From 936f0c650c4efe35ba78005cdfc0308333c13129 Mon Sep 17 00:00:00 2001
From: MarkLee131
Date: Thu, 30 Apr 2026 19:06:04 +0800
Subject: [PATCH] Address review comments on path-injection[read] sub-kind

- shared/mad/codeql/mad/ModelValidation.qll: shorten the comment for `path-injection[%]` to `// Java-only currently`, matching the style of other language-scoped entries and dropping API examples and the java/zipslip reference.
- java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll: replace the `File.exists` example in the QLDoc with `FileReader`, since `File.exists` is still labelled plain `path-injection`, not `path-injection[read]`.
---
 java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll | 4 ++--
 shared/mad/codeql/mad/ModelValidation.qll | 5 +----
 2 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll b/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll
index 84a94d87dce..b7bcbcceeb9 100644
--- a/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ZipSlipQuery.qll
@@ -55,8 +55,8 @@ module ZipSlipFlow = TaintTracking::Global;
 *
 * This deliberately selects only the `path-injection` sink kind and excludes
 * `path-injection[read]`: Zip Slip is an archive-extraction vulnerability, so
- * read-only path sinks (e.g. `ClassLoader.getResource`, `FileInputStream`,
- * `File.exists`) are outside the threat model.
+ * read-only path sinks (for example `ClassLoader.getResource`,
+ * `FileInputStream`, and `FileReader`) are outside the threat model.
 */
 private class FileCreationSink extends DataFlow::Node {
 FileCreationSink() { sinkNode(this, "path-injection") }
diff --git a/shared/mad/codeql/mad/ModelValidation.qll b/shared/mad/codeql/mad/ModelValidation.qll
index b5f3e078a52..3f11d3ce089 100644
--- a/shared/mad/codeql/mad/ModelValidation.qll
+++ b/shared/mad/codeql/mad/ModelValidation.qll
@@ -54,10 +54,7 @@ module KindValidation {
 this.matches([
 // shared
 "credentials-%", "encryption-%", "qltest%", "test-%", "regex-use%",
- // shared: path-injection[read] identifies sinks that only read from a path
- // (e.g. ClassLoader.getResource, FileInputStream, File.exists). Queries such
- // as java/zipslip that only care about write/extraction deliberately exclude
- // this sub-kind.
+ // Java-only currently
 "path-injection[%]",
 // Swift-only currently, but may be shared in the future
 "%string-%length", "weak-hash-input-%",
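Review bot: The new comment `// Java-only currently` above `"path-injection[%]"` removes the only text in this list that said what the bracketed sub-kind denotes, and the pattern it annotates (unchanged context here) uses `%`, so validation accepts any bracketed suffix rather than just `[read]`. If `[read]` is the only sub-kind that exists, `"path-injection[read]",` would let this check catch a misspelt suffix in a new model row; if the wildcard is deliberate because further sub-kinds are expected, a short note such as `// Java-only currently; [read] marks sinks that only read from the path` keeps the meaning visible without restoring the dropped API examples. The `this.matches([ ... ])` list this entry belongs to closes outside the hunk, so I cannot tell from here whether other sub-kinds are validated elsewhere.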