Merge branch 'main' into atorralba/promote-ognl-injection

2025-12-22 03:36:30 +01:00 · 2021-07-20 17:17:17 +02:00
parent 47fffb04a6 5a489a386a
commit b6904a7992
2457 changed files with 219307 additions and 31173 deletions
--- a/java/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
+++ b/java/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
@@ -5,7 +5,7 @@
 * @kind path-problem
 * @precision low
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
 * @tags security external/cwe/cwe-20
 */

--- a/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql
+++ b/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql
@@ -3,7 +3,7 @@
 * @description Accessing paths influenced by users can allow an attacker to access unexpected resources.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 7.5
 * @precision high
 * @id java/path-injection
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-022/TaintedPathLocal.ql
@@ -3,7 +3,7 @@
 * @description Accessing paths influenced by users can allow an attacker to access unexpected resources.
 * @kind path-problem
 * @problem.severity recommendation
- * @security-severity 6.4
+ * @security-severity 7.5
 * @precision medium
 * @id java/path-injection-local
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql
+++ b/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql
@@ -6,7 +6,7 @@
 * @kind path-problem
 * @id java/zipslip
 * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 7.5
 * @precision high
 * @tags security
 *       external/cwe/cwe-022
--- a/java/ql/src/Security/CWE/CWE-078/ExecCommon.qll
+++ b/java/ql/src/Security/CWE/CWE-078/ExecCommon.qll
@@ -1,32 +0,0 @@
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.ExternalProcess
-import semmle.code.java.security.CommandArguments
-
-private class RemoteUserInputToArgumentToExecFlowConfig extends TaintTracking::Configuration {
-  RemoteUserInputToArgumentToExecFlowConfig() {
-    this = "ExecCommon::RemoteUserInputToArgumentToExecFlowConfig"
-  }
-
-  override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof ArgumentToExec }
-
-  override predicate isSanitizer(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType
-    or
-    node.getType() instanceof BoxedType
-    or
-    isSafeCommandArgument(node.asExpr())
-  }
-}
-
-/**
- * Implementation of `ExecTainted.ql`. It is extracted to a QLL
- * so that it can be excluded from `ExecUnescaped.ql` to avoid
- * reporting overlapping results.
- */
-predicate execTainted(DataFlow::PathNode source, DataFlow::PathNode sink, ArgumentToExec execArg) {
-  exists(RemoteUserInputToArgumentToExecFlowConfig conf |
-    conf.hasFlowPath(source, sink) and sink.getNode() = DataFlow::exprNode(execArg)
-  )
-}
--- a/java/ql/src/Security/CWE/CWE-078/ExecRelative.ql
+++ b/java/ql/src/Security/CWE/CWE-078/ExecRelative.ql
@@ -4,7 +4,7 @@
 *              malicious changes in the PATH environment variable.
 * @kind problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 9.8
 * @precision medium
 * @id java/relative-path-command
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+++ b/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql
@@ -4,7 +4,7 @@
 *              changes in the strings.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
 * @precision high
 * @id java/command-line-injection
 * @tags security
@@ -15,7 +15,7 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.ExternalProcess
-import ExecCommon
+import semmle.code.java.security.CommandLineQuery
 import DataFlow::PathGraph

 from DataFlow::PathNode source, DataFlow::PathNode sink, ArgumentToExec execArg
--- a/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-078/ExecTaintedLocal.ql
@@ -4,7 +4,7 @@
 *              changes in the strings.
 * @kind path-problem
 * @problem.severity recommendation
- * @security-severity 5.9
+ * @security-severity 9.8
 * @precision medium
 * @id java/command-line-injection-local
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
+++ b/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
@@ -4,7 +4,7 @@
 *              insertion of special characters in the strings.
 * @kind problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
 * @precision high
 * @id java/concatenated-command-line
 * @tags security
@@ -14,7 +14,7 @@

 import java
 import semmle.code.java.security.ExternalProcess
-import ExecCommon
+import semmle.code.java.security.CommandLineQuery

