Merge branch 'main' into atorralba/promote-unsafe-android-webview-fetch

java/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql

@@ -5,6 +5,7 @@
  * @kind path-problem
  * @precision low
  * @problem.severity error
+ * @security-severity 5.9
  * @tags security external/cwe/cwe-20
  */
 

java/ql/src/Security/CWE/CWE-022/TaintedPath.ql

@@ -3,6 +3,7 @@
  * @description Accessing paths influenced by users can allow an attacker to access unexpected resources.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 6.4
  * @precision high
  * @id java/path-injection
  * @tags security

java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql

@@ -3,6 +3,7 @@
  * @description Accessing paths influenced by users can allow an attacker to access unexpected resources.
  * @kind path-problem
  * @problem.severity recommendation
+ * @security-severity 6.4
  * @precision medium
  * @id java/path-injection-local
  * @tags security

java/ql/src/Security/CWE/CWE-022/ZipSlip.ql

@@ -6,6 +6,7 @@
  * @kind path-problem
  * @id java/zipslip
  * @problem.severity error
+ * @security-severity 6.4
  * @precision high
  * @tags security
  *       external/cwe/cwe-022

java/ql/src/Security/CWE/CWE-078/ExecRelative.ql

@@ -4,6 +4,7 @@
  *              malicious changes in the PATH environment variable.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision medium
  * @id java/relative-path-command
  * @tags security

java/ql/src/Security/CWE/CWE-078/ExecTainted.ql

@@ -4,6 +4,7 @@
  *              changes in the strings.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id java/command-line-injection
  * @tags security

java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql

@@ -4,6 +4,7 @@
  *              changes in the strings.
  * @kind path-problem
  * @problem.severity recommendation
+ * @security-severity 5.9
  * @precision medium
  * @id java/command-line-injection-local
  * @tags security

java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql

@@ -4,6 +4,7 @@
  *              insertion of special characters in the strings.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id java/concatenated-command-line
  * @tags security

java/ql/src/Security/CWE/CWE-079/XSS.ql

@@ -4,6 +4,7 @@
  *              allows for a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 2.9
  * @precision high
  * @id java/xss
  * @tags security

java/ql/src/Security/CWE/CWE-079/XSSLocal.ql

@@ -4,6 +4,7 @@
  *              allows for a cross-site scripting vulnerability.
  * @kind path-problem
  * @problem.severity recommendation
+ * @security-severity 2.9
  * @precision medium
  * @id java/xss-local
  * @tags security

java/ql/src/Security/CWE/CWE-089/SqlTainted.ql

@@ -4,6 +4,7 @@
  *              malicious code by the user.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 6.4
  * @precision high
  * @id java/sql-injection
  * @tags security

java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql

@@ -4,6 +4,7 @@
  *              malicious code by the user.
  * @kind path-problem
  * @problem.severity recommendation
+ * @security-severity 6.4
  * @precision medium
  * @id java/sql-injection-local
  * @tags security

java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql

@@ -4,6 +4,7 @@
  *              characters is vulnerable to insertion of malicious code.
  * @kind problem
  * @problem.severity error
+ * @security-severity 6.4
  * @precision high
  * @id java/concatenated-sql-query
  * @tags security

java/ql/src/Security/CWE/CWE-090/LdapInjection.ql

@@ -4,6 +4,7 @@
  *              malicious LDAP code by the user.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id java/ldap-injection
  * @tags security

java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql

@@ -3,6 +3,7 @@
  * @description User-controlled data may be evaluated as a Java EL expression, leading to arbitrary code execution.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 10.0
  * @precision high
  * @id java/insecure-bean-validation
  * @tags security

