
Commit beca44e

authored
Merge pull request #4172 from rvermeulen/java/xss-sink-extensible
Java: Customizable XSS analysis
2 parents 35494ab + 2bdd3d7 commit beca44e


2 files changed

+35
-6
lines changed

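--- a/java/ql/src/Security/CWE/CWE-079/XSS.ql
+++ b/java/ql/src/Security/CWE/CWE-079/XSS.ql
@@ -22,8 +22,10 @@ class XSSConfig extends TaintTracking::Configuration {
 
 override predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
 
-override predicate isSanitizer(DataFlow::Node node) {
-node.getType() instanceof NumericType or node.getType() instanceof BooleanType
+override predicate isSanitizer(DataFlow::Node node) { node instanceof XssSanitizer }
+
+override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+any(XssAdditionalTaintStep s).step(node1, node2)
 }
 }
 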
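--- a/java/ql/src/semmle/code/java/security/XSS.qll
+++ b/java/ql/src/semmle/code/java/security/XSS.qll
@@ -1,3 +1,5 @@
+/** Provides classes to reason about Cross-site scripting (XSS) vulnerabilities. */
+
 import java
 import semmle.code.java.frameworks.Servlets
 import semmle.code.java.frameworks.android.WebView
@@ -6,12 +8,27 @@ import semmle.code.java.frameworks.spring.SpringHttp
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.TaintTracking2
 
-/*
-* Definitions for XSS sinks
-*/
-
+/** A sink that represent a method that outputs data without applying contextual output encoding. */
 abstract class XssSink extends DataFlow::Node { }
 
+/** A sanitizer that neutralizes dangerous characters that can be used to perform a XSS attack. */
+abstract class XssSanitizer extends DataFlow::Node { }
+
+/**
+* A unit class for adding additional taint steps.
+*
+* Extend this class to add additional taint steps that should apply to the XSS
+* taint configuration.
+*/
+abstract class XssAdditionalTaintStep extends TaintTracking2::Unit {
+/**
+* Holds if the step from `node1` to `node2` should be considered a taint
+* step for XSS taint configurations.
+*/
+abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
+}
+
+/** A default sink representing methods susceptible to XSS attacks. */
 private class DefaultXssSink extends XssSink {
 DefaultXssSink() {
 exists(HttpServletResponseSendErrorMethod m, MethodAccess ma |
@@ -80,6 +97,14 @@ private class DefaultXssSink extends XssSink {
 }
 }
 
+/** A default sanitizer that considers numeric and boolean typed data safe for writing to output. */
+private class DefaultXSSSanitizer extends XssSanitizer {
+DefaultXSSSanitizer() {
+this.getType() instanceof NumericType or this.getType() instanceof BooleanType
+}
+}
+
+/** A configuration that tracks data from a servlet writer to an output method. */
 private class ServletWriterSourceToWritingMethodFlowConfig extends TaintTracking2::Configuration {
 ServletWriterSourceToWritingMethodFlowConfig() {
 this = "XSS::ServletWriterSourceToWritingMethodFlowConfig"
@@ -94,6 +119,7 @@ private class ServletWriterSourceToWritingMethodFlowConfig extends TaintTracking
 }
 }
 
+/** A method that can be used to output data to an output stream or writer. */
 private class WritingMethod extends Method {
 WritingMethod() {
 getDeclaringType().getASupertype*().hasQualifiedName("java.io", _) and
@@ -106,6 +132,7 @@ private class WritingMethod extends Method {
 }
 }
 
+/** An output stream or writer that writes to a servlet response. */
 class ServletWriterSource extends MethodAccess {
 ServletWriterSource() {
 this.getMethod() instanceof ServletResponseGetWriterMethod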
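Review bot: `DefaultXSSSanitizer` in the @@ -80,6 +97,14 @@ hunk breaks the acronym casing the rest of this file uses (`XssSink`, `XssSanitizer`, `DefaultXssSink`); rename it to `DefaultXssSanitizer` on both the class line and its characteristic predicate, which is safe because the class is private. The new doc comments in the @@ -6,12 +8,27 @@ hunk have two grammar slips and should read `/** A sink that represents a method that outputs data without applying contextual output encoding. */` and `/** A sanitizer that neutralizes dangerous characters that can be used to perform an XSS attack. */`. Since `XssSanitizer` is a public abstract class and the query's `isSanitizer` now accepts any node that is an instance of it, an extension subclass that matches too broadly silently suppresses real XSS results rather than failing loudly; the `XssSanitizer` doc comment could add `Subclasses should match only nodes whose value is known to be safe in the output context; an overly broad sanitizer hides findings.`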