From a8ee8783561588681862bb40f3a6ea4e3e513941 Mon Sep 17 00:00:00 2001
From: Michael Nebel <michaelnebel@github.com>
Date: Mon, 14 Nov 2022 10:52:55 +0100
Subject: [PATCH] Java: Add bi-directional import of FragmentInjection.

---
 java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
index 8460c662d5c..a6f9e2b17c7 100644
--- a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
@@ -135,6 +135,7 @@ private module Frameworks {
   private import semmle.code.java.security.ResponseSplitting
   private import semmle.code.java.security.InformationLeak
   private import semmle.code.java.security.Files
+  private import semmle.code.java.security.FragmentInjection
   private import semmle.code.java.security.GroovyInjection
   private import semmle.code.java.security.ImplicitPendingIntents
   private import semmle.code.java.security.JexlInjectionSinkModels
@@ -613,7 +614,8 @@ module CsvValidation {
           "open-url", "jndi-injection", "ldap", "sql", "jdbc-url", "logging", "mvel", "xpath",
           "groovy", "xss", "ognl-injection", "intent-start", "pending-intent-sent",
           "url-open-stream", "url-redirect", "create-file", "write-file", "set-hostname-verifier",
-          "header-splitting", "information-leak", "xslt", "jexl", "bean-validation", "ssti"
+          "header-splitting", "information-leak", "xslt", "jexl", "bean-validation", "ssti",
+          "fragment-injection"
         ] and
       not kind.matches("regex-use%") and
       not kind.matches("qltest%") and