java/ql/src/Security/CWE/CWE-094/JexlInjection.qhelp

@@ -0,0 +1,63 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Java EXpression Language (JEXL) is a simple expression language
+provided by the Apache Commons JEXL library.
+The syntax is close to a mix of ECMAScript and shell-script. 
+The language allows invocation of methods available in the JVM.
+If a JEXL expression is built using attacker-controlled data, 
+and then evaluated, then it may allow the attacker to run arbitrary code.
+</p>
+</overview>
+
+<recommendation>
+<p>
+It is generally recommended to avoid using untrusted input in a JEXL expression.
+If it is not possible, JEXL expressions should be run in a sandbox that allows accessing only
+explicitly allowed classes.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example uses untrusted data to build and run a JEXL expression.
+</p>
+<sample src="UnsafeJexlExpressionEvaluation.java" />
+
+<p>
+The next example shows how an untrusted JEXL expression can be run
+in a sandbox that allows accessing only methods in the <code>java.lang.Math</code> class.
+The sandbox is implemented using <code>JexlSandbox</code> class that is provided by
+Apache Commons JEXL 3.
+</p>
+<sample src="SaferJexlExpressionEvaluationWithSandbox.java" />
+
+<p>
+The next example shows another way how a sandbox can be implemented.
+It uses a custom implementation of <code>JexlUberspect</code>
+that checks if callees are instances of allowed classes.
+</p>
+<sample src="SaferJexlExpressionEvaluationWithUberspectSandbox.java" />
+</example>
+
+<references>
+<li>
+  Apache Commons JEXL:
+  <a href="https://commons.apache.org/proper/commons-jexl/">Project page</a>.
+</li>
+<li>
+  Apache Commons JEXL documentation:
+  <a href="https://commons.apache.org/proper/commons-jexl/javadocs/apidocs-2.1.1/">JEXL 2.1.1 API</a>.
+</li>
+<li>
+  Apache Commons JEXL documentation:
+  <a href="https://commons.apache.org/proper/commons-jexl/apidocs/index.html">JEXL 3.1 API</a>.
+</li>
+<li>
+  OWASP:
+  <a href="https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection">Expression Language Injection</a>.
+</li>
+</references>
+</qhelp>

java/ql/src/Security/CWE/CWE-094/JexlInjection.ql

@@ -0,0 +1,38 @@
+/**
+ * @name Expression language injection (JEXL)
+ * @description Evaluation of a user-controlled JEXL expression
+ *              may lead to arbitrary code execution.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 10.0
+ * @precision high
+ * @id java/jexl-expression-injection
+ * @tags security
+ *       external/cwe/cwe-094
+ */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.JexlInjection
+import DataFlow::PathGraph
+
+/**
+ * A taint-tracking configuration for unsafe user input
+ * that is used to construct and evaluate a JEXL expression.
+ * It supports both JEXL 2 and 3.
+ */
+class JexlInjectionConfig extends TaintTracking::Configuration {
+  JexlInjectionConfig() { this = "JexlInjectionConfig" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(JexlInjectionAdditionalTaintStep c).step(node1, node2)
+  }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, JexlInjectionConfig conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "JEXL injection from $@.", source.getNode(), "this user input"

java/ql/src/Security/CWE/CWE-094/SaferJexlExpressionEvaluationWithSandbox.java

@@ -0,0 +1,14 @@
+public void evaluate(Socket socket) throws IOException {
+  try (BufferedReader reader = new BufferedReader(
+        new InputStreamReader(socket.getInputStream()))) {
+    
+    JexlSandbox onlyMath = new JexlSandbox(false);
+    onlyMath.white("java.lang.Math");
+    JexlEngine jexl = new JexlBuilder().sandbox(onlyMath).create();
+      
+    String input = reader.readLine();
+    JexlExpression expression = jexl.createExpression(input);
+    JexlContext context = new MapContext();
+    expression.evaluate(context);
+  }
+}

java/ql/src/Security/CWE/CWE-094/SaferJexlExpressionEvaluationWithUberspectSandbox.java