 /**
 * Strings that are known to be sane by some simple local analysis. Such strings
--- a/java/ql/src/Security/CWE/CWE-079/XSS.ql
+++ b/java/ql/src/Security/CWE/CWE-079/XSS.ql
@@ -4,7 +4,7 @@
 *              allows for a cross-site scripting vulnerability.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 6.1
 * @precision high
 * @id java/xss
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-079/XSSLocal.ql
@@ -4,7 +4,7 @@
 *              allows for a cross-site scripting vulnerability.
 * @kind path-problem
 * @problem.severity recommendation
- * @security-severity 2.9
+ * @security-severity 6.1
 * @precision medium
 * @id java/xss-local
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql
+++ b/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql
@@ -4,7 +4,7 @@
 *              malicious code by the user.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 8.8
 * @precision high
 * @id java/sql-injection
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql
@@ -4,7 +4,7 @@
 *              malicious code by the user.
 * @kind path-problem
 * @problem.severity recommendation
- * @security-severity 6.4
+ * @security-severity 8.8
 * @precision medium
 * @id java/sql-injection-local
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql
+++ b/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql
@@ -4,7 +4,7 @@
 *              characters is vulnerable to insertion of malicious code.
 * @kind problem
 * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 8.8
 * @precision high
 * @id java/concatenated-sql-query
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-090/LdapInjection.ql
+++ b/java/ql/src/Security/CWE/CWE-090/LdapInjection.ql
@@ -4,7 +4,7 @@
 *              malicious LDAP code by the user.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
 * @precision high
 * @id java/ldap-injection
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
+++ b/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
@@ -3,7 +3,7 @@
 * @description User-controlled data may be evaluated as a Java EL expression, leading to arbitrary code execution.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 10.0
+ * @security-severity 9.3
 * @precision high
 * @id java/insecure-bean-validation
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql
+++ b/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql
@@ -4,7 +4,7 @@
 *              may lead to arbitrary code execution.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 10.0
+ * @security-severity 9.3
 * @precision high
 * @id java/jexl-expression-injection
 * @tags security
@@ -12,27 +12,9 @@
 */

 import java
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.JexlInjection
+import semmle.code.java.security.JexlInjectionQuery
 import DataFlow::PathGraph

-/**
- * A taint-tracking configuration for unsafe user input
- * that is used to construct and evaluate a JEXL expression.
- * It supports both JEXL 2 and 3.
- */
-class JexlInjectionConfig extends TaintTracking::Configuration {
-  JexlInjectionConfig() { this = "JexlInjectionConfig" }
-
-  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof JexlEvaluationSink }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-    any(JexlInjectionAdditionalTaintStep c).step(node1, node2)
-  }
-}
-
 from DataFlow::PathNode source, DataFlow::PathNode sink, JexlInjectionConfig conf
 where conf.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "JEXL injection from $@.", source.getNode(), "this user input"
--- a/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql
+++ b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql
@@ -5,7 +5,7 @@
 *              an HTTP header.
 * @kind problem
 * @problem.severity error
- * @security-severity 3.6
+ * @security-severity 6.1
 * @precision high
 * @id java/netty-http-response-splitting
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
+++ b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
@@ -4,7 +4,7 @@
 *              makes code vulnerable to attack by header splitting.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 3.6
+ * @security-severity 6.1
 * @precision high
 * @id java/http-response-splitting
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql
@@ -4,7 +4,7 @@
 *              makes code vulnerable to attack by header splitting.
 * @kind path-problem
 * @problem.severity recommendation
- * @security-severity 3.6
+ * @security-severity 6.1
 * @precision medium
 * @id java/http-response-splitting-local
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-129/ArraySizing.qll
+++ b/java/ql/src/Security/CWE/CWE-129/ArraySizing.qll
@@ -1,7 +1,7 @@
 import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.DefUse
-import semmle.code.java.security.Random
+import semmle.code.java.security.RandomDataSource
 private import BoundingChecks

