10_dataflow_with_barrier.ql
/**
* @name 10_dataflow_with_barrier
* @kind path-problem
*/
import java
import semmle.code.java.dataflow.DataFlow
import DataFlow::PathGraph
/**
 * Holds if `arg` is the first argument (index 0) of a call to a method
 * named `compileAndExecute`.
 *
 * The method is matched by name only; its declaring type is not checked,
 * so any method with this name is treated as a sink.
 */
predicate isOgnlSink(Expr arg) {
  exists(MethodAccess call |
    call.getMethod().hasName("compileAndExecute") and
    arg = call.getArgument(0)
  )
}
/**
 * Holds if `ma` calls `getNamespace` as declared on a type named
 * `ActionProxy`, or any method that directly or transitively overrides it.
 *
 * The declaring type is matched by its simple name, not its qualified name.
 */
predicate isActionProxySource(MethodAccess ma) {
  exists(Method base |
    base.hasName("getNamespace") and
    base.getDeclaringType().hasName("ActionProxy") and
    // `overrides*` is reflexive, so a call to the base method itself also matches.
    ma.getMethod().overrides*(base)
  )
}
/**
 * Data-flow configuration that tracks the result of a `getNamespace` call
 * (see `isActionProxySource`) to the first argument of `compileAndExecute`
 * (see `isOgnlSink`).
 *
 * Flow is cut at every node whose enclosing callable is declared in a type
 * named `ValueStackShadowMap`. The type is matched by simple name only, and
 * the barrier removes all paths through it, so any flow that reaches the
 * sink solely via that class is not reported.
 *
 * NOTE(review): `DataFlow::Configuration` is the class-based data-flow API;
 * recent CodeQL releases deprecate it in favour of `DataFlow::ConfigSig`
 * modules. Confirm against the CodeQL version this query targets.
 */
class OgnlCfg extends DataFlow::Configuration {
  OgnlCfg() { this = "ognl" }

  /** Sources are calls recognised by `isActionProxySource`. */
  override predicate isSource(DataFlow::Node source) {
    exists(MethodAccess call | call = source.asExpr() and isActionProxySource(call))
  }

  /** Sinks are expressions recognised by `isOgnlSink`. */
  override predicate isSink(DataFlow::Node sink) {
    exists(Expr arg | arg = sink.asExpr() and isOgnlSink(arg))
  }

  /** Blocks flow through any callable declared in `ValueStackShadowMap`. */
  override predicate isBarrier(DataFlow::Node node) {
    exists(RefType owner |
      owner = node.getEnclosingCallable().getDeclaringType() and
      owner.hasName("ValueStackShadowMap")
    )
  }
}
/* If you look at the results of the previous query in the path viewer,
 * you will see that many of them are not interesting because they go
 * via the class named "ValueStackShadowMap". This class is rarely used
 * in practice, so we want to exclude paths that go through it. In this
 * version of the query, we have overridden `isBarrier` to exclude those
 * paths. Note that the barrier drops every path through that class, so
 * if an application does use it, genuine flows are hidden as well.
 */
// Report each source/sink pair connected by a flow path under `OgnlCfg`.
// The select columns follow the path-problem layout: element, path source,
// path sink, message. The source node is also used as the reported element.
from OgnlCfg config, DataFlow::PathNode src, DataFlow::PathNode dst
where config.hasFlowPath(src, dst)
select src, src, dst, "ognl"