@@ -0,0 +1,90 @@
+public void evaluate(Socket socket) throws IOException {
+  try (BufferedReader reader = new BufferedReader(
+        new InputStreamReader(socket.getInputStream()))) {
+    
+    JexlUberspect sandbox = new JexlUberspectSandbox();
+    JexlEngine jexl = new JexlBuilder().uberspect(sandbox).create();
+      
+    String input = reader.readLine();
+    JexlExpression expression = jexl.createExpression(input);
+    JexlContext context = new MapContext();
+    expression.evaluate(context);
+  }
+
+  private static class JexlUberspectSandbox implements JexlUberspect {
+
+    private static final List<String> ALLOWED_CLASSES =
+              Arrays.asList("java.lang.Math", "java.util.Random");
+
+    private final JexlUberspect uberspect = new JexlBuilder().create().getUberspect();
+
+    private void checkAccess(Object obj) {
+      if (!ALLOWED_CLASSES.contains(obj.getClass().getCanonicalName())) {
+        throw new AccessControlException("Not allowed");
+      }
+    }
+
+    @Override
+    public JexlMethod getMethod(Object obj, String method, Object... args) {
+      checkAccess(obj);
+      return uberspect.getMethod(obj, method, args);
+    }
+
+    @Override
+    public List<PropertyResolver> getResolvers(JexlOperator op, Object obj) {
+      checkAccess(obj);
+      return uberspect.getResolvers(op, obj);
+    }
+
+    @Override
+    public void setClassLoader(ClassLoader loader) {
+      uberspect.setClassLoader(loader);
+    }
+
+    @Override
+    public int getVersion() {
+      return uberspect.getVersion();
+    }
+
+    @Override
+    public JexlMethod getConstructor(Object obj, Object... args) {
+      checkAccess(obj);
+      return uberspect.getConstructor(obj, args);
+    }
+
+    @Override
+    public JexlPropertyGet getPropertyGet(Object obj, Object identifier) {
+      checkAccess(obj);
+      return uberspect.getPropertyGet(obj, identifier);
+    }
+
+    @Override
+    public JexlPropertyGet getPropertyGet(List<PropertyResolver> resolvers, Object obj, Object identifier) {
+      checkAccess(obj);
+      return uberspect.getPropertyGet(resolvers, obj, identifier);
+    }
+
+    @Override
+    public JexlPropertySet getPropertySet(Object obj, Object identifier, Object arg) {
+      checkAccess(obj);
+      return uberspect.getPropertySet(obj, identifier, arg);
+    }
+
+    @Override
+    public JexlPropertySet getPropertySet(List<PropertyResolver> resolvers, Object obj, Object identifier, Object arg) {
+      checkAccess(obj);
+      return uberspect.getPropertySet(resolvers, obj, identifier, arg);
+    }
+
+    @Override
+    public Iterator<?> getIterator(Object obj) {
+      checkAccess(obj);
+      return uberspect.getIterator(obj);
+    }
+
+    @Override
+    public JexlArithmetic.Uberspect getArithmetic(JexlArithmetic arithmetic) {
+      return uberspect.getArithmetic(arithmetic);
+    } 
+  }
+}

java/ql/src/Security/CWE/CWE-094/UnsafeJexlExpressionEvaluation.java

@@ -0,0 +1,11 @@
+public void evaluate(Socket socket) throws IOException {
+  try (BufferedReader reader = new BufferedReader(
+        new InputStreamReader(socket.getInputStream()))) {
+    
+    String input = reader.readLine();
+    JexlEngine jexl = new JexlBuilder().create();
+    JexlExpression expression = jexl.createExpression(input);
+    JexlContext context = new MapContext();
+    expression.evaluate(context);
+  }
+}

java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql

@@ -3,6 +3,7 @@
  * @description Using a deprecated artifact repository may eventually give attackers access for a supply chain attack.
  * @kind problem
  * @problem.severity error
+ * @security-severity 6.5
  * @precision very-high
  * @id java/maven/dependency-upon-bintray
  * @tags security

java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql

@@ -5,6 +5,7 @@
  *              an HTTP header.
  * @kind problem
  * @problem.severity error
+ * @security-severity 3.6
  * @precision high
  * @id java/netty-http-response-splitting
  * @tags security

java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql

@@ -4,6 +4,7 @@
  *              makes code vulnerable to attack by header splitting.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 3.6
  * @precision high
  * @id java/http-response-splitting
  * @tags security

java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql

@@ -4,6 +4,7 @@
  *              makes code vulnerable to attack by header splitting.
  * @kind path-problem
  * @problem.severity recommendation
+ * @security-severity 3.6
  * @precision medium
  * @id java/http-response-splitting-local
  * @tags security