 /**
--- a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql
+++ b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql
@@ -3,7 +3,7 @@
 * @description Using unvalidated external input as the argument to a construction of an array can lead to index out of bound exceptions.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
 * @precision medium
 * @id java/improper-validation-of-array-construction
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql
+++ b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql
@@ -4,7 +4,7 @@
 *              a construction of an array can lead to index out of bound exceptions.
 * @kind path-problem
 * @problem.severity recommendation
- * @security-severity 5.9
+ * @security-severity 8.8
 * @precision medium
 * @id java/improper-validation-of-array-construction-code-specified
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionLocal.ql
@@ -4,7 +4,7 @@
 *              a construction of an array can lead to index out of bound exceptions.
 * @kind path-problem
 * @problem.severity recommendation
- * @security-severity 5.9
+ * @security-severity 8.8
 * @precision medium
 * @id java/improper-validation-of-array-construction-local
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql
+++ b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql
@@ -3,7 +3,7 @@
 * @description Using external input as an index to an array, without proper validation, can lead to index out of bound exceptions.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
 * @precision medium
 * @id java/improper-validation-of-array-index
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql
+++ b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql
@@ -4,7 +4,7 @@
 *              proper validation, can lead to index out of bound exceptions.
 * @kind path-problem
 * @problem.severity recommendation
- * @security-severity 5.9
+ * @security-severity 8.8
 * @precision medium
 * @id java/improper-validation-of-array-index-code-specified
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexLocal.ql
@@ -4,7 +4,7 @@
 *              proper validation, can lead to index out of bound exceptions.
 * @kind path-problem
 * @problem.severity recommendation
- * @security-severity 5.9
+ * @security-severity 8.8
 * @precision medium
 * @id java/improper-validation-of-array-index-local
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql
+++ b/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql
@@ -3,7 +3,7 @@
 * @description Using external input in format strings can lead to exceptions or information leaks.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 6.9
+ * @security-severity 9.3
 * @precision high
 * @id java/tainted-format-string
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatStringLocal.ql
@@ -3,7 +3,7 @@
 * @description Using external input in format strings can lead to exceptions or information leaks.
 * @kind path-problem
 * @problem.severity recommendation
- * @security-severity 6.9
+ * @security-severity 9.3
 * @precision medium
 * @id java/tainted-format-string-local
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
+++ b/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
@@ -4,7 +4,7 @@
 *              overflows.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.6
 * @precision medium
 * @id java/tainted-arithmetic
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-190/ArithmeticTaintedLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-190/ArithmeticTaintedLocal.ql
@@ -4,7 +4,7 @@
 *              overflows.
 * @kind path-problem
 * @problem.severity recommendation
- * @security-severity 5.9
+ * @security-severity 8.6
 * @precision medium
 * @id java/tainted-arithmetic-local
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+++ b/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
@@ -4,7 +4,7 @@
 *              overflows.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.6
 * @precision medium
 * @id java/uncontrolled-arithmetic
 * @tags security
@@ -14,7 +14,7 @@

 import java
 import semmle.code.java.dataflow.TaintTracking
-import semmle.code.java.security.Random
+import semmle.code.java.security.RandomQuery
 import semmle.code.java.security.SecurityTests
 import ArithmeticCommon
 import DataFlow::PathGraph
--- a/java/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
+++ b/java/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
@@ -4,7 +4,7 @@
 *              is then used in an arithmetic expression, this may result in an overflow.
 * @kind path-problem
 * @problem.severity recommendation
- * @security-severity 5.9
+ * @security-severity 8.6
 * @precision medium
 * @id java/extreme-value-arithmetic
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
+++ b/java/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
@@ -4,7 +4,7 @@
 *              to behave unexpectedly.
 * @kind problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.1
 * @precision medium
 * @id java/comparison-with-wider-type
 * @tags reliability
--- a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
+++ b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
@@ -5,7 +5,7 @@
 *              that are useful to an attacker for developing a subsequent exploit.
 * @kind problem
 * @problem.severity error
- * @security-severity 3.6
+ * @security-severity 5.4
 * @precision high
 * @id java/stack-trace-exposure
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
+++ b/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
@@ -3,7 +3,7 @@
 * @description Marking a certificate as valid for a host without checking the certificate hostname allows an attacker to perform a machine-in-the-middle attack.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 4.9
+ * @security-severity 5.9
 * @precision high
 * @id java/unsafe-hostname-verification
 * @tags security
@@ -15,6 +15,7 @@ import semmle.code.java.controlflow.Guards
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.Encryption
+import semmle.code.java.security.SecurityFlag
 import DataFlow::PathGraph
 private import semmle.code.java.dataflow.ExternalFlow

