Merge branch 'main' into java/update-mad-decls-after-triage-2024-01-24T10-05-04

2026-04-28 02:05:14 +02:00 · 2024-01-24 14:55:20 +01:00
parent d5bcbcddab 67242278ee
commit 4e63cbc993
290 changed files with 2653 additions and 3284 deletions
--- a/java/ql/lib/ext/java.awt.model.yml
+++ b/java/ql/lib/ext/java.awt.model.yml
@@ -6,7 +6,6 @@ extensions:
      - ["java.awt", "Container", True, "add", "(Component)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
      - ["java.awt", "Container", True, "add", "(Component)", "", "Argument[0]", "ReturnValue", "value", "manual"]
      - ["java.awt", "Container", True, "add", "(Component,Object)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
-
  - addsTo:
      pack: codeql/java-all
      extensible: neutralModel
@@ -14,3 +13,8 @@ extensions:
      # The below APIs have numeric flow and are currently being stored as neutral models.
      # These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
      - ["java.awt", "Insets", "Insets", "(int,int,int,int)", "summary", "manual"] # value-numeric
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["java.awt", "Desktop", True, "browse", "(URI)", "", "Argument[0]", "url-redirection", "ai-manual"]
--- a/java/ql/lib/ext/javax.servlet.http.model.yml
+++ b/java/ql/lib/ext/javax.servlet.http.model.yml
@@ -26,6 +26,7 @@ extensions:
      - ["javax.servlet.http", "HttpServletResponse", False, "addHeader", "", "", "Argument[0..1]", "response-splitting", "manual"]
      - ["javax.servlet.http", "HttpServletResponse", False, "sendError", "(int,String)", "", "Argument[1]", "information-leak", "manual"]
      - ["javax.servlet.http", "HttpServletResponse", False, "setHeader", "", "", "Argument[0..1]", "response-splitting", "manual"]
+      # - ["javax.servlet.http", "HttpServletResponse", True, "sendRedirect", "(String)", "", "Argument[0]", "url-redirection", "ai-manual"] # QL model exists in java/ql/lib/semmle/code/java/security/UrlRedirect.qll
      - ["javax.servlet.http", "HttpSession", True, "putValue", "", "", "Argument[0..1]", "trust-boundary-violation", "manual"]
      - ["javax.servlet.http", "HttpSession", True, "setAttribute", "", "", "Argument[0..1]", "trust-boundary-violation", "manual"]
  - addsTo: