/*
 * Result clause of the SQL/query-injection path query: one row per
 * `QueryInjectionSink` together with the source-to-sink path that taints it.
 * `queryTaintedBy` is defined elsewhere in the library (not visible here).
 * In the alert message, `$@` is substituted by `source.getNode()` rendered
 * with the link text "this user input".
 * NOTE(review): the `@kind path-problem` metadata header that this
 * select shape requires is presumably declared above this clause — confirm.
 */
from QueryInjectionSink query, DataFlow::PathNode source, DataFlow::PathNode sink
where queryTaintedBy(query, source, sink)
select query, source, sink, "Query might include code from $@.", source.getNode(), "this user input"
直接追进去可以看到，定义了标准的 source、sink、sanitizer 流程~
/*
 * Taint-tracking configuration backing the query-injection path query.
 * Extends `TaintTracking::Configuration`, i.e. a global taint-tracking
 * configuration. — @angelwhu
 * The class body continues beyond this excerpt (its `isSource` / `isSink` /
 * `isSanitizer` definitions are not visible here).
 */
private class QueryInjectionFlowConfig extends TaintTracking::Configuration {
  // Characteristic predicate: the configuration's unique identity string.
  QueryInjectionFlowConfig() { this = "SqlInjectionLib::QueryInjectionFlowConfig" }
/**
 * A logging method: declared on `org.slf4j.Logger` or on a type that has it
 * as an ancestor, and named after one of the standard slf4j levels
 * (`info`, `debug`, `trace`, `warn`, `error`).
 *
 * NOTE(review): despite the name, this class matches the slf4j facade only;
 * calls made directly on `org.apache.logging.log4j.Logger` are not covered.
 * Confirm that is the intended detection scope.
 * NOTE(review): `getAnAncestor()` appears to be reflexive in the Java
 * library, so a method declared on `Logger` itself also qualifies — confirm.
 */
class Log4j2Method extends Method {
  Log4j2Method() {
    this.getDeclaringType().getAnAncestor().hasQualifiedName("org.slf4j", "Logger") and
    exists(string level |
      level = this.getName() and
      (
        level = "info" or
        level = "debug" or
        level = "trace" or
        level = "warn" or
        level = "error"
      )
    )
  }
}
// Propagate taint through getter/setter-style calls; see https://xz.aliyun.com/t/10852#toc-9

/**
 * Holds if `m` is treated as a bean accessor: a modelled `GetterMethod` or
 * `SetterMethod`, or any method whose name starts with `get` / `set`.
 * NOTE(review): the name-prefix match is deliberately broad (higher recall);
 * expect some false positives from unrelated `get*`/`set*` methods.
 */
private predicate isAccessorLike(Method m) {
  m instanceof GetterMethod or
  m instanceof SetterMethod or
  m.getName().matches("get%") or
  m.getName().matches("set%")
}

/**
 * Additional taint step: a tainted qualifier of an accessor-like call makes
 * the call expression itself tainted.
 * NOTE(review): for `set*` calls the result of the call is what becomes
 * tainted; if the intent was argument → receiver propagation for setters,
 * that is not what this step expresses — confirm.
 */
class GetSetTaintStep extends TaintTracking::AdditionalTaintStep {
  override predicate step(DataFlow::Node src, DataFlow::Node sink) {
    exists(MethodAccess call |
      isAccessorLike(call.getMethod()) and
      src.asExpr() = call.getQualifier() and
      sink.asExpr() = call
    )
  }
}
/*
 * Global taint-tracking configuration for the logging-injection query.
 * The class body continues beyond this excerpt (`isSource` follows; any
 * `isSink` / `isSanitizer` definitions are not visible here).
 */
class MyTaintTrackingConfiguration extends TaintTracking::Configuration {
  // Characteristic predicate: the configuration's unique identity string.
  MyTaintTrackingConfiguration() { this = "MyTaintTrackingConfiguration" }
/**
 * Holds if `source` is a taint source for this configuration: any
 * `RemoteFlowSource`, or a request parameter of a Spring request-mapping
 * method.
 *
 * An earlier variant (left commented out by the author) matched
 * `HttpServletRequest` parameters of `@RequestMapping`-annotated methods
 * directly; the Spring framework model below supersedes it.
 * NOTE(review): Spring request-mapping parameters are presumably already
 * modelled as `RemoteFlowSource`, in which case the first disjunct is
 * redundant but harmless — confirm against the library version in use.
 */
override predicate isSource(DataFlow::Node source) {
  source instanceof RemoteFlowSource
  or
  source.asParameter() = any(SpringRequestMappingMethod route).getARequestParameter()
}