Merge remote-tracking branch 'upstream/main' into post-release-prep/codeql-cli-2.13.3

java/ql/lib/change-notes/2023-05-17-change-hostnamesanitizingprefix-regex.md

@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* Updated the regular expression in the `HostnameSanitizer` sanitizer in the `semmle.code.java.security.RequestForgery` library to better detect strings prefixed with a hostname.
+

java/ql/lib/change-notes/2023-05-22-inputstreamwrapper-transitive.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Dataflow analysis has a new flow step through constructors of transitive subtypes of `java.io.InputStream` that wrap an underlying data source. Previously, the step only existed for direct subtypes of `java.io.InputStream`.

java/ql/lib/change-notes/2023-05-23-java-nio-file-files-copy-models-tweak.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+Modified the models related to `java.nio.file.Files.copy` so that generic `[Input|Output]Stream` arguments are not considered file-related sinks.

java/ql/lib/ext/java.nio.file.model.yml

@@ -3,9 +3,11 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
-      - ["java.nio.file", "Files", False, "copy", "", "", "Argument[0]", "read-file", "manual"]
+      - ["java.nio.file", "Files", False, "copy", "(Path,OutputStream)", "", "Argument[0]", "read-file", "manual"]
+      - ["java.nio.file", "Files", False, "copy", "(Path,Path,CopyOption[])", "", "Argument[0]", "read-file", "manual"]
+      - ["java.nio.file", "Files", False, "copy", "(Path,Path,CopyOption[])", "", "Argument[1]", "create-file", "manual"]
       - ["java.nio.file", "Files", False, "copy", "(InputStream,Path,CopyOption[])", "", "Argument[0]", "write-file", "manual"]
-      - ["java.nio.file", "Files", False, "copy", "", "", "Argument[1]", "create-file", "manual"]
+      - ["java.nio.file", "Files", False, "copy", "(InputStream,Path,CopyOption[])", "", "Argument[1]", "create-file", "manual"]
       - ["java.nio.file", "Files", False, "createDirectories", "", "", "Argument[0]", "create-file", "manual"]
       - ["java.nio.file", "Files", False, "createDirectory", "", "", "Argument[0]", "create-file", "manual"]
       - ["java.nio.file", "Files", False, "createFile", "", "", "Argument[0]", "create-file", "manual"]

java/ql/lib/ext/org.apache.hc.core5.http.impl.bootstrap.model.yml

@@ -1,6 +1,6 @@
 extensions:
   - addsTo:
-      pack: codeql/java-tests
+      pack: codeql/java-all
       extensible: sinkModel
     data:
       - ["org.apache.hc.core5.http.impl.bootstrap", "HttpAsyncRequester", True, "connect", "(HttpHost,Timeout)", "", "Argument[0]", "open-url", "hq-manual"]

java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll

@@ -255,8 +255,9 @@ private class BulkData extends RefType {
  * status of its argument.
  */
 private predicate inputStreamWrapper(Constructor c, int argi) {
+  not c.fromSource() and
   c.getParameterType(argi) instanceof BulkData and
-  c.getDeclaringType().getASourceSupertype().hasQualifiedName("java.io", "InputStream")
+  c.getDeclaringType().getASourceSupertype+().hasQualifiedName("java.io", "InputStream")
 }
 
 /** An object construction that preserves the data flow status of any of its arguments. */

java/ql/lib/semmle/code/java/security/RequestForgery.qll

@@ -79,10 +79,7 @@ private class HostnameSanitizingPrefix extends InterestingPrefix {
     // the host or entity addressed: for example, anything containing `?` or `#`, or a slash that
     // doesn't appear to be a protocol specifier (e.g. `http://` is not sanitizing), or specifically
     // the string "/".
-    exists(
-      this.getStringValue()
-          .regexpFind(".*([?#]|[^?#:/\\\\][/\\\\]).*|[/\\\\][^/\\\\].*|^/$", 0, offset)
-    )
+    exists(this.getStringValue().regexpFind("([?#]|[^?#:/\\\\][/\\\\])|^/$", 0, offset))
   }
 
   override int getOffset() { result = offset }