Merge branch 'github:main' into couchdb

2026-04-29 10:45:15 +02:00 · 2026-01-09 17:20:40 +01:00
parent 1e1fb43534 636bbe30f9
commit 4c8058d97b
848 changed files with 122818 additions and 100889 deletions
--- a/java/ql/lib/change-notes/2024-09-24-multipart.md
+++ b/java/ql/lib/change-notes/2024-09-24-multipart.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added more dataflow models of `org.apache.commons.fileupload.FileItem`, `javax/jakarta.servlet.http.Part` and  `org.apache.commons.fileupload.util.Streams`.
--- a/java/ql/lib/change-notes/2025-12-08-spring-websocket-handler.md
+++ b/java/ql/lib/change-notes/2025-12-08-spring-websocket-handler.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Additional remote flow sources from the `org.springframework.web.socket` package have been modeled. 
--- a/java/ql/lib/ext/jakarta.servlet.http.model.yml
+++ b/java/ql/lib/ext/jakarta.servlet.http.model.yml
@@ -3,7 +3,14 @@ extensions:
      pack: codeql/java-all
      extensible: sourceModel
    data:
-      - ["jakarta.servlet.http", "HttpServletRequest", True, "getServletPath", "", "", "ReturnValue", "remote", "manual"]
+      - ["jakarta.servlet.http", "HttpServletRequest", True, "getServletPath", "()", "", "ReturnValue", "remote", "manual"]
+      - ["jakarta.servlet.http", "Part", True, "getInputStream", "()", "", "ReturnValue", "remote", "manual"]
+      - ["jakarta.servlet.http", "Part", True, "getName", "()", "", "ReturnValue", "remote", "manual"]
+      - ["jakarta.servlet.http", "Part", True, "getContentType", "()", "", "ReturnValue", "remote", "manual"]
+      - ["jakarta.servlet.http", "Part", True, "getHeader", "(String)", "", "ReturnValue", "remote", "manual"]
+      - ["jakarta.servlet.http", "Part", True, "getHeaderNames", "()", "", "ReturnValue", "remote", "manual"]
+      - ["jakarta.servlet.http", "Part", True, "getHeaders", "(String)", "", "ReturnValue", "remote", "manual"]
+      - ["jakarta.servlet.http", "Part", True, "getSubmittedFileName", "()", "", "ReturnValue", "remote", "manual"]
      - ["jakarta.servlet.http", "HttpServletRequest", False, "getHeader", "(String)", "", "ReturnValue", "remote", "manual"]
      - ["jakarta.servlet.http", "HttpServletRequest", False, "getHeaderNames", "()", "", "ReturnValue", "remote", "manual"]
      - ["jakarta.servlet.http", "HttpServletRequest", False, "getHeaders", "(String)", "", "ReturnValue", "remote", "manual"]
--- a/java/ql/lib/ext/javax.servlet.http.model.yml
+++ b/java/ql/lib/ext/javax.servlet.http.model.yml
@@ -19,6 +19,14 @@ extensions:
      - ["javax.servlet.http", "HttpServletRequest", False, "getRequestURI", "()", "", "ReturnValue", "remote", "manual"]
      - ["javax.servlet.http", "HttpServletRequest", False, "getRequestURL", "()", "", "ReturnValue", "remote", "manual"]
      - ["javax.servlet.http", "HttpServletRequest", False, "getServletPath", "()", "", "ReturnValue", "remote", "manual"]
+      - ["javax.servlet.http", "Part", False, "getContentType", "()", "", "ReturnValue", "remote", "manual"]
+      - ["javax.servlet.http", "Part", False, "getHeader", "(String)", "", "ReturnValue", "remote", "manual"]
+      - ["javax.servlet.http", "Part", False, "getHeaderNames", "()", "", "ReturnValue", "remote", "manual"]
+      - ["javax.servlet.http", "Part", False, "getHeaders", "(String)", "", "ReturnValue", "remote", "manual"]
+      - ["javax.servlet.http", "Part", False, "getInputStream", "()", "", "ReturnValue", "remote", "manual"]
+      - ["javax.servlet.http", "Part", False, "getName", "()", "", "ReturnValue", "remote", "manual"]
+      - ["javax.servlet.http", "Part", False, "getSubmittedFileName", "()", "", "ReturnValue", "remote", "manual"]
+

