From 996de78a66ef2cbd0c78e72d2f230ca9694ff2ae Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Thu, 17 Jul 2025 15:06:38 +0200
Subject: [PATCH] Java: Prune PathGraph for CsrfUnprotectedRequestType.ql

---
 .../CsrfUnprotectedRequestTypeQuery.qll       | 25 ++++++++++++++++++-
 .../CWE/CWE-352/CsrfUnprotectedRequestType.ql |  2 +-
 2 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/java/ql/lib/semmle/code/java/security/CsrfUnprotectedRequestTypeQuery.qll b/java/ql/lib/semmle/code/java/security/CsrfUnprotectedRequestTypeQuery.qll
index 42d6db246c0e..80d100d3d9e1 100644
--- a/java/ql/lib/semmle/code/java/security/CsrfUnprotectedRequestTypeQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/CsrfUnprotectedRequestTypeQuery.qll
@@ -237,12 +237,35 @@ private predicate sink(CallPathNode sinkMethodCall) {
   )
 }
 
+private predicate fwdFlow(CallPathNode n) {
+  source(n)
+  or
+  exists(CallPathNode mid | fwdFlow(mid) and CallGraph::edges(mid, n))
+}
+
+private predicate revFlow(CallPathNode n) {
+  fwdFlow(n) and
+  (
+    sink(n)
+    or
+    exists(CallPathNode mid | revFlow(mid) and CallGraph::edges(n, mid))
+  )
+}
+
+/**
+ * Holds if `pred` has a successor node `succ` and this edge is in an
+ * `unprotectedStateChange` path.
+ */
+predicate relevantEdge(CallPathNode pred, CallPathNode succ) {
+  CallGraph::edges(pred, succ) and revFlow(pred) and revFlow(succ)
+}
+
 /**
  * Holds if `sourceMethod` is an unprotected request handler that reaches a
  * `sinkMethodCall` that updates a database.
  */
 private predicate unprotectedDatabaseUpdate(CallPathNode sourceMethod, CallPathNode sinkMethodCall) =
-  doublyBoundedFastTC(CallGraph::edges/2, source/1, sink/1)(sourceMethod, sinkMethodCall)
+  doublyBoundedFastTC(relevantEdge/2, source/1, sink/1)(sourceMethod, sinkMethodCall)
 
 /**
  * Holds if `sourceMethod` is an unprotected request handler that appears to
diff --git a/java/ql/src/Security/CWE/CWE-352/CsrfUnprotectedRequestType.ql b/java/ql/src/Security/CWE/CWE-352/CsrfUnprotectedRequestType.ql
index e338cb84c005..cf5c0b385ccf 100644
--- a/java/ql/src/Security/CWE/CWE-352/CsrfUnprotectedRequestType.ql
+++ b/java/ql/src/Security/CWE/CWE-352/CsrfUnprotectedRequestType.ql
@@ -15,7 +15,7 @@
 import java
 import semmle.code.java.security.CsrfUnprotectedRequestTypeQuery
 
-query predicate edges(CallPathNode pred, CallPathNode succ) { CallGraph::edges(pred, succ) }
+query predicate edges(CallPathNode pred, CallPathNode succ) { relevantEdge(pred, succ) }
 
 from CallPathNode source, CallPathNode sink
 where unprotectedStateChange(source, sink)

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<title>pFad - Phonifier reborn</title>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
</head>
<body>
<h1>Pfad - The Proxy pFad of &#169; 2024 Garber Painting. All rights reserved.</h1>


<!-- Disclaimer -->
<p>Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.</p>
<br>
<p>Alternative Proxies:</p><p><a href="http://rainy.clevelandohioweatherforecast.com/php-proxy/index.php?q=https://patch-diff.githubusercontent.com/raw/github/codeql/pull/20083.patch" target="_blank">Alternative Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/index.php?u=https://patch-diff.githubusercontent.com/raw/github/codeql/pull/20083.patch" target="_blank">pFad Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v3index.php?u=https://patch-diff.githubusercontent.com/raw/github/codeql/pull/20083.patch" target="_blank">pFad v3 Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v4index.php?u=https://patch-diff.githubusercontent.com/raw/github/codeql/pull/20083.patch" target="_blank">pFad v4 Proxy</a></p></body>
</html>