Why is this query not detecting this sink #864
/**
 * @name sink-detect-4
 * @kind problem
 * @problem.severity warning
 * @id java/example/sink-detection
 */

import java
import semmle.code.java.dataflow.DataFlow

predicate isSink(DataFlow::Node snk) {
  // Detect session management sinks: calls to Utils.setSessionUserName / Utils.setUsernameCookie
  exists(MethodAccess sessionUtils |
    sessionUtils.getMethod().getDeclaringType().getName() = "Utils" and
    (
      sessionUtils.getMethod().hasName("setSessionUserName") or
      sessionUtils.getMethod().hasName("setUsernameCookie")
    ) and
    snk.asExpr() = sessionUtils
  )
}

// Query to output each detected sink with its package, class, function declaration, and signature
from DataFlow::Node sink
where isSink(sink)
select sink,
  "Sink element in type: " + sink.getEnclosingCallable().getDeclaringType().getName() + ", method: " +
    sink.getEnclosingCallable().getName() + ", signature: " +
    sink.getEnclosingCallable().getQualifiedName() + "(" +
    sink.getEnclosingCallable().getSignature() + ")" + ", sink data type: " +
    sink.getType().getName()
This is the sink I want to detect: Utils.setUsernameCookie(response, result.getString("username"));

Context regarding this sink: this method directly uses the unvalidated username to set a cookie in the HTTP response headers, which could lead to HTTP Response Splitting if CR/LF characters are included and not properly handled.

The above query doesn't give any results.
Replies: 1 comment
Have you tried debugging your query with the CodeQL: Quick evaluation feature? In the VScode IDE, select a piece of QL code you'd like to inspect, right-click and choose CodeQL: Quick evaluation.

First investigate the isSink predicate:

- MethodAccess in the editor and quick evaluate: this gives you a list of all method accesses in the code (possibly quite a lot).
- sessionUtils.getMethod().getDeclaringType().getName() = "Utils" in the editor and quick evaluate. This should give you all the accesses to methods defined in classes named "Utils".

If the
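As an added example (not the poster's query and not from the CodeQL project), here is how the same sink model is usually written so that it can be quick-evaluated piece by piece and then used in a taint-tracking query: the call model is its own class, and the sink node is the argument that carries the username rather than the call expression itself, because that argument is the node a tainted value actually reaches. The class name Utils and the method names come from the question; treating the last argument as the username parameter is an assumption.

```codeql
/**
 * @name Unvalidated value reaches Utils.setUsernameCookie / setSessionUserName
 * @kind path-problem
 * @problem.severity warning
 * @id java/example/username-cookie-sink
 */

import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.dataflow.TaintTracking

/**
 * A call to one of the session-management methods on a class named `Utils`.
 * Quick-evaluate this class on its own to confirm the calls are found in the
 * database before looking at any data flow.
 */
class SessionUtilsCall extends MethodAccess {
  SessionUtilsCall() {
    this.getMethod().getDeclaringType().hasName("Utils") and
    this.getMethod().hasName(["setSessionUserName", "setUsernameCookie"])
  }

  /** The argument carrying the user name (assumption: the last argument). */
  Expr getUsernameArgument() { result = this.getArgument(this.getNumArgument() - 1) }
}

module UsernameCookieConfig implements DataFlow::ConfigSig {
  // Anything that arrives from the network (request parameters, headers, bodies).
  predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }

  // The sink is the username argument, not the whole call expression.
  predicate isSink(DataFlow::Node snk) {
    snk.asExpr() = any(SessionUtilsCall c).getUsernameArgument()
  }
}

module UsernameCookieFlow = TaintTracking::Global<UsernameCookieConfig>;

import UsernameCookieFlow::PathGraph

from UsernameCookieFlow::PathNode source, UsernameCookieFlow::PathNode sink
where UsernameCookieFlow::flowPath(source, sink)
select sink.getNode(), source, sink,
  "Unvalidated value from $@ is written into a cookie or session header.",
  source.getNode(), "a remote source"
```

If `SessionUtilsCall` quick-evaluates to an empty set, the call itself is not in the database (wrong class name, a different compilation unit, or the source was not extracted), and no flow query built on it can report anything.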