@@ -86,71 +87,30 @@ private class HostnameVerifierSink extends DataFlow::Node {
  HostnameVerifierSink() { sinkNode(this, "set-hostname-verifier") }
 }

-bindingset[result]
-private string getAFlagName() {
-  result
-      .regexpMatch("(?i).*(secure|disable|selfCert|selfSign|validat|verif|trust|ignore|nocertificatecheck).*")
-}
-
 /**
- * A flag has to either be of type `String`, `boolean` or `Boolean`.
+ * Flags suggesting a deliberately unsafe `HostnameVerifier` usage.
 */
-private class FlagType extends Type {
-  FlagType() {
-    this instanceof TypeString
-    or
-    this instanceof BooleanType
+private class UnsafeHostnameVerificationFlag extends FlagKind {
+  UnsafeHostnameVerificationFlag() { this = "UnsafeHostnameVerificationFlag" }
+
+  bindingset[result]
+  override string getAFlagName() {
+    result
+        .regexpMatch("(?i).*(secure|disable|selfCert|selfSign|validat|verif|trust|ignore|nocertificatecheck).*") and
+    result != "equalsIgnoreCase"
  }
 }

-private predicate isEqualsIgnoreCaseMethodAccess(MethodAccess ma) {
-  ma.getMethod().hasName("equalsIgnoreCase") and
-  ma.getMethod().getDeclaringType() instanceof TypeString
+/** Gets a guard that represents a (likely) flag controlling an unsafe `HostnameVerifier` use. */
+private Guard getAnUnsafeHostnameVerifierFlagGuard() {
+  result = any(UnsafeHostnameVerificationFlag flag).getAFlag().asExpr()
 }

-/** Holds if `source` should is considered a flag. */
-private predicate isFlag(DataFlow::Node source) {
-  exists(VarAccess v | v.getVariable().getName() = getAFlagName() |
-    source.asExpr() = v and v.getType() instanceof FlagType
-  )
-  or
-  exists(StringLiteral s | s.getRepresentedString() = getAFlagName() | source.asExpr() = s)
-  or
-  exists(MethodAccess ma | ma.getMethod().getName() = getAFlagName() |
-    source.asExpr() = ma and
-    ma.getType() instanceof FlagType and
-    not isEqualsIgnoreCaseMethodAccess(ma)
-  )
-}
-
-/** Holds if there is flow from `node1` to `node2` either due to local flow or due to custom flow steps. */
-private predicate flagFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-  DataFlow::localFlowStep(node1, node2)
-  or
-  exists(MethodAccess ma | ma.getMethod() = any(EnvReadMethod m) |
-    ma = node2.asExpr() and ma.getAnArgument() = node1.asExpr()
-  )
-  or
-  exists(MethodAccess ma |
-    ma.getMethod().hasName("parseBoolean") and
-    ma.getMethod().getDeclaringType().hasQualifiedName("java.lang", "Boolean")
-  |
-    ma = node2.asExpr() and ma.getAnArgument() = node1.asExpr()
-  )
-}
-
-/** Gets a guard that depends on a flag. */
-private Guard getAGuard() {
-  exists(DataFlow::Node source, DataFlow::Node sink |
-    isFlag(source) and
-    flagFlowStep*(source, sink) and
-    sink.asExpr() = result
-  )
-}
-
-/** Holds if `node` is guarded by a flag that suggests an intentionally insecure feature. */
+/** Holds if `node` is guarded by a flag that suggests an intentionally insecure use. */
 private predicate isNodeGuardedByFlag(DataFlow::Node node) {
-  exists(Guard g | g.controls(node.asExpr().getBasicBlock(), _) | g = getAGuard())
+  exists(Guard g | g.controls(node.asExpr().getBasicBlock(), _) |
+    g = getASecurityFeatureFlagGuard() or g = getAnUnsafeHostnameVerifierFlagGuard()
+  )
 }