java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql

@@ -3,6 +3,7 @@
  * @description Using unvalidated external input as the argument to a construction of an array can lead to index out of bound exceptions.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision medium
  * @id java/improper-validation-of-array-construction
  * @tags security

java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql

@@ -4,6 +4,7 @@
  *              a construction of an array can lead to index out of bound exceptions.
  * @kind path-problem
  * @problem.severity recommendation
+ * @security-severity 5.9
  * @precision medium
  * @id java/improper-validation-of-array-construction-code-specified
  * @tags security

java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionLocal.ql

@@ -4,6 +4,7 @@
  *              a construction of an array can lead to index out of bound exceptions.
  * @kind path-problem
  * @problem.severity recommendation
+ * @security-severity 5.9
  * @precision medium
  * @id java/improper-validation-of-array-construction-local
  * @tags security

java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql

@@ -3,6 +3,7 @@
  * @description Using external input as an index to an array, without proper validation, can lead to index out of bound exceptions.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision medium
  * @id java/improper-validation-of-array-index
  * @tags security

java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql

@@ -4,6 +4,7 @@
  *              proper validation, can lead to index out of bound exceptions.
  * @kind path-problem
  * @problem.severity recommendation
+ * @security-severity 5.9
  * @precision medium
  * @id java/improper-validation-of-array-index-code-specified
  * @tags security

java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexLocal.ql

@@ -4,6 +4,7 @@
  *              proper validation, can lead to index out of bound exceptions.
  * @kind path-problem
  * @problem.severity recommendation
+ * @security-severity 5.9
  * @precision medium
  * @id java/improper-validation-of-array-index-local
  * @tags security

java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql

@@ -3,6 +3,7 @@
  * @description Using external input in format strings can lead to exceptions or information leaks.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 6.9
  * @precision high
  * @id java/tainted-format-string
  * @tags security

java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.ql

@@ -3,6 +3,7 @@
  * @description Using external input in format strings can lead to exceptions or information leaks.
  * @kind path-problem
  * @problem.severity recommendation
+ * @security-severity 6.9
  * @precision medium
  * @id java/tainted-format-string-local
  * @tags security

java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql

@@ -4,6 +4,7 @@
  *              overflows.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision medium
  * @id java/tainted-arithmetic
  * @tags security

java/ql/src/Security/CWE/CWE-190/ArithmeticTaintedLocal.ql

@@ -4,6 +4,7 @@
  *              overflows.
  * @kind path-problem
  * @problem.severity recommendation
+ * @security-severity 5.9
  * @precision medium
  * @id java/tainted-arithmetic-local
  * @tags security

java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql

@@ -4,6 +4,7 @@
  *              overflows.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision medium
  * @id java/uncontrolled-arithmetic
  * @tags security

java/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql

@@ -4,6 +4,7 @@
  *              is then used in an arithmetic expression, this may result in an overflow.
  * @kind path-problem
  * @problem.severity recommendation
+ * @security-severity 5.9
  * @precision medium
  * @id java/extreme-value-arithmetic
  * @tags security

java/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql

@@ -4,6 +4,7 @@
  *              to behave unexpectedly.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision medium
  * @id java/comparison-with-wider-type
  * @tags reliability

java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql

@@ -5,6 +5,7 @@
  *              that are useful to an attacker for developing a subsequent exploit.
  * @kind problem
  * @problem.severity error
+ * @security-severity 3.6
  * @precision high
  * @id java/stack-trace-exposure
  * @tags security
@@ -15,7 +16,7 @@
 import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.TaintTracking
-import semmle.code.java.security.XSS
+import semmle.code.java.security.InformationLeak
 
 /**
  * One of the `printStackTrace()` overloads on `Throwable`.
@@ -83,14 +84,14 @@ predicate stackTraceExpr(Expr exception, MethodAccess stackTraceString) {
   )
 }
 
