Correct string source

luchua-bc · luchua-bc · commit f85c01c97555 · 2022-05-11T10:37:22.000Z
diff --git a/java/ql/src/experimental/Security/CWE/CWE-321/HardcodedJwtKey.qll b/java/ql/src/experimental/Security/CWE/CWE-321/HardcodedJwtKey.qll
@@ -77,7 +77,7 @@ abstract class JwtTokenSink extends DataFlow::Node { }
  * A hardcoded string literal as a source for JWT token signing vulnerabilities.
  */
 class HardcodedKeyStringSource extends JwtKeySource {
-  HardcodedKeyStringSource() { this.asExpr() instanceof CompileTimeConstantExpr }
+  HardcodedKeyStringSource() { exists(this.asExpr().(CompileTimeConstantExpr).getStringValue()) }
 }
 
 /**

Original file line number	Diff line number	Diff line change
`@@ -77,7 +77,7 @@ abstract class JwtTokenSink extends DataFlow::Node { }`
`77`	`77`	`* A hardcoded string literal as a source for JWT token signing vulnerabilities.`
`78`	`78`	`*/`
`79`	`79`	`class HardcodedKeyStringSource extends JwtKeySource {`
`80`		`- HardcodedKeyStringSource() { this.asExpr() instanceof CompileTimeConstantExpr }`
	`80`	`+ HardcodedKeyStringSource() { exists(this.asExpr().(CompileTimeConstantExpr).getStringValue()) }`
`81`	`81`	`}`
`82`	`82`
`83`	`83`	`/**`