From 0a697e49c115ade34c65f9d98f196c6cc23b3e77 Mon Sep 17 00:00:00 2001
From: Kevin Stubbings <kwstubbs@github.com>
Date: Tue, 24 Sep 2024 17:29:25 -0700
Subject: [PATCH] Add MaD

---
 java/ql/lib/change-notes/2024-09-24-multipart.md  |  4 ++++
 java/ql/lib/ext/jakarta.servlet.http.model.yml    |  7 +++++++
 java/ql/lib/ext/javax.servlet.http.model.yml      |  8 ++++++++
 java/ql/lib/ext/org.apache.commons.fileupload.yml | 15 +++++++++++++++
 4 files changed, 34 insertions(+)
 create mode 100644 java/ql/lib/change-notes/2024-09-24-multipart.md
 create mode 100644 java/ql/lib/ext/org.apache.commons.fileupload.yml

diff --git a/java/ql/lib/change-notes/2024-09-24-multipart.md b/java/ql/lib/change-notes/2024-09-24-multipart.md
new file mode 100644
index 00000000000..f10cfbfd944
--- /dev/null
+++ b/java/ql/lib/change-notes/2024-09-24-multipart.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added more dataflow models of `org.apache.commons.fileupload.FileItem` and `javax.servlet.http.Part`.
\ No newline at end of file
diff --git a/java/ql/lib/ext/jakarta.servlet.http.model.yml b/java/ql/lib/ext/jakarta.servlet.http.model.yml
index 5a83b1ac08d..c1c55bddb9e 100644
--- a/java/ql/lib/ext/jakarta.servlet.http.model.yml
+++ b/java/ql/lib/ext/jakarta.servlet.http.model.yml
@@ -4,3 +4,10 @@ extensions:
       extensible: sourceModel
     data:
       - ["jakarta.servlet.http", "HttpServletRequest", True, "getServletPath", "", "", "ReturnValue", "remote", "manual"]
+      - ["jakarta.servlet.http", "Part", True, "getInputStream", "", "()", "ReturnValue", "remote", "manual"]
+      - ["jakarta.servlet.http", "Part", True, "getName", "", "()", "ReturnValue", "remote", "manual"]
+      - ["jakarta.servlet.http", "Part", True, "getContentType", "", "()", "ReturnValue", "remote", "manual"]
+      - ["jakarta.servlet.http", "Part", True, "getHeader", "", "(String)", "ReturnValue", "remote", "manual"]
+      - ["jakarta.servlet.http", "Part", True, "getHeaders", "", "(String)", "ReturnValue", "remote", "manual"]
+      - ["jakarta.servlet.http", "Part", True, "getHeaderNames", "", "()", "ReturnValue", "remote", "manual"]
+      - ["jakarta.servlet.http", "Part", True, "getSubmittedFileName", "", "()", "ReturnValue", "remote", "manual"]
diff --git a/java/ql/lib/ext/javax.servlet.http.model.yml b/java/ql/lib/ext/javax.servlet.http.model.yml
index ec35445d199..dd345ed3c3e 100644
--- a/java/ql/lib/ext/javax.servlet.http.model.yml
+++ b/java/ql/lib/ext/javax.servlet.http.model.yml
@@ -19,6 +19,14 @@ extensions:
       - ["javax.servlet.http", "HttpServletRequest", False, "getRequestURI", "()", "", "ReturnValue", "remote", "manual"]
       - ["javax.servlet.http", "HttpServletRequest", False, "getRequestURL", "()", "", "ReturnValue", "remote", "manual"]
       - ["javax.servlet.http", "HttpServletRequest", False, "getServletPath", "()", "", "ReturnValue", "remote", "manual"]
+      - ["javax.servlet.http", "Part", False, "getInputStream", "()", "", "ReturnValue", "remote", "manual"]
+      - ["javax.servlet.http", "Part", False, "getName", "()", "", "ReturnValue", "remote", "manual"]
+      - ["javax.servlet.http", "Part", False, "getContentType", "()", "", "ReturnValue", "remote", "manual"]
+      - ["javax.servlet.http", "Part", False, "getHeader", "(String)", "", "ReturnValue", "remote", "manual"]
+      - ["javax.servlet.http", "Part", False, "getSubmittedFileName", "()", "", "ReturnValue", "remote", "manual"]
+      - ["javax.servlet.http", "Part", False, "getHeaders", "(String)", "", "ReturnValue", "remote", "manual"]
+      - ["javax.servlet.http", "Part", False, "getHeadersNames", "()", "", "ReturnValue", "remote", "manual"]
+
 
   - addsTo:
       pack: codeql/java-all
diff --git a/java/ql/lib/ext/org.apache.commons.fileupload.yml b/java/ql/lib/ext/org.apache.commons.fileupload.yml
new file mode 100644
index 00000000000..dfa87cd22bb
--- /dev/null
+++ b/java/ql/lib/ext/org.apache.commons.fileupload.yml
@@ -0,0 +1,15 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+    data:
+      - ["org.apache.commons.fileupload", "FileItem", True, "getInputStream", "", "", "ReturnValue", "remote", "manual"]
+      - ["org.apache.commons.fileupload", "FileItem", True, "getFieldName", "", "", "ReturnValue", "remote", "manual"]
+      - ["org.apache.commons.fileupload", "FileItem", True, "getContentType", "", "", "ReturnValue", "remote", "manual"]
+      - ["org.apache.commons.fileupload", "FileItem", True, "getString", "", "", "ReturnValue", "remote", "manual"]
+      - ["org.apache.commons.fileupload", "FileItem", True, "getName", "", "", "ReturnValue", "remote", "manual"]
+      - ["org.apache.commons.fileupload", "FileItem", True, "get", "", "", "ReturnValue", "remote", "manual"]
+      - ["org.apache.commons.fileupload", "FileItemStream", True, "getContentType", "", "", "ReturnValue", "remote", "manual"]
+      - ["org.apache.commons.fileupload", "FileItemStream", True, "getFieldName", "", "", "ReturnValue", "remote", "manual"]
+      - ["org.apache.commons.fileupload", "FileItemStream", True, "getName", "", "", "ReturnValue", "remote", "manual"]
+      - ["org.apache.commons.fileupload", "FileItemStream", True, "openStream", "", "", "ReturnValue", "remote", "manual"]
\ No newline at end of file