-class StackTraceStringToXssSinkFlowConfig extends TaintTracking::Configuration {
-  StackTraceStringToXssSinkFlowConfig() {
-    this = "StackTraceExposure::StackTraceStringToXssSinkFlowConfig"
+class StackTraceStringToHttpResponseSinkFlowConfig extends TaintTracking::Configuration {
+  StackTraceStringToHttpResponseSinkFlowConfig() {
+    this = "StackTraceExposure::StackTraceStringToHttpResponseSinkFlowConfig"
   }
 
   override predicate isSource(DataFlow::Node src) { stackTraceExpr(_, src.asExpr()) }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
+  override predicate isSink(DataFlow::Node sink) { sink instanceof InformationLeakSink }
 }
 
 /**
@@ -105,8 +106,8 @@ predicate printsStackExternally(MethodAccess call, Expr stackTrace) {
 /**
  * A stringified stack trace flows to an external sink.
  */
-predicate stringifiedStackFlowsExternally(XssSink externalExpr, Expr stackTrace) {
-  exists(MethodAccess stackTraceString, StackTraceStringToXssSinkFlowConfig conf |
+predicate stringifiedStackFlowsExternally(DataFlow::Node externalExpr, Expr stackTrace) {
+  exists(MethodAccess stackTraceString, StackTraceStringToHttpResponseSinkFlowConfig conf |
     stackTraceExpr(stackTrace, stackTraceString) and
     conf.hasFlow(DataFlow::exprNode(stackTraceString), externalExpr)
   )
@@ -123,21 +124,21 @@ class GetMessageFlowSource extends MethodAccess {
   }
 }
 
-class GetMessageFlowSourceToXssSinkFlowConfig extends TaintTracking::Configuration {
-  GetMessageFlowSourceToXssSinkFlowConfig() {
-    this = "StackTraceExposure::GetMessageFlowSourceToXssSinkFlowConfig"
+class GetMessageFlowSourceToHttpResponseSinkFlowConfig extends TaintTracking::Configuration {
+  GetMessageFlowSourceToHttpResponseSinkFlowConfig() {
+    this = "StackTraceExposure::GetMessageFlowSourceToHttpResponseSinkFlowConfig"
   }
 
   override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof GetMessageFlowSource }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }
+  override predicate isSink(DataFlow::Node sink) { sink instanceof InformationLeakSink }
 }
 
 /**
  * A call to `getMessage()` that then flows to a servlet response.
  */
-predicate getMessageFlowsExternally(XssSink externalExpr, GetMessageFlowSource getMessage) {
-  any(GetMessageFlowSourceToXssSinkFlowConfig conf)
+predicate getMessageFlowsExternally(DataFlow::Node externalExpr, GetMessageFlowSource getMessage) {
+  any(GetMessageFlowSourceToHttpResponseSinkFlowConfig conf)
       .hasFlow(DataFlow::exprNode(getMessage), externalExpr)
 }
 

java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql

@@ -3,6 +3,7 @@
  * @description Marking a certificate as valid for a host without checking the certificate hostname allows an attacker to perform a machine-in-the-middle attack.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 4.9
  * @precision high
  * @id java/unsafe-hostname-verification
  * @tags security

java/ql/src/Security/CWE/CWE-312/CleartextStorageClass.ql

@@ -3,6 +3,7 @@
  * @description Storing sensitive information in cleartext can expose it to an attacker.
  * @kind problem
  * @problem.severity recommendation
+ * @security-severity 5.9
  * @precision medium
  * @id java/cleartext-storage-in-class
  * @tags security

java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql

@@ -3,6 +3,7 @@
  * @description Storing sensitive information in cleartext can expose it to an attacker.
  * @kind problem
  * @problem.severity error
+ * @security-severity 2.9
  * @precision high
  * @id java/cleartext-storage-in-cookie
  * @tags security

java/ql/src/Security/CWE/CWE-312/CleartextStorageProperties.ql

@@ -3,6 +3,7 @@
  * @description Storing sensitive information in cleartext can expose it to an attacker.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 6.4
  * @precision medium
  * @id java/cleartext-storage-in-properties
  * @tags security

java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql

@@ -3,6 +3,7 @@
  * @description Non-HTTPS connections can be intercepted by third parties.
  * @kind path-problem
  * @problem.severity recommendation
+ * @security-severity 5.2
  * @precision medium
  * @id java/non-https-url
  * @tags security

