hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-21 06:55:31 +02:00
Code Issues Packages Projects Releases Wiki Activity

Update MaD Declarations after Triage

Browse Source
This commit is contained in:
Stephan Brandauer
2024-01-24 11:05:07 +01:00
parent 7e7175f49d
commit d5bcbcddab
3 changed files with 16 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
java/ql/lib/change-notes/2024-01-24-new-models.md Normal file
View File

@@ -0,0 +1,7 @@
---
category: minorAnalysis
---
* Added models for the following packages:
* com.fasterxml.jackson.databind
* javax.servlet

2
java/ql/lib/ext/com.fasterxml.jackson.databind.model.yml
View File

@@ -5,6 +5,8 @@ extensions:
data:
- ["com.fasterxml.jackson.databind", "ObjectMapper", True, "convertValue", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.fasterxml.jackson.databind", "ObjectMapper", False, "createParser", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.fasterxml.jackson.databind", "ObjectMapper", True, "readTree", "(URL)", "", "ReturnValue", ReturnValue, "taint", "ai-manual"] # result is remote, but only user-controlled if the URL is
- ["com.fasterxml.jackson.databind", "ObjectMapper", True, "readValue", "(InputStream,Class)", "", "ReturnValue", ReturnValue, "taint", "ai-manual"]
- ["com.fasterxml.jackson.databind", "ObjectMapper", True, "valueToTree", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["com.fasterxml.jackson.databind", "ObjectMapper", True, "valueToTree", "", "", "Argument[0].MapValue", "ReturnValue", "taint", "manual"]
- ["com.fasterxml.jackson.databind", "ObjectMapper", True, "valueToTree", "", "", "Argument[0].MapValue.Element", "ReturnValue", "taint", "manual"]

8
java/ql/lib/ext/javax.servlet.model.yml
View File

@@ -9,9 +9,15 @@ extensions:
- ["javax.servlet", "ServletRequest", False, "getParameterNames", "()", "", "ReturnValue", "remote", "manual"]
- ["javax.servlet", "ServletRequest", False, "getParameterValues", "(String)", "", "ReturnValue", "remote", "manual"]
- ["javax.servlet", "ServletRequest", False, "getReader", "()", "", "ReturnValue", "remote", "manual"]
- ["javax.servlet", "ServletRequest", True, "getParameter", "(String)", "", "Parameter[0]", "remote", "ai-manual"]
- ["javax.servlet", "ServletRequest", True, "getParameterValues", "(String)", "", "Parameter[0]", "remote", "ai-manual"]
- addsTo:
pack: codeql/java-all
extensible: sinkModel
data:
- ["javax.servlet", "ServletContext", True, "getResourceAsStream", "(String)", "", "Argument[0]", "path-injection", "ai-manual"]
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["javax.servlet", "ServletRequest", True, "getRealPath", "(String)", "", "Parameter[0]", ReturnValue, "taint", "ai-manual"]