commit comments