Add missing string replacement sanitizers to log-injection and string-break #731
Conversation
|
Currently missing: tracing back from the receiver of a call to |
|
I've also add the extra sanitizers to the other place where string replacement is a sanitizer. (Note: this does include the "tracing back" to find out what kind of quote is being replaced.) It might be worth combining the two very similar implementations. |
owen-mc
changed the title
| StringsNewReplacerCall() { this.getTarget().hasQualifiedName("strings", "NewReplacer") } | ||
|
|
||
| DataFlow::Node getAReplacedArgument() { | ||
| exists(int m, int n | m = 2 * n and n = m / 2 and result = getArgument(m)) |
There was a problem hiding this comment.
| exists(int m, int n | m = 2 * n and n = m / 2 and result = getArgument(m)) | |
| exists(int m | m % 2 = 0 and result = getArgument(m)) |
| exists(StringsNewReplacerConfiguration config, DataFlow::Node source, DataFlow::Node sink | | ||
| config.hasFlow(source, sink) and | ||
| this.getTarget().hasQualifiedName("strings", "Replacer", "Replace") and | ||
| sink = this.getReceiver() and |
There was a problem hiding this comment.
Use exists( DataFlow::MethodCallNode mcn | ... this = mcn.getResult()) rather than assume that a method-call node is its own result
|
@smowton Currently, for log injection this PR doesn't check that the receiver of a call to |
|
Given we're doing it for StringBreak already and the other sanitisers in LogInjectionCustomizations do check what's being replaced, yes I think we should do likewise and try to check the replace args. If it proves too expensive to measure cross-method we can do it locally. |
strings.Replacer.Replaceandstrings.Replacer.WriteString