Skip to content

Commit 3705970

Browse files
atorralbaatorralba
committed
Refactored XPath.qll to remove redundant classes and restrict visibility
1 parent d739a8c commit 3705970

1 file changed

Lines changed: 23 additions & 31 deletions

File tree

  • java/ql/src/semmle/code/java/security

java/ql/src/semmle/code/java/security/XPath.qll

Lines changed: 23 additions & 31 deletions
Original file line numberDiff line numberDiff line change
@@ -4,55 +4,47 @@ import java
44
import semmle.code.java.dataflow.FlowSources
55
import semmle.code.java.dataflow.TaintTracking
66

7-
/**
8-
* An abstract type representing a call to interpret XPath expressions.
9-
*/
10-
class XPathSink extends MethodAccess {
11-
/**
12-
* Gets the argument representing the XPath expressions to be evaluated.
13-
*/
14-
abstract Expr getSink();
15-
}
16-
177
/** The class `javax.xml.xpath.XPath` */
18-
class XPath extends RefType {
8+
private class XPath extends RefType {
199
XPath() { this.hasQualifiedName("javax.xml.xpath", "XPath") }
2010
}
2111

2212
/** A call to `XPath.evaluate` or `XPath.compile` */
23-
class XPathEvaluateOrCompile extends XPathSink {
13+
private class XPathEvaluateOrCompile extends MethodAccess {
2414
XPathEvaluateOrCompile() {
25-
exists(Method m | this.getMethod() = m and m.getDeclaringType() instanceof XPath |
15+
exists(Method m |
16+
this.getMethod() = m and m.getDeclaringType() instanceof XPath
17+
|
2618
m.hasName(["evaluate", "compile"])
2719
)
2820
}
29-
30-
override Expr getSink() { result = this.getArgument(0) }
3121
}
3222

33-
/** Any class extending or implementing `org.dom4j.Node` */
34-
class Dom4JNode extends RefType {
35-
Dom4JNode() {
36-
exists(Interface node | node.hasQualifiedName("org.dom4j", "Node") |
37-
this.extendsOrImplements*(node)
38-
)
39-
}
23+
/** The interface `org.dom4j.Node` */
24+
private class Dom4JNode extends Interface {
25+
Dom4JNode() { this.hasQualifiedName("org.dom4j", "Node") }
4026
}
4127

4228
/** A call to `Node.selectNodes` or `Node.selectSingleNode` */
43-
class NodeSelectNodes extends XPathSink {
29+
private class NodeSelectNodes extends MethodAccess {
4430
NodeSelectNodes() {
45-
exists(Method m | this.getMethod() = m and m.getDeclaringType() instanceof Dom4JNode |
31+
exists(Method m |
32+
this.getMethod() = m and m.getDeclaringType().getASourceSupertype*() instanceof Dom4JNode
33+
|
4634
m.hasName(["selectNodes", "selectSingleNode"])
4735
)
4836
}
49-
50-
override Expr getSink() { result = this.getArgument(0) }
51-
}
52-
53-
/** A sink that represents a method that interprets XPath expressions. */
54-
class XPathInjectionSink extends DataFlow::ExprNode {
55-
XPathInjectionSink() { exists(XPathSink sink | this.getExpr() = sink.getSink()) }
5637
}
5738

39+
/**
40+
* A sink that represents a method that interprets XPath expressions.
41+
* Extend this class to add your own XPath Injection sinks.
42+
*/
43+
abstract class XPathInjectionSink extends DataFlow::Node { }
5844

45+
private class DefaultXPathInjectionSink extends XPathInjectionSink {
46+
DefaultXPathInjectionSink() {
47+
exists(NodeSelectNodes sink | sink.getArgument(0) = this.asExpr()) or
48+
exists(XPathEvaluateOrCompile sink | sink.getArgument(0) = this.asExpr())
49+
}
50+
}

0 commit comments

Comments
 (0)