Move ESAPI models into the Weak Randomness query

These models don't need to apply to all queries. So instead they are better suited to be within the weak randomness query itself.
2026-04-27 17:55:19 +02:00 · 2023-11-07 16:49:13 -05:00
parent 7f3995f524
commit b9d2a26e6e
6 changed files with 17 additions and 4 deletions
--- a/java/ql/lib/ext/org.owasp.esapi.model.yml
+++ b/java/ql/lib/ext/org.owasp.esapi.model.yml
@@ -3,5 +3,4 @@ extensions:
      pack: codeql/java-all
      extensible: summaryModel
    data:
-      - ["org.owasp.esapi", "Encoder", true, "encodeForHTML", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["org.owasp.esapi", "Encoder", true, "encodeForBase64", "(byte[],boolean)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["org.owasp.esapi", "Encoder", true, "encodeForHTML", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
--- a/java/ql/lib/semmle/code/java/security/WeakRandomnessQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/WeakRandomnessQuery.qll
@@ -79,6 +79,14 @@ module WeakRandomnessConfig implements DataFlow::ConfigSig {
    n1.asExpr() = n2.asExpr().(BinaryExpr).getAnOperand()
    or
    n1.asExpr() = n2.asExpr().(UnaryExpr).getExpr()
+    or
+    exists(MethodCall mc, string methodName |
+      mc.getMethod().hasQualifiedName("org.owasp.esapi", "Encoder", methodName) and
+      methodName.matches("encode%")
+    |
+      n1.asExpr() = mc.getArgument(0) and
+      n2.asExpr() = mc
+    )
  }
 }