hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-11 20:51:06 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/main' into igfoo/mb

Browse Source
This commit is contained in:
Ian Lynagh
2026-01-13 01:01:35 +00:00
parent 70cc153cf5 c666fc71ca
commit dcd0a69759
1891 changed files with 180230 additions and 116717 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
java/documentation/library-coverage/coverage.csv
View File

@@ -76,7 +76,7 @@ jakarta.activation,2,,2,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,1,,,,,,,,,,,,,,,,2,
jakarta.faces.context,4,7,,,,,,,,,,,,,,2,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,,,,7,,
jakarta.json,,,123,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,100,23
jakarta.persistence,2,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,,,,1,
jakarta.servlet,2,19,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,19,,
jakarta.servlet,2,26,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,26,,
jakarta.ws.rs.client,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,
jakarta.ws.rs.container,,9,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,,
jakarta.ws.rs.core,2,,149,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,94,55
@@ -115,7 +115,7 @@ javax.script,1,,50,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,14,36
javax.security.auth,7,,147,,,4,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,50,97
javax.security.cert,,,5,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,5,
javax.security.sasl,,,49,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,42,7
javax.servlet,10,22,3,,,,,,,,,,,,,,1,,,,,,,,,,2,,,,,,,,,,3,,,2,,2,,,,,,,,,22,3,
javax.servlet,10,29,3,,,,,,,,,,,,,,1,,,,,,,,,,2,,,,,,,,,,3,,,2,,2,,,,,,,,,29,3,
javax.smartcardio,,,34,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,24,10
javax.sound.midi,,,60,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,51,9
javax.sound.sampled,,,90,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,53,37
@@ -154,6 +154,7 @@ org.apache.commons.collections,,,800,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
org.apache.commons.collections4,,,800,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,17,783
org.apache.commons.compress.archivers.tar,,,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,4,
org.apache.commons.exec,10,,,,6,,,,,,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
org.apache.commons.fileupload,,11,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,11,4,
org.apache.commons.httpclient.util,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
org.apache.commons.io,124,,570,,,,,,,,,4,,,,,,,,,,,,,,,105,,,,,,,,,15,,,,,,,,,,,,,,,,556,14
org.apache.commons.jelly,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,
@@ -258,6 +259,7 @@ org.springframework.web.multipart,,12,12,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
org.springframework.web.portlet,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,
org.springframework.web.reactive.function.client,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,
org.springframework.web.servlet,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,
org.springframework.web.socket,,8,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,8,6,
org.springframework.web.util,,9,157,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,9,132,25
org.thymeleaf,2,,2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,,,,,2,
org.xml.sax,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
1 package sink source summary sink:bean-validation sink:command-injection sink:credentials-key sink:credentials-password sink:credentials-username sink:encryption-iv sink:encryption-salt sink:environment-injection sink:file-content-store sink:fragment-injection sink:groovy-injection sink:hostname-verification sink:html-injection sink:information-leak sink:intent-redirection sink:jexl-injection sink:jndi-injection sink:js-injection sink:ldap-injection sink:log-injection sink:mvel-injection sink:notification sink:ognl-injection sink:path-injection sink:pending-intents sink:regex-use sink:regex-use[-1] sink:regex-use[0] sink:regex-use[] sink:regex-use[f-1] sink:regex-use[f1] sink:regex-use[f] sink:request-forgery sink:response-splitting sink:sql-injection sink:template-injection sink:trust-boundary-violation sink:unsafe-deserialization sink:url-forward sink:url-redirection sink:xpath-injection sink:xslt-injection source:android-external-storage-dir source:contentprovider source:database source:environment source:file source:remote summary:taint summary:value
76 jakarta.faces.context 4 7 2 2 7
77 jakarta.json 123 100 23
78 jakarta.persistence 2 1 2 1
79 jakarta.servlet 2 19 26 2 19 26
80 jakarta.ws.rs.client 1 1
81 jakarta.ws.rs.container 9 9
82 jakarta.ws.rs.core 2 149 2 94 55
115 javax.security.auth 7 147 4 3 50 97
116 javax.security.cert 5 5
117 javax.security.sasl 49 42 7
118 javax.servlet 10 22 29 3 1 2 3 2 2 22 29 3
119 javax.smartcardio 34 24 10
120 javax.sound.midi 60 51 9
121 javax.sound.sampled 90 53 37
154 org.apache.commons.collections4 800 17 783
155 org.apache.commons.compress.archivers.tar 4 4
156 org.apache.commons.exec 10 6 4
157 org.apache.commons.fileupload 11 4 11 4
158 org.apache.commons.httpclient.util 1 1
159 org.apache.commons.io 124 570 4 105 15 556 14
160 org.apache.commons.jelly 6 6
259 org.springframework.web.portlet 2 2
260 org.springframework.web.reactive.function.client 2 2
261 org.springframework.web.servlet 2 2
262 org.springframework.web.socket 8 6 8 6
263 org.springframework.web.util 9 157 9 132 25
264 org.thymeleaf 2 2 2 2
265 org.xml.sax 1 1

8
java/documentation/library-coverage/coverage.rst
View File

@@ -19,9 +19,9 @@ Java framework & library support
JBoss Logging,``org.jboss.logging``,,,324,,,,,,
`JSON-java <https://github.com/stleary/JSON-java>`_,``org.json``,,236,,,,,,,
Java Standard Library,``java.*``,10,4628,260,99,,9,,,26
Java extensions,"``javax.*``, ``jakarta.*``",87,4185,90,10,4,2,1,1,4
Java extensions,"``javax.*``, ``jakarta.*``",101,4185,90,10,4,2,1,1,4
Kotlin Standard Library,``kotlin*``,,1849,16,14,,,,,2
`Spring <https://spring.io/>`_,``org.springframework.*``,38,486,143,26,,28,14,,35
Others,"``actions.osgi``, ``antlr``, ``ch.ethz.ssh2``, ``cn.hutool.core.codec``, ``com.alibaba.com.caucho.hessian.io``, ``com.alibaba.druid.sql``, ``com.alibaba.fastjson2``, ``com.amazonaws.auth``, ``com.auth0.jwt.algorithms``, ``com.azure.identity``, ``com.caucho.burlap.io``, ``com.caucho.hessian.io``, ``com.cedarsoftware.util.io``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.esotericsoftware.yamlbeans``, ``com.fasterxml.jackson.core``, ``com.fasterxml.jackson.databind``, ``com.google.gson``, ``com.hubspot.jinjava``, ``com.jcraft.jsch``, ``com.microsoft.sqlserver.jdbc``, ``com.mitchellbosecke.pebble``, ``com.mongodb``, ``com.opensymphony.xwork2``, ``com.rabbitmq.client``, ``com.sshtools.j2ssh.authentication``, ``com.sun.crypto.provider``, ``com.sun.jndi.ldap``, ``com.sun.net.httpserver``, ``com.sun.net.ssl``, ``com.sun.rowset``, ``com.sun.security.auth.module``, ``com.sun.security.ntlm``, ``com.sun.security.sasl.digest``, ``com.thoughtworks.xstream``, ``com.trilead.ssh2``, ``com.unboundid.ldap.sdk``, ``com.zaxxer.hikari``, ``flexjson``, ``freemarker.cache``, ``freemarker.template``, ``groovy.lang``, ``groovy.text``, ``groovy.util``, ``hudson``, ``io.jsonwebtoken``, ``io.netty.bootstrap``, ``io.netty.buffer``, ``io.netty.channel``, ``io.netty.handler.codec``, ``io.netty.handler.ssl``, ``io.netty.handler.stream``, ``io.netty.resolver``, ``io.netty.util``, ``io.undertow.server.handlers.resource``, ``javafx.scene.web``, ``jenkins``, ``jodd.json``, ``liquibase.database.jvm``, ``liquibase.statement.core``, ``net.lingala.zip4j``, ``net.schmizz.sshj``, ``net.sf.json``, ``net.sf.saxon.s9api``, ``ognl``, ``okhttp3``, ``org.acegisecurity``, ``org.antlr.runtime``, ``org.apache.commons.codec``, ``org.apache.commons.compress.archivers.tar``, ``org.apache.commons.exec``, ``org.apache.commons.httpclient.util``, ``org.apache.commons.jelly``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.lang``, ``org.apache.commons.logging``, ``org.apache.commons.net``, ``org.apache.commons.ognl``, ``org.apache.cxf.catalog``, ``org.apache.cxf.common.classloader``, ``org.apache.cxf.common.jaxb``, ``org.apache.cxf.common.logging``, ``org.apache.cxf.configuration.jsse``, ``org.apache.cxf.helpers``, ``org.apache.cxf.resource``, ``org.apache.cxf.staxutils``, ``org.apache.cxf.tools.corba.utils``, ``org.apache.cxf.tools.util``, ``org.apache.cxf.transform``, ``org.apache.directory.ldap.client.api``, ``org.apache.hadoop.fs``, ``org.apache.hadoop.hive.metastore``, ``org.apache.hadoop.hive.ql.exec``, ``org.apache.hadoop.hive.ql.metadata``, ``org.apache.hc.client5.http.async.methods``, ``org.apache.hc.client5.http.classic.methods``, ``org.apache.hc.client5.http.fluent``, ``org.apache.hive.hcatalog.templeton``, ``org.apache.ibatis.jdbc``, ``org.apache.ibatis.mapping``, ``org.apache.log4j``, ``org.apache.shiro.authc``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.apache.shiro.mgt``, ``org.apache.sshd.client.session``, ``org.apache.struts.beanvalidation.validation.interceptor``, ``org.apache.struts2``, ``org.apache.tools.ant``, ``org.apache.tools.zip``, ``org.apache.velocity.app``, ``org.apache.velocity.runtime``, ``org.codehaus.cargo.container.installer``, ``org.codehaus.groovy.control``, ``org.dom4j``, ``org.eclipse.jetty.client``, ``org.exolab.castor.xml``, ``org.fusesource.leveldbjni``, ``org.geogebra.web.full.main``, ``org.gradle.api.file``, ``org.hibernate``, ``org.ho.yaml``, ``org.influxdb``, ``org.jabsorb``, ``org.jboss.vfs``, ``org.jdbi.v3.core``, ``org.jenkins.ui.icon``, ``org.jenkins.ui.symbol``, ``org.jooq``, ``org.keycloak.models.map.storage``, ``org.kohsuke.stapler``, ``org.lastaflute.web``, ``org.mvel2``, ``org.openjdk.jmh.runner.options``, ``org.owasp.esapi``, ``org.pac4j.jwt.config.encryption``, ``org.pac4j.jwt.config.signature``, ``org.scijava.log``, ``org.slf4j``, ``org.thymeleaf``, ``org.xml.sax``, ``org.xmlpull.v1``, ``org.yaml.snakeyaml``, ``play.libs.ws``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``, ``retrofit2``, ``software.amazon.awssdk.transfer.s3.model``, ``sun.jvmstat.perfdata.monitor.protocol.local``, ``sun.jvmstat.perfdata.monitor.protocol.rmi``, ``sun.misc``, ``sun.net.ftp``, ``sun.net.www.protocol.http``, ``sun.security.acl``, ``sun.security.jgss.krb5``, ``sun.security.krb5``, ``sun.security.pkcs``, ``sun.security.pkcs11``, ``sun.security.provider``, ``sun.security.ssl``, ``sun.security.x509``, ``sun.tools.jconsole``",133,10525,927,140,6,22,18,,208
Totals,,330,26361,2656,404,16,128,33,1,409
`Spring <https://spring.io/>`_,``org.springframework.*``,46,492,143,26,,28,14,,35
Others,"``actions.osgi``, ``antlr``, ``ch.ethz.ssh2``, ``cn.hutool.core.codec``, ``com.alibaba.com.caucho.hessian.io``, ``com.alibaba.druid.sql``, ``com.alibaba.fastjson2``, ``com.amazonaws.auth``, ``com.auth0.jwt.algorithms``, ``com.azure.identity``, ``com.caucho.burlap.io``, ``com.caucho.hessian.io``, ``com.cedarsoftware.util.io``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.esotericsoftware.yamlbeans``, ``com.fasterxml.jackson.core``, ``com.fasterxml.jackson.databind``, ``com.google.gson``, ``com.hubspot.jinjava``, ``com.jcraft.jsch``, ``com.microsoft.sqlserver.jdbc``, ``com.mitchellbosecke.pebble``, ``com.mongodb``, ``com.opensymphony.xwork2``, ``com.rabbitmq.client``, ``com.sshtools.j2ssh.authentication``, ``com.sun.crypto.provider``, ``com.sun.jndi.ldap``, ``com.sun.net.httpserver``, ``com.sun.net.ssl``, ``com.sun.rowset``, ``com.sun.security.auth.module``, ``com.sun.security.ntlm``, ``com.sun.security.sasl.digest``, ``com.thoughtworks.xstream``, ``com.trilead.ssh2``, ``com.unboundid.ldap.sdk``, ``com.zaxxer.hikari``, ``flexjson``, ``freemarker.cache``, ``freemarker.template``, ``groovy.lang``, ``groovy.text``, ``groovy.util``, ``hudson``, ``io.jsonwebtoken``, ``io.netty.bootstrap``, ``io.netty.buffer``, ``io.netty.channel``, ``io.netty.handler.codec``, ``io.netty.handler.ssl``, ``io.netty.handler.stream``, ``io.netty.resolver``, ``io.netty.util``, ``io.undertow.server.handlers.resource``, ``javafx.scene.web``, ``jenkins``, ``jodd.json``, ``liquibase.database.jvm``, ``liquibase.statement.core``, ``net.lingala.zip4j``, ``net.schmizz.sshj``, ``net.sf.json``, ``net.sf.saxon.s9api``, ``ognl``, ``okhttp3``, ``org.acegisecurity``, ``org.antlr.runtime``, ``org.apache.commons.codec``, ``org.apache.commons.compress.archivers.tar``, ``org.apache.commons.exec``, ``org.apache.commons.fileupload``, ``org.apache.commons.httpclient.util``, ``org.apache.commons.jelly``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.lang``, ``org.apache.commons.logging``, ``org.apache.commons.net``, ``org.apache.commons.ognl``, ``org.apache.cxf.catalog``, ``org.apache.cxf.common.classloader``, ``org.apache.cxf.common.jaxb``, ``org.apache.cxf.common.logging``, ``org.apache.cxf.configuration.jsse``, ``org.apache.cxf.helpers``, ``org.apache.cxf.resource``, ``org.apache.cxf.staxutils``, ``org.apache.cxf.tools.corba.utils``, ``org.apache.cxf.tools.util``, ``org.apache.cxf.transform``, ``org.apache.directory.ldap.client.api``, ``org.apache.hadoop.fs``, ``org.apache.hadoop.hive.metastore``, ``org.apache.hadoop.hive.ql.exec``, ``org.apache.hadoop.hive.ql.metadata``, ``org.apache.hc.client5.http.async.methods``, ``org.apache.hc.client5.http.classic.methods``, ``org.apache.hc.client5.http.fluent``, ``org.apache.hive.hcatalog.templeton``, ``org.apache.ibatis.jdbc``, ``org.apache.ibatis.mapping``, ``org.apache.log4j``, ``org.apache.shiro.authc``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.apache.shiro.mgt``, ``org.apache.sshd.client.session``, ``org.apache.struts.beanvalidation.validation.interceptor``, ``org.apache.struts2``, ``org.apache.tools.ant``, ``org.apache.tools.zip``, ``org.apache.velocity.app``, ``org.apache.velocity.runtime``, ``org.codehaus.cargo.container.installer``, ``org.codehaus.groovy.control``, ``org.dom4j``, ``org.eclipse.jetty.client``, ``org.exolab.castor.xml``, ``org.fusesource.leveldbjni``, ``org.geogebra.web.full.main``, ``org.gradle.api.file``, ``org.hibernate``, ``org.ho.yaml``, ``org.influxdb``, ``org.jabsorb``, ``org.jboss.vfs``, ``org.jdbi.v3.core``, ``org.jenkins.ui.icon``, ``org.jenkins.ui.symbol``, ``org.jooq``, ``org.keycloak.models.map.storage``, ``org.kohsuke.stapler``, ``org.lastaflute.web``, ``org.mvel2``, ``org.openjdk.jmh.runner.options``, ``org.owasp.esapi``, ``org.pac4j.jwt.config.encryption``, ``org.pac4j.jwt.config.signature``, ``org.scijava.log``, ``org.slf4j``, ``org.thymeleaf``, ``org.xml.sax``, ``org.xmlpull.v1``, ``org.yaml.snakeyaml``, ``play.libs.ws``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``, ``retrofit2``, ``software.amazon.awssdk.transfer.s3.model``, ``sun.jvmstat.perfdata.monitor.protocol.local``, ``sun.jvmstat.perfdata.monitor.protocol.rmi``, ``sun.misc``, ``sun.net.ftp``, ``sun.net.www.protocol.http``, ``sun.security.acl``, ``sun.security.jgss.krb5``, ``sun.security.krb5``, ``sun.security.pkcs``, ``sun.security.pkcs11``, ``sun.security.provider``, ``sun.security.ssl``, ``sun.security.x509``, ``sun.tools.jconsole``",144,10529,927,140,6,22,18,,208
Totals,,363,26371,2656,404,16,128,33,1,409

