Merge pull request #9659 from smowton/smowton/admin/invert-java-log-injection-query

smowton · web-flow · commit 00b4070866c7 · 2022-06-22T14:27:50.000+01:00
Java: Report log-injection at the source rather than the sink
diff --git a/java/ql/src/Security/CWE/CWE-117/LogInjection.ql b/java/ql/src/Security/CWE/CWE-117/LogInjection.ql
@@ -17,5 +17,5 @@ import DataFlow::PathGraph
 
 from LogInjectionConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
 where cfg.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "This $@ flows to a log entry.", source.getNode(),
-  "user-provided value"
+select source.getNode(), source, sink, "This user-provided value flows to a $@.", sink.getNode(),
+  "log entry"
diff --git a/java/ql/src/change-notes/2022-06-22-log-injection-location.md b/java/ql/src/change-notes/2022-06-22-log-injection-location.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `java/log-injection` now reports problems at the source (user-controlled data) instead of at the ultimate logging call. This was changed because user functions that wrap the ultimate logging call could result in most alerts being reported in an uninformative location.

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* The query `java/log-injection` now reports problems at the source (user-controlled data) instead of at the ultimate logging call. This was changed because user functions that wrap the ultimate logging call could result in most alerts being reported in an uninformative location.