  - addsTo:
      pack: codeql/java-all
--- a/java/ql/lib/ext/org.apache.commons.fileupload.model.yml
+++ b/java/ql/lib/ext/org.apache.commons.fileupload.model.yml
@@ -0,0 +1,16 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+    data:
+      - ["org.apache.commons.fileupload", "FileItem", True, "get", "()", "", "ReturnValue", "remote", "manual"]
+      - ["org.apache.commons.fileupload", "FileItem", True, "getContentType", "()", "", "ReturnValue", "remote", "manual"]
+      - ["org.apache.commons.fileupload", "FileItem", True, "getFieldName", "()", "", "ReturnValue", "remote", "manual"]
+      - ["org.apache.commons.fileupload", "FileItem", True, "getInputStream", "()", "", "ReturnValue", "remote", "manual"]
+      - ["org.apache.commons.fileupload", "FileItem", True, "getName", "()", "", "ReturnValue", "remote", "manual"]
+      - ["org.apache.commons.fileupload", "FileItem", True, "getString", "()", "", "ReturnValue", "remote", "manual"]
+      - ["org.apache.commons.fileupload", "FileItem", True, "getString", "(String)", "", "ReturnValue", "remote", "manual"]
+      - ["org.apache.commons.fileupload", "FileItemStream", True, "getContentType", "()", "", "ReturnValue", "remote", "manual"]
+      - ["org.apache.commons.fileupload", "FileItemStream", True, "getFieldName", "()", "", "ReturnValue", "remote", "manual"]
+      - ["org.apache.commons.fileupload", "FileItemStream", True, "getName", "()", "", "ReturnValue", "remote", "manual"]
+      - ["org.apache.commons.fileupload", "FileItemStream", True, "openStream", "()", "", "ReturnValue", "remote", "manual"]
--- a/java/ql/lib/ext/org.apache.commons.fileupload.util.model.yml
+++ b/java/ql/lib/ext/org.apache.commons.fileupload.util.model.yml
@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["org.apache.commons.fileupload.util", "Streams", True, "asString", "(InputStream)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["org.apache.commons.fileupload.util", "Streams", True, "asString", "(InputStream,String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["org.apache.commons.fileupload.util", "Streams", True, "copy", "(InputStream,OutputStream,boolean)", "", "Argument[0]", "Argument[1]", "taint", "manual"]
+      - ["org.apache.commons.fileupload.util", "Streams", True, "copy", "(InputStream,OutputStream,boolean,byte[])", "", "Argument[0]", "Argument[1]", "taint", "manual"]
--- a/java/ql/lib/ext/org.springframework.web.socket.model.yml
+++ b/java/ql/lib/ext/org.springframework.web.socket.model.yml
@@ -0,0 +1,23 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+    data:
+     - ["org.springframework.web.socket", "WebSocketHandler", True, "afterConnectionClosed", "", "", "Parameter[0]", "remote", "manual"]
+     - ["org.springframework.web.socket", "WebSocketHandler", True, "afterConnectionEstablished", "", "", "Parameter[0]", "remote", "manual"]
+     - ["org.springframework.web.socket", "WebSocketHandler", True, "handleMessage", "", "", "Parameter[0]", "remote", "manual"]
+     - ["org.springframework.web.socket", "WebSocketHandler", True, "handleMessage", "", "", "Parameter[1]", "remote", "manual"]
+     - ["org.springframework.web.socket", "WebSocketHandler", True, "handleTransportError", "", "", "Parameter[0]", "remote", "manual"]
+     - ["org.springframework.web.socket.handler", "AbstractWebSocketHandler", True, "handleBinaryMessage", "", "", "Parameter[0..1]", "remote", "manual"]
+     - ["org.springframework.web.socket.handler", "AbstractWebSocketHandler", True, "handlePongMessage", "", "", "Parameter[0..1]", "remote", "manual"]
+     - ["org.springframework.web.socket.handler", "AbstractWebSocketHandler", True, "handleTextMessage", "", "", "Parameter[0..1]", "remote", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["org.springframework.web.socket", "TextMessage", True, "asBytes", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["org.springframework.web.socket", "WebSocketMessage", True, "getPayload", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["org.springframework.web.socket", "WebSocketSession", True, "getAcceptedProtocol", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["org.springframework.web.socket", "WebSocketSession", True, "getHandshakeHeaders", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["org.springframework.web.socket", "WebSocketSession", True, "getPrincipal", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
+      - ["org.springframework.web.socket", "WebSocketSession", True, "getUri", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
--- a/java/ql/lib/semmle/code/java/ConflictingAccess.qll
+++ b/java/ql/lib/semmle/code/java/ConflictingAccess.qll
@@ -63,12 +63,23 @@ class ExposedField extends Field {
    not this.getType() instanceof LockType and
    // field is not thread-safe
    not isThreadSafeType(this.getType()) and
-    not isThreadSafeType(this.getInitializer().getType()) and
+    not isThreadSafeType(initialValue(this).getType()) and
    // the initializer guarantees thread safety
-    not isThreadSafeInitializer(this.getInitializer())
+    not isThreadSafeInitializer(initialValue(this))
  }
 }

