File tree Expand file tree Collapse file tree 2 files changed +13
-8
lines changed
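--- a/java/ql/lib/semmle/code/java/security/FILENAME_NOT_SHOWN
+++ b/java/ql/lib/semmle/code/java/security/FILENAME_NOT_SHOWN
@@ -50,9 +50,16 @@ class TemplateInjectionAdditionalTaintStep extends Unit {
 /**
  * A sanitizer for server-side template injection (SST) vulnerabilities.
  */
- abstract class TemplateInjectionSanitizer extends DataFlow:: Node {
+ abstract class TemplateInjectionSanitizer extends DataFlow:: Node { }
+
+ /**
+ * A sanitizer for server-side template injection (SST) vulnerabilities.
+ * This sanitizer is only applicable when `TemplateInjectionSanitizerWithState::hasState`
+ * holds for the flow state.
+ */
+ abstract class TemplateInjectionSanitizerWithState extends DataFlow:: Node {
  /** Holds if this sanitizer has the specified `state`. */
- predicate hasState ( DataFlow:: FlowState state ) { state instanceof DataFlow :: FlowStateEmpty }
+ abstract predicate hasState ( DataFlow:: FlowState state ) ;
 }
 
 private class DefaultTemplateInjectionSource extends TemplateInjectionSource instanceof RemoteFlowSource {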
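Review bot: `TemplateInjectionSanitizer` loses the default `hasState` that restricted it to `DataFlow::FlowStateEmpty`, and the query side now treats it as a stateless sanitizer, so any existing subclass that relied on that default now blocks flow in every flow state rather than only the empty one; I cannot see the subclasses from this hunk, so if any exist in the library they should be checked and, where the restriction mattered, moved to `TemplateInjectionSanitizerWithState`. The unchanged doc comment on `TemplateInjectionSanitizer` no longer says how it differs from the new class; I would extend it with `* A sanitizer of this kind applies regardless of flow state; use TemplateInjectionSanitizerWithState for a sanitizer that applies only in a specific state.` Likewise the new class's comment could state that the abstract `hasState` must now be implemented by every subclass, since there is no default.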
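--- a/QUERY_FILE_PATH_NOT_SHOWN.ql
+++ b/QUERY_FILE_PATH_NOT_SHOWN.ql
@@ -9,22 +9,20 @@ import semmle.code.java.security.TemplateInjection
 class TemplateInjectionFlowConfig extends TaintTracking:: Configuration {
  TemplateInjectionFlowConfig ( ) { this = "TemplateInjectionFlowConfig" }
 
- override predicate isSource ( DataFlow:: Node source ) { this .isSource ( source , _) }
-
  override predicate isSource ( DataFlow:: Node source , DataFlow:: FlowState state ) {
  source .( TemplateInjectionSource ) .hasState ( state )
  }
 
- override predicate isSink ( DataFlow:: Node sink ) { this .isSink ( sink , _) }
-
  override predicate isSink ( DataFlow:: Node sink , DataFlow:: FlowState state ) {
  sink .( TemplateInjectionSink ) .hasState ( state )
  }
 
- override predicate isSanitizer ( DataFlow:: Node sanitizer ) { this .isSanitizer ( sanitizer , _) }
+ override predicate isSanitizer ( DataFlow:: Node sanitizer ) {
+ sanitizer instanceof TemplateInjectionSanitizer
+ }
 
  override predicate isSanitizer ( DataFlow:: Node sanitizer , DataFlow:: FlowState state ) {
- sanitizer .( TemplateInjectionSanitizer ) .hasState ( state )
+ sanitizer .( TemplateInjectionSanitizerWithState ) .hasState ( state )
  }
 
  override predicate isAdditionalTaintStep ( DataFlow:: Node node1 , DataFlow:: Node node2 ) {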
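Review bot: The new stateless `isSanitizer` override carries no comment explaining why it is separate from the state-aware overload directly below it, and the distinction is exactly what the removed `this .isSanitizer ( sanitizer , _)` got wrong (a sanitizer for one state blocked flow in all states). A short comment above it would prevent the next maintainer from collapsing the two again, e.g. `// Stateless sanitizers block flow in every flow state; state-specific ones are matched by the overload below.` The removal of the stateless `isSource`/`isSink` forwarders looks consistent with this split, since a source or sink bound to one state should not be reported in all of them. `TemplateInjectionFlowConfig` continues past the end of the hunk.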