update {java/rb}/xxe to match python/javascript

2025-12-20 10:46:30 +01:00 · 2022-08-11 21:57:50 +02:00
parent 2d0a4c3d83
commit 034d197e01
2 changed files with 6 additions and 4 deletions
--- a/java/ql/src/Security/CWE/CWE-611/XXE.ql
+++ b/java/ql/src/Security/CWE/CWE-611/XXE.ql
@@ -51,5 +51,6 @@ class XxeConfig extends TaintTracking::Configuration {

 from DataFlow::PathNode source, DataFlow::PathNode sink, XxeConfig conf
 where conf.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Unsafe parsing of XML file from $@.", source.getNode(),
-  "user input"
+select sink.getNode(), source, sink,
+  "A $@ is parsed as XML without guarding against external entity expansion.", source.getNode(),
+  "user-provided value"