+/**
+ * Gets the initial value for the field `f`.
+ * This is either a field initializer or an assignment in a constructor.
+ */
+Expr initialValue(Field f) {
+  result = f.getInitializer()
+  or
+  result = f.getAnAssignedValue() and
+  result.getEnclosingCallable() = f.getDeclaringType().getAConstructor()
+}
+
 /**
 * A field access that is exposed to potential data races.
 * We require the field to be in a class that is annotated as `@ThreadSafe`.
--- a/java/ql/lib/semmle/code/java/security/AndroidIntentRedirection.qll
+++ b/java/ql/lib/semmle/code/java/security/AndroidIntentRedirection.qll
@@ -35,6 +35,11 @@ private class DefaultIntentRedirectionSink extends IntentRedirectionSink {
  DefaultIntentRedirectionSink() { sinkNode(this, "intent-redirection") }
 }

+/** An external sanitizer for Intent redirection vulnerabilities. */
+private class ExternalIntentRedirectionSanitizer extends IntentRedirectionSanitizer {
+  ExternalIntentRedirectionSanitizer() { barrierNode(this, "intent-redirection") }
+}
+
 /**
 * A default sanitizer for `Intent` nodes dominated by calls to `ComponentName.getPackageName`
 * and `ComponentName.getClassName`. These are used to check whether the origin or destination
--- a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
@@ -37,6 +37,10 @@ private class DefaultCommandInjectionSink extends CommandInjectionSink {
  DefaultCommandInjectionSink() { sinkNode(this, "command-injection") }
 }

+private class ExternalCommandInjectionSanitizer extends CommandInjectionSanitizer {
+  ExternalCommandInjectionSanitizer() { barrierNode(this, "command-injection") }
+}
+
 private class DefaultCommandInjectionSanitizer extends CommandInjectionSanitizer {
  DefaultCommandInjectionSanitizer() {
    this instanceof SimpleTypeSanitizer
--- a/java/ql/lib/semmle/code/java/security/FragmentInjection.qll
+++ b/java/ql/lib/semmle/code/java/security/FragmentInjection.qll
@@ -49,6 +49,15 @@ private class DefaultFragmentInjectionSink extends FragmentInjectionSink {
  DefaultFragmentInjectionSink() { sinkNode(this, "fragment-injection") }
 }

+/**
+ * A sanitizer for Fragment injection vulnerabilities.
+ */
+abstract class FragmentInjectionSanitizer extends DataFlow::Node { }
+
+private class ExternalFragmentInjectionSanitizer extends FragmentInjectionSanitizer {
+  ExternalFragmentInjectionSanitizer() { barrierNode(this, "fragment-injection") }
+}
+
 private class DefaultFragmentInjectionAdditionalTaintStep extends FragmentInjectionAdditionalTaintStep
 {
  override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
--- a/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll
@@ -14,6 +14,8 @@ module FragmentInjectionTaintConfig implements DataFlow::ConfigSig {

  predicate isSink(DataFlow::Node sink) { sink instanceof FragmentInjectionSink }

+  predicate isBarrier(DataFlow::Node node) { node instanceof FragmentInjectionSanitizer }
+
  predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
    any(FragmentInjectionAdditionalTaintStep c).step(n1, n2)
  }
--- a/java/ql/lib/semmle/code/java/security/GroovyInjection.qll
+++ b/java/ql/lib/semmle/code/java/security/GroovyInjection.qll
@@ -26,6 +26,13 @@ private class DefaultGroovyInjectionSink extends GroovyInjectionSink {
  DefaultGroovyInjectionSink() { sinkNode(this, "groovy-injection") }
 }

