Update MaD Declarations after Triage

2026-04-24 16:25:15 +02:00 · 2023-06-06 16:38:31 +02:00
parent dc26dc81a9
commit 75cbcdd72e
11 changed files with 71 additions and 0 deletions
--- a/java/ql/lib/change-notes/2023-06-06-new-models.md
+++ b/java/ql/lib/change-notes/2023-06-06-new-models.md
@@ -0,0 +1,15 @@
+---
+category: minorAnalysis
+---
+* Added models for the following packages:
+
+  * com.alibaba.druid.sql
+  * com.fasterxml.jackson.databind
+  * com.jcraft.jsch
+  * io.netty.handler.ssl
+  * okhttp3
+  * org.antlr.runtime
+  * org.fusesource.leveldbjni
+  * org.influxdb
+  * org.springframework.core.io
+  * org.yaml.snakeyaml
--- a/java/ql/lib/ext/com.alibaba.druid.sql.model.yml
+++ b/java/ql/lib/ext/com.alibaba.druid.sql.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["com.alibaba.druid.sql", "SQLUtils", False, "toMySqlString", "(SQLObject)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
--- a/java/ql/lib/ext/com.fasterxml.jackson.databind.model.yml
+++ b/java/ql/lib/ext/com.fasterxml.jackson.databind.model.yml
@@ -9,3 +9,9 @@ extensions:
      - ["com.fasterxml.jackson.databind", "ObjectMapper", True, "valueToTree", "", "", "Argument[0].MapValue", "ReturnValue", "taint", "manual"]
      - ["com.fasterxml.jackson.databind", "ObjectMapper", True, "valueToTree", "", "", "Argument[0].MapValue.Element", "ReturnValue", "taint", "manual"]
      - ["com.fasterxml.jackson.databind", "ObjectReader", False, "createParser", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.fasterxml.jackson.databind", "ObjectMapper", True, "readValue", "(File,Class)", "", "Argument[0]", "path-injection", "ai-manual"]
+      - ["com.fasterxml.jackson.databind", "ObjectMapper", True, "writeValue", "(File,Object)", "", "Argument[0]", "path-injection", "ai-manual"]
--- a/java/ql/lib/ext/com.jcraft.jsch.model.yml
+++ b/java/ql/lib/ext/com.jcraft.jsch.model.yml
@@ -0,0 +1,11 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["com.jcraft.jsch", "JSch", True, "getSession", "(String,String,int)", "", "Argument[1]", "request-forgery", "ai-manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["com.jcraft.jsch", "ChannelSftp", True, "realpath", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
--- a/java/ql/lib/ext/io.netty.handler.ssl.model.yml
+++ b/java/ql/lib/ext/io.netty.handler.ssl.model.yml
@@ -5,3 +5,5 @@ extensions:
    data:
      - ["io.netty.handler.ssl", "OpenSslServerContext", False, "OpenSslServerContext", "(File,File)", "", "Argument[0]", "path-injection", "ai-manual"]
      - ["io.netty.handler.ssl", "SslContextBuilder", False, "forServer", "(File,File)", "", "Argument[0]", "path-injection", "ai-manual"]
+      - ["io.netty.handler.ssl", "SslContextBuilder", False, "trustManager", "(File)", "", "Argument[0]", "path-injection", "ai-manual"]
+      - ["io.netty.handler.ssl", "SslContextBuilder", False, "trustManager", "(InputStream)", "", "Argument[0]", "path-injection", "ai-manual"]
--- a/java/ql/lib/ext/okhttp3.model.yml
+++ b/java/ql/lib/ext/okhttp3.model.yml
@@ -58,3 +58,4 @@ extensions:
      - ["okhttp3", "HttpUrl$Builder", False, "setQueryParameter", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
      - ["okhttp3", "HttpUrl$Builder", False, "setQueryParameter", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
      - ["okhttp3", "HttpUrl$Builder", False, "username", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["okhttp3", "Request$Builder", True, "build", "()", "", "Argument[undefined]", "ReturnValue", "taint", "ai-manual"]
--- a/java/ql/lib/ext/org.antlr.runtime.model.yml
+++ b/java/ql/lib/ext/org.antlr.runtime.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["org.antlr.runtime", "ANTLRFileStream", True, "ANTLRFileStream", "(String,String)", "", "Argument[0]", "path-injection", "ai-manual"]
--- a/java/ql/lib/ext/org.fusesource.leveldbjni.model.yml
+++ b/java/ql/lib/ext/org.fusesource.leveldbjni.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["org.fusesource.leveldbjni", "JniDBFactory", True, "open", "(File,Options)", "", "Argument[0]", "path-injection", "ai-manual"]
--- a/java/ql/lib/ext/org.influxdb.model.yml
+++ b/java/ql/lib/ext/org.influxdb.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["org.influxdb", "InfluxDBFactory", False, "connect", "(String,String,String,Builder)", "", "Argument[0]", "request-forgery", "ai-manual"]
--- a/java/ql/lib/ext/org.springframework.core.io.model.yml
+++ b/java/ql/lib/ext/org.springframework.core.io.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["org.springframework.core.io", "ResourceLoader", True, "getResource", "(String)", "", "Argument[0]", "path-injection", "ai-manual"] # todo: look into whether this may also be a request forgery sink
--- a/java/ql/lib/ext/org.yaml.snakeyaml.model.yml
+++ b/java/ql/lib/ext/org.yaml.snakeyaml.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["org.yaml.snakeyaml", "Yaml", True, "load", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]