 from
--- a/java/ql/src/Security/CWE/CWE-312/CleartextStorageClass.ql
+++ b/java/ql/src/Security/CWE/CWE-312/CleartextStorageClass.ql
@@ -3,7 +3,7 @@
 * @description Storing sensitive information in cleartext can expose it to an attacker.
 * @kind problem
 * @problem.severity recommendation
- * @security-severity 5.9
+ * @security-severity 7.5
 * @precision medium
 * @id java/cleartext-storage-in-class
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql
+++ b/java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql
@@ -3,7 +3,7 @@
 * @description Storing sensitive information in cleartext can expose it to an attacker.
 * @kind problem
 * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 5.0
 * @precision high
 * @id java/cleartext-storage-in-cookie
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-312/CleartextStorageProperties.ql
+++ b/java/ql/src/Security/CWE/CWE-312/CleartextStorageProperties.ql
@@ -3,7 +3,7 @@
 * @description Storing sensitive information in cleartext can expose it to an attacker.
 * @kind problem
 * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 7.5
 * @precision medium
 * @id java/cleartext-storage-in-properties
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql
+++ b/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql
@@ -3,7 +3,7 @@
 * @description Non-HTTPS connections can be intercepted by third parties.
 * @kind path-problem
 * @problem.severity recommendation
- * @security-severity 5.2
+ * @security-severity 7.5
 * @precision medium
 * @id java/non-https-url
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-319/UseSSL.ql
+++ b/java/ql/src/Security/CWE/CWE-319/UseSSL.ql
@@ -3,7 +3,7 @@
 * @description Non-SSL connections can be intercepted by third parties.
 * @kind problem
 * @problem.severity recommendation
- * @security-severity 5.2
+ * @security-severity 7.5
 * @precision medium
 * @id java/non-ssl-connection
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-319/UseSSLSocketFactories.ql
+++ b/java/ql/src/Security/CWE/CWE-319/UseSSLSocketFactories.ql
@@ -4,7 +4,7 @@
 *              third parties.
 * @kind problem
 * @problem.severity recommendation
- * @security-severity 5.2
+ * @security-severity 7.5
 * @precision medium
 * @id java/non-ssl-socket-factory
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
@@ -3,7 +3,7 @@
 * @description Using broken or weak cryptographic algorithms can allow an attacker to compromise security.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 5.2
+ * @security-severity 7.5
 * @precision high
 * @id java/weak-cryptographic-algorithm
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql
+++ b/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql
@@ -3,7 +3,7 @@
 * @description Using broken or weak cryptographic algorithms can allow an attacker to compromise security.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 5.2
+ * @security-severity 7.5
 * @precision medium
 * @id java/potentially-weak-cryptographic-algorithm
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql
+++ b/java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql
@@ -3,7 +3,7 @@
 * @description Using a predictable seed in a pseudo-random number generator can lead to predictability of the numbers generated by it.
 * @kind problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
 * @precision high
 * @id java/predictable-seed
 * @tags security
@@ -11,7 +11,7 @@
 */

 import java
-import semmle.code.java.security.Random
+import semmle.code.java.security.RandomQuery

