Add XPath.evaluate as XXE sink

2026-04-25 08:45:14 +02:00 · 2023-05-15 17:39:35 +02:00
parent 9dede31c0d
commit 7d79d87d48
4 changed files with 59 additions and 19 deletions
--- a/java/ql/src/change-notes/2023-05-15-xpath-xxe-sink.md
+++ b/java/ql/src/change-notes/2023-05-15-xpath-xxe-sink.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The queries `java/xxe` and `java/xxe-local` now recognize the second argument of calls to `XPath.evaluate` as a sink.