Skip to content

Commit 520ba47

Browse files
committed
Sanitizer improvements from code review
1 parent 409d95c commit 520ba47

1 file changed

Lines changed: 23 additions & 13 deletions

File tree

java/ql/src/Security/CWE/CWE-346/UnvalidatedCors.ql

Lines changed: 23 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -30,9 +30,14 @@ private predicate setsAllowCredentials(MethodAccess header) {
3030

3131
class CorsProbableCheckAccess extends MethodAccess {
3232
CorsProbableCheckAccess() {
33-
getMethod().getName() = ["contains", "equals"] and
34-
getMethod().getDeclaringType().getQualifiedName() =
35-
["java.util.List<String>", "java.util.ArrayList<String>", "java.lang.String"]
33+
getMethod().hasName("contains") and
34+
getMethod()
35+
.getDeclaringType()
36+
.getASourceSupertype*()
37+
.hasQualifiedName("java.util", "Collection")
38+
or
39+
getMethod().hasName("equals") and
40+
getQualifier().getType() instanceof TypeString
3641
}
3742
}
3843

@@ -58,18 +63,23 @@ class CorsOriginConfig extends TaintTracking::Configuration {
5863
)
5964
}
6065

61-
/*
62-
* This should ideally check, the origin being validated against a list/array-list.
63-
* or function being used to validate the origin, which has a flow from its parameter to any of the CorsProbableCheckAccess functions
66+
/**
67+
* this sanitizer is oversimplistic:
68+
* - it only considers local dataflows
69+
* - it will consider any method calling `Collection.contains` or `String.equals` as a sanitizer
70+
* no matter if that check is taken into account and its result reaches the
71+
* return statement of the wrapper.
6472
*/
65-
6673
override predicate isSanitizer(DataFlow::Node node) {
67-
node.asExpr() = any(CorsProbableCheckAccess ma).getAnArgument()
68-
or
69-
exists(MethodAccess ma, CorsProbableCheckAccess ca |
70-
ma.getMethod().calls(ca.getMethod()) and
71-
DataFlow::localExprFlow(ma.getMethod().getAParameter().getAnAccess(), ca.getAnArgument()) and
72-
(node.asExpr() = ma.getAnArgument() or node.asExpr() = ma.getAnArgument().getAChildExpr())
74+
exists(CorsProbableCheckAccess check |
75+
TaintTracking::localTaint(node, DataFlow::exprNode(check.getAnArgument()))
76+
or
77+
exists(MethodAccess wrapperAccess, Method wrapper, int i |
78+
TaintTracking::localTaint(node, DataFlow::exprNode(wrapperAccess.getArgument(i))) and
79+
wrapperAccess.getMethod() = wrapper and
80+
TaintTracking::localTaint(DataFlow::parameterNode(wrapper.getParameter(i)),
81+
DataFlow::exprNode(check.getAnArgument()))
82+
)
7383
)
7484
}
7585
}

0 commit comments

Comments
 (0)