09_dataflow.ql
/**
* @name 09_dataflow
* @kind path-problem
*/
import java
import semmle.code.java.dataflow.DataFlow
import DataFlow::PathGraph
/**
 * Holds if `arg` is the first argument (index 0) of a call to a method
 * named `compileAndExecute`.
 *
 * Only the method name is matched: neither the declaring type nor the
 * package is checked, so a same-named method on an unrelated class is
 * treated as a sink too.
 * NOTE(review): judging by the predicate name, this argument is the
 * expression that ends up being evaluated as OGNL; confirm against the
 * analysed code base and consider constraining the declaring type.
 */
predicate isOgnlSink(Expr arg) {
  exists(MethodAccess call |
    call.getMethod().hasName("compileAndExecute") and
    call.getArgument(0) = arg
  )
}
/**
 * Holds if `ma` calls `getNamespace` as declared on a type named
 * `ActionProxy`, or calls any method that overrides it, directly or
 * transitively (`overrides*` also includes the declaration itself).
 *
 * The declaring type is matched by simple name only; its package is not
 * checked.
 * NOTE(review): the query treats the returned namespace as the untrusted
 * value; whether it is actually attacker-influenced depends on how the
 * application derives it, so confirm for the target.
 */
predicate isActionProxySource(MethodAccess ma) {
  exists(Method declared |
    declared.hasName("getNamespace") and
    declared.getDeclaringType().hasName("ActionProxy") and
    ma.getMethod().overrides*(declared)
  )
}
/**
 * Data-flow configuration named "ognl": sources are the calls accepted by
 * `isActionProxySource`, sinks are the expressions accepted by `isOgnlSink`.
 *
 * NOTE(review): `DataFlow::Configuration` follows value-preserving steps
 * only. A value that is transformed on the way (for example by string
 * concatenation) is not followed, so this version can miss flows that a
 * taint-tracking configuration would report.
 */
class OgnlCfg extends DataFlow::Configuration {
  OgnlCfg() { this = "ognl" }

  /** A source is a node whose expression is an `ActionProxy.getNamespace` call. */
  override predicate isSource(DataFlow::Node source) {
    exists(MethodAccess call | call = source.asExpr() | isActionProxySource(call))
  }

  /** A sink is a node whose expression is argument 0 of `compileAndExecute`. */
  override predicate isSink(DataFlow::Node sink) {
    exists(Expr argument | argument = sink.asExpr() | isOgnlSink(argument))
  }
}
/* First version of the data-flow query. isActionProxySource supplies the
 * sources and isOgnlSink the sinks (both through OgnlCfg).
 *
 * Each result is one source/sink pair connected by a flow path. The select
 * columns follow the path-problem shape declared in the query header: the
 * element the result is reported on (here the source), the path start, the
 * path end, and the message (the fixed string "ognl").
 * NOTE(review): reporting on the source groups results by where the value
 * originates; reporting on the sink is the more common choice when triaging
 * by dangerous call site.
 */
from OgnlCfg cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select source, source, sink, "ognl"