4
java/ql/integration-tests/java/buildless-paths/codescanning-config.yml Normal file
View File

@@ -0,0 +1,4 @@
paths:
- include
paths-ignore:
- include/exclude

1
java/ql/integration-tests/java/buildless-paths/include/ShouldAppear2.java Normal file
View File

@@ -0,0 +1 @@
public class ShouldAppear2 { }

1
java/ql/integration-tests/java/buildless-paths/include/ShouldAppear2.xml Normal file
View File

@@ -0,0 +1 @@
<tag></tag>

1
java/ql/integration-tests/java/buildless-paths/include/exclude/ShouldNotAppear3.java Normal file
View File

@@ -0,0 +1 @@
public class ShouldNotAppear3 { }

1
java/ql/integration-tests/java/buildless-paths/include/exclude/ShouldNotAppear3.xml Normal file
View File

@@ -0,0 +1 @@
<tag></tag>

1
java/ql/integration-tests/java/buildless-paths/sibling/ShouldNotAppear1.java Normal file
View File

@@ -0,0 +1 @@
public class ShouldNotAppear1 { }

1
java/ql/integration-tests/java/buildless-paths/sibling/ShouldNotAppear1.xml Normal file
View File

@@ -0,0 +1 @@
<tag></tag>

4
java/ql/integration-tests/java/buildless-paths/test.expected Normal file
View File

@@ -0,0 +1,4 @@
javaFiles
| include/ShouldAppear2.java:0:0:0:0 | ShouldAppear2 |
#select
| include/ShouldAppear2.xml:0:0:0:0 | include/ShouldAppear2.xml |

5
java/ql/integration-tests/java/buildless-paths/test.py Normal file
View File

@@ -0,0 +1,5 @@
import os
import os.path
def test(codeql, java):
codeql.database.create(build_mode = "none", codescanning_config = "codescanning-config.yml")

6
java/ql/integration-tests/java/buildless-paths/test.ql Normal file
View File

@@ -0,0 +1,6 @@
import java
query predicate javaFiles(File f) { f.isJavaSourceFile() }
from XmlFile f
select f

4
java/ql/lib/change-notes/2024-09-24-multipart.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added more dataflow models of `org.apache.commons.fileupload.FileItem`, `javax/jakarta.servlet.http.Part` and `org.apache.commons.fileupload.util.Streams`.

4
java/ql/lib/change-notes/2025-12-02-improve-regex-sanitizer.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* A sanitizer has been added to `java/ssrf` to remove alerts when a regular expression check is used to verify that the value is safe.

4
java/ql/lib/change-notes/2025-12-08-spring-websocket-handler.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Additional remote flow sources from the `org.springframework.web.socket` package have been modeled.

4
java/ql/lib/change-notes/2025-12-16-java-xml-paths.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* When a code-scanning configuration specifies the `paths:` and/or `paths-ignore:` settings, these are now taken into account by the Java extractor's search for XML and properties files.

8
java/ql/lib/ext/empty.model.yml
View File

@@ -13,6 +13,14 @@ extensions:
pack: codeql/java-all
extensible: summaryModel
data: []
- addsTo:
pack: codeql/java-all
extensible: barrierModel
data: []
- addsTo:
pack: codeql/java-all
extensible: barrierGuardModel
data: []
- addsTo:
pack: codeql/java-all
extensible: neutralModel

6
java/ql/lib/ext/hudson.model.yml
View File

@@ -50,6 +50,12 @@ extensions:
- ["hudson", "FilePath", False, "readToString", "", "", "ReturnValue", "file", "manual"]
- ["hudson", "Plugin", True, "configure", "", "", "Parameter", "remote", "manual"]
- ["hudson", "Plugin", True, "newInstance", "", "", "Parameter", "remote", "manual"]
- addsTo:
pack: codeql/java-all
extensible: barrierModel
data:
- ["hudson", "Util", True, "escape", "(String)", "", "ReturnValue", "html-injection", "manual"]
# Not including xmlEscape because it only accounts for >, <, and &. It does not account for ", or ', which makes it an incomplete XSS sanitizer.
- addsTo:
pack: codeql/java-all
extensible: summaryModel

9
java/ql/lib/ext/jakarta.servlet.http.model.yml
View File

@@ -3,7 +3,14 @@ extensions:
pack: codeql/java-all
extensible: sourceModel
data:
- ["jakarta.servlet.http", "HttpServletRequest", True, "getServletPath", "", "", "ReturnValue", "remote", "manual"]
- ["jakarta.servlet.http", "HttpServletRequest", True, "getServletPath", "()", "", "ReturnValue", "remote", "manual"]
- ["jakarta.servlet.http", "Part", True, "getInputStream", "()", "", "ReturnValue", "remote", "manual"]
- ["jakarta.servlet.http", "Part", True, "getName", "()", "", "ReturnValue", "remote", "manual"]
- ["jakarta.servlet.http", "Part", True, "getContentType", "()", "", "ReturnValue", "remote", "manual"]
- ["jakarta.servlet.http", "Part", True, "getHeader", "(String)", "", "ReturnValue", "remote", "manual"]
- ["jakarta.servlet.http", "Part", True, "getHeaderNames", "()", "", "ReturnValue", "remote", "manual"]
- ["jakarta.servlet.http", "Part", True, "getHeaders", "(String)", "", "ReturnValue", "remote", "manual"]
- ["jakarta.servlet.http", "Part", True, "getSubmittedFileName", "()", "", "ReturnValue", "remote", "manual"]
- ["jakarta.servlet.http", "HttpServletRequest", False, "getHeader", "(String)", "", "ReturnValue", "remote", "manual"]
- ["jakarta.servlet.http", "HttpServletRequest", False, "getHeaderNames", "()", "", "ReturnValue", "remote", "manual"]
- ["jakarta.servlet.http", "HttpServletRequest", False, "getHeaders", "(String)", "", "ReturnValue", "remote", "manual"]

5
java/ql/lib/ext/java.io.model.yml
View File

@@ -162,3 +162,8 @@ extensions:
extensible: sourceModel
data:
- ["java.io", "FileInputStream", True, "FileInputStream", "", "", "Argument[this]", "file", "manual"]
- addsTo:
pack: codeql/java-all
extensible: barrierModel
data:
- ["java.io", "File", True, "getName", "()", "", "ReturnValue", "path-injection", "manual"]

5
java/ql/lib/ext/java.net.model.yml
View File

@@ -34,6 +34,11 @@ extensions:
- ["java.net", "URLClassLoader", False, "URLClassLoader", "(URL[],ClassLoader)", "", "Argument[0]", "request-forgery", "manual"]
- ["java.net", "URLClassLoader", False, "URLClassLoader", "(URL[])", "", "Argument[0]", "request-forgery", "manual"]
- ["java.net", "PasswordAuthentication", False, "PasswordAuthentication", "(String,char[])", "", "Argument[0]", "credentials-username", "hq-generated"]
- addsTo:
pack: codeql/java-all
extensible: barrierGuardModel
data:
- ["java.net", "URI", True, "isAbsolute", "()", "", "Argument[this]", "false", "request-forgery", "manual"]
- addsTo:
pack: codeql/java-all
extensible: summaryModel

5
java/ql/lib/ext/java.util.regex.model.yml
View File

@@ -12,6 +12,11 @@ extensions:
- ["java.util.regex", "Pattern", False, "split", "(CharSequence)", "", "Argument[this]", "regex-use[0]", "manual"]
- ["java.util.regex", "Pattern", False, "split", "(CharSequence,int)", "", "Argument[this]", "regex-use[0]", "manual"]
- ["java.util.regex", "Pattern", False, "splitAsStream", "(CharSequence)", "", "Argument[this]", "regex-use[0]", "manual"]
- addsTo:
pack: codeql/java-all
extensible: barrierModel
data:
- ["java.util.regex", "Pattern", False, "quote", "(String)", "", "ReturnValue", "regex-use", "manual"]
- addsTo:
pack: codeql/java-all
extensible: summaryModel

8
java/ql/lib/ext/javax.servlet.http.model.yml
View File

@@ -19,6 +19,14 @@ extensions:
- ["javax.servlet.http", "HttpServletRequest", False, "getRequestURI", "()", "", "ReturnValue", "remote", "manual"]
- ["javax.servlet.http", "HttpServletRequest", False, "getRequestURL", "()", "", "ReturnValue", "remote", "manual"]
- ["javax.servlet.http", "HttpServletRequest", False, "getServletPath", "()", "", "ReturnValue", "remote", "manual"]
- ["javax.servlet.http", "Part", False, "getContentType", "()", "", "ReturnValue", "remote", "manual"]
- ["javax.servlet.http", "Part", False, "getHeader", "(String)", "", "ReturnValue", "remote", "manual"]
- ["javax.servlet.http", "Part", False, "getHeaderNames", "()", "", "ReturnValue", "remote", "manual"]
- ["javax.servlet.http", "Part", False, "getHeaders", "(String)", "", "ReturnValue", "remote", "manual"]
- ["javax.servlet.http", "Part", False, "getInputStream", "()", "", "ReturnValue", "remote", "manual"]
- ["javax.servlet.http", "Part", False, "getName", "()", "", "ReturnValue", "remote", "manual"]
- ["javax.servlet.http", "Part", False, "getSubmittedFileName", "()", "", "ReturnValue", "remote", "manual"]
- addsTo:
pack: codeql/java-all

16
java/ql/lib/ext/org.apache.commons.fileupload.model.yml Normal file
View File

@@ -0,0 +1,16 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sourceModel
data:
- ["org.apache.commons.fileupload", "FileItem", True, "get", "()", "", "ReturnValue", "remote", "manual"]
- ["org.apache.commons.fileupload", "FileItem", True, "getContentType", "()", "", "ReturnValue", "remote", "manual"]
- ["org.apache.commons.fileupload", "FileItem", True, "getFieldName", "()", "", "ReturnValue", "remote", "manual"]
- ["org.apache.commons.fileupload", "FileItem", True, "getInputStream", "()", "", "ReturnValue", "remote", "manual"]
- ["org.apache.commons.fileupload", "FileItem", True, "getName", "()", "", "ReturnValue", "remote", "manual"]
- ["org.apache.commons.fileupload", "FileItem", True, "getString", "()", "", "ReturnValue", "remote", "manual"]
- ["org.apache.commons.fileupload", "FileItem", True, "getString", "(String)", "", "ReturnValue", "remote", "manual"]
- ["org.apache.commons.fileupload", "FileItemStream", True, "getContentType", "()", "", "ReturnValue", "remote", "manual"]
- ["org.apache.commons.fileupload", "FileItemStream", True, "getFieldName", "()", "", "ReturnValue", "remote", "manual"]
- ["org.apache.commons.fileupload", "FileItemStream", True, "getName", "()", "", "ReturnValue", "remote", "manual"]
- ["org.apache.commons.fileupload", "FileItemStream", True, "openStream", "()", "", "ReturnValue", "remote", "manual"]

9
java/ql/lib/ext/org.apache.commons.fileupload.util.model.yml Normal file
View File

@@ -0,0 +1,9 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["org.apache.commons.fileupload.util", "Streams", True, "asString", "(InputStream)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["org.apache.commons.fileupload.util", "Streams", True, "asString", "(InputStream,String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["org.apache.commons.fileupload.util", "Streams", True, "copy", "(InputStream,OutputStream,boolean)", "", "Argument[0]", "Argument[1]", "taint", "manual"]
- ["org.apache.commons.fileupload.util", "Streams", True, "copy", "(InputStream,OutputStream,boolean,byte[])", "", "Argument[0]", "Argument[1]", "taint", "manual"]

38
java/ql/lib/ext/org.owasp.esapi.model.yml
View File

@@ -1,6 +1,42 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: barrierGuardModel
data:
- ["org.owasp.esapi", "Validator", true, "isValidCreditCard", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
- ["org.owasp.esapi", "Validator", true, "isValidDate", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
- ["org.owasp.esapi", "Validator", true, "isValidDirectoryPath", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
- ["org.owasp.esapi", "Validator", true, "isValidDouble", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
- ["org.owasp.esapi", "Validator", true, "isValidFileContent", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
- ["org.owasp.esapi", "Validator", true, "isValidFileName", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
- ["org.owasp.esapi", "Validator", true, "isValidInput", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
- ["org.owasp.esapi", "Validator", true, "isValidInteger", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
- ["org.owasp.esapi", "Validator", true, "isValidListItem", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
- ["org.owasp.esapi", "Validator", true, "isValidNumber", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
- ["org.owasp.esapi", "Validator", true, "isValidPrintable", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
- ["org.owasp.esapi", "Validator", true, "isValidRedirectLocation", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
- ["org.owasp.esapi", "Validator", true, "isValidSafeHTML", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
- ["org.owasp.esapi", "Validator", true, "isValidURI", "", "", "Argument[1]", "true", "trust-boundary-violation", "manual"]
- addsTo:
pack: codeql/java-all
extensible: barrierModel
data:
- ["org.owasp.esapi", "Validator", true, "getValidCreditCard", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
- ["org.owasp.esapi", "Validator", true, "getValidDate", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
- ["org.owasp.esapi", "Validator", true, "getValidDirectoryPath", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
- ["org.owasp.esapi", "Validator", true, "getValidDouble", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
- ["org.owasp.esapi", "Validator", true, "getValidFileContent", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
- ["org.owasp.esapi", "Validator", true, "getValidFileName", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
- ["org.owasp.esapi", "Validator", true, "getValidInput", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
- ["org.owasp.esapi", "Validator", true, "getValidInteger", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
- ["org.owasp.esapi", "Validator", true, "getValidListItem", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
- ["org.owasp.esapi", "Validator", true, "getValidNumber", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
- ["org.owasp.esapi", "Validator", true, "getValidPrintable", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
- ["org.owasp.esapi", "Validator", true, "getValidRedirectLocation", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
- ["org.owasp.esapi", "Validator", true, "getValidSafeHTML", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
- ["org.owasp.esapi", "Validator", true, "getValidURI", "", "", "ReturnValue", "trust-boundary-violation", "manual"]
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["org.owasp.esapi", "Encoder", true, "encodeForHTML", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
- ["org.owasp.esapi", "Encoder", true, "encodeForHTML", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]

23
java/ql/lib/ext/org.springframework.web.socket.model.yml Normal file
View File

@@ -0,0 +1,23 @@
extensions:
- addsTo:
pack: codeql/java-all
extensible: sourceModel
data:
- ["org.springframework.web.socket", "WebSocketHandler", True, "afterConnectionClosed", "", "", "Parameter[0]", "remote", "manual"]
- ["org.springframework.web.socket", "WebSocketHandler", True, "afterConnectionEstablished", "", "", "Parameter[0]", "remote", "manual"]
- ["org.springframework.web.socket", "WebSocketHandler", True, "handleMessage", "", "", "Parameter[0]", "remote", "manual"]
- ["org.springframework.web.socket", "WebSocketHandler", True, "handleMessage", "", "", "Parameter[1]", "remote", "manual"]
- ["org.springframework.web.socket", "WebSocketHandler", True, "handleTransportError", "", "", "Parameter[0]", "remote", "manual"]
- ["org.springframework.web.socket.handler", "AbstractWebSocketHandler", True, "handleBinaryMessage", "", "", "Parameter[0..1]", "remote", "manual"]
- ["org.springframework.web.socket.handler", "AbstractWebSocketHandler", True, "handlePongMessage", "", "", "Parameter[0..1]", "remote", "manual"]
- ["org.springframework.web.socket.handler", "AbstractWebSocketHandler", True, "handleTextMessage", "", "", "Parameter[0..1]", "remote", "manual"]
- addsTo:
pack: codeql/java-all
extensible: summaryModel
data:
- ["org.springframework.web.socket", "TextMessage", True, "asBytes", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["org.springframework.web.socket", "WebSocketMessage", True, "getPayload", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["org.springframework.web.socket", "WebSocketSession", True, "getAcceptedProtocol", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["org.springframework.web.socket", "WebSocketSession", True, "getHandshakeHeaders", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["org.springframework.web.socket", "WebSocketSession", True, "getPrincipal", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["org.springframework.web.socket", "WebSocketSession", True, "getUri", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]

15
java/ql/lib/semmle/code/java/ConflictingAccess.qll
View File

@@ -63,12 +63,23 @@ class ExposedField extends Field {
not this.getType() instanceof LockType and
// field is not thread-safe
not isThreadSafeType(this.getType()) and
not isThreadSafeType(this.getInitializer().getType()) and
not isThreadSafeType(initialValue(this).getType()) and
// the initializer guarantees thread safety
not isThreadSafeInitializer(this.getInitializer())
not isThreadSafeInitializer(initialValue(this))
}
}
/**
* Gets the initial value for the field `f`.
* This is either a field initializer or an assignment in a constructor.
*/
Expr initialValue(Field f) {
result = f.getInitializer()
or
result = f.getAnAssignedValue() and
result.getEnclosingCallable() = f.getDeclaringType().getAConstructor()
}
/**
* A field access that is exposed to potential data races.
* We require the field to be in a class that is annotated as `@ThreadSafe`.

