import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.DataFlow3
import lib.dataflow_extra.CollectionsEdges
import lib.dataflow_extra.ExtraEdges
import lib.struts.Sanitizers
import lib.dataflow_extra.Sanitizers
/**
 * The Struts helper class `com.opensymphony.xwork2.ognl.OgnlUtil`, whose
 * `compileAndExecute` method is treated in this file as the point where a
 * string is evaluated as OGNL (see `isOgnlSink`).
 */
class OgnlUtil extends RefType {
  OgnlUtil() { this.hasQualifiedName("com.opensymphony.xwork2.ognl", "OgnlUtil") }
}
/**
 * Holds if `sink` is the first argument of a call to `OgnlUtil.compileAndExecute`,
 * i.e. a value that is compiled and evaluated as an OGNL expression.
 * Control over this argument is what makes OGNL injection possible, so it is
 * the sink `OgnlCallConfiguration` reports flow into.
 */
predicate isOgnlSink(DataFlow::Node sink) {
  exists(MethodAccess call, Method target |
    target = call.getMethod() and
    target.hasName("compileAndExecute") and
    target.getDeclaringType() instanceof OgnlUtil and
    call.getArgument(0) = sink.asExpr()
  )
}
/**
 * A data-flow configuration from any `String` parameter of a `Method` to the
 * expression argument of `OgnlUtil.compileAndExecute` (`isOgnlSink`).
 * Besides standard data flow it follows the extra edges from `lib.dataflow_extra`
 * (`standardExtraEdges`, and `collectionsPutEdge` for collection `put`-style calls).
 * Nodes accepted by the OGNL sanitizers, the Struts test sanitizer, the `toString`
 * sanitizer or the map-method sanitizer stop the flow.
 */
class OgnlCallConfiguration extends DataFlow3::Configuration {
  OgnlCallConfiguration() { this = "OgnlCallConfiguration" }

  /** A parameter of type `String` belonging to a `Method` (constructor parameters are not sources). */
  override predicate isSource(DataFlow::Node source) {
    exists(Parameter p |
      p = source.asParameter() and
      p.getCallable() instanceof Method and
      p.getType() instanceof TypeString
    )
  }

  /** The first argument of `OgnlUtil.compileAndExecute`. */
  override predicate isSink(DataFlow::Node sink) { isOgnlSink(sink) }

  /** Extra taint-like steps that the default data-flow library does not model. */
  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
    collectionsPutEdge(node1, node2)
    or
    standardExtraEdges(node1, node2)
  }

  /** Nodes at which flow is cut off because the value is known to be safe for OGNL evaluation. */
  override predicate isBarrier(DataFlow::Node node) {
    ognlSanitizers(node)
    or
    node instanceof MapMethodSanitizer
    or
    node instanceof ToStringSanitizer
    or
    node instanceof StrutsTestSanitizer
  }
}
/**
 * A `Method` with at least one parameter that, according to `OgnlCallConfiguration`,
 * flows into an OGNL evaluation: a caller of this method can cause OGNL execution
 * by controlling that parameter.
 *
 * `completeExpressionIfAltSyntax`, `stripExpressionIfAltSyntax` and `setLocation`
 * are excluded; presumably these are known wrappers whose results would otherwise
 * dominate the output, confirm against the queries that consume this class.
 */
class OgnlCallMethod extends Method {
  OgnlCallMethod() {
    exists(OgnlCallConfiguration cfg, DataFlow::Node src |
      src.asParameter() = this.getAParameter()
    |
      cfg.hasFlow(src, _)
    ) and
    not (
      this.hasName("completeExpressionIfAltSyntax") or
      this.hasName("stripExpressionIfAltSyntax") or
      this.hasName("setLocation")
    )
  }
}
/**
 * An `OgnlCallMethod` that has at least one caller which is not itself an
 * `OgnlCallMethod`, i.e. the method at which code that does not otherwise feed
 * OGNL evaluation first passes data towards it. A method that is also called
 * from other `OgnlCallMethod`s still qualifies as long as one caller is outside
 * that set; `polyCalls` also counts calls that dispatch to this method through overriding.
 */
class OgnlEntryPointMethod extends OgnlCallMethod {
  OgnlEntryPointMethod() {
    exists(Method caller | caller.polyCalls(this) | not caller instanceof OgnlCallMethod)
  }
}