From 996de78a66ef2cbd0c78e72d2f230ca9694ff2ae Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen
Date: Thu, 17 Jul 2025 15:06:38 +0200
Subject: [PATCH] Java: Prune PathGraph for CsrfUnprotectedRequestType.ql
---
 .../CsrfUnprotectedRequestTypeQuery.qll | 25 ++++++++++++++++++-
 .../CWE/CWE-352/CsrfUnprotectedRequestType.ql | 2 +-
 2 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/java/ql/lib/semmle/code/java/security/CsrfUnprotectedRequestTypeQuery.qll b/java/ql/lib/semmle/code/java/security/CsrfUnprotectedRequestTypeQuery.qll
index 42d6db246c0e..80d100d3d9e1 100644
--- a/java/ql/lib/semmle/code/java/security/CsrfUnprotectedRequestTypeQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/CsrfUnprotectedRequestTypeQuery.qll
@@ -237,12 +237,35 @@ private predicate sink(CallPathNode sinkMethodCall) {
 )
 }

+private predicate fwdFlow(CallPathNode n) {
+ source(n)
+ or
+ exists(CallPathNode mid | fwdFlow(mid) and CallGraph::edges(mid, n))
+}
+
+private predicate revFlow(CallPathNode n) {
+ fwdFlow(n) and
+ (
+ sink(n)
+ or
+ exists(CallPathNode mid | revFlow(mid) and CallGraph::edges(n, mid))
+ )
+}
+
+/**
+ * Holds if `pred` has a successor node `succ` and this edge is in an
+ * `unprotectedStateChange` path.
+ */
+predicate relevantEdge(CallPathNode pred, CallPathNode succ) {
+ CallGraph::edges(pred, succ) and revFlow(pred) and revFlow(succ)
+}
+
 /**
 * Holds if `sourceMethod` is an unprotected request handler that reaches a
 * `sinkMethodCall` that updates a database.
 */
 private predicate unprotectedDatabaseUpdate(CallPathNode sourceMethod, CallPathNode sinkMethodCall) =
- doublyBoundedFastTC(CallGraph::edges/2, source/1, sink/1)(sourceMethod, sinkMethodCall)
+ doublyBoundedFastTC(relevantEdge/2, source/1, sink/1)(sourceMethod, sinkMethodCall)

 /**
 * Holds if `sourceMethod` is an unprotected request handler that appears to
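Review bot: The QLDoc on `relevantEdge` says the edge lies on an `unprotectedStateChange` path, but `fwdFlow` and `revFlow` are built only from `source/1` and `sink/1`, the endpoints of `unprotectedDatabaseUpdate`. The trailing context opens another predicate ("... appears to") that continues outside the hunk, so it cannot be confirmed here that every way `unprotectedStateChange` holds uses these same endpoints; any that does not would lose its edges in the query's path graph. Consider wording the doc as `Holds if the call-graph edge from pred to succ lies on a path from a source to a sink`, and confirming with the existing query tests that results and paths are unchanged. The two private helpers would also benefit from one-line QLDoc, e.g. `/** Holds if n is reachable from a source in the call graph. */` and `/** Holds if n is reachable from a source and can reach a sink. */`.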
diff --git a/java/ql/src/Security/CWE/CWE-352/CsrfUnprotectedRequestType.ql b/java/ql/src/Security/CWE/CWE-352/CsrfUnprotectedRequestType.ql
index e338cb84c005..cf5c0b385ccf 100644
--- a/java/ql/src/Security/CWE/CWE-352/CsrfUnprotectedRequestType.ql
+++ b/java/ql/src/Security/CWE/CWE-352/CsrfUnprotectedRequestType.ql
@@ -15,7 +15,7 @@
 import java
 import semmle.code.java.security.CsrfUnprotectedRequestTypeQuery

-query predicate edges(CallPathNode pred, CallPathNode succ) { CallGraph::edges(pred, succ) }
+query predicate edges(CallPathNode pred, CallPathNode succ) { relevantEdge(pred, succ) }

 from CallPathNode source, CallPathNode sink
 where unprotectedStateChange(source, sink)
pFad - Phonifier reborn