242
java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
View File

@@ -91,14 +91,60 @@ module;
import java
private import semmle.code.java.dataflow.DataFlow::DataFlow
private import semmle.code.java.controlflow.Guards
private import FlowSummary as FlowSummary
private import internal.DataFlowPrivate
private import internal.FlowSummaryImpl
private import internal.FlowSummaryImpl::Public
private import internal.FlowSummaryImpl::Private
private import internal.FlowSummaryImpl::Private::External
private import internal.ExternalFlowExtensions as Extensions
private import internal.ExternalFlowExtensions::Extensions as Extensions
private import codeql.mad.ModelValidation as SharedModelVal
private import codeql.mad.static.ModelsAsData as SharedMaD
private module MadInput implements SharedMaD::InputSig {
/** Holds if a source model exists for the given parameters. */
predicate additionalSourceModel(
string package, string type, boolean subtypes, string name, string signature, string ext,
string output, string kind, string provenance, string model
) {
exists(QlBuiltins::ExtensionId madId |
any(ActiveExperimentalModelsInternal q)
.sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance,
madId) and
model = "MaD:" + madId.toString()
)
}
/** Holds if a sink model exists for the given parameters. */
predicate additionalSinkModel(
string package, string type, boolean subtypes, string name, string signature, string ext,
string input, string kind, string provenance, string model
) {
exists(QlBuiltins::ExtensionId madId |
any(ActiveExperimentalModelsInternal q)
.sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance, madId) and
model = "MaD:" + madId.toString()
)
}
/** Holds if a summary model exists for the given parameters. */
predicate additionalSummaryModel(
string package, string type, boolean subtypes, string name, string signature, string ext,
string input, string output, string kind, string provenance, string model
) {
exists(QlBuiltins::ExtensionId madId |
any(ActiveExperimentalModelsInternal q)
.summaryModel(package, type, subtypes, name, signature, ext, input, output, kind,
provenance, madId) and
model = "MaD:" + madId.toString()
)
}
}
private module MaD = SharedMaD::ModelsAsData<Extensions, MadInput>;
import MaD
/**
* A class for activating additional model rows.
@@ -146,60 +192,18 @@ abstract private class ActiveExperimentalModelsInternal extends string {
deprecated class ActiveExperimentalModels = ActiveExperimentalModelsInternal;
/** Holds if a source model exists for the given parameters. */
predicate sourceModel(
string package, string type, boolean subtypes, string name, string signature, string ext,
string output, string kind, string provenance, QlBuiltins::ExtensionId madId
) {
(
Extensions::sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance,
madId)
or
any(ActiveExperimentalModelsInternal q)
.sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance, madId)
)
}
/** Holds if a sink model exists for the given parameters. */
predicate sinkModel(
string package, string type, boolean subtypes, string name, string signature, string ext,
string input, string kind, string provenance, QlBuiltins::ExtensionId madId
) {
(
Extensions::sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance,
madId)
or
any(ActiveExperimentalModelsInternal q)
.sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance, madId)
)
}
/** Holds if a summary model exists for the given parameters. */
predicate summaryModel(
string package, string type, boolean subtypes, string name, string signature, string ext,
string input, string output, string kind, string provenance, QlBuiltins::ExtensionId madId
) {
(
Extensions::summaryModel(package, type, subtypes, name, signature, ext, input, output, kind,
provenance, madId)
or
any(ActiveExperimentalModelsInternal q)
.summaryModel(package, type, subtypes, name, signature, ext, input, output, kind,
provenance, madId)
)
}
/**
* Holds if the given extension tuple `madId` should pretty-print as `model`.
*
* This predicate should only be used in tests.
*/
predicate interpretModelForTest(QlBuiltins::ExtensionId madId, string model) {
MaD::interpretModelForTest(madId, model)
or
exists(
string package, string type, boolean subtypes, string name, string signature, string ext,
string output, string kind, string provenance
|
sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance, madId) or
Extensions::experimentalSourceModel(package, type, subtypes, name, signature, ext, output, kind,
provenance, _, madId)
|
@@ -212,7 +216,6 @@ predicate interpretModelForTest(QlBuiltins::ExtensionId madId, string model) {
string package, string type, boolean subtypes, string name, string signature, string ext,
string input, string kind, string provenance
|
sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance, madId) or
Extensions::experimentalSinkModel(package, type, subtypes, name, signature, ext, input, kind,
provenance, _, madId)
|
@@ -225,8 +228,6 @@ predicate interpretModelForTest(QlBuiltins::ExtensionId madId, string model) {
string package, string type, boolean subtypes, string name, string signature, string ext,
string input, string output, string kind, string provenance
|
summaryModel(package, type, subtypes, name, signature, ext, input, output, kind, provenance,
madId) or
Extensions::experimentalSummaryModel(package, type, subtypes, name, signature, ext, input,
output, kind, provenance, _, madId)
|
@@ -236,65 +237,6 @@ predicate interpretModelForTest(QlBuiltins::ExtensionId madId, string model) {
)
}
/** Holds if a neutral model exists for the given parameters. */
predicate neutralModel = Extensions::neutralModel/6;
private predicate relevantPackage(string package) {
sourceModel(package, _, _, _, _, _, _, _, _, _) or
sinkModel(package, _, _, _, _, _, _, _, _, _) or
summaryModel(package, _, _, _, _, _, _, _, _, _, _)
}
private predicate packageLink(string shortpkg, string longpkg) {
relevantPackage(shortpkg) and
relevantPackage(longpkg) and
longpkg.prefix(longpkg.indexOf(".")) = shortpkg
}
private predicate canonicalPackage(string package) {
relevantPackage(package) and not packageLink(_, package)
}
private predicate canonicalPkgLink(string package, string subpkg) {
canonicalPackage(package) and
(subpkg = package or packageLink(package, subpkg))
}
/**
* Holds if MaD framework coverage of `package` is `n` api endpoints of the
* kind `(kind, part)`, and `pkgs` is the number of subpackages of `package`
* which have MaD framework coverage (including `package` itself).
*/
predicate modelCoverage(string package, int pkgs, string kind, string part, int n) {
pkgs = strictcount(string subpkg | canonicalPkgLink(package, subpkg)) and
(
part = "source" and
n =
strictcount(string subpkg, string type, boolean subtypes, string name, string signature,
string ext, string output, string provenance |
canonicalPkgLink(package, subpkg) and
sourceModel(subpkg, type, subtypes, name, signature, ext, output, kind, provenance, _)
)
or
part = "sink" and
n =
strictcount(string subpkg, string type, boolean subtypes, string name, string signature,
string ext, string input, string provenance |
canonicalPkgLink(package, subpkg) and
sinkModel(subpkg, type, subtypes, name, signature, ext, input, kind, provenance, _)
)
or
part = "summary" and
n =
strictcount(string subpkg, string type, boolean subtypes, string name, string signature,
string ext, string input, string output, string provenance |
canonicalPkgLink(package, subpkg) and
summaryModel(subpkg, type, subtypes, name, signature, ext, input, output, kind, provenance,
_)
)
)
}
/** Provides a query predicate to check the MaD models for validation errors. */
module ModelValidation {
private import codeql.dataflow.internal.AccessPathSyntax as AccessPathSyntax
@@ -303,7 +245,9 @@ module ModelValidation {
summaryModel(_, _, _, _, _, _, path, _, _, _, _) or
summaryModel(_, _, _, _, _, _, _, path, _, _, _) or
sinkModel(_, _, _, _, _, _, path, _, _, _) or
sourceModel(_, _, _, _, _, _, path, _, _, _)
sourceModel(_, _, _, _, _, _, path, _, _, _) or
barrierModel(_, _, _, _, _, _, path, _, _, _) or
barrierGuardModel(_, _, _, _, _, _, path, _, _, _, _)
}
private module MkAccessPath = AccessPathSyntax::AccessPath<getRelevantAccessPath/1>;
@@ -316,6 +260,8 @@ module ModelValidation {
exists(string pred, AccessPath input, AccessPathToken part |
sinkModel(_, _, _, _, _, _, input, _, _, _) and pred = "sink"
or
barrierGuardModel(_, _, _, _, _, _, input, _, _, _, _) and pred = "barrier guard"
or
summaryModel(_, _, _, _, _, _, input, _, _, _, _) and pred = "summary"
|
(
@@ -338,6 +284,8 @@ module ModelValidation {
exists(string pred, AccessPath output, AccessPathToken part |
sourceModel(_, _, _, _, _, _, output, _, _, _) and pred = "source"
or
barrierModel(_, _, _, _, _, _, output, _, _, _) and pred = "barrier"
or
summaryModel(_, _, _, _, _, _, _, output, _, _, _) and pred = "summary"
|
(
@@ -355,7 +303,13 @@ module ModelValidation {
private module KindValConfig implements SharedModelVal::KindValidationConfigSig {
predicate summaryKind(string kind) { summaryModel(_, _, _, _, _, _, _, _, kind, _, _) }
predicate sinkKind(string kind) { sinkModel(_, _, _, _, _, _, _, kind, _, _) }
predicate sinkKind(string kind) {
sinkModel(_, _, _, _, _, _, _, kind, _, _)
or
barrierModel(_, _, _, _, _, _, _, kind, _, _)
or
barrierGuardModel(_, _, _, _, _, _, _, _, kind, _, _)
}
predicate sourceKind(string kind) { sourceModel(_, _, _, _, _, _, _, kind, _, _) }
@@ -373,6 +327,11 @@ module ModelValidation {
or
sinkModel(package, type, _, name, signature, ext, _, _, provenance, _) and pred = "sink"
or
barrierModel(package, type, _, name, signature, ext, _, _, provenance, _) and pred = "barrier"
or
barrierGuardModel(package, type, _, name, signature, ext, _, _, _, provenance, _) and
pred = "barrier guard"
or
summaryModel(package, type, _, name, signature, ext, _, _, _, provenance, _) and
pred = "summary"
or
@@ -398,6 +357,14 @@ module ModelValidation {
invalidProvenance(provenance) and
result = "Unrecognized provenance description \"" + provenance + "\" in " + pred + " model."
)
or
exists(string acceptingvalue |
barrierGuardModel(_, _, _, _, _, _, _, acceptingvalue, _, _, _) and
invalidAcceptingValue(acceptingvalue) and
result =
"Unrecognized accepting value description \"" + acceptingvalue +
"\" in barrier guard model."
)
}
/** Holds if some row in a MaD flow model appears to contain typos. */
@@ -418,6 +385,10 @@ private predicate elementSpec(
or
sinkModel(package, type, subtypes, name, signature, ext, _, _, _, _)
or
barrierModel(package, type, subtypes, name, signature, ext, _, _, _, _)
or
barrierGuardModel(package, type, subtypes, name, signature, ext, _, _, _, _, _)
or
summaryModel(package, type, subtypes, name, signature, ext, _, _, _, _, _)
or
neutralModel(package, type, name, signature, _, _) and ext = "" and subtypes = true
@@ -578,6 +549,53 @@ private module Cached {
isSinkNode(n, kind, model) and n.asNode() = node
)
}
private newtype TKindModelPair =
TMkPair(string kind, string model) { isBarrierGuardNode(_, _, kind, model) }
private GuardValue convertAcceptingValue(AcceptingValue av) {
av.isTrue() and result.asBooleanValue() = true
or
av.isFalse() and result.asBooleanValue() = false
or
av.isNoException() and result.getDualValue().isThrowsException()
or
av.isZero() and result.asIntValue() = 0
or
av.isNotZero() and result.getDualValue().asIntValue() = 0
or
av.isNull() and result.isNullValue()
or
av.isNotNull() and result.isNonNullValue()
}
private predicate barrierGuardChecks(Guard g, Expr e, GuardValue gv, TKindModelPair kmp) {
exists(
SourceSinkInterpretationInput::InterpretNode n, AcceptingValue acceptingvalue, string kind,
string model
|
isBarrierGuardNode(n, acceptingvalue, kind, model) and
n.asNode().asExpr() = e and
kmp = TMkPair(kind, model) and
gv = convertAcceptingValue(acceptingvalue)
|
g.(Call).getAnArgument() = e or g.(MethodCall).getQualifier() = e
)
}
/**
* Holds if `node` is specified as a barrier with the given kind in a MaD flow
* model.
*/
cached
predicate barrierNode(Node node, string kind, string model) {
exists(SourceSinkInterpretationInput::InterpretNode n |
isBarrierNode(n, kind, model) and n.asNode() = node
)
or
ParameterizedBarrierGuard<TKindModelPair, barrierGuardChecks/4>::getABarrierNode(TMkPair(kind,
model)) = node
}
}
import Cached
@@ -594,6 +612,12 @@ predicate sourceNode(Node node, string kind) { sourceNode(node, kind, _) }
*/
predicate sinkNode(Node node, string kind) { sinkNode(node, kind, _) }
/**
* Holds if `node` is specified as a barrier with the given kind in a MaD flow
* model.
*/
predicate barrierNode(Node node, string kind) { barrierNode(node, kind, _) }
// adapter class for converting Mad summaries to `SummarizedCallable`s
private class SummarizedCallableAdapter extends SummarizedCallable {
SummarizedCallableAdapter() { summaryElement(this, _, _, _, _, _, _) }

2
java/ql/lib/semmle/code/java/dataflow/internal/DataFlowDispatch.qll
View File

@@ -60,7 +60,7 @@ private module DispatchImpl {
not (
// Only use summarized callables with generated summaries in case
// the static call target is not in the source code.
// Note that if applyGeneratedModel holds it implies that there doesn't
// Note that if `applyGeneratedModel` holds it implies that there doesn't
// exist a manual model.
exists(Callable staticTarget | staticTarget = call.getCallee().getSourceDeclaration() |
staticTarget.fromSource() and not staticTarget.isStub()

