Firstly, this is my ql script
/**
* @id java/taint
* @name taint
* @description taint
* @kind path-problem
* @problem.severity warning
*/
import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.dataflow.TaintTracking
import DataFlow::PathGraph
private class Sink extends DataFlow::Node {
Sink() { exists(MethodAccess c | c.getMethod().hasName("wxLogin") and c = this.asExpr()) }
}
private class Source extends DataFlow::Node {
Source() {
exists(Parameter p |
p = this.asParameter() and
exists(Annotation a |
a = p.getAnAnnotation() and
a.getType().getName() = "RequestParam"
)
)
}
}
class Configuration extends TaintTracking::Configuration {
Configuration() { this = "Configuration" }
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
}
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select source.getNode(), source, sink, "source"
/*
* from Sink s
* select s
*/
/*
* from RemoteFlowSource r
* select r
*/
And the project I use to build the database is from github
A key part of the source project is
@GetMapping("/login")
public void getCode(@RequestParam("code") String code) {
List<WxMaProperties.Config> configs = wxMaProperties.getConfigs();
String s = userService.wxLogin(configs.get(0).getAppid(), code);
System.out.println(s);
}
which is expected to be found a datapath in.
The taint spreads from String code to wxLogin().
But the CodeQl gives no output.
I wonder if I should do extra configs when analyzing a spring project?
I've already tried to select the sources and the sinks, which turn out to work well enough