 from GetRandomData da, RValue use, PredictableSeedExpr source
 where
--- a/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql
+++ b/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql
@@ -3,7 +3,7 @@
 * @description Using a vulnerable version of JHipster to generate random numbers makes it easier for attackers to take over accounts.
 * @kind problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
 * @precision very-high
 * @id java/jhipster-prng
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql
+++ b/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql
@@ -4,7 +4,7 @@
 *              a Cross-Site Request Forgery (CSRF) attack.
 * @kind problem
 * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 8.8
 * @precision high
 * @id java/spring-disabled-csrf-protection
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-367/TOCTOURace.ql
+++ b/java/ql/src/Security/CWE/CWE-367/TOCTOURace.ql
@@ -4,7 +4,7 @@
 *              if the state may be changed between the check and use.
 * @kind problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.7
 * @precision medium
 * @id java/toctou-race-condition
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-421/SocketAuthRace.ql
+++ b/java/ql/src/Security/CWE/CWE-421/SocketAuthRace.ql
@@ -3,7 +3,7 @@
 * @description Opening a socket after authenticating via a different channel may allow an attacker to connect to the port first.
 * @kind problem
 * @problem.severity warning
- * @security-severity 10.0
+ * @security-severity 7.2
 * @precision medium
 * @id java/socket-auth-race-condition
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp
+++ b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.qhelp
@@ -14,8 +14,8 @@ may have unforeseen effects, such as the execution of arbitrary code.
 </p>
 <p>
 There are many different serialization frameworks.  This query currently
-supports Kryo, XmlDecoder, XStream, SnakeYaml, and Java IO serialization through
-<code>ObjectInputStream</code>/<code>ObjectOutputStream</code>.
+supports Kryo, XmlDecoder, XStream, SnakeYaml, JYaml, JsonIO, YAMLBeans, HessianBurlap, Castor, Burlap 
+and Java IO serialization through <code>ObjectInputStream</code>/<code>ObjectOutputStream</code>.
 </p>
 </overview>

@@ -75,6 +75,22 @@ Alvaro Muñoz &amp; Christian Schneider, RSAConference 2016:
 SnakeYaml documentation on deserialization:
 <a href="https://bitbucket.org/asomov/snakeyaml/wiki/Documentation#markdown-header-loading-yaml">SnakeYaml deserialization</a>.
 </li>
+<li>
+Hessian deserialization and related gadget chains:
+<a href="https://paper.seebug.org/1137/">Hessian deserialization</a>.
+</li>
+<li>
+Castor and Hessian java deserialization vulnerabilities:
+<a href="https://securitylab.github.com/research/hessian-java-deserialization-castor-vulnerabilities/">Castor and Hessian deserialization</a>.
+</li>
+<li>
+Remote code execution in JYaml library:
+<a href="https://www.cybersecurity-help.cz/vdb/SB2020022512">JYaml deserialization</a>.
+</li>
+<li>
+JsonIO deserialization vulnerabilities:
+<a href="https://klezvirus.github.io/Advanced-Web-Hacking/Serialisation/">JsonIO deserialization</a>.
+</li>
 </references>

 </qhelp>
--- a/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
+++ b/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
@@ -4,7 +4,7 @@
 *              execute arbitrary code.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
 * @precision high
 * @id java/unsafe-deserialization
 * @tags security
@@ -22,6 +22,39 @@ class UnsafeDeserializationConfig extends TaintTracking::Configuration {
  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeDeserializationSink }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(ClassInstanceExpr cie |
+      cie.getArgument(0) = pred.asExpr() and
+      cie = succ.asExpr() and
+      (
+        cie.getConstructor().getDeclaringType() instanceof JsonIoJsonReader or
+        cie.getConstructor().getDeclaringType() instanceof YamlBeansReader or
+        cie.getConstructor().getDeclaringType().getASupertype*() instanceof UnsafeHessianInput or
+        cie.getConstructor().getDeclaringType() instanceof BurlapInput
+      )
+    )
+    or
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof BurlapInputInitMethod and
+      ma.getArgument(0) = pred.asExpr() and
+      ma.getQualifier() = succ.asExpr()
+    )
+  }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    exists(ClassInstanceExpr cie |
+      cie.getConstructor().getDeclaringType() instanceof JsonIoJsonReader and
+      cie = node.asExpr() and
+      exists(SafeJsonIoConfig sji | sji.hasFlowToExpr(cie.getArgument(1)))
+    )
+    or
+    exists(MethodAccess ma |
+      ma.getMethod() instanceof JsonIoJsonToJavaMethod and
+      ma.getArgument(0) = node.asExpr() and
+      exists(SafeJsonIoConfig sji | sji.hasFlowToExpr(ma.getArgument(1)))
+    )
+  }
 }