56
java/ql/lib/semmle/code/java/dataflow/internal/DataFlowUtil.qll
View File

@@ -374,6 +374,29 @@ class ContentSet instanceof Content {
}
}
/**
* Holds if the guard `g` validates the expression `e` upon evaluating to `gv`.
*
* The expression `e` is expected to be a syntactic part of the guard `g`.
* For example, the guard `g` might be a call `isSafe(x)` and the expression `e`
* the argument `x`.
*/
signature predicate valueGuardChecksSig(Guard g, Expr e, GuardValue gv);
/**
* Provides a set of barrier nodes for a guard that validates an expression.
*
* This is expected to be used in `isBarrier`/`isSanitizer` definitions
* in data flow and taint tracking.
*/
module BarrierGuardValue<valueGuardChecksSig/3 guardChecks> {
/** Gets a node that is safely guarded by the given guard check. */
Node getABarrierNode() {
SsaFlow::asNode(result) =
SsaImpl::DataFlowIntegration::BarrierGuard<guardChecks/3>::getABarrierNode()
}
}
/**
* Holds if the guard `g` validates the expression `e` upon evaluating to `branch`.
*
@@ -390,9 +413,38 @@ signature predicate guardChecksSig(Guard g, Expr e, boolean branch);
* in data flow and taint tracking.
*/
module BarrierGuard<guardChecksSig/3 guardChecks> {
private predicate guardChecks0(Guard g, Expr e, GuardValue gv) {
guardChecks(g, e, gv.asBooleanValue())
}
/** Gets a node that is safely guarded by the given guard check. */
Node getABarrierNode() {
Node getABarrierNode() { result = BarrierGuardValue<guardChecks0/3>::getABarrierNode() }
}
bindingset[this]
private signature class ParamSig;
private module WithParam<ParamSig P> {
/**
* Holds if the guard `g` validates the expression `e` upon evaluating to `gv`.
*
* The expression `e` is expected to be a syntactic part of the guard `g`.
* For example, the guard `g` might be a call `isSafe(x)` and the expression `e`
* the argument `x`.
*/
signature predicate guardChecksSig(Guard g, Expr e, GuardValue gv, P param);
}
/**
* Provides a set of barrier nodes for a guard that validates an expression.
*
* This is expected to be used in `isBarrier`/`isSanitizer` definitions
* in data flow and taint tracking.
*/
module ParameterizedBarrierGuard<ParamSig P, WithParam<P>::guardChecksSig/4 guardChecks> {
/** Gets a node that is safely guarded by the given guard check. */
Node getABarrierNode(P param) {
SsaFlow::asNode(result) =
SsaImpl::DataFlowIntegration::BarrierGuard<guardChecks/3>::getABarrierNode()
SsaImpl::DataFlowIntegration::ParameterizedBarrierGuard<P, guardChecks/4>::getABarrierNode(param)
}
}

24
java/ql/lib/semmle/code/java/dataflow/internal/ExternalFlowExtensions.qll
View File

@@ -4,6 +4,8 @@
overlay[local?]
module;
private import codeql.mad.static.ModelsAsData as SharedMaD
/**
* Holds if a source model exists for the given parameters.
*/
@@ -20,6 +22,22 @@ extensible predicate sinkModel(
string input, string kind, string provenance, QlBuiltins::ExtensionId madId
);
/**
* Holds if a barrier model exists for the given parameters.
*/
extensible predicate barrierModel(
string package, string type, boolean subtypes, string name, string signature, string ext,
string output, string kind, string provenance, QlBuiltins::ExtensionId madId
);
/**
* Holds if a barrier guard model exists for the given parameters.
*/
extensible predicate barrierGuardModel(
string package, string type, boolean subtypes, string name, string signature, string ext,
string input, string acceptingvalue, string kind, string provenance, QlBuiltins::ExtensionId madId
);
/**
* Holds if a summary model exists for the given parameters.
*/
@@ -77,3 +95,9 @@ extensible predicate experimentalSummaryModel(
string input, string output, string kind, string provenance, string filter,
QlBuiltins::ExtensionId madId
);
module Extensions implements SharedMaD::ExtensionsSig {
import ExternalFlowExtensions
predicate namespaceGrouping(string group, string namespace) { none() }
}

57
java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll
View File

@@ -158,7 +158,9 @@ private predicate relatedArgSpec(Callable c, string spec) {
summaryModel(namespace, type, subtypes, name, signature, ext, spec, _, _, _, _) or
summaryModel(namespace, type, subtypes, name, signature, ext, _, spec, _, _, _) or
sourceModel(namespace, type, subtypes, name, signature, ext, spec, _, _, _) or
sinkModel(namespace, type, subtypes, name, signature, ext, spec, _, _, _)
sinkModel(namespace, type, subtypes, name, signature, ext, spec, _, _, _) or
barrierModel(namespace, type, subtypes, name, signature, ext, spec, _, _, _) or
barrierGuardModel(namespace, type, subtypes, name, signature, ext, spec, _, _, _, _)
|
c = interpretElement(namespace, type, subtypes, name, signature, ext, _)
)
@@ -226,11 +228,10 @@ module SourceSinkInterpretationInput implements
) {
exists(
string namespace, string type, boolean subtypes, string name, string signature, string ext,
SourceOrSinkElement baseSource, string originalOutput, QlBuiltins::ExtensionId madId
SourceOrSinkElement baseSource, string originalOutput
|
sourceModel(namespace, type, subtypes, name, signature, ext, originalOutput, kind, provenance,
madId) and
model = "MaD:" + madId.toString() and
model) and
baseSource = interpretElement(namespace, type, subtypes, name, signature, ext, _) and
(
e = baseSource and output = originalOutput
@@ -245,11 +246,10 @@ module SourceSinkInterpretationInput implements
) {
exists(
string namespace, string type, boolean subtypes, string name, string signature, string ext,
SourceOrSinkElement baseSink, string originalInput, QlBuiltins::ExtensionId madId
SourceOrSinkElement baseSink, string originalInput
|
sinkModel(namespace, type, subtypes, name, signature, ext, originalInput, kind, provenance,
madId) and
model = "MaD:" + madId.toString() and
model) and
baseSink = interpretElement(namespace, type, subtypes, name, signature, ext, _) and
(
e = baseSink and originalInput = input
@@ -259,6 +259,43 @@ module SourceSinkInterpretationInput implements
)
}
predicate barrierElement(
Element e, string output, string kind, Public::Provenance provenance, string model
) {
exists(
string namespace, string type, boolean subtypes, string name, string signature, string ext,
SourceOrSinkElement baseBarrier, string originalOutput
|
barrierModel(namespace, type, subtypes, name, signature, ext, originalOutput, kind,
provenance, model) and
baseBarrier = interpretElement(namespace, type, subtypes, name, signature, ext, _) and
(
e = baseBarrier and output = originalOutput
or
correspondingKotlinParameterDefaultsArgSpec(baseBarrier, e, originalOutput, output)
)
)
}
predicate barrierGuardElement(
Element e, string input, Public::AcceptingValue acceptingvalue, string kind,
Public::Provenance provenance, string model
) {
exists(
string namespace, string type, boolean subtypes, string name, string signature, string ext,
SourceOrSinkElement baseBarrier, string originalInput
|
barrierGuardModel(namespace, type, subtypes, name, signature, ext, originalInput,
acceptingvalue, kind, provenance, model) and
baseBarrier = interpretElement(namespace, type, subtypes, name, signature, ext, _) and
(
e = baseBarrier and input = originalInput
or
correspondingKotlinParameterDefaultsArgSpec(baseBarrier, e, originalInput, input)
)
)
}
class SourceOrSinkElement = Element;
private newtype TInterpretNode =
@@ -343,12 +380,10 @@ module Private {
) {
exists(
string namespace, string type, boolean subtypes, string name, string signature, string ext,
string originalInput, string originalOutput, Callable baseCallable,
QlBuiltins::ExtensionId madId
string originalInput, string originalOutput, Callable baseCallable
|
summaryModel(namespace, type, subtypes, name, signature, ext, originalInput, originalOutput,
kind, provenance, madId) and
model = "MaD:" + madId.toString() and
kind, provenance, model) and
baseCallable = interpretElement(namespace, type, subtypes, name, signature, ext, isExact) and
(
c.asCallable() = baseCallable and input = originalInput and output = originalOutput

38
java/ql/lib/semmle/code/java/dataflow/internal/SsaImpl.qll
View File

@@ -564,12 +564,14 @@ private module Cached {
DataFlowIntegrationImpl::localMustFlowStep(v, nodeFrom, nodeTo)
}
signature predicate guardChecksSig(Guards::Guard g, Expr e, boolean branch);
signature predicate guardChecksSig(Guards::Guard g, Expr e, Guards::GuardValue gv);
cached // nothing is actually cached
module BarrierGuard<guardChecksSig/3 guardChecks> {
private predicate guardChecksAdjTypes(Guards::Guards_v3::Guard g, Expr e, boolean branch) {
guardChecks(g, e, branch)
private predicate guardChecksAdjTypes(
Guards::Guards_v3::Guard g, Expr e, Guards::GuardValue gv
) {
guardChecks(g, e, gv)
}
private predicate guardChecksWithWrappers(
@@ -586,6 +588,36 @@ private module Cached {
predicate getABarrierNode = getABarrierNodeImpl/0;
}
bindingset[this]
private signature class ParamSig;
private module WithParam<ParamSig P> {
signature predicate guardChecksSig(Guards::Guard g, Expr e, Guards::GuardValue gv, P param);
}
cached // nothing is actually cached
module ParameterizedBarrierGuard<ParamSig P, WithParam<P>::guardChecksSig/4 guardChecks> {
private predicate guardChecksAdjTypes(
Guards::Guards_v3::Guard g, Expr e, Guards::GuardValue gv, P param
) {
guardChecks(g, e, gv, param)
}
private predicate guardChecksWithWrappers(
DataFlowIntegrationInput::Guard g, Definition def, Guards::GuardValue val, P param
) {
Guards::Guards_v3::ParameterizedValidationWrapper<P, guardChecksAdjTypes/4>::guardChecksDef(g,
def, val, param)
}
private Node getABarrierNodeImpl(P param) {
result =
DataFlowIntegrationImpl::BarrierGuardDefWithState<P, guardChecksWithWrappers/4>::getABarrierNode(param)
}
predicate getABarrierNode = getABarrierNodeImpl/1;
}
}
cached

35
java/ql/lib/semmle/code/java/frameworks/Regex.qll
View File

@@ -4,11 +4,46 @@ module;
import java
/** The class `java.util.regex.Matcher`. */
class TypeRegexMatcher extends Class {
TypeRegexMatcher() { this.hasQualifiedName("java.util.regex", "Matcher") }
}
/**
* The `matches` method of `java.util.regex.Matcher`.
*/
class MatcherMatchesMethod extends Method {
MatcherMatchesMethod() {
this.getDeclaringType() instanceof TypeRegexMatcher and
this.hasName("matches")
}
}
/** The class `java.util.regex.Pattern`. */
class TypeRegexPattern extends Class {
TypeRegexPattern() { this.hasQualifiedName("java.util.regex", "Pattern") }
}
/**
* The `matches` method of `java.util.regex.Pattern`.
*/
class PatternMatchesMethod extends Method {
PatternMatchesMethod() {
this.getDeclaringType() instanceof TypeRegexPattern and
this.hasName("matches")
}
}
/**
* The `matcher` method of `java.util.regex.Pattern`.
*/
class PatternMatcherMethod extends Method {
PatternMatcherMethod() {
this.getDeclaringType() instanceof TypeRegexPattern and
this.hasName("matcher")
}
}
/** The `quote` method of the `java.util.regex.Pattern` class. */
class PatternQuoteMethod extends Method {
PatternQuoteMethod() {

4
java/ql/lib/semmle/code/java/frameworks/google/GoogleHttpClientApi.qll
View File

@@ -26,9 +26,7 @@ private module TypeLiteralToParseAsFlowConfig implements DataFlow::ConfigSig {
private module TypeLiteralToParseAsFlow = DataFlow::Global<TypeLiteralToParseAsFlowConfig>;
private TypeLiteral getSourceWithFlowToParseAs() {
TypeLiteralToParseAsFlow::flow(DataFlow::exprNode(result), _)
}
private TypeLiteral getSourceWithFlowToParseAs() { TypeLiteralToParseAsFlow::flowFromExpr(result) }
/** A field that is deserialized by `HttpResponse.parseAs`. */
class HttpResponseParseAsDeserializableField extends DeserializableField {

11
java/ql/lib/semmle/code/java/frameworks/hudson/Hudson.qll
View File

@@ -14,14 +14,3 @@ class HudsonWebMethod extends Method {
this.getDeclaringType().getASourceSupertype*().hasQualifiedName("hudson.model", "Descriptor")
}
}
private class HudsonUtilXssSanitizer extends XssSanitizer {
HudsonUtilXssSanitizer() {
this.asExpr()
.(MethodCall)
.getMethod()
// Not including xmlEscape because it only accounts for >, <, and &.
// It does not account for ", or ', which makes it an incomplete XSS sanitizer.
.hasQualifiedName("hudson", "Util", "escape")
}
}

2
java/ql/lib/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
View File

@@ -110,7 +110,7 @@ private module TypeLiteralToJacksonDatabindFlow =
DataFlow::Global<TypeLiteralToJacksonDatabindFlowConfig>;
private TypeLiteral getSourceWithFlowToJacksonDatabind() {
TypeLiteralToJacksonDatabindFlow::flow(DataFlow::exprNode(result), _)
TypeLiteralToJacksonDatabindFlow::flowFromExpr(result)
}
/** A type whose values are explicitly deserialized in a call to a Jackson method. */

42
java/ql/lib/semmle/code/java/frameworks/owasp/Esapi.qll
View File

@@ -1,42 +0,0 @@
/** Classes and predicates for reasoning about the `owasp.easpi` package. */
overlay[local?]
module;
import java
/**
* The `org.owasp.esapi.Validator` interface.
*/
class EsapiValidator extends RefType {
EsapiValidator() { this.hasQualifiedName("org.owasp.esapi", "Validator") }
}
/**
* The methods of `org.owasp.esapi.Validator` which validate data.
*/
class EsapiIsValidMethod extends Method {
EsapiIsValidMethod() {
this.getDeclaringType() instanceof EsapiValidator and
this.hasName([
"isValidCreditCard", "isValidDate", "isValidDirectoryPath", "isValidDouble",
"isValidFileContent", "isValidFileName", "isValidInput", "isValidInteger",
"isValidListItem", "isValidNumber", "isValidPrintable", "isValidRedirectLocation",
"isValidSafeHTML", "isValidURI"
])
}
}
/**
* The methods of `org.owasp.esapi.Validator` which return validated data.
*/
class EsapiGetValidMethod extends Method {
EsapiGetValidMethod() {
this.getDeclaringType() instanceof EsapiValidator and
this.hasName([
"getValidCreditCard", "getValidDate", "getValidDirectoryPath", "getValidDouble",
"getValidFileContent", "getValidFileName", "getValidInput", "getValidInteger",
"getValidListItem", "getValidNumber", "getValidPrintable", "getValidRedirectLocation",
"getValidSafeHTML", "getValidURI"
])
}
}

2
java/ql/lib/semmle/code/java/regex/RegexFlowConfigs.qll
View File

@@ -164,7 +164,7 @@ private module RegexFlowConfig implements DataFlow::ConfigSig {
private module RegexFlow = DataFlow::Global<RegexFlowConfig>;
private predicate usedAsRegexImpl(StringLiteral regex, string mode, boolean match_full_string) {
RegexFlow::flow(DataFlow::exprNode(regex), _) and
RegexFlow::flowFromExpr(regex) and
mode = "None" and // TODO: proper mode detection
(if matchesFullString(regex) then match_full_string = true else match_full_string = false)
}

5
java/ql/lib/semmle/code/java/security/AndroidIntentRedirection.qll
View File

@@ -35,6 +35,11 @@ private class DefaultIntentRedirectionSink extends IntentRedirectionSink {
DefaultIntentRedirectionSink() { sinkNode(this, "intent-redirection") }
}
/** An external sanitizer for Intent redirection vulnerabilities. */
private class ExternalIntentRedirectionSanitizer extends IntentRedirectionSanitizer {
ExternalIntentRedirectionSanitizer() { barrierNode(this, "intent-redirection") }
}
/**
* A default sanitizer for `Intent` nodes dominated by calls to `ComponentName.getPackageName`
* and `ComponentName.getClassName`. These are used to check whether the origin or destination