java/ql/src/Security/CWE/CWE-319/UseSSL.ql

@@ -3,6 +3,7 @@
  * @description Non-SSL connections can be intercepted by third parties.
  * @kind problem
  * @problem.severity recommendation
+ * @security-severity 5.2
  * @precision medium
  * @id java/non-ssl-connection
  * @tags security

java/ql/src/Security/CWE/CWE-319/UseSSLSocketFactories.ql

@@ -4,6 +4,7 @@
  *              third parties.
  * @kind problem
  * @problem.severity recommendation
+ * @security-severity 5.2
  * @precision medium
  * @id java/non-ssl-socket-factory
  * @tags security

java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql

@@ -3,6 +3,7 @@
  * @description Using broken or weak cryptographic algorithms can allow an attacker to compromise security.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 5.2
  * @precision high
  * @id java/weak-cryptographic-algorithm
  * @tags security

java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql

@@ -3,6 +3,7 @@
  * @description Using broken or weak cryptographic algorithms can allow an attacker to compromise security.
  * @kind path-problem
  * @problem.severity warning
+ * @security-severity 5.2
  * @precision medium
  * @id java/potentially-weak-cryptographic-algorithm
  * @tags security

java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql

@@ -3,9 +3,11 @@
  * @description Using a predictable seed in a pseudo-random number generator can lead to predictability of the numbers generated by it.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id java/predictable-seed
  * @tags security
+ *       external/cwe/cwe-335
  */
 
 import java

java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql

@@ -3,6 +3,7 @@
  * @description Using a vulnerable version of JHipster to generate random numbers makes it easier for attackers to take over accounts.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision very-high
  * @id java/jhipster-prng
  * @tags security

java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql

@@ -4,6 +4,7 @@
  *              a Cross-Site Request Forgery (CSRF) attack.
  * @kind problem
  * @problem.severity error
+ * @security-severity 6.4
  * @precision high
  * @id java/spring-disabled-csrf-protection
  * @tags security

java/ql/src/Security/CWE/CWE-367/TOCTOURace.ql

@@ -4,6 +4,7 @@
  *              if the state may be changed between the check and use.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 5.9
  * @precision medium
  * @id java/toctou-race-condition
  * @tags security

java/ql/src/Security/CWE/CWE-421/SocketAuthRace.ql

@@ -3,6 +3,7 @@
  * @description Opening a socket after authenticating via a different channel may allow an attacker to connect to the port first.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 10.0
  * @precision medium
  * @id java/socket-auth-race-condition
  * @tags security

java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp

@@ -14,8 +14,8 @@ may have unforeseen effects, such as the execution of arbitrary code.
 </p>
 <p>
 There are many different serialization frameworks.  This query currently
-supports Kryo, XmlDecoder, XStream, SnakeYaml, and Java IO serialization through
-<code>ObjectInputStream</code>/<code>ObjectOutputStream</code>.
+supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap 
+and Java IO serialization through <code>ObjectInputStream</code>/<code>ObjectOutputStream</code>.
 </p>
 </overview>
 
@@ -75,6 +75,22 @@ Alvaro Muñoz &amp; Christian Schneider, RSAConference 2016:
 SnakeYaml documentation on deserialization:
 <a href="https://bitbucket.org/asomov/snakeyaml/wiki/Documentation#markdown-header-loading-yaml">SnakeYaml deserialization</a>.
 </li>
+<li>
+Hessian deserialization and related gadget chains:
+<a href="https://paper.seebug.org/1137/">Hessian deserialization</a>.
+</li>
+<li>
+Castor and Hessian java deserialization vulnerabilities:
+<a href="https://securitylab.github.com/research/hessian-java-deserialization-castor-vulnerabilities/">Castor and Hessian deserialization</a>.
+</li>
+<li>
+Remote code execution in JYaml library:
+<a href="https://www.cybersecurity-help.cz/vdb/SB2020022512">JYaml deserialization</a>.
+</li>
+<li>
+JsonIO deserialization vulnerabilities:
+<a href="https://klezvirus.github.io/Advanced-Web-Hacking/Serialisation/">JsonIO deserialization</a>.
+</li>
 </references>
 