+/** A data flow sanitizer for Groovy expression injection vulnerabilities. */
+abstract class GroovyInjectionSanitizer extends DataFlow::ExprNode { }
+
+private class ExternalGroovyInjectionSanitizer extends GroovyInjectionSanitizer {
+  ExternalGroovyInjectionSanitizer() { barrierNode(this, "groovy-injection") }
+}
+
 /** A set of additional taint steps to consider when taint tracking Groovy related data flows. */
 private class DefaultGroovyInjectionAdditionalTaintStep extends GroovyInjectionAdditionalTaintStep {
  override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
--- a/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
+++ b/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
@@ -289,8 +289,8 @@ private Method getSourceMethod(Method m) {
  result = m
 }

-private class DefaultPathInjectionSanitizer extends PathInjectionSanitizer {
-  DefaultPathInjectionSanitizer() { barrierNode(this, "path-injection") }
+private class ExternalPathInjectionSanitizer extends PathInjectionSanitizer {
+  ExternalPathInjectionSanitizer() { barrierNode(this, "path-injection") }
 }

 /** Holds if `g` is a guard that checks for `..` components. */
--- a/java/ql/lib/semmle/code/java/security/RequestForgery.qll
+++ b/java/ql/lib/semmle/code/java/security/RequestForgery.qll
@@ -118,8 +118,8 @@ private class ContainsUrlSanitizer extends RequestForgerySanitizer {
  }
 }

-private class DefaultRequestForgerySanitizer extends RequestForgerySanitizer {
-  DefaultRequestForgerySanitizer() { barrierNode(this, "request-forgery") }
+private class ExternalRequestForgerySanitizer extends RequestForgerySanitizer {
+  ExternalRequestForgerySanitizer() { barrierNode(this, "request-forgery") }
 }

 /**
--- a/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
@@ -27,8 +27,8 @@ class TrustBoundaryViolationSink extends DataFlow::Node {
 */
 abstract class TrustBoundaryValidationSanitizer extends DataFlow::Node { }

-private class DefaultTrustBoundaryValidationSanitizer extends TrustBoundaryValidationSanitizer {
-  DefaultTrustBoundaryValidationSanitizer() { barrierNode(this, "trust-boundary-violation") }
+private class ExternalTrustBoundaryValidationSanitizer extends TrustBoundaryValidationSanitizer {
+  ExternalTrustBoundaryValidationSanitizer() { barrierNode(this, "trust-boundary-violation") }
 }

 /**
--- a/java/ql/lib/semmle/code/java/security/XSS.qll
+++ b/java/ql/lib/semmle/code/java/security/XSS.qll
@@ -54,8 +54,8 @@ private class DefaultXssSink extends XssSink {
  }
 }

-private class DefaultXssSanitizer extends XssSanitizer {
-  DefaultXssSanitizer() { barrierNode(this, ["html-injection", "js-injection"]) }
+private class ExternalXssSanitizer extends XssSanitizer {
+  ExternalXssSanitizer() { barrierNode(this, ["html-injection", "js-injection"]) }
 }

 /** A sanitizer that considers numeric and boolean typed data safe for writing to output. */
--- a/java/ql/lib/semmle/code/java/security/regexp/RegexInjection.qll
+++ b/java/ql/lib/semmle/code/java/security/regexp/RegexInjection.qll
@@ -21,8 +21,8 @@ private class DefaultRegexInjectionSink extends RegexInjectionSink {
  }
 }

-private class DefaultRegexInjectionSanitizer extends RegexInjectionSanitizer {
-  DefaultRegexInjectionSanitizer() { barrierNode(this, "regex-use") }
+private class ExternalRegexInjectionSanitizer extends RegexInjectionSanitizer {
+  ExternalRegexInjectionSanitizer() { barrierNode(this, "regex-use") }
 }

 /**