4
java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
View File

@@ -37,6 +37,10 @@ private class DefaultCommandInjectionSink extends CommandInjectionSink {
DefaultCommandInjectionSink() { sinkNode(this, "command-injection") }
}
private class ExternalCommandInjectionSanitizer extends CommandInjectionSanitizer {
ExternalCommandInjectionSanitizer() { barrierNode(this, "command-injection") }
}
private class DefaultCommandInjectionSanitizer extends CommandInjectionSanitizer {
DefaultCommandInjectionSanitizer() {
this instanceof SimpleTypeSanitizer

9
java/ql/lib/semmle/code/java/security/FragmentInjection.qll
View File

@@ -49,6 +49,15 @@ private class DefaultFragmentInjectionSink extends FragmentInjectionSink {
DefaultFragmentInjectionSink() { sinkNode(this, "fragment-injection") }
}
/**
* A sanitizer for Fragment injection vulnerabilities.
*/
abstract class FragmentInjectionSanitizer extends DataFlow::Node { }
private class ExternalFragmentInjectionSanitizer extends FragmentInjectionSanitizer {
ExternalFragmentInjectionSanitizer() { barrierNode(this, "fragment-injection") }
}
private class DefaultFragmentInjectionAdditionalTaintStep extends FragmentInjectionAdditionalTaintStep
{
override predicate step(DataFlow::Node n1, DataFlow::Node n2) {

2
java/ql/lib/semmle/code/java/security/FragmentInjectionQuery.qll
View File

@@ -14,6 +14,8 @@ module FragmentInjectionTaintConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) { sink instanceof FragmentInjectionSink }
predicate isBarrier(DataFlow::Node node) { node instanceof FragmentInjectionSanitizer }
predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
any(FragmentInjectionAdditionalTaintStep c).step(n1, n2)
}

7
java/ql/lib/semmle/code/java/security/GroovyInjection.qll
View File

@@ -26,6 +26,13 @@ private class DefaultGroovyInjectionSink extends GroovyInjectionSink {
DefaultGroovyInjectionSink() { sinkNode(this, "groovy-injection") }
}
/** A data flow sanitizer for Groovy expression injection vulnerabilities. */
abstract class GroovyInjectionSanitizer extends DataFlow::ExprNode { }
private class ExternalGroovyInjectionSanitizer extends GroovyInjectionSanitizer {
ExternalGroovyInjectionSanitizer() { barrierNode(this, "groovy-injection") }
}
/** A set of additional taint steps to consider when taint tracking Groovy related data flows. */
private class DefaultGroovyInjectionAdditionalTaintStep extends GroovyInjectionAdditionalTaintStep {
override predicate step(DataFlow::Node node1, DataFlow::Node node2) {

2
java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll
View File

@@ -51,7 +51,7 @@ private module VerifiedIntentFlow = DataFlow::Global<VerifiedIntentConfig>;
/** An `onReceive` method that doesn't verify the action of the intent it receives. */
private class UnverifiedOnReceiveMethod extends OnReceiveMethod {
UnverifiedOnReceiveMethod() {
not VerifiedIntentFlow::flow(DataFlow::parameterNode(this.getIntentParameter()), _) and
not VerifiedIntentFlow::flowFrom(DataFlow::parameterNode(this.getIntentParameter())) and
// Empty methods do not need to be verified since they do not perform any actions.
this.getBody().getNumStmt() > 0
}

16
java/ql/lib/semmle/code/java/security/PathSanitizer.qll
View File

@@ -4,6 +4,7 @@ module;
import java
private import semmle.code.java.controlflow.Guards
private import semmle.code.java.dataflow.ExternalFlow
private import semmle.code.java.dataflow.FlowSources
private import semmle.code.java.dataflow.SSA
private import semmle.code.java.frameworks.kotlin.IO
@@ -288,19 +289,8 @@ private Method getSourceMethod(Method m) {
result = m
}
/**
* A sanitizer that protects against path injection vulnerabilities
* by extracting the final component of the user provided path.
*
* TODO: convert this class to models-as-data if sanitizer support is added
*/
private class FileGetNameSanitizer extends PathInjectionSanitizer {
FileGetNameSanitizer() {
exists(MethodCall mc |
mc.getMethod().hasQualifiedName("java.io", "File", "getName") and
this.asExpr() = mc
)
}
private class ExternalPathInjectionSanitizer extends PathInjectionSanitizer {
ExternalPathInjectionSanitizer() { barrierNode(this, "path-injection") }
}
/** Holds if `g` is a guard that checks for `..` components. */

42
java/ql/lib/semmle/code/java/security/RequestForgery.qll
View File

@@ -118,25 +118,8 @@ private class ContainsUrlSanitizer extends RequestForgerySanitizer {
}
}
/**
* A check that the URL is relative, and therefore safe for URL redirects.
*/
private predicate isRelativeUrlSanitizer(Guard guard, Expr e, boolean branch) {
guard =
any(MethodCall call |
call.getMethod().hasQualifiedName("java.net", "URI", "isAbsolute") and
e = call.getQualifier() and
branch = false
)
}
/**
* A check that the URL is relative, and therefore safe for URL redirects.
*/
private class RelativeUrlSanitizer extends RequestForgerySanitizer {
RelativeUrlSanitizer() {
this = DataFlow::BarrierGuard<isRelativeUrlSanitizer/3>::getABarrierNode()
}
private class ExternalRequestForgerySanitizer extends RequestForgerySanitizer {
ExternalRequestForgerySanitizer() { barrierNode(this, "request-forgery") }
}
/**
@@ -166,22 +149,7 @@ private class HostComparisonSanitizer extends RequestForgerySanitizer {
}
/**
* A qualifier in a call to a `.matches()` method that is a sanitizer for URL redirects.
*
* Matches any method call where the method is named `matches`.
* A comparison with a regular expression that is a sanitizer for URL redirects.
*/
private predicate isMatchesSanitizer(Guard guard, Expr e, boolean branch) {
guard =
any(MethodCall method |
method.getMethod().getName() = "matches" and
e = method.getQualifier() and
branch = true
)
}
/**
* A qualifier in a call to `.matches()` that is a sanitizer for URL redirects.
*/
private class MatchesSanitizer extends RequestForgerySanitizer {
MatchesSanitizer() { this = DataFlow::BarrierGuard<isMatchesSanitizer/3>::getABarrierNode() }
}
private class RegexpCheckRequestForgerySanitizer extends RequestForgerySanitizer instanceof RegexpCheckBarrier
{ }

43
java/ql/lib/semmle/code/java/security/Sanitizers.qll
View File

@@ -3,7 +3,9 @@ overlay[local?]
module;
import java
private import semmle.code.java.controlflow.Guards
private import semmle.code.java.dataflow.DataFlow
private import semmle.code.java.frameworks.Regex
/**
* A node whose type is a simple type unlikely to carry taint, such as primitives and their boxed counterparts,
@@ -29,3 +31,44 @@ class SimpleTypeSanitizer extends DataFlow::Node {
this.getType() instanceof EnumType
}
}
/**
* Holds if `guard` holds with branch `branch` if `e` matches a regular expression.
*
* This is overapproximate: we do not attempt to reason about the correctness of the regexp.
*
* Use this if you want to define a derived `DataFlow::BarrierGuard` without
* make the type recursive. Otherwise use `RegexpCheckBarrier`.
*/
predicate regexpMatchGuardChecks(Guard guard, Expr e, boolean branch) {
exists(Method method, MethodCall mc |
method = mc.getMethod() and
guard = mc and
branch = true
|
// `String.matches` and other `matches` methods.
method.getName() = "matches" and
e = mc.getQualifier()
or
method instanceof PatternMatchesMethod and
e = mc.getArgument(1)
or
method instanceof MatcherMatchesMethod and
exists(MethodCall matcherCall |
matcherCall.getMethod() instanceof PatternMatcherMethod and
e = matcherCall.getArgument(0) and
DataFlow::localExprFlow(matcherCall, mc.getQualifier())
)
)
}
/**
* A check against a regular expression, considered as a barrier guard.
*
* This is overapproximate: we do not attempt to reason about the correctness of the regexp.
*/
class RegexpCheckBarrier extends DataFlow::Node {
RegexpCheckBarrier() {
this = DataFlow::BarrierGuard<regexpMatchGuardChecks/3>::getABarrierNode()
}
}

22
java/ql/lib/semmle/code/java/security/TrustBoundaryViolationQuery.qll
View File

@@ -5,7 +5,6 @@ private import semmle.code.java.dataflow.DataFlow
private import semmle.code.java.controlflow.Guards
private import semmle.code.java.dataflow.ExternalFlow
private import semmle.code.java.dataflow.FlowSources
private import semmle.code.java.frameworks.owasp.Esapi
private import semmle.code.java.security.Sanitizers
/**
@@ -28,25 +27,8 @@ class TrustBoundaryViolationSink extends DataFlow::Node {
*/
abstract class TrustBoundaryValidationSanitizer extends DataFlow::Node { }
/**
* A node validated by an OWASP ESAPI validation method.
*/
private class EsapiValidatedInputSanitizer extends TrustBoundaryValidationSanitizer {
EsapiValidatedInputSanitizer() {
this = DataFlow::BarrierGuard<esapiIsValidData/3>::getABarrierNode() or
this.asExpr().(MethodCall).getMethod() instanceof EsapiGetValidMethod
}
}
/**
* Holds if `g` is a guard that checks that `e` is valid data according to an OWASP ESAPI validation method.
*/
private predicate esapiIsValidData(Guard g, Expr e, boolean branch) {
branch = true and
exists(MethodCall ma | ma.getMethod() instanceof EsapiIsValidMethod |
g = ma and
e = ma.getArgument(1)
)
private class ExternalTrustBoundaryValidationSanitizer extends TrustBoundaryValidationSanitizer {
ExternalTrustBoundaryValidationSanitizer() { barrierNode(this, "trust-boundary-violation") }
}
/**

22
java/ql/lib/semmle/code/java/security/XSS.qll
View File

@@ -54,12 +54,24 @@ private class DefaultXssSink extends XssSink {
}
}
/** A default sanitizer that considers numeric and boolean typed data safe for writing to output. */
private class DefaultXssSanitizer extends XssSanitizer {
DefaultXssSanitizer() {
private class ExternalXssSanitizer extends XssSanitizer {
ExternalXssSanitizer() { barrierNode(this, ["html-injection", "js-injection"]) }
}
/** A sanitizer that considers numeric and boolean typed data safe for writing to output. */
private class PrimitiveSanitizer extends XssSanitizer {
PrimitiveSanitizer() {
this.getType() instanceof NumericType or
this.getType() instanceof BooleanType or
// Match `org.springframework.web.util.HtmlUtils.htmlEscape` and possibly other methods like it.
this.getType() instanceof BooleanType
}
}
/**
* A call to `org.springframework.web.util.HtmlUtils.htmlEscape`, or possibly
* other methods like it, considered as a sanitizer for XSS.
*/
private class HtmlEscapeXssSanitizer extends XssSanitizer {
HtmlEscapeXssSanitizer() {
this.asExpr().(MethodCall).getMethod().getName().regexpMatch("(?i)html_?escape.*")
}
}

13
java/ql/lib/semmle/code/java/security/regexp/RegexInjection.qll
View File

@@ -21,17 +21,8 @@ private class DefaultRegexInjectionSink extends RegexInjectionSink {
}
}
/**
* A call to the `Pattern.quote` method, which gives metacharacters or escape sequences
* no special meaning.
*/
private class PatternQuoteCall extends RegexInjectionSanitizer {
PatternQuoteCall() {
exists(MethodCall ma, Method m | m = ma.getMethod() |
ma.getArgument(0) = this.asExpr() and
m instanceof PatternQuoteMethod
)
}
private class ExternalRegexInjectionSanitizer extends RegexInjectionSanitizer {
ExternalRegexInjectionSanitizer() { barrierNode(this, "regex-use") }
}
/**

2
java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.ql
View File

@@ -118,7 +118,7 @@ where
// implicit: no setAllowContentAccess(false)
exists(WebViewSource source |
source.asExpr() = e and
not WebViewDisallowContentAccessFlow::flow(source, _)
not WebViewDisallowContentAccessFlow::flowFrom(source)
)
select e,
"Sensitive information may be exposed via a malicious link due to access to content:// links being allowed in this WebView."

4
java/ql/src/change-notes/2025-11-25-thread-safe-initializers.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Java thread safety analysis now understands initialization to thread safe classes inside constructors.

2
java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
View File

@@ -85,7 +85,7 @@ private module JxBrowserFlow = DataFlow::Global<JxBrowserFlowConfig>;
deprecated query predicate problems(DataFlow::Node src, string message) {
JxBrowserFlowConfig::isSource(src) and
not JxBrowserFlow::flow(src, _) and
not JxBrowserFlow::flowFrom(src) and
not isSafeJxBrowserVersion() and
message = "This JxBrowser instance may not check HTTPS certificates."
}

4
java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql
View File

@@ -50,7 +50,7 @@ private Expr getAccessControlAllowOriginHeaderName() {
* A taint-tracking configuration for flow from a source node to CorsProbableCheckAccess methods.
*/
module CorsSourceReachesCheckConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { CorsOriginFlow::flow(source, _) }
predicate isSource(DataFlow::Node source) { CorsOriginFlow::flowFrom(source) }
predicate isSink(DataFlow::Node sink) {
sink.asExpr() = any(CorsProbableCheckAccess check).getAnArgument()
@@ -86,7 +86,7 @@ deprecated query predicate problems(
string message1, DataFlow::Node sourceNode, string message2
) {
CorsOriginFlow::flowPath(source, sink) and
not CorsSourceReachesCheckFlow::flow(sourceNode, _) and
not CorsSourceReachesCheckFlow::flowFrom(sourceNode) and
sinkNode = sink.getNode() and
message1 = "CORS header is being set using user controlled value $@." and
sourceNode = source.getNode() and

2
java/ql/src/experimental/Security/CWE/CWE-347/Auth0NoVerifier.ql
View File

@@ -17,7 +17,7 @@ deprecated import JwtAuth0 as JwtAuth0
deprecated module JwtDecodeConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source instanceof RemoteFlowSource and
not FlowToJwtVerify::flow(source, _)
not FlowToJwtVerify::flowFrom(source)
}
predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(JwtAuth0::GetPayload a) }

2
java/ql/src/experimental/semmle/code/java/security/DecompressionBombQuery.qll
View File

@@ -1,7 +1,7 @@
deprecated module;
import experimental.semmle.code.java.security.FileAndFormRemoteSource
import experimental.semmle.code.java.security.DecompressionBomb::DecompressionBomb
import semmle.code.java.dataflow.FlowSources
module DecompressionBombsConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

120
java/ql/src/experimental/semmle/code/java/security/FileAndFormRemoteSource.qll
View File

