Merge pull request #21472 from owen-mc/adjust-severity/xss-log-injection

Adjust `@security-severity` metadata for XSS and log injection queries
2026-04-26 01:05:15 +02:00 · 2026-03-18 16:51:14 +00:00
parent d4a0846c6c 3aaee9d981
commit 5b17d8cf76
29 changed files with 59 additions and 21 deletions
--- a/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
+++ b/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
@@ -4,7 +4,7 @@
 *              allows for a cross-site scripting vulnerability.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
 * @precision high
 * @id cpp/cgi-xss
 * @tags security
--- a/cpp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
+++ b/cpp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
@@ -0,0 +1,4 @@
+---
+category: queryMetadata
+---
+* The `@security-severity` metadata of `cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).
--- a/Features/CWE-079/XSS.ql
+++ b/Features/CWE-079/XSS.ql
@@ -4,7 +4,7 @@
 *              allows for a cross-site scripting vulnerability.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
 * @precision high
 * @id cs/web/xss
 * @tags security
--- a/Features/CWE-117/LogForging.ql
+++ b/Features/CWE-117/LogForging.ql
@@ -4,7 +4,7 @@
 *              insertion of forged log entries by a malicious user.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 7.8
+ * @security-severity 6.1
 * @precision high
 * @id cs/log-forging
 * @tags security
--- a/csharp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
+++ b/csharp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
@@ -0,0 +1,5 @@
+---
+category: queryMetadata
+---
+* The `@security-severity` metadata of `cs/log-forging` has been reduced from 7.8 (high) to 6.1 (medium).
+* The `@security-severity` metadata of `cs/web/xss` has been increased from 6.1 (medium) to 7.8 (high).
--- a/go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXss.ql
+++ b/go/ql/src/Security/CWE-079/HtmlTemplateEscapingBypassXss.ql
@@ -5,7 +5,7 @@
 *              scripting vulnerability.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
 * @precision high
 * @id go/html-template-escaping-bypass-xss
 * @tags security
--- a/go/ql/src/Security/CWE-079/ReflectedXss.ql
+++ b/go/ql/src/Security/CWE-079/ReflectedXss.ql
@@ -4,7 +4,7 @@
 *              a cross-site scripting vulnerability.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
 * @precision high
 * @id go/reflected-xss
 * @tags security
--- a/go/ql/src/Security/CWE-079/StoredXss.ql
+++ b/go/ql/src/Security/CWE-079/StoredXss.ql
@@ -4,7 +4,7 @@
 *              a stored cross-site scripting vulnerability.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
 * @precision low
 * @id go/stored-xss
 * @tags security
--- a/go/ql/src/Security/CWE-117/LogInjection.ql
+++ b/go/ql/src/Security/CWE-117/LogInjection.ql
@@ -4,7 +4,7 @@
 *              insertion of forged log entries by a malicious user.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 7.8
+ * @security-severity 6.1
 * @precision medium
 * @id go/log-injection
 * @tags security
--- a/go/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
+++ b/go/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
@@ -0,0 +1,5 @@
+---
+category: queryMetadata
+---
+* The `@security-severity` metadata of `go/log-injection` has been reduced from 7.8 (high) to 6.1 (medium).
+* The `@security-severity` metadata of `go/html-template-escaping-bypass-xss`, `go/reflected-xss` and `go/stored-xss` has been increased from 6.1 (medium) to 7.8 (high).
--- a/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql
+++ b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql
@@ -4,7 +4,7 @@
 * @description Exposing a Java object in a WebView with a JavaScript interface can lead to malicious JavaScript controlling the application.
 * @kind problem
 * @problem.severity warning
- * @security-severity 6.1
+ * @security-severity 7.8
 * @precision medium
 * @tags security
 *       external/cwe/cwe-079
--- a/java/ql/src/Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.ql
+++ b/java/ql/src/Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @id java/android/websettings-javascript-enabled
 * @problem.severity warning
- * @security-severity 6.1
+ * @security-severity 7.8
 * @precision medium
 * @tags security
 *       external/cwe/cwe-079
--- a/java/ql/src/Security/CWE/CWE-079/XSS.ql
+++ b/java/ql/src/Security/CWE/CWE-079/XSS.ql
@@ -4,7 +4,7 @@
 *              allows for a cross-site scripting vulnerability.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
 * @precision high
 * @id java/xss
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-117/LogInjection.ql
+++ b/java/ql/src/Security/CWE/CWE-117/LogInjection.ql
@@ -4,7 +4,7 @@
 *              insertion of forged log entries by malicious users.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 7.8
+ * @security-severity 6.1
 * @precision medium
 * @id java/log-injection
 * @tags security
--- a/java/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
+++ b/java/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
@@ -0,0 +1,5 @@
+---
+category: queryMetadata
+---
+* The `@security-severity` metadata of `java/log-injection` has been reduced from 7.8 (high) to 6.1 (medium).
+* The `@security-severity` metadata of `java/android/webview-addjavascriptinterface`, `java/android/websettings-javascript-enabled` and `java/xss` has been increased from 6.1 (medium) to 7.8 (high).
