
Commit 89546cb

committed
Fix qldoc inaccuracies
1 parent 8debe49 commit 89546cb


1 file changed

+14
-9
lines changed

1 file changed

+14
-9
lines changed

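--- a/java/ql/lib/semmle/code/java/frameworks/spring/SpringWebClient.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/spring/SpringWebClient.qll
@@ -72,10 +72,14 @@ private class SpringRestTemplateMethodWithUriVariablesParameter extends Method {
   int getUriVariablesPosition() { result = pos }
 }
 
-/** Gets the first argument, if it is a compile time constant. */
+/** Gets the first argument of `mc`, if it is a compile-time constant. */
 pragma[inline]
 private CompileTimeConstantExpr getConstantUrl(MethodCall mc) { result = mc.getArgument(0) }
 
+/**
+ * Holds if the first argument of `mc` is a compile-time constant URL template
+ * which has its `idx`-th placeholder at the offset `offset`.
+ */
 pragma[inline]
 private predicate urlHasPlaceholderAtOffset(MethodCall mc, int idx, int offset) {
   exists(
@@ -87,15 +91,16 @@ private predicate urlHasPlaceholderAtOffset(MethodCall mc, int idx, int offset)
   )
 }
 
-private class SpringWebClientRestTemplateGetForObject extends RequestForgerySink {
-  SpringWebClientRestTemplateGetForObject() {
+private class SpringWebClientRestTemplateUriVariable extends RequestForgerySink {
+  SpringWebClientRestTemplateUriVariable() {
     exists(SpringRestTemplateMethodWithUriVariablesParameter m, MethodCall mc, int i |
-      // Note that the first argument is modeled as a request forgery sink
-      // separately. This model is for arguments beyond the first two. There
-      // are two relevant overloads, one with third parameter type `Object...`
-      // and one with third parameter type `Map<String, ?>`. For the latter we
-      // cannot deal with MapValue content easily but there is a default
-      // implicit taint read at sinks that will catch it.
+      // Note that the first argument of `m` is modeled as a request forgery
+      // sink separately. This model is for arguments corresponding to the
+      // `uriVariables` parameter. There are always two relevant overloads, one
+      // with parameter type `Object...` and one with parameter type
+      // `Map<String, ?>`. For the latter we cannot deal with MapValue content
+      // easily but there is a default implicit taint read at sinks that will
+      // catch it.
       mc.getMethod() = m and
       i >= 0 and
       this.asExpr() = mc.getArgument(m.getUriVariablesPosition() + i)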
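Review bot: The renamed sink class `SpringWebClientRestTemplateUriVariable` in the second hunk still has no QLDoc, even though the same commit adds one to `urlHasPlaceholderAtOffset` and the commit's purpose is QLDoc accuracy; a one-liner such as `/** A uriVariables argument of a RestTemplate method call, modeled as a request forgery sink. */` above the `private class` line would keep the file consistent. The rewritten comment now says there are "always" two relevant overloads; if that is a guarantee provided by `SpringRestTemplateMethodWithUriVariablesParameter` rather than an observation about particular methods, the word is better justified with a short reference to where that class is defined, since the hunk itself does not show it. The comment also documents that the `Map<String, ?>` case relies on the default implicit taint read at sinks, which is a behavioural dependency worth keeping visible if that default ever changes. The constructor's `exists` body continues past the end of the hunk.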