@@ -1,120 +0,0 @@
deprecated module;
import java
import semmle.code.java.dataflow.FlowSources
class CommonsFileUploadAdditionalTaintStep extends Unit {
abstract predicate step(DataFlow::Node n1, DataFlow::Node n2);
}
module ApacheCommonsFileUpload {
module RemoteFlowSource {
class TypeServletFileUpload extends RefType {
TypeServletFileUpload() {
this.hasQualifiedName("org.apache.commons.fileupload.servlet", "ServletFileUpload")
}
}
class TypeFileUpload extends RefType {
TypeFileUpload() {
this.getAStrictAncestor*().hasQualifiedName("org.apache.commons.fileupload", "FileItem")
}
}
class TypeFileItemStream extends RefType {
TypeFileItemStream() {
this.getAStrictAncestor*()
.hasQualifiedName("org.apache.commons.fileupload", "FileItemStream")
}
}
class ServletFileUpload extends RemoteFlowSource {
ServletFileUpload() {
exists(MethodCall ma |
ma.getReceiverType() instanceof TypeServletFileUpload and
ma.getCallee().hasName("parseRequest") and
this.asExpr() = ma
)
}
override string getSourceType() { result = "Apache Commons Fileupload" }
}
private class FileItemRemoteSource extends RemoteFlowSource {
FileItemRemoteSource() {
exists(MethodCall ma |
ma.getReceiverType() instanceof TypeFileUpload and
ma.getCallee()
.hasName([
"getInputStream", "getFieldName", "getContentType", "get", "getName", "getString"
]) and
this.asExpr() = ma
)
}
override string getSourceType() { result = "Apache Commons Fileupload" }
}
private class FileItemStreamRemoteSource extends RemoteFlowSource {
FileItemStreamRemoteSource() {
exists(MethodCall ma |
ma.getReceiverType() instanceof TypeFileItemStream and
ma.getCallee().hasName(["getContentType", "getFieldName", "getName", "openStream"]) and
this.asExpr() = ma
)
}
override string getSourceType() { result = "Apache Commons Fileupload" }
}
}
module Util {
class TypeStreams extends RefType {
TypeStreams() { this.hasQualifiedName("org.apache.commons.fileupload.util", "Streams") }
}
private class AsStringAdditionalTaintStep extends CommonsFileUploadAdditionalTaintStep {
override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
exists(Call call |
call.getCallee().getDeclaringType() instanceof TypeStreams and
call.getArgument(0) = n1.asExpr() and
call = n2.asExpr() and
call.getCallee().hasName("asString")
)
}
}
private class CopyAdditionalTaintStep extends CommonsFileUploadAdditionalTaintStep {
override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
exists(Call call |
call.getCallee().getDeclaringType() instanceof TypeStreams and
call.getArgument(0) = n1.asExpr() and
call.getArgument(1) = n2.asExpr() and
call.getCallee().hasName("copy")
)
}
}
}
}
module ServletRemoteMultiPartSources {
class TypePart extends RefType {
TypePart() { this.hasQualifiedName(["javax.servlet.http", "jakarta.servlet.http"], "Part") }
}
private class ServletPartCalls extends RemoteFlowSource {
ServletPartCalls() {
exists(MethodCall ma |
ma.getReceiverType() instanceof TypePart and
ma.getCallee()
.hasName([
"getInputStream", "getName", "getContentType", "getHeader", "getHeaders",
"getHeaderNames", "getSubmittedFileName", "write"
]) and
this.asExpr() = ma
)
}
override string getSourceType() { result = "Javax Servlet Http" }
}
}

2
java/ql/src/utils/modelgenerator/internal/CaptureModels.qll
View File

@@ -218,6 +218,8 @@ module SummaryModelGeneratorInput implements SummaryModelGeneratorInputSig {
)
}
int contentAccessPathLimitInternal() { result = 2 }
predicate isField(DataFlow::ContentSet c) {
c instanceof DataFlowUtil::FieldContent or
c instanceof DataFlowUtil::SyntheticFieldContent

4
java/ql/test-kotlin1/library-tests/parameter-defaults/flowTest.ql
View File

@@ -25,9 +25,7 @@ module Config implements DataFlow::ConfigSig {
module Flow = DataFlow::Global<Config>;
predicate isSunk(StringLiteral sl) {
exists(DataFlow::Node source | Flow::flow(source, _) and sl = source.asExpr())
}
predicate isSunk(StringLiteral sl) { Flow::flowFromExpr(sl) }
query predicate shouldBeSunkButIsnt(ShouldBeSunk src) { not isSunk(src) }

4
java/ql/test-kotlin2/library-tests/parameter-defaults/flowTest.ql
View File

@@ -25,9 +25,7 @@ module Config implements DataFlow::ConfigSig {
module Flow = DataFlow::Global<Config>;
predicate isSunk(StringLiteral sl) {
exists(DataFlow::Node source | Flow::flow(source, _) and sl = source.asExpr())
}
predicate isSunk(StringLiteral sl) { Flow::flowFromExpr(sl) }
query predicate shouldBeSunkButIsnt(ShouldBeSunk src) { not isSunk(src) }

27
java/ql/test/library-tests/dataflow/ssa/A.java
View File

@@ -4,7 +4,13 @@ public class A {
boolean isSafe(Object o) { return o == null; }
void foo() {
void assertSafe(Object o) { if (o != null) throw new RuntimeException(); }
private boolean wrapIsSafe(Object o) { return isSafe(o); }
private void wrapAssertSafe(Object o) { assertSafe(o); }
void test1() {
Object x = source();
if (!isSafe(x)) {
x = null;
@@ -21,4 +27,23 @@ public class A {
}
sink(x);
}
void test2() {
Object x = source();
assertSafe(x);
sink(x);
}
void test3() {
Object x = source();
if (wrapIsSafe(x)) {
sink(x);
}
}
void test4() {
Object x = source();
wrapAssertSafe(x);
sink(x);
}
}

10
java/ql/test/library-tests/dataflow/ssa/test.ql
View File

@@ -10,6 +10,14 @@ private predicate isSafe(Guard g, Expr checked, boolean branch) {
)
}
private predicate assertSafe(Guard g, Expr checked, GuardValue gv) {
exists(MethodCall mc | g = mc |
mc.getMethod().hasName("assertSafe") and
checked = mc.getAnArgument() and
gv.getDualValue().isThrowsException()
)
}
module TestConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source.asExpr().(MethodCall).getMethod().hasName("source")
@@ -21,6 +29,8 @@ module TestConfig implements DataFlow::ConfigSig {
predicate isBarrier(DataFlow::Node node) {
node = DataFlow::BarrierGuard<isSafe/3>::getABarrierNode()
or
node = DataFlow::BarrierGuardValue<assertSafe/3>::getABarrierNode()
}
}

52
java/ql/test/library-tests/dataflow/taintsources/FileUpload.java Normal file
View File

@@ -0,0 +1,52 @@
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileItemStream;
import org.apache.commons.fileupload.servlet.ServletFileUpload;
public class FileUpload {
private HttpServletRequest request;
private HttpServletResponse response;
private javax.servlet.http.Part filePart;
private FileItem fileItem;
private FileItemStream fileItemStream;
private jakarta.servlet.http.Part jakartaPart;
private ServletFileUpload servletFileUpload;
private static void sink(Object o) {}
public void test() throws Exception {
sink(filePart.getContentType()); // $ hasRemoteValueFlow
sink(filePart.getHeader("test")); // $ hasRemoteValueFlow
sink(filePart.getHeaderNames()); // $ hasRemoteValueFlow
sink(filePart.getHeaders("test")); // $ hasRemoteValueFlow
sink(filePart.getInputStream()); // $ hasRemoteValueFlow
sink(filePart.getName()); // $ hasRemoteValueFlow
sink(filePart.getSubmittedFileName()); // $ hasRemoteValueFlow
sink(fileItem.get()); // $ hasRemoteValueFlow
sink(fileItem.getContentType()); // $ hasRemoteValueFlow
sink(fileItem.getFieldName()); // $ hasRemoteValueFlow
sink(fileItem.getInputStream()); // $ hasRemoteValueFlow
sink(fileItem.getName()); // $ hasRemoteValueFlow
sink(fileItem.getName()); // $ hasRemoteValueFlow
sink(fileItem.getString()); // $ hasRemoteValueFlow
sink(fileItemStream.getContentType()); // $ hasRemoteValueFlow
sink(fileItemStream.getFieldName()); // $ hasRemoteValueFlow
sink(fileItemStream.getName()); // $ hasRemoteValueFlow
sink(fileItemStream.openStream()); // $ hasRemoteValueFlow
sink(jakartaPart.getContentType()); // $ hasRemoteValueFlow
sink(jakartaPart.getHeader("test")); // $ hasRemoteValueFlow
sink(jakartaPart.getHeaderNames()); // $ hasRemoteValueFlow
sink(jakartaPart.getHeaders("test")); // $ hasRemoteValueFlow
sink(jakartaPart.getInputStream()); // $ hasRemoteValueFlow
sink(jakartaPart.getName()); // $ hasRemoteValueFlow
sink(jakartaPart.getSubmittedFileName()); // $ hasRemoteValueFlow
FileItem item = servletFileUpload.parseRequest(request).get(0);
sink(item.getName()); // $ hasRemoteValueFlow
}
}

2
java/ql/test/library-tests/dataflow/taintsources/options
View File

@@ -1 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/springframework-5.8.x:${testdir}/../../../stubs/google-android-9.0.0:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jackson-databind-2.12:${testdir}/../../../stubs/jackson-core-2.12:${testdir}/../../../stubs/akka-2.6.x:${testdir}/../../../stubs/jwtk-jjwt-0.11.2:${testdir}/../../../stubs/jenkins:${testdir}/../../../stubs/stapler-1.263
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jakarta.servlet-api-6.0.0:${testdir}/../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/springframework-5.8.x:${testdir}/../../../stubs/google-android-9.0.0:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jackson-databind-2.12:${testdir}/../../../stubs/jackson-core-2.12:${testdir}/../../../stubs/akka-2.6.x:${testdir}/../../../stubs/jwtk-jjwt-0.11.2:${testdir}/../../../stubs/jenkins:${testdir}/../../../stubs/stapler-1.263

2
java/ql/test/library-tests/frameworks/android/taint-database/flowSteps.ql
View File

@@ -20,7 +20,7 @@ module FlowStepTest implements TestSig {
predicate hasActualResult(Location l, string element, string tag, string value) {
tag = "taintReachesReturn" and
value = "" and
exists(DataFlow::Node source | Flow::flow(source, _) |
exists(DataFlow::Node source | Flow::flowFrom(source) |
l = source.getLocation() and
element = source.toString()
)

2
java/ql/test/library-tests/frameworks/android/taint-database/sinks.ql
View File

@@ -20,7 +20,7 @@ module SinkTest implements TestSig {
predicate hasActualResult(Location l, string element, string tag, string value) {
tag = "taintReachesSink" and
value = "" and
exists(DataFlow::Node source | Flow::flow(source, _) |
exists(DataFlow::Node source | Flow::flowFrom(source) |
l = source.getLocation() and
element = source.toString()
)

55
java/ql/test/library-tests/frameworks/apache-commons-fileupload-1.4/Test.java Normal file
View File

@@ -0,0 +1,55 @@
package com.mycompany.app;
import org.apache.commons.fileupload.util.Streams;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.ByteArrayOutputStream;
// Test case generated by GenerateFlowTestCase.ql
public class Test {
Object source() {
return null;
}
void sink(Object o) {
}
public void test() throws Exception {
{
InputStream in = (InputStream)source();
OutputStream os = new ByteArrayOutputStream(1024);
InputStream in2 = (InputStream)source();
OutputStream os2 = new ByteArrayOutputStream(1024);
byte[] myArray = new byte[1024];
// "org.apache.commons.fileupload.util;Streams;true;copy;(InputStream,OutputStream,boolean,byte[]);;Argument[0];Argument[1];taint;manual"
long status = Streams.copy(in, os, true, myArray);
sink(os); // $ hasTaintFlow
// "org.apache.commons.fileupload.util;Streams;true;copy;(InputStream,OutputStream,boolean);;Argument[0];Argument[1];taint;manual"
long status2 = Streams.copy(in2, os2, true);
sink(os2); // $ hasTaintFlow
}
}
public void test2() throws Exception {
{
InputStream in = (InputStream)source();
// "org.apache.commons.fileupload.util;Streams;true;asString;(InputStream,String);;Argument[0];ReturnValue;taint;manual"
String result = Streams.asString(in);
sink(result); // $ hasTaintFlow
InputStream in1 = (InputStream)source();
// "org.apache.commons.fileupload.util;Streams;true;asString;(InputStream,String);;Argument[0];ReturnValue;taint;manual"
String result1 = Streams.asString(in1, "test");
sink(result1); // $ hasTaintFlow
}
}
}

1
java/ql/test/library-tests/frameworks/apache-commons-fileupload-1.4/options Normal file
View File

@@ -0,0 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/apache-commons-fileupload-1.4

45
java/ql/test/library-tests/frameworks/apache-commons-fileupload-1.4/test.expected Normal file
View File

@@ -0,0 +1,45 @@
models
| 1 | Summary: org.apache.commons.fileupload.util; Streams; true; asString; (InputStream); ; Argument[0]; ReturnValue; taint; manual |
| 2 | Summary: org.apache.commons.fileupload.util; Streams; true; asString; (InputStream,String); ; Argument[0]; ReturnValue; taint; manual |
| 3 | Summary: org.apache.commons.fileupload.util; Streams; true; copy; (InputStream,OutputStream,boolean); ; Argument[0]; Argument[1]; taint; manual |
| 4 | Summary: org.apache.commons.fileupload.util; Streams; true; copy; (InputStream,OutputStream,boolean,byte[]); ; Argument[0]; Argument[1]; taint; manual |
edges
| Test.java:21:30:21:50 | (...)... : InputStream | Test.java:30:31:30:32 | in : InputStream | provenance | |
| Test.java:21:43:21:50 | source(...) : Object | Test.java:21:30:21:50 | (...)... : InputStream | provenance | |
| Test.java:24:22:24:42 | (...)... : InputStream | Test.java:33:32:33:34 | in2 : InputStream | provenance | |
| Test.java:24:35:24:42 | source(...) : Object | Test.java:24:22:24:42 | (...)... : InputStream | provenance | |
| Test.java:30:31:30:32 | in : InputStream | Test.java:30:35:30:36 | os [post update] : ByteArrayOutputStream | provenance | MaD:4 |
| Test.java:30:35:30:36 | os [post update] : ByteArrayOutputStream | Test.java:31:9:31:10 | os | provenance | |
| Test.java:33:32:33:34 | in2 : InputStream | Test.java:33:37:33:39 | os2 [post update] : ByteArrayOutputStream | provenance | MaD:3 |
| Test.java:33:37:33:39 | os2 [post update] : ByteArrayOutputStream | Test.java:34:9:34:11 | os2 | provenance | |
| Test.java:42:30:42:50 | (...)... : InputStream | Test.java:44:37:44:38 | in : InputStream | provenance | |
| Test.java:42:43:42:50 | source(...) : Object | Test.java:42:30:42:50 | (...)... : InputStream | provenance | |
| Test.java:44:20:44:39 | asString(...) : String | Test.java:45:9:45:14 | result | provenance | |
| Test.java:44:37:44:38 | in : InputStream | Test.java:44:20:44:39 | asString(...) : String | provenance | MaD:1 |
| Test.java:47:31:47:51 | (...)... : InputStream | Test.java:49:47:49:49 | in1 : InputStream | provenance | |
| Test.java:47:44:47:51 | source(...) : Object | Test.java:47:31:47:51 | (...)... : InputStream | provenance | |
| Test.java:49:30:49:58 | asString(...) : String | Test.java:50:18:50:24 | result1 | provenance | |
| Test.java:49:47:49:49 | in1 : InputStream | Test.java:49:30:49:58 | asString(...) : String | provenance | MaD:2 |
nodes
| Test.java:21:30:21:50 | (...)... : InputStream | semmle.label | (...)... : InputStream |
| Test.java:21:43:21:50 | source(...) : Object | semmle.label | source(...) : Object |
| Test.java:24:22:24:42 | (...)... : InputStream | semmle.label | (...)... : InputStream |
| Test.java:24:35:24:42 | source(...) : Object | semmle.label | source(...) : Object |
| Test.java:30:31:30:32 | in : InputStream | semmle.label | in : InputStream |
| Test.java:30:35:30:36 | os [post update] : ByteArrayOutputStream | semmle.label | os [post update] : ByteArrayOutputStream |
| Test.java:31:9:31:10 | os | semmle.label | os |
| Test.java:33:32:33:34 | in2 : InputStream | semmle.label | in2 : InputStream |
| Test.java:33:37:33:39 | os2 [post update] : ByteArrayOutputStream | semmle.label | os2 [post update] : ByteArrayOutputStream |
| Test.java:34:9:34:11 | os2 | semmle.label | os2 |
| Test.java:42:30:42:50 | (...)... : InputStream | semmle.label | (...)... : InputStream |
| Test.java:42:43:42:50 | source(...) : Object | semmle.label | source(...) : Object |
| Test.java:44:20:44:39 | asString(...) : String | semmle.label | asString(...) : String |
| Test.java:44:37:44:38 | in : InputStream | semmle.label | in : InputStream |
| Test.java:45:9:45:14 | result | semmle.label | result |
| Test.java:47:31:47:51 | (...)... : InputStream | semmle.label | (...)... : InputStream |
| Test.java:47:44:47:51 | source(...) : Object | semmle.label | source(...) : Object |
| Test.java:49:30:49:58 | asString(...) : String | semmle.label | asString(...) : String |
| Test.java:49:47:49:49 | in1 : InputStream | semmle.label | in1 : InputStream |
| Test.java:50:18:50:24 | result1 | semmle.label | result1 |
subpaths
testFailures