 from DataFlow::PathNode source, DataFlow::PathNode sink, UnsafeDeserializationConfig conf
--- a/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql
+++ b/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql
@@ -4,7 +4,7 @@
 *              may cause redirection to malicious web sites.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 2.7
+ * @security-severity 6.1
 * @precision high
 * @id java/unvalidated-url-redirection
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql
@@ -4,7 +4,7 @@
 *              may cause redirection to malicious web sites.
 * @kind path-problem
 * @problem.severity recommendation
- * @security-severity 2.7
+ * @security-severity 6.1
 * @precision medium
 * @id java/unvalidated-url-redirection-local
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-611/XXE.ql
+++ b/java/ql/src/Security/CWE/CWE-611/XXE.ql
@@ -4,7 +4,7 @@
 * references may lead to disclosure of confidential data or denial of service.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.1
 * @precision high
 * @id java/xxe
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql
+++ b/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql
@@ -4,7 +4,7 @@
 *              interception.
 * @kind problem
 * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 5.0
 * @precision high
 * @id java/insecure-cookie
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-643/XPathInjection.ql
+++ b/java/ql/src/Security/CWE/CWE-643/XPathInjection.ql
@@ -4,7 +4,7 @@
 *              malicious code by the user.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
 * @precision high
 * @id java/xml/xpath-injection
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql
+++ b/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql
@@ -4,7 +4,7 @@
 *              can cause unexpected truncation.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.0
 * @precision high
 * @id java/tainted-numeric-cast
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-681/NumericCastTaintedLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-681/NumericCastTaintedLocal.ql
@@ -4,7 +4,7 @@
 *              can cause unexpected truncation.
 * @kind path-problem
 * @problem.severity recommendation
- * @security-severity 5.9
+ * @security-severity 9.0
 * @precision medium
 * @id java/tainted-numeric-cast-local
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql
+++ b/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql
@@ -4,7 +4,7 @@
 *              the file may be modified or removed by external actors.
 * @kind problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
 * @precision high
 * @id java/world-writable-file-read
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql
+++ b/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql
@@ -3,7 +3,7 @@
 * @description Using a hard-coded credential in a call to a sensitive Java API may compromise security.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
 * @precision medium
 * @id java/hardcoded-credential-api-call
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsComparison.ql
+++ b/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsComparison.ql
@@ -3,7 +3,7 @@
 * @description Comparing a parameter to a hard-coded credential may compromise security.
 * @kind problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
 * @precision low
 * @id java/hardcoded-credential-comparison
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql
+++ b/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql
@@ -3,7 +3,7 @@
 * @description Using a hard-coded credential in a sensitive call may compromise security.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
 * @precision low
 * @id java/hardcoded-credential-sensitive-call
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-798/HardcodedPasswordField.ql
+++ b/java/ql/src/Security/CWE/CWE-798/HardcodedPasswordField.ql
@@ -3,7 +3,7 @@
 * @description Hard-coding a password string may compromise security.
 * @kind problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
 * @precision low
 * @id java/hardcoded-password-field
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql
+++ b/java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql
@@ -4,7 +4,7 @@
 *              passing through authentication systems.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
 * @precision medium
 * @id java/user-controlled-bypass
