Java: update query metadata and alert message

2026-04-26 17:25:19 +02:00 · 2023-12-01 08:29:17 -05:00
parent 5a9d7552b3
commit 6e7c05467b
1 changed files with 10 additions and 7 deletions
--- a/java/ql/src/Security/CWE/CWE-552/UnsafeUrlForward.ql
+++ b/java/ql/src/Security/CWE/CWE-552/UnsafeUrlForward.ql
@@ -1,13 +1,16 @@
 /**
- * @name Unsafe URL forward or include from a remote source
- * @description URL forward or include based on unvalidated user-input
- *              may cause file information disclosure.
+ * @name URL forward from a remote source
+ * @description URL forward based on unvalidated user-input
+ *              may cause file information disclosure or
+ *              redirection to malicious web sites.
 * @kind path-problem
 * @problem.severity error
+ * @security-severity 6.1
 * @precision high
- * @id java/unsafe-url-forward-include
+ * @id java/unvalidated-url-forward
 * @tags security
- *       external/cwe-552
+ *       external/cwe/cwe-552
+ *       external/cwe/cwe-601
 */

 import java
@@ -16,5 +19,5 @@ import UnsafeUrlForwardFlow::PathGraph

 from UnsafeUrlForwardFlow::PathNode source, UnsafeUrlForwardFlow::PathNode sink
 where UnsafeUrlForwardFlow::flowPath(source, sink)
-select sink.getNode(), source, sink, "Potentially untrusted URL forward due to $@.",
-  source.getNode(), "user-provided value"
+select sink.getNode(), source, sink, "Untrusted URL forward depends on a $@.", source.getNode(),
+  "user-provided value"