4
java/ql/test/library-tests/frameworks/apache-commons-fileupload-1.4/test.ql Normal file
View File

@@ -0,0 +1,4 @@
import java
import utils.test.InlineFlowTest
import DefaultFlowTest
import TaintFlow::PathGraph

64
java/ql/test/library-tests/frameworks/spring/websocket/Test.java Normal file
View File

@@ -0,0 +1,64 @@
import org.springframework.web.socket.handler.TextWebSocketHandler;
import org.springframework.web.socket.WebSocketSession;
import org.springframework.web.socket.WebSocketMessage;
import org.springframework.web.socket.TextMessage;
import org.springframework.web.socket.BinaryMessage;
import org.springframework.web.socket.PongMessage;
import org.springframework.web.socket.CloseStatus;
public class Test {
void sink(Object o) {}
public class A extends TextWebSocketHandler {
@Override
public void handleMessage(WebSocketSession s, WebSocketMessage<?> m) {
sink(s); // $hasTaintFlow
sink(s.getAcceptedProtocol()); // $hasTaintFlow
sink(s.getHandshakeHeaders()); // $hasTaintFlow
sink(s.getPrincipal()); // $hasTaintFlow
sink(s.getUri()); // $hasTaintFlow
sink(m); // $hasTaintFlow
sink(m.getPayload()); // $hasTaintFlow
}
@Override
protected void handleTextMessage(WebSocketSession s, TextMessage m) {
sink(s); // $hasTaintFlow
sink(m); // $hasTaintFlow
sink(m.asBytes()); // $hasTaintFlow
}
@Override
protected void handleBinaryMessage(WebSocketSession s, BinaryMessage m) {
sink(s); // $hasTaintFlow
sink(m); // $hasTaintFlow
}
@Override
protected void handlePongMessage(WebSocketSession s, PongMessage m) {
sink(s); // $hasTaintFlow
sink(m); // $hasTaintFlow
}
@Override
public void afterConnectionEstablished(WebSocketSession s) {
sink(s); // $hasTaintFlow
}
@Override
public void afterConnectionClosed(WebSocketSession s, CloseStatus c) {
sink(s); // $hasTaintFlow
}
@Override
public void handleTransportError(WebSocketSession s, Throwable exc) {
sink(s); // $hasTaintFlow
}
}
}

1
java/ql/test/library-tests/frameworks/spring/websocket/options Normal file
View File

@@ -0,0 +1 @@
//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.8.x:${testdir}/../../../../stubs/javax-servlet-2.5:${testdir}/../../../../stubs/apache-commons-logging-1.2

0
java/ql/test/library-tests/frameworks/spring/websocket/test.expected Normal file
View File

16
java/ql/test/library-tests/frameworks/spring/websocket/test.ql Normal file
View File

@@ -0,0 +1,16 @@
import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.FlowSources
import utils.test.InlineFlowTest
module Config implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node node) {
DefaultFlowConfig::isSource(node)
or
node instanceof ActiveThreatModelSource
}
predicate isSink = DefaultFlowConfig::isSink/1;
}
import FlowTest<DefaultFlowConfig, Config>

1
java/ql/test/query-tests/ThreadSafe/ThreadSafe.expected
View File

@@ -43,3 +43,4 @@
| examples/Test.java:60:5:60:10 | this.y | This field access (publicly accessible via $@) is not protected by any monitor, but the class is annotated as @ThreadSafe. | examples/Test.java:60:5:60:10 | this.y | this expression |
| examples/Test.java:74:5:74:10 | this.y | This field access (publicly accessible via $@) is not protected by any monitor, but the class is annotated as @ThreadSafe. | examples/Test.java:74:5:74:10 | this.y | this expression |
| examples/Test.java:74:14:74:14 | y | This field access (publicly accessible via $@) is not protected by any monitor, but the class is annotated as @ThreadSafe. | examples/Test.java:74:14:74:14 | y | this expression |
| examples/ThreadSafeInitializers.java:45:9:45:14 | this.y | This field access (publicly accessible via $@) is not protected by any monitor, but the class is annotated as @ThreadSafe. | examples/ThreadSafeInitializers.java:45:9:45:14 | this.y | this expression |

55
java/ql/test/query-tests/ThreadSafe/examples/ThreadSafeInitializers.java Normal file
View File

@@ -0,0 +1,55 @@
package examples;
import java.util.Map;
import java.util.Set;
import java.util.HashMap;
import java.util.Collections;
import java.util.concurrent.ConcurrentHashMap;
@ThreadSafe
public class ThreadSafeInitializers {
private int y;
private final Map<Integer, Integer> sync_map;
private final Map<Integer, Integer> sync_map_initialised = Collections.synchronizedMap(new HashMap<Integer, Integer>());
private final Map<String, String> cmap;
private final Map<String, String> cmap_initialised = new ConcurrentHashMap();
private final Set<Integer> set;
private final Set<Integer> set_initialised = ConcurrentHashMap.newKeySet();
public ThreadSafeInitializers() {
sync_map = Collections.synchronizedMap(new HashMap<Integer, Integer>());
cmap = new ConcurrentHashMap();
set = ConcurrentHashMap.newKeySet();
}
public void sync_map_put(Integer i, Integer v) {
sync_map.put(i,v);
}
public void sync_map_initialised_put(Integer i, Integer v) {
sync_map_initialised.put(i,v);
}
public void cmap_put(String s1, String s2) {
cmap.put(s1, s2);
}
public void cmap_initialised_put(String s1, String s2) {
cmap_initialised.put(s1, s2);
}
public void setY(int y) {
this.y = y; // $ Alert
}
public void set_add(Integer i) {
set.add(i);
}
public void set_initialised_add(Integer i) {
set_initialised.add(i);
}
}