 </qhelp>

java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql

@@ -4,6 +4,7 @@
  *              execute arbitrary code.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id java/unsafe-deserialization
  * @tags security
@@ -21,6 +22,39 @@ class UnsafeDeserializationConfig extends TaintTracking::Configuration {
   override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeDeserializationSink }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(ClassInstanceExpr cie |
+      cie.getArgument(0) = pred.asExpr() and
+      cie = succ.asExpr() and
+      (
+        cie.getConstructor().getDeclaringType() instanceof JsonIoJsonReader or
+        cie.getConstructor().getDeclaringType() instanceof YamlBeansReader or
+        cie.getConstructor().getDeclaringType().getASupertype*() instanceof UnsafeHessianInput or
+        cie.getConstructor().getDeclaringType() instanceof BurlapInput
+      )
+    )
+    or
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof BurlapInputInitMethod and
+      ma.getArgument(0) = pred.asExpr() and
+      ma.getQualifier() = succ.asExpr()
+    )
+  }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    exists(ClassInstanceExpr cie |
+      cie.getConstructor().getDeclaringType() instanceof JsonIoJsonReader and
+      cie = node.asExpr() and
+      exists(SafeJsonIoConfig sji | sji.hasFlowToExpr(cie.getArgument(1)))
+    )
+    or
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof JsonIoJsonToJavaMethod and
+      ma.getArgument(0) = node.asExpr() and
+      exists(SafeJsonIoConfig sji | sji.hasFlowToExpr(ma.getArgument(1)))
+    )
+  }
 }
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, UnsafeDeserializationConfig conf

java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql

@@ -4,6 +4,7 @@
  *              may cause redirection to malicious web sites.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 2.7
  * @precision high
  * @id java/unvalidated-url-redirection
  * @tags security

java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql

@@ -4,6 +4,7 @@
  *              may cause redirection to malicious web sites.
  * @kind path-problem
  * @problem.severity recommendation
+ * @security-severity 2.7
  * @precision medium
  * @id java/unvalidated-url-redirection-local
  * @tags security

java/ql/src/Security/CWE/CWE-611/XXE.ql

@@ -4,6 +4,7 @@
  * references may lead to disclosure of confidential data or denial of service.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id java/xxe
  * @tags security

java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql

@@ -4,6 +4,7 @@
  *              interception.
  * @kind problem
  * @problem.severity error
+ * @security-severity 2.9
  * @precision high
  * @id java/insecure-cookie
  * @tags security

java/ql/src/Security/CWE/CWE-643/XPathInjection.ql

@@ -4,6 +4,7 @@
  *              malicious code by the user.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id java/xml/xpath-injection
  * @tags security

java/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql

@@ -3,6 +3,7 @@
  * @description Certain standard library routines are dangerous to call.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 10.0
  * @precision medium
  * @id java/potentially-dangerous-function
  * @tags reliability

java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql

@@ -4,6 +4,7 @@
  *              can cause unexpected truncation.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id java/tainted-numeric-cast
  * @tags security

java/ql/src/Security/CWE/CWE-681/NumericCastTaintedLocal.ql

@@ -4,6 +4,7 @@
  *              can cause unexpected truncation.
  * @kind path-problem
  * @problem.severity recommendation
+ * @security-severity 5.9
  * @precision medium
  * @id java/tainted-numeric-cast-local
  * @tags security

java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql

@@ -4,6 +4,7 @@
  *              the file may be modified or removed by external actors.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id java/world-writable-file-read
  * @tags security

java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql

@@ -3,6 +3,7 @@
  * @description Using a hard-coded credential in a call to a sensitive Java API may compromise security.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision medium
  * @id java/hardcoded-credential-api-call
  * @tags security

java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsComparison.ql

@@ -3,6 +3,7 @@
  * @description Comparing a parameter to a hard-coded credential may compromise security.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision low
  * @id java/hardcoded-credential-comparison
  * @tags security

java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql

@@ -3,6 +3,7 @@
  * @description Using a hard-coded credential in a sensitive call may compromise security.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision low
  * @id java/hardcoded-credential-sensitive-call
  * @tags security

