@@ -15,16 +15,17 @@ import semmle.code.java.frameworks.Servlets
1515import semmle.code.java.dataflow.TaintTracking
1616import DataFlow:: PathGraph
1717
18- // Check for Access-Control-Allow-Credentials as well, this ensures fair chances of exploitability.
19- predicate satisfyAllowCredentials ( MethodAccess header , MethodAccess check ) {
18+ /**
19+ * Holds if `header` sets `Access-Control-Allow-Credentials` to `true`. This ensures fair chances of exploitability.
20+ */
21+ private predicate setsAllowCredentials ( MethodAccess header ) {
2022 header .getArgument ( 0 ) .( CompileTimeConstantExpr ) .getStringValue ( ) .toLowerCase ( ) =
2123 "access-control-allow-credentials" and
22- header .getArgument ( 1 ) .( CompileTimeConstantExpr ) .getStringValue ( ) = "true" and
23- header .getEnclosingCallable ( ) = check .getEnclosingCallable ( )
24+ header .getArgument ( 1 ) .( CompileTimeConstantExpr ) .getStringValue ( ) = "true"
2425}
2526
26- predicate checkAccessControlAllowOriginHeader ( Expr expr ) {
27- expr .( CompileTimeConstantExpr ) .getStringValue ( ) .toLowerCase ( ) = "access-control-allow-origin"
27+ private Expr getAccessControlAllowOriginHeaderName ( ) {
28+ result .( CompileTimeConstantExpr ) .getStringValue ( ) .toLowerCase ( ) = "access-control-allow-origin"
2829}
2930
3031class CorsOriginConfig extends TaintTracking:: Configuration {
@@ -33,18 +34,19 @@ class CorsOriginConfig extends TaintTracking::Configuration {
3334 override predicate isSource ( DataFlow:: Node source ) { source instanceof RemoteFlowSource }
3435
3536 override predicate isSink ( DataFlow:: Node sink ) {
36- exists ( ResponseSetHeaderMethod h , MethodAccess m |
37- m = h .getAReference ( ) and
38- checkAccessControlAllowOriginHeader ( m .getArgument ( 0 ) ) and
39- satisfyAllowCredentials ( h .getAReference ( ) , m ) and
40- sink .asExpr ( ) = m .getArgument ( 1 )
41- )
42- or
43- exists ( ResponseAddHeaderMethod a , MethodAccess m |
44- m = a .getAReference ( ) and
45- checkAccessControlAllowOriginHeader ( m .getArgument ( 0 ) ) and
46- satisfyAllowCredentials ( a .getAReference ( ) , m ) and
47- sink .asExpr ( ) = m .getArgument ( 1 )
37+ exists ( MethodAccess corsheader , MethodAccess allowcredentialsheader |
38+ (
39+ corsheader .getMethod ( ) instanceof ResponseSetHeaderMethod or
40+ corsheader .getMethod ( ) instanceof ResponseAddHeaderMethod
41+ ) and
42+ (
43+ allowcredentialsheader .getMethod ( ) instanceof ResponseSetHeaderMethod or
44+ allowcredentialsheader .getMethod ( ) instanceof ResponseAddHeaderMethod
45+ ) and
46+ getAccessControlAllowOriginHeaderName ( ) = corsheader .getArgument ( 0 ) and
47+ setsAllowCredentials ( allowcredentialsheader ) and
48+ corsheader .getEnclosingCallable ( ) = allowcredentialsheader .getEnclosingCallable ( ) and
49+ sink .asExpr ( ) = corsheader .getArgument ( 1 )
4850 )
4951 }
5052}
0 commit comments