
How to write additional verification rules for ql rules #5276

Closed
fxzyyy opened this issue Feb 26, 2021 · 4 comments
Labels
question Further information is requested

Comments

fxzyyy commented Feb 26, 2021

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Servlet that handles the request after any Filters in the chain have run
public class TestServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // GET is delegated to the POST handler, so both share one source/sink set
        doPost(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        ...
    }
}


import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Filter that runs before TestServlet; it may short-circuit the chain and answer directly
public class TestFilter extends HttpFilter {
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        ...
    }

    @Override
    protected void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        ...
    }
}

When I write the QL rules, if the source and sink are in the TestServlet class but there are methods in the TestFilter class that process the request and response, how do I need to write the rules? When a certain condition is met, taint tracking is not performed.

@fxzyyy fxzyyy added the question Further information is requested label Feb 26, 2021
smowton (Contributor) commented Mar 1, 2021

Could you clarify what you mean by "When a certain condition is met, taint tracking is not performed"? Do you mean you WANT taint tracking not to be performed under a particular condition? Or is it that taint tracking is CURRENTLY not performed under some condition, and you think it should be? In either case, could you give an example of the sort of condition you're talking about?

fxzyyy (Author) commented Mar 12, 2021

@smowton According to the execution process of Java web applications, a Filter is executed before the Servlet and can do some processing on the request. I mean that if there is some processing in the Filter, the response will be returned directly, and the request will not go to the Servlet. Does CodeQL's data flow analysis combine the Filter with the Servlet? I don't know if you understand what I mean.

smowton (Contributor) commented Mar 12, 2021

We don't analyse the relationships between Filters and Servlets -- we will assume both a Filter and a Servlet can be run with any input. If, for example, in your particular case a Filter will always have made the query string safe, then you should define a sanitizer for your Servlet that excludes the query string from the usual set of inputs assumed to be under user control.

If you have some circumstances where the Filter will exit entirely, presumably this also will mean there are some inputs to the Servlet which are less dangerous than usual -- again, you will want to define sanitizers that exclude the inputs that should be considered safe.

If you want more specific advice, please let me know what your Filter does and perhaps I can suggest an appropriate exclusion from your Servlet's Configuration.
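As an added example of the approach described above (this is not code from the thread or from the CodeQL project), the query below is a taint-tracking configuration for the TestServlet class in which the query string is treated as a sanitizer, on the assumption that TestFilter has validated it before the Servlet runs. It uses the TaintTracking::Configuration class that was current when this thread was written; the sink (the argument of PrintWriter.println, i.e. data reflected into the response) and the assumption about what the Filter validates are illustrative and should be replaced with whatever your Filter actually guarantees.

```ql
/**
 * @name Servlet taint flow that ignores inputs a Filter already validates
 * @description Remote input read inside TestServlet reaches a response write,
 *              except for the query string, which TestFilter is assumed to
 *              have validated before the Servlet runs (assumption, not fact).
 * @kind path-problem
 * @id java/example/filter-aware-servlet-taint
 */

import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.FlowSources
import DataFlow::PathGraph

/** A call to `HttpServletRequest.getQueryString()`. */
class QueryStringRead extends MethodAccess {
  QueryStringRead() {
    this.getMethod().hasName("getQueryString") and
    this.getMethod()
        .getDeclaringType()
        .getAnAncestor()
        .hasQualifiedName("javax.servlet.http", "HttpServletRequest")
  }
}

class FilterAwareConfig extends TaintTracking::Configuration {
  FilterAwareConfig() { this = "FilterAwareConfig" }

  override predicate isSource(DataFlow::Node source) {
    // Only inputs read inside TestServlet are sources; the Filter is
    // analysed separately (CodeQL does not model the chain order)
    source instanceof RemoteFlowSource and
    source.getEnclosingCallable().getDeclaringType().hasName("TestServlet")
  }

  override predicate isSink(DataFlow::Node sink) {
    // Illustrative sink: any argument of PrintWriter.println (reflected output)
    exists(MethodAccess ma |
      ma.getMethod().hasName("println") and
      ma.getMethod().getDeclaringType().hasQualifiedName("java.io", "PrintWriter") and
      sink.asExpr() = ma.getAnArgument()
    )
  }

  override predicate isSanitizer(DataFlow::Node node) {
    // Assumption: TestFilter validates the query string before TestServlet
    // runs, so reads of it are excluded from taint tracking. Remove this
    // clause (or narrow it) if the Filter guarantees less than that.
    node.asExpr() instanceof QueryStringRead
  }
}

from FilterAwareConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
  "Servlet input not covered by the Filter reaches a response write."
```

Because CodeQL treats the Filter and the Servlet as independently reachable, a sanitizer like this encodes an assumption about deployment (the filter mapping really does cover the Servlet's URL pattern); if that mapping changes, the exclusion silently hides real flows, so it is worth documenting the assumption next to the predicate as above and re-checking it when the web.xml or annotation-based mappings change.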

fxzyyy (Author) commented Mar 12, 2021

@smowton Thanks for the answer. I think I understand what you mean. If this is the case, I need to account for the Filter while analyzing the Servlet data flow.

I don't have a general case here, if there is one, I'm happy to provide it.

@smowton smowton closed this as completed Mar 12, 2021