java/ql/src/Security/CWE/CWE-798/HardcodedPasswordField.ql

@@ -3,6 +3,7 @@
  * @description Hard-coding a password string may compromise security.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision low
  * @id java/hardcoded-password-field
  * @tags security

java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql

@@ -4,6 +4,7 @@
  *              passing through authentication systems.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision medium
  * @id java/user-controlled-bypass
  * @tags security

java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql

@@ -4,6 +4,7 @@
  *              permissions being granted.
  * @kind path-problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision high
  * @id java/tainted-permissions-check
  * @tags security

java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql

@@ -3,6 +3,7 @@
  * @description Non-HTTPS connections can be intercepted by third parties.
  * @kind problem
  * @problem.severity error
+ * @security-severity 5.9
  * @precision very-high
  * @id java/maven/non-https-url
  * @tags security

java/ql/src/Security/CWE/CWE-833/LockOrderInconsistency.ql

@@ -3,6 +3,7 @@
  * @description Acquiring multiple locks in a different order may cause deadlock.
  * @kind problem
  * @problem.severity recommendation
+ * @security-severity 6.9
  * @precision medium
  * @id java/lock-order-inconsistency
  * @tags security

java/ql/src/Security/CWE/CWE-835/InfiniteLoop.ql

@@ -5,6 +5,7 @@
  *              looping.
  * @kind problem
  * @problem.severity warning
+ * @security-severity 3.6
  * @precision medium
  * @id java/unreachable-exit-in-loop
  * @tags security

java/ql/src/Security/CWE/CWE-918/RequestForgery.java

@@ -0,0 +1,20 @@
+import java.net.http.HttpClient;
+
+public class SSRF extends HttpServlet {
+	private static final String VALID_URI = "http://lgtm.com";
+	private HttpClient client = HttpClient.newHttpClient();
+
+	protected void doGet(HttpServletRequest request, HttpServletResponse response)
+		throws ServletException, IOException {
+		URI uri = new URI(request.getParameter("uri"));
+		// BAD: a request parameter is incorporated without validation into a Http request
+		HttpRequest r = HttpRequest.newBuilder(uri).build();
+		client.send(r, null);
+
+		// GOOD: the request parameter is validated against a known fixed string
+		if (VALID_URI.equals(request.getParameter("uri"))) {
+			HttpRequest r2 = HttpRequest.newBuilder(uri).build();
+			client.send(r2, null);
+		}
+	}
+}

java/ql/src/Security/CWE/CWE-918/RequestForgery.qhelp

@@ -0,0 +1,39 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+
+<overview>
+<p>Directly incorporating user input into an HTTP request without validating the input
+can facilitate server-side request forgery (SSRF) attacks. In these attacks, the server
+may be tricked into making a request and interacting with an attacker-controlled server.
+</p>
+
+</overview>
+<recommendation>
+
+<p>To guard against SSRF attacks, you should avoid putting user-provided input
+directly into a request URL. Instead, maintain a list of authorized
+URLs on the server; then choose from that list based on the input provided.
+Alternatively, ensure requests constructed from user input are limited to
+a particular host or more restrictive URL prefix.</p>
+
+</recommendation>
+<example>
+
+<p>The following example shows an HTTP request parameter being used directly to form a
+new request without validating the input, which facilitates SSRF attacks.
+It also shows how to remedy the problem by validating the user input against a known fixed string.
+</p>
+
+<sample src="RequestForgery.java" />
+
+</example>
+<references>
+  <li>
+    <a href="https://owasp.org/www-community/attacks/Server_Side_Request_Forgery">OWASP SSRF</a>
+  </li>
+
+</references>
+</qhelp>

java/ql/src/Security/CWE/CWE-918/RequestForgery.ql

@@ -0,0 +1,20 @@
+/**
+ * @name Server-side request forgery
+ * @description Making web requests based on unvalidated user-input
+ *              may cause the server to communicate with malicious servers.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id java/ssrf
+ * @tags security
+ *       external/cwe/cwe-918
+ */
+
+import java
+import semmle.code.java.security.RequestForgeryConfig
+import DataFlow::PathGraph
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, RequestForgeryConfiguration conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Potential server-side request forgery due to $@.",
+  source.getNode(), "a user-provided value"