Share SpringUrlRedirect library

atorralba · atorralba · commit 1d12bd1521b6 · 2022-08-17T10:43:43.000+02:00
diff --git a/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql b/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql
@@ -11,7 +11,7 @@
  */
 
 import java
-import SpringUrlRedirect
+import experimental.semmle.code.java.security.SpringUrlRedirect
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.controlflow.Guards
 import DataFlow::PathGraph
diff --git a/java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegex.ql b/java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegex.ql
@@ -12,13 +12,13 @@
  */
 
 import java
+import experimental.semmle.code.java.security.SpringUrlRedirect
 import semmle.code.java.controlflow.Guards
 import semmle.code.java.dataflow.ExternalFlow
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.UrlRedirect
 import DataFlow::PathGraph
 import Regex
-import SpringUrlRedirect
 
 /** Source model of remote flow source with servlets. */
 private class GetServletUriSource extends SourceModelCsv {
diff --git a/java/ql/src/experimental/Security/CWE/CWE-625/SpringUrlRedirect.qll b/java/ql/src/experimental/Security/CWE/CWE-625/SpringUrlRedirect.qll
diff --git a/java/ql/src/experimental/semmle/code/java/security/SpringUrlRedirect.qll b/java/ql/src/experimental/semmle/code/java/security/SpringUrlRedirect.qll
@@ -1,9 +1,7 @@
-import java
-import DataFlow
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.dataflow.DataFlow2
-import semmle.code.java.dataflow.TaintTracking
-import semmle.code.java.frameworks.spring.SpringController
+/** Provides classes and predicates related to Spring URL redirect. */
+
+private import java
+private import semmle.code.java.dataflow.FlowSources
 
 /**
  * A concatenate expression using the string `redirect:` or `ajaxredirect:` or `forward:` on the left.
@@ -42,6 +40,13 @@ abstract class SpringUrlRedirectSink extends DataFlow::Node { }
  */
 private class SpringViewUrlRedirectSink extends SpringUrlRedirectSink {
   SpringViewUrlRedirectSink() {
+    // Hardcoded redirect such as "redirect:login"
+    this.asExpr()
+        .(CompileTimeConstantExpr)
+        .getStringValue()
+        .indexOf(["redirect:", "ajaxredirect:", "forward:"]) = 0 and
+    any(SpringRequestMappingMethod sqmm).polyCalls*(this.getEnclosingCallable())
+    or
     exists(RedirectBuilderExpr rbe |
       rbe.getRightOperand() = this.asExpr() and
       any(SpringRequestMappingMethod sqmm).polyCalls*(this.getEnclosingCallable())
