Move ESAPI models into the Weak Randomness query

These models don't need to apply to all queries. So instead they are
better suited to be within the weak randomness query itself.

java/ql/lib/ext/org.owasp.esapi.model.yml

@@ -3,5 +3,4 @@ extensions:
       pack: codeql/java-all
       extensible: summaryModel
     data:
-      - ["org.owasp.esapi", "Encoder", true, "encodeForHTML", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["org.owasp.esapi", "Encoder", true, "encodeForBase64", "(byte[],boolean)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["org.owasp.esapi", "Encoder", true, "encodeForHTML", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]

java/ql/lib/semmle/code/java/security/WeakRandomnessQuery.qll

@@ -79,6 +79,14 @@ module WeakRandomnessConfig implements DataFlow::ConfigSig {
     n1.asExpr() = n2.asExpr().(BinaryExpr).getAnOperand()
     or
     n1.asExpr() = n2.asExpr().(UnaryExpr).getExpr()
+    or
+    exists(MethodCall mc, string methodName |
+      mc.getMethod().hasQualifiedName("org.owasp.esapi", "Encoder", methodName) and
+      methodName.matches("encode%")
+    |
+      n1.asExpr() = mc.getArgument(0) and
+      n2.asExpr() = mc
+    )
   }
 }
 

java/ql/test/query-tests/security/CWE-330/WeakRandomCookies.java

@@ -8,6 +8,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.Cookie;
 import org.apache.commons.lang3.RandomStringUtils;
+import org.owasp.esapi.Encoder;
 
 public class WeakRandomCookies extends HttpServlet {
     HttpServletResponse response;
@@ -20,9 +21,11 @@ public class WeakRandomCookies extends HttpServlet {
         Cookie cookie = new Cookie("name", Integer.toString(c));
         response.addCookie(cookie); // $hasWeakRandomFlow
 
+        Encoder enc = null;
         int c2 = r.nextInt();
+        String value = enc.encodeForHTML(Integer.toString(c2));
         // BAD: The cookie value may be predictable.
-        Cookie cookie2 = new Cookie("name" + c2, "value");
+        Cookie cookie2 = new Cookie("name", value);
         response.addCookie(cookie2); // $hasWeakRandomFlow
 
         byte[] bytes = new byte[16];

java/ql/test/query-tests/security/CWE-330/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/apache-commons-lang3-3.7
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/apache-commons-lang3-3.7:${testdir}/../../../stubs/esapi-2.0.1

java/ql/test/stubs/esapi-2.0.1/org/owasp/esapi/Encoder.java

@@ -2,4 +2,6 @@ package org.owasp.esapi;
 
 public interface Encoder {
   String encodeForLDAP(String input);
+
+  String encodeForHTML(String untrustedData);
 }

java/ql/test/stubs/esapi-2.0.1/org/owasp/esapi/reference/DefaultEncoder.java

@@ -5,4 +5,5 @@ import org.owasp.esapi.Encoder;
 public class DefaultEncoder implements Encoder {
   public static Encoder getInstance() { return null; }
   public String encodeForLDAP(String input) { return null; }
+  public String encodeForHTML(String untrustedData) { return null; }
 }