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql
+++ b/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql
@@ -4,7 +4,7 @@
 *              permissions being granted.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
 * @precision high
 * @id java/tainted-permissions-check
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql
+++ b/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql
@@ -3,7 +3,7 @@
 * @description Non-HTTPS connections can be intercepted by third parties.
 * @kind problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 8.1
 * @precision very-high
 * @id java/maven/non-https-url
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-833/LockOrderInconsistency.ql
+++ b/java/ql/src/Security/CWE/CWE-833/LockOrderInconsistency.ql
@@ -3,7 +3,7 @@
 * @description Acquiring multiple locks in a different order may cause deadlock.
 * @kind problem
 * @problem.severity recommendation
- * @security-severity 6.9
+ * @security-severity 5.0
 * @precision medium
 * @id java/lock-order-inconsistency
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-835/InfiniteLoop.ql
+++ b/java/ql/src/Security/CWE/CWE-835/InfiniteLoop.ql
@@ -5,7 +5,7 @@
 *              looping.
 * @kind problem
 * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
 * @precision medium
 * @id java/unreachable-exit-in-loop
 * @tags security
--- a/java/ql/src/Security/CWE/CWE-918/RequestForgery.java
+++ b/java/ql/src/Security/CWE/CWE-918/RequestForgery.java
@@ -0,0 +1,20 @@
+import java.net.http.HttpClient;
+
+public class SSRF extends HttpServlet {
+	private static final String VALID_URI = "http://lgtm.com";
+	private HttpClient client = HttpClient.newHttpClient();
+
+	protected void doGet(HttpServletRequest request, HttpServletResponse response)
+		throws ServletException, IOException {
+		URI uri = new URI(request.getParameter("uri"));
+		// BAD: a request parameter is incorporated without validation into a Http request
+		HttpRequest r = HttpRequest.newBuilder(uri).build();
+		client.send(r, null);
+
+		// GOOD: the request parameter is validated against a known fixed string
+		if (VALID_URI.equals(request.getParameter("uri"))) {
+			HttpRequest r2 = HttpRequest.newBuilder(uri).build();
+			client.send(r2, null);
+		}
+	}
+}
--- a/java/ql/src/Security/CWE/CWE-918/RequestForgery.qhelp
+++ b/java/ql/src/Security/CWE/CWE-918/RequestForgery.qhelp
@@ -0,0 +1,39 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+
+<overview>
+<p>Directly incorporating user input into an HTTP request without validating the input
+can facilitate server-side request forgery (SSRF) attacks. In these attacks, the server
+may be tricked into making a request and interacting with an attacker-controlled server.
+</p>
+
+</overview>
+<recommendation>
+
+<p>To guard against SSRF attacks, you should avoid putting user-provided input
+directly into a request URL. Instead, maintain a list of authorized
+URLs on the server; then choose from that list based on the input provided.
+Alternatively, ensure requests constructed from user input are limited to
+a particular host or more restrictive URL prefix.</p>
+
+</recommendation>
+<example>
+
+<p>The following example shows an HTTP request parameter being used directly to form a
+new request without validating the input, which facilitates SSRF attacks.
+It also shows how to remedy the problem by validating the user input against a known fixed string.
+</p>
+
+<sample src="RequestForgery.java" />
+
+</example>
+<references>
+  <li>
+    <a href="https://owasp.org/www-community/attacks/Server_Side_Request_Forgery">OWASP SSRF</a>
+  </li>
+
+</references>
+</qhelp>
--- a/java/ql/src/Security/CWE/CWE-918/RequestForgery.ql
+++ b/java/ql/src/Security/CWE/CWE-918/RequestForgery.ql
@@ -0,0 +1,20 @@
+/**
+ * @name Server-side request forgery
+ * @description Making web requests based on unvalidated user-input
+ *              may cause the server to communicate with malicious servers.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id java/ssrf
+ * @tags security
+ *       external/cwe/cwe-918
+ */
+
+import java
+import semmle.code.java.security.RequestForgeryConfig
+import DataFlow::PathGraph
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, RequestForgeryConfiguration conf
+where conf.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "Potential server-side request forgery due to $@.",
+  source.getNode(), "a user-provided value"