diff --git a/java/ql/lib/semmle/code/java/frameworks/JaxWS.qll b/java/ql/lib/semmle/code/java/frameworks/JaxWS.qll
index 819f4c5d557b..a0f891fd36ea 100644
--- a/java/ql/lib/semmle/code/java/frameworks/JaxWS.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/JaxWS.qll
@@ -426,18 +426,33 @@ private class JaxRSXssSink extends XssSink {
 |
 not exists(resourceMethod.getProducesAnnotation()) or
- isXssVulnerableContentType(getContentTypeString(resourceMethod
- .getProducesAnnotation()
- .getADeclaredContentTypeExpr()))
+ isXssVulnerableContentTypeExpr(resourceMethod
+ .getProducesAnnotation()
+ .getADeclaredContentTypeExpr())
 )
 }
 }
+pragma[nomagic]
+private predicate contentTypeString(string s) { s = getContentTypeString(_) }
+
+pragma[nomagic]
+private predicate isXssVulnerableContentTypeString(string s) {
+ contentTypeString(s) and isXssVulnerableContentType(s)
+}
+
+pragma[nomagic]
+private predicate isXssSafeContentTypeString(string s) {
+ contentTypeString(s) and isXssSafeContentType(s)
+}
+
 private predicate isXssVulnerableContentTypeExpr(Expr e) {
- isXssVulnerableContentType(getContentTypeString(e))
+ isXssVulnerableContentTypeString(getContentTypeString(e))
 }
-private predicate isXssSafeContentTypeExpr(Expr e) { isXssSafeContentType(getContentTypeString(e)) }
+private predicate isXssSafeContentTypeExpr(Expr e) {
+ isXssSafeContentTypeString(getContentTypeString(e))
+}
 /**
 * Gets a builder expression or related type that is configured to use the given `contentType`.
diff --git a/java/ql/lib/semmle/code/java/frameworks/spring/SpringHttp.qll b/java/ql/lib/semmle/code/java/frameworks/spring/SpringHttp.qll
index 84c428e6fefa..e12e2b2643a0 100644
--- a/java/ql/lib/semmle/code/java/frameworks/spring/SpringHttp.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/spring/SpringHttp.qll
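Review bot: The three new `pragma[nomagic]` predicates in JaxWS.qll carry no QLDoc saying why content-type strings are materialized before `isXssVulnerableContentType`/`isXssSafeContentType` are applied; those are `bindingset[s]` regex predicates (visible in the XSS.qll hunk), so the intent looks like confining their evaluation to the finite set of strings that actually occur, and without a comment a later reader will be tempted to inline them again. I would add above `contentTypeString`: `/** Holds if s is a content-type string that getContentTypeString yields for some expression; kept as a separate nomagic predicate so the bindingset regex checks below are evaluated once per distinct string rather than per expression. */`, adjusting the rationale if the motivation was different. The same three predicates are added verbatim to SpringHttp.qll in this commit (with `XSS::` qualification), so a one-line cross-reference comment in both files would help keep them in step. The characteristic predicate of `JaxRSXssSink` whose call site changes here begins outside the hunk.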
@@ -152,14 +152,30 @@ private string getSpringConstantContentType(FieldAccess e) {
 )
 }
+private string getContentTypeString(Expr e) {
+ result = e.(CompileTimeConstantExpr).getStringValue() or
+ result = getSpringConstantContentType(e)
+}
+
+pragma[nomagic]
+private predicate contentTypeString(string s) { s = getContentTypeString(_) }
+
+pragma[nomagic]
+private predicate isXssVulnerableContentTypeString(string s) {
+ contentTypeString(s) and XSS::isXssVulnerableContentType(s)
+}
+
+pragma[nomagic]
+private predicate isXssSafeContentTypeString(string s) {
+ contentTypeString(s) and XSS::isXssSafeContentType(s)
+}
+
 private predicate isXssVulnerableContentTypeExpr(Expr e) {
- XSS::isXssVulnerableContentType(e.(CompileTimeConstantExpr).getStringValue()) or
- XSS::isXssVulnerableContentType(getSpringConstantContentType(e))
+ isXssVulnerableContentTypeString(getContentTypeString(e))
 }
 private predicate isXssSafeContentTypeExpr(Expr e) {
- XSS::isXssSafeContentType(e.(CompileTimeConstantExpr).getStringValue()) or
- XSS::isXssSafeContentType(getSpringConstantContentType(e))
+ isXssSafeContentTypeString(getContentTypeString(e))
 }
 private DataFlow::Node getABodyBuilderWithExplicitContentType(Expr contentType) {
diff --git a/java/ql/lib/semmle/code/java/security/XSS.qll b/java/ql/lib/semmle/code/java/security/XSS.qll
index e35f8f9e643f..cc584033e4fc 100644
--- a/java/ql/lib/semmle/code/java/security/XSS.qll
+++ b/java/ql/lib/semmle/code/java/security/XSS.qll
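Review bot: The new `getContentTypeString(Expr e)` in SpringHttp.qll has no QLDoc, although it is now the single place deciding which expressions count as a known content type for both the vulnerable and the safe check. Something like `/** Gets the content-type string denoted by e: its compile-time constant string value, or the value that getSpringConstantContentType resolves for a constant field access. */` above it would state that contract; the field-access part is inferred from the `FieldAccess` parameter of `getSpringConstantContentType` in the hunk header, so adjust it if that helper does something else. An expression with no constant string value falls out of both `isXssVulnerableContentTypeExpr` and `isXssSafeContentTypeExpr`, exactly as with the previous two-disjunct form, so this is a documentation-only remark.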
@@ -118,10 +118,15 @@ class XssVulnerableWriterSourceNode extends ApiSourceNode {
 */
 bindingset[s]
 predicate isXssVulnerableContentType(string s) {
- s.regexpMatch("(?i)text/(html|xml|xsl|rdf|vtt|cache-manifest).*") or
- s.regexpMatch("(?i)application/(.*\\+)?xml.*") or
- s.regexpMatch("(?i)cache-manifest.*") or
- s.regexpMatch("(?i)image/svg\\+xml.*")
+ s.regexpMatch("(?i)(" +
+ //
+ "text/(html|xml|xsl|rdf|vtt|cache-manifest).*" + "|" +
+ //
+ "application/(.*\\+)?xml.*" + "|" +
+ //
+ "cache-manifest.*" + "|" +
+ //
+ "image/svg\\+xml.*" + ")")
 }
 /**
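Review bot: The four empty `//` lines inside the merged `regexpMatch` call in XSS.qll look like formatter anchors that keep one alternative per line, but nothing says so, and they are the natural place to tell readers what each alternative covers. I would fill them in, for example `// text/html and the XML-family and other text types listed` over the first alternative, `// application/xml and any +xml media type` over the second, `// bare cache-manifest` over the third and `// SVG images` over the last, checking the wording against whatever rationale the original four regexes had. As far as the hunk shows the merge is behavior-preserving: `regexpMatch` requires a whole-string match, each alternative still ends in `.*`, and `(?i)` now applies to the whole group.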