--- a/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql
+++ b/python/ql/src/Security/CWE-079/Jinja2WithoutEscaping.ql
@@ -4,7 +4,7 @@
 *              cause a cross-site scripting vulnerability.
 * @kind problem
 * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
 * @precision medium
 * @id py/jinja2/autoescape-false
 * @tags security
--- a/python/ql/src/Security/CWE-079/ReflectedXss.ql
+++ b/python/ql/src/Security/CWE-079/ReflectedXss.ql
@@ -4,7 +4,7 @@
 *              allows for a cross-site scripting vulnerability.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
 * @sub-severity high
 * @precision high
 * @id py/reflective-xss
--- a/python/ql/src/Security/CWE-117/LogInjection.ql
+++ b/python/ql/src/Security/CWE-117/LogInjection.ql
@@ -4,7 +4,7 @@
 *              insertion of forged log entries by a malicious user.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 7.8
+ * @security-severity 6.1
 * @precision medium
 * @id py/log-injection
 * @tags security
--- a/python/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
+++ b/python/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
@@ -0,0 +1,5 @@
+---
+category: queryMetadata
+---
+* The `@security-severity` metadata of `py/log-injection` has been reduced from 7.8 (high) to 6.1 (medium).
+* The `@security-severity` metadata of `py/jinja2/autoescape-false` and `py/reflective-xss` has been increased from 6.1 (medium) to 7.8 (high).
--- a/ruby/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
+++ b/ruby/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
@@ -0,0 +1,5 @@
+---
+category: queryMetadata
+---
+* The `@security-severity` metadata of `rb/log-injection` has been reduced from 7.8 (high) to 6.1 (medium).
+* The `@security-severity` metadata of `rb/reflected-xss`, `rb/stored-xss` and `rb/html-constructed-from-input` has been increased from 6.1 (medium) to 7.8 (high).
--- a/ruby/ql/src/queries/security/cwe-079/ReflectedXSS.ql
+++ b/ruby/ql/src/queries/security/cwe-079/ReflectedXSS.ql
@@ -4,7 +4,7 @@
 *              allows for a cross-site scripting vulnerability.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
 * @sub-severity high
 * @precision high
 * @id rb/reflected-xss
--- a/ruby/ql/src/queries/security/cwe-079/StoredXSS.ql
+++ b/ruby/ql/src/queries/security/cwe-079/StoredXSS.ql
@@ -4,7 +4,7 @@
 *              a stored cross-site scripting vulnerability.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
 * @precision high
 * @id rb/stored-xss
 * @tags security
--- a/ruby/ql/src/queries/security/cwe-079/UnsafeHtmlConstruction.ql
+++ b/ruby/ql/src/queries/security/cwe-079/UnsafeHtmlConstruction.ql
@@ -4,7 +4,7 @@
 *              user to perform a cross-site scripting attack.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
 * @precision high
 * @id rb/html-constructed-from-input
 * @tags security
--- a/ruby/ql/src/queries/security/cwe-117/LogInjection.ql
+++ b/ruby/ql/src/queries/security/cwe-117/LogInjection.ql
@@ -4,7 +4,7 @@
 *              insertion of forged log entries by a malicious user.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 7.8
+ * @security-severity 6.1
 * @precision medium
 * @id rb/log-injection
 * @tags security
--- a/rust/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
+++ b/rust/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
@@ -0,0 +1,5 @@
+---
+category: queryMetadata
+---
+* The `@security-severity` metadata of `rust/log-injection` has been increased from 2.6 (low) to 6.1 (medium).
+* The `@security-severity` metadata of `rust/xss` has been increased from 6.1 (medium) to 7.8 (high).
--- a/rust/ql/src/queries/security/CWE-079/XSS.ql
+++ b/rust/ql/src/queries/security/CWE-079/XSS.ql
@@ -4,7 +4,7 @@
 *              allows for a cross-site scripting vulnerability.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
 * @precision high
 * @id rust/xss
 * @tags security
--- a/rust/ql/src/queries/security/CWE-117/LogInjection.ql
+++ b/rust/ql/src/queries/security/CWE-117/LogInjection.ql
@@ -4,7 +4,7 @@
 *              insertion of forged log entries by a malicious user.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 2.6
+ * @security-severity 6.1
 * @precision medium
 * @id rust/log-injection
 * @tags security
--- a/swift/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
+++ b/swift/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
@@ -0,0 +1,4 @@
+---
+category: queryMetadata
+---
+* The `@security-severity` metadata of `swift/unsafe-webview-fetch` has been increased from 6.1 (medium) to 7.8 (high).
--- a/swift/ql/src/queries/Security/CWE-079/UnsafeWebViewFetch.ql
+++ b/swift/ql/src/queries/Security/CWE-079/UnsafeWebViewFetch.ql
@@ -3,7 +3,7 @@
 * @description Fetching data in a WebView without restricting the base URL may allow an attacker to access sensitive local data, or enable cross-site scripting attack.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 6.1
+ * @security-severity 7.8
 * @precision high
 * @id swift/unsafe-webview-fetch
 * @tags security