474
java/ql/test/query-tests/security/CWE-918/RequestForgery.expected
View File

@@ -228,30 +228,30 @@
| JdbcUrlSSRF.java:88:19:88:25 | jdbcUrl | JdbcUrlSSRF.java:80:26:80:56 | getParameter(...) : String | JdbcUrlSSRF.java:88:19:88:25 | jdbcUrl | Potential server-side request forgery due to a $@. | JdbcUrlSSRF.java:80:26:80:56 | getParameter(...) | user-provided value |
| ReactiveWebClientSSRF.java:16:52:16:54 | url | ReactiveWebClientSSRF.java:15:26:15:52 | getParameter(...) : String | ReactiveWebClientSSRF.java:16:52:16:54 | url | Potential server-side request forgery due to a $@. | ReactiveWebClientSSRF.java:15:26:15:52 | getParameter(...) | user-provided value |
| ReactiveWebClientSSRF.java:35:30:35:32 | url | ReactiveWebClientSSRF.java:32:26:32:52 | getParameter(...) : String | ReactiveWebClientSSRF.java:35:30:35:32 | url | Potential server-side request forgery due to a $@. | ReactiveWebClientSSRF.java:32:26:32:52 | getParameter(...) | user-provided value |
| SanitizationTests.java:22:52:22:54 | uri | SanitizationTests.java:19:31:19:57 | getParameter(...) : String | SanitizationTests.java:22:52:22:54 | uri | Potential server-side request forgery due to a $@. | SanitizationTests.java:19:31:19:57 | getParameter(...) | user-provided value |
| SanitizationTests.java:23:25:23:25 | r | SanitizationTests.java:19:31:19:57 | getParameter(...) : String | SanitizationTests.java:23:25:23:25 | r | Potential server-side request forgery due to a $@. | SanitizationTests.java:19:31:19:57 | getParameter(...) | user-provided value |
| SanitizationTests.java:76:59:76:77 | new URI(...) | SanitizationTests.java:75:33:75:63 | getParameter(...) : String | SanitizationTests.java:76:59:76:77 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:75:33:75:63 | getParameter(...) | user-provided value |
| SanitizationTests.java:77:25:77:32 | unsafer3 | SanitizationTests.java:75:33:75:63 | getParameter(...) : String | SanitizationTests.java:77:25:77:32 | unsafer3 | Potential server-side request forgery due to a $@. | SanitizationTests.java:75:33:75:63 | getParameter(...) | user-provided value |
| SanitizationTests.java:80:59:80:77 | new URI(...) | SanitizationTests.java:79:49:79:79 | getParameter(...) : String | SanitizationTests.java:80:59:80:77 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:79:49:79:79 | getParameter(...) | user-provided value |
| SanitizationTests.java:81:25:81:32 | unsafer4 | SanitizationTests.java:79:49:79:79 | getParameter(...) : String | SanitizationTests.java:81:25:81:32 | unsafer4 | Potential server-side request forgery due to a $@. | SanitizationTests.java:79:49:79:79 | getParameter(...) | user-provided value |
| SanitizationTests.java:85:59:85:88 | new URI(...) | SanitizationTests.java:84:31:84:61 | getParameter(...) : String | SanitizationTests.java:85:59:85:88 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:84:31:84:61 | getParameter(...) | user-provided value |
| SanitizationTests.java:86:25:86:32 | unsafer5 | SanitizationTests.java:84:31:84:61 | getParameter(...) : String | SanitizationTests.java:86:25:86:32 | unsafer5 | Potential server-side request forgery due to a $@. | SanitizationTests.java:84:31:84:61 | getParameter(...) | user-provided value |
| SanitizationTests.java:90:60:90:89 | new URI(...) | SanitizationTests.java:88:58:88:86 | getParameter(...) : String | SanitizationTests.java:90:60:90:89 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:88:58:88:86 | getParameter(...) | user-provided value |
| SanitizationTests.java:91:25:91:33 | unsafer5a | SanitizationTests.java:88:58:88:86 | getParameter(...) : String | SanitizationTests.java:91:25:91:33 | unsafer5a | Potential server-side request forgery due to a $@. | SanitizationTests.java:88:58:88:86 | getParameter(...) | user-provided value |
| SanitizationTests.java:95:60:95:90 | new URI(...) | SanitizationTests.java:93:60:93:88 | getParameter(...) : String | SanitizationTests.java:95:60:95:90 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:93:60:93:88 | getParameter(...) | user-provided value |
| SanitizationTests.java:96:25:96:33 | unsafer5b | SanitizationTests.java:93:60:93:88 | getParameter(...) : String | SanitizationTests.java:96:25:96:33 | unsafer5b | Potential server-side request forgery due to a $@. | SanitizationTests.java:93:60:93:88 | getParameter(...) | user-provided value |
| SanitizationTests.java:100:60:100:90 | new URI(...) | SanitizationTests.java:98:77:98:105 | getParameter(...) : String | SanitizationTests.java:100:60:100:90 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:98:77:98:105 | getParameter(...) | user-provided value |
| SanitizationTests.java:101:25:101:33 | unsafer5c | SanitizationTests.java:98:77:98:105 | getParameter(...) : String | SanitizationTests.java:101:25:101:33 | unsafer5c | Potential server-side request forgery due to a $@. | SanitizationTests.java:98:77:98:105 | getParameter(...) | user-provided value |
| SanitizationTests.java:104:59:104:77 | new URI(...) | SanitizationTests.java:103:73:103:103 | getParameter(...) : String | SanitizationTests.java:104:59:104:77 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:103:73:103:103 | getParameter(...) | user-provided value |
| SanitizationTests.java:105:25:105:32 | unsafer6 | SanitizationTests.java:103:73:103:103 | getParameter(...) : String | SanitizationTests.java:105:25:105:32 | unsafer6 | Potential server-side request forgery due to a $@. | SanitizationTests.java:103:73:103:103 | getParameter(...) | user-provided value |
| SanitizationTests.java:108:59:108:77 | new URI(...) | SanitizationTests.java:107:56:107:86 | getParameter(...) : String | SanitizationTests.java:108:59:108:77 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:107:56:107:86 | getParameter(...) | user-provided value |
| SanitizationTests.java:109:25:109:32 | unsafer7 | SanitizationTests.java:107:56:107:86 | getParameter(...) : String | SanitizationTests.java:109:25:109:32 | unsafer7 | Potential server-side request forgery due to a $@. | SanitizationTests.java:107:56:107:86 | getParameter(...) | user-provided value |
| SanitizationTests.java:112:59:112:77 | new URI(...) | SanitizationTests.java:111:55:111:85 | getParameter(...) : String | SanitizationTests.java:112:59:112:77 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:111:55:111:85 | getParameter(...) | user-provided value |
| SanitizationTests.java:113:25:113:32 | unsafer8 | SanitizationTests.java:111:55:111:85 | getParameter(...) : String | SanitizationTests.java:113:25:113:32 | unsafer8 | Potential server-side request forgery due to a $@. | SanitizationTests.java:111:55:111:85 | getParameter(...) | user-provided value |
| SanitizationTests.java:116:59:116:77 | new URI(...) | SanitizationTests.java:115:33:115:63 | getParameter(...) : String | SanitizationTests.java:116:59:116:77 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:115:33:115:63 | getParameter(...) | user-provided value |
| SanitizationTests.java:117:25:117:32 | unsafer9 | SanitizationTests.java:115:33:115:63 | getParameter(...) : String | SanitizationTests.java:117:25:117:32 | unsafer9 | Potential server-side request forgery due to a $@. | SanitizationTests.java:115:33:115:63 | getParameter(...) | user-provided value |
| SanitizationTests.java:120:60:120:79 | new URI(...) | SanitizationTests.java:119:94:119:125 | getParameter(...) : String | SanitizationTests.java:120:60:120:79 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:119:94:119:125 | getParameter(...) | user-provided value |
| SanitizationTests.java:121:25:121:33 | unsafer10 | SanitizationTests.java:119:94:119:125 | getParameter(...) : String | SanitizationTests.java:121:25:121:33 | unsafer10 | Potential server-side request forgery due to a $@. | SanitizationTests.java:119:94:119:125 | getParameter(...) | user-provided value |
| SanitizationTests.java:24:52:24:54 | uri | SanitizationTests.java:21:31:21:57 | getParameter(...) : String | SanitizationTests.java:24:52:24:54 | uri | Potential server-side request forgery due to a $@. | SanitizationTests.java:21:31:21:57 | getParameter(...) | user-provided value |
| SanitizationTests.java:25:25:25:25 | r | SanitizationTests.java:21:31:21:57 | getParameter(...) : String | SanitizationTests.java:25:25:25:25 | r | Potential server-side request forgery due to a $@. | SanitizationTests.java:21:31:21:57 | getParameter(...) | user-provided value |
| SanitizationTests.java:78:59:78:77 | new URI(...) | SanitizationTests.java:77:33:77:63 | getParameter(...) : String | SanitizationTests.java:78:59:78:77 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:77:33:77:63 | getParameter(...) | user-provided value |
| SanitizationTests.java:79:25:79:32 | unsafer3 | SanitizationTests.java:77:33:77:63 | getParameter(...) : String | SanitizationTests.java:79:25:79:32 | unsafer3 | Potential server-side request forgery due to a $@. | SanitizationTests.java:77:33:77:63 | getParameter(...) | user-provided value |
| SanitizationTests.java:82:59:82:77 | new URI(...) | SanitizationTests.java:81:49:81:79 | getParameter(...) : String | SanitizationTests.java:82:59:82:77 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:81:49:81:79 | getParameter(...) | user-provided value |
| SanitizationTests.java:83:25:83:32 | unsafer4 | SanitizationTests.java:81:49:81:79 | getParameter(...) : String | SanitizationTests.java:83:25:83:32 | unsafer4 | Potential server-side request forgery due to a $@. | SanitizationTests.java:81:49:81:79 | getParameter(...) | user-provided value |
| SanitizationTests.java:87:59:87:88 | new URI(...) | SanitizationTests.java:86:31:86:61 | getParameter(...) : String | SanitizationTests.java:87:59:87:88 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:86:31:86:61 | getParameter(...) | user-provided value |
| SanitizationTests.java:88:25:88:32 | unsafer5 | SanitizationTests.java:86:31:86:61 | getParameter(...) : String | SanitizationTests.java:88:25:88:32 | unsafer5 | Potential server-side request forgery due to a $@. | SanitizationTests.java:86:31:86:61 | getParameter(...) | user-provided value |
| SanitizationTests.java:92:60:92:89 | new URI(...) | SanitizationTests.java:90:58:90:86 | getParameter(...) : String | SanitizationTests.java:92:60:92:89 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:90:58:90:86 | getParameter(...) | user-provided value |
| SanitizationTests.java:93:25:93:33 | unsafer5a | SanitizationTests.java:90:58:90:86 | getParameter(...) : String | SanitizationTests.java:93:25:93:33 | unsafer5a | Potential server-side request forgery due to a $@. | SanitizationTests.java:90:58:90:86 | getParameter(...) | user-provided value |
| SanitizationTests.java:97:60:97:90 | new URI(...) | SanitizationTests.java:95:60:95:88 | getParameter(...) : String | SanitizationTests.java:97:60:97:90 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:95:60:95:88 | getParameter(...) | user-provided value |
| SanitizationTests.java:98:25:98:33 | unsafer5b | SanitizationTests.java:95:60:95:88 | getParameter(...) : String | SanitizationTests.java:98:25:98:33 | unsafer5b | Potential server-side request forgery due to a $@. | SanitizationTests.java:95:60:95:88 | getParameter(...) | user-provided value |
| SanitizationTests.java:102:60:102:90 | new URI(...) | SanitizationTests.java:100:77:100:105 | getParameter(...) : String | SanitizationTests.java:102:60:102:90 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:100:77:100:105 | getParameter(...) | user-provided value |
| SanitizationTests.java:103:25:103:33 | unsafer5c | SanitizationTests.java:100:77:100:105 | getParameter(...) : String | SanitizationTests.java:103:25:103:33 | unsafer5c | Potential server-side request forgery due to a $@. | SanitizationTests.java:100:77:100:105 | getParameter(...) | user-provided value |
| SanitizationTests.java:106:59:106:77 | new URI(...) | SanitizationTests.java:105:73:105:103 | getParameter(...) : String | SanitizationTests.java:106:59:106:77 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:105:73:105:103 | getParameter(...) | user-provided value |
| SanitizationTests.java:107:25:107:32 | unsafer6 | SanitizationTests.java:105:73:105:103 | getParameter(...) : String | SanitizationTests.java:107:25:107:32 | unsafer6 | Potential server-side request forgery due to a $@. | SanitizationTests.java:105:73:105:103 | getParameter(...) | user-provided value |
| SanitizationTests.java:110:59:110:77 | new URI(...) | SanitizationTests.java:109:56:109:86 | getParameter(...) : String | SanitizationTests.java:110:59:110:77 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:109:56:109:86 | getParameter(...) | user-provided value |
| SanitizationTests.java:111:25:111:32 | unsafer7 | SanitizationTests.java:109:56:109:86 | getParameter(...) : String | SanitizationTests.java:111:25:111:32 | unsafer7 | Potential server-side request forgery due to a $@. | SanitizationTests.java:109:56:109:86 | getParameter(...) | user-provided value |
| SanitizationTests.java:114:59:114:77 | new URI(...) | SanitizationTests.java:113:55:113:85 | getParameter(...) : String | SanitizationTests.java:114:59:114:77 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:113:55:113:85 | getParameter(...) | user-provided value |
| SanitizationTests.java:115:25:115:32 | unsafer8 | SanitizationTests.java:113:55:113:85 | getParameter(...) : String | SanitizationTests.java:115:25:115:32 | unsafer8 | Potential server-side request forgery due to a $@. | SanitizationTests.java:113:55:113:85 | getParameter(...) | user-provided value |
| SanitizationTests.java:118:59:118:77 | new URI(...) | SanitizationTests.java:117:33:117:63 | getParameter(...) : String | SanitizationTests.java:118:59:118:77 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:117:33:117:63 | getParameter(...) | user-provided value |
| SanitizationTests.java:119:25:119:32 | unsafer9 | SanitizationTests.java:117:33:117:63 | getParameter(...) : String | SanitizationTests.java:119:25:119:32 | unsafer9 | Potential server-side request forgery due to a $@. | SanitizationTests.java:117:33:117:63 | getParameter(...) | user-provided value |
| SanitizationTests.java:122:60:122:79 | new URI(...) | SanitizationTests.java:121:94:121:125 | getParameter(...) : String | SanitizationTests.java:122:60:122:79 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:121:94:121:125 | getParameter(...) | user-provided value |
| SanitizationTests.java:123:25:123:33 | unsafer10 | SanitizationTests.java:121:94:121:125 | getParameter(...) : String | SanitizationTests.java:123:25:123:33 | unsafer10 | Potential server-side request forgery due to a $@. | SanitizationTests.java:121:94:121:125 | getParameter(...) | user-provided value |
| SpringSSRF.java:32:39:32:59 | ... + ... | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:32:39:32:59 | ... + ... | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value |
| SpringSSRF.java:33:35:33:48 | fooResourceUrl | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:33:35:33:48 | fooResourceUrl | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value |
| SpringSSRF.java:34:34:34:47 | fooResourceUrl | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:34:34:34:47 | fooResourceUrl | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value |
@@ -665,118 +665,118 @@ edges
| JdbcUrlSSRF.java:80:26:80:56 | getParameter(...) : String | JdbcUrlSSRF.java:88:19:88:25 | jdbcUrl | provenance | Src:MaD:277 Sink:MaD:240 |
| ReactiveWebClientSSRF.java:15:26:15:52 | getParameter(...) : String | ReactiveWebClientSSRF.java:16:52:16:54 | url | provenance | Src:MaD:277 Sink:MaD:274 |
| ReactiveWebClientSSRF.java:32:26:32:52 | getParameter(...) : String | ReactiveWebClientSSRF.java:35:30:35:32 | url | provenance | Src:MaD:277 Sink:MaD:273 |
| SanitizationTests.java:19:23:19:58 | new URI(...) : URI | SanitizationTests.java:22:52:22:54 | uri | provenance | Sink:MaD:6 |
| SanitizationTests.java:19:23:19:58 | new URI(...) : URI | SanitizationTests.java:22:52:22:54 | uri : URI | provenance | |
| SanitizationTests.java:19:31:19:57 | getParameter(...) : String | SanitizationTests.java:19:23:19:58 | new URI(...) : URI | provenance | Src:MaD:277 Config |
| SanitizationTests.java:19:31:19:57 | getParameter(...) : String | SanitizationTests.java:19:23:19:58 | new URI(...) : URI | provenance | Src:MaD:277 MaD:285 |
| SanitizationTests.java:22:29:22:55 | newBuilder(...) : Builder | SanitizationTests.java:22:29:22:63 | build(...) : HttpRequest | provenance | MaD:283 |
| SanitizationTests.java:22:29:22:63 | build(...) : HttpRequest | SanitizationTests.java:23:25:23:25 | r | provenance | Sink:MaD:4 |
| SanitizationTests.java:22:52:22:54 | uri : URI | SanitizationTests.java:22:29:22:55 | newBuilder(...) : Builder | provenance | MaD:284 |
| SanitizationTests.java:75:33:75:63 | getParameter(...) : String | SanitizationTests.java:76:67:76:76 | unsafeUri3 : String | provenance | Src:MaD:277 |
| SanitizationTests.java:76:36:76:78 | newBuilder(...) : Builder | SanitizationTests.java:76:36:76:86 | build(...) : HttpRequest | provenance | MaD:283 |
| SanitizationTests.java:76:36:76:86 | build(...) : HttpRequest | SanitizationTests.java:77:25:77:32 | unsafer3 | provenance | Sink:MaD:4 |
| SanitizationTests.java:76:59:76:77 | new URI(...) : URI | SanitizationTests.java:76:36:76:78 | newBuilder(...) : Builder | provenance | MaD:284 |
| SanitizationTests.java:76:67:76:76 | unsafeUri3 : String | SanitizationTests.java:76:59:76:77 | new URI(...) | provenance | Config Sink:MaD:6 |
| SanitizationTests.java:76:67:76:76 | unsafeUri3 : String | SanitizationTests.java:76:59:76:77 | new URI(...) | provenance | MaD:285 Sink:MaD:6 |
| SanitizationTests.java:76:67:76:76 | unsafeUri3 : String | SanitizationTests.java:76:59:76:77 | new URI(...) : URI | provenance | Config |
| SanitizationTests.java:76:67:76:76 | unsafeUri3 : String | SanitizationTests.java:76:59:76:77 | new URI(...) : URI | provenance | MaD:285 |
| SanitizationTests.java:79:49:79:79 | getParameter(...) : String | SanitizationTests.java:80:67:80:76 | unsafeUri4 : String | provenance | Src:MaD:277 |
| SanitizationTests.java:80:36:80:78 | newBuilder(...) : Builder | SanitizationTests.java:80:36:80:86 | build(...) : HttpRequest | provenance | MaD:283 |
| SanitizationTests.java:80:36:80:86 | build(...) : HttpRequest | SanitizationTests.java:81:25:81:32 | unsafer4 | provenance | Sink:MaD:4 |
| SanitizationTests.java:80:59:80:77 | new URI(...) : URI | SanitizationTests.java:80:36:80:78 | newBuilder(...) : Builder | provenance | MaD:284 |
| SanitizationTests.java:80:67:80:76 | unsafeUri4 : String | SanitizationTests.java:80:59:80:77 | new URI(...) | provenance | Config Sink:MaD:6 |
| SanitizationTests.java:80:67:80:76 | unsafeUri4 : String | SanitizationTests.java:80:59:80:77 | new URI(...) | provenance | MaD:285 Sink:MaD:6 |
| SanitizationTests.java:80:67:80:76 | unsafeUri4 : String | SanitizationTests.java:80:59:80:77 | new URI(...) : URI | provenance | Config |
| SanitizationTests.java:80:67:80:76 | unsafeUri4 : String | SanitizationTests.java:80:59:80:77 | new URI(...) : URI | provenance | MaD:285 |
| SanitizationTests.java:84:13:84:22 | unsafeUri5 [post update] : StringBuilder | SanitizationTests.java:85:67:85:76 | unsafeUri5 : StringBuilder | provenance | |
| SanitizationTests.java:84:31:84:61 | getParameter(...) : String | SanitizationTests.java:84:13:84:22 | unsafeUri5 [post update] : StringBuilder | provenance | Src:MaD:277 MaD:278 |
| SanitizationTests.java:85:36:85:89 | newBuilder(...) : Builder | SanitizationTests.java:85:36:85:97 | build(...) : HttpRequest | provenance | MaD:283 |
| SanitizationTests.java:85:36:85:97 | build(...) : HttpRequest | SanitizationTests.java:86:25:86:32 | unsafer5 | provenance | Sink:MaD:4 |
| SanitizationTests.java:85:59:85:88 | new URI(...) : URI | SanitizationTests.java:85:36:85:89 | newBuilder(...) : Builder | provenance | MaD:284 |
| SanitizationTests.java:85:67:85:76 | unsafeUri5 : StringBuilder | SanitizationTests.java:85:67:85:87 | toString(...) : String | provenance | MaD:280 |
| SanitizationTests.java:85:67:85:87 | toString(...) : String | SanitizationTests.java:85:59:85:88 | new URI(...) | provenance | Config Sink:MaD:6 |
| SanitizationTests.java:85:67:85:87 | toString(...) : String | SanitizationTests.java:85:59:85:88 | new URI(...) | provenance | MaD:285 Sink:MaD:6 |
| SanitizationTests.java:85:67:85:87 | toString(...) : String | SanitizationTests.java:85:59:85:88 | new URI(...) : URI | provenance | Config |
| SanitizationTests.java:85:67:85:87 | toString(...) : String | SanitizationTests.java:85:59:85:88 | new URI(...) : URI | provenance | MaD:285 |
| SanitizationTests.java:88:40:88:87 | new StringBuilder(...) : StringBuilder | SanitizationTests.java:90:68:90:77 | unafeUri5a : StringBuilder | provenance | |
| SanitizationTests.java:88:58:88:86 | getParameter(...) : String | SanitizationTests.java:88:40:88:87 | new StringBuilder(...) : StringBuilder | provenance | Src:MaD:277 MaD:282 |
| SanitizationTests.java:90:37:90:90 | newBuilder(...) : Builder | SanitizationTests.java:90:37:90:98 | build(...) : HttpRequest | provenance | MaD:283 |
| SanitizationTests.java:90:37:90:98 | build(...) : HttpRequest | SanitizationTests.java:91:25:91:33 | unsafer5a | provenance | Sink:MaD:4 |
| SanitizationTests.java:90:60:90:89 | new URI(...) : URI | SanitizationTests.java:90:37:90:90 | newBuilder(...) : Builder | provenance | MaD:284 |
| SanitizationTests.java:90:68:90:77 | unafeUri5a : StringBuilder | SanitizationTests.java:90:68:90:88 | toString(...) : String | provenance | MaD:280 |
| SanitizationTests.java:90:68:90:88 | toString(...) : String | SanitizationTests.java:90:60:90:89 | new URI(...) | provenance | Config Sink:MaD:6 |
| SanitizationTests.java:90:68:90:88 | toString(...) : String | SanitizationTests.java:90:60:90:89 | new URI(...) | provenance | MaD:285 Sink:MaD:6 |
| SanitizationTests.java:90:68:90:88 | toString(...) : String | SanitizationTests.java:90:60:90:89 | new URI(...) : URI | provenance | Config |
| SanitizationTests.java:90:68:90:88 | toString(...) : String | SanitizationTests.java:90:60:90:89 | new URI(...) : URI | provenance | MaD:285 |
| SanitizationTests.java:93:41:93:105 | append(...) : StringBuilder | SanitizationTests.java:95:68:95:78 | unsafeUri5b : StringBuilder | provenance | |
| SanitizationTests.java:93:42:93:89 | new StringBuilder(...) : StringBuilder | SanitizationTests.java:93:41:93:105 | append(...) : StringBuilder | provenance | MaD:279 |
| SanitizationTests.java:93:60:93:88 | getParameter(...) : String | SanitizationTests.java:93:42:93:89 | new StringBuilder(...) : StringBuilder | provenance | Src:MaD:277 MaD:282 |
| SanitizationTests.java:95:37:95:91 | newBuilder(...) : Builder | SanitizationTests.java:95:37:95:99 | build(...) : HttpRequest | provenance | MaD:283 |
| SanitizationTests.java:95:37:95:99 | build(...) : HttpRequest | SanitizationTests.java:96:25:96:33 | unsafer5b | provenance | Sink:MaD:4 |
| SanitizationTests.java:95:60:95:90 | new URI(...) : URI | SanitizationTests.java:95:37:95:91 | newBuilder(...) : Builder | provenance | MaD:284 |
| SanitizationTests.java:95:68:95:78 | unsafeUri5b : StringBuilder | SanitizationTests.java:95:68:95:89 | toString(...) : String | provenance | MaD:280 |
| SanitizationTests.java:95:68:95:89 | toString(...) : String | SanitizationTests.java:95:60:95:90 | new URI(...) | provenance | Config Sink:MaD:6 |
| SanitizationTests.java:95:68:95:89 | toString(...) : String | SanitizationTests.java:95:60:95:90 | new URI(...) | provenance | MaD:285 Sink:MaD:6 |
| SanitizationTests.java:95:68:95:89 | toString(...) : String | SanitizationTests.java:95:60:95:90 | new URI(...) : URI | provenance | Config |
| SanitizationTests.java:95:68:95:89 | toString(...) : String | SanitizationTests.java:95:60:95:90 | new URI(...) : URI | provenance | MaD:285 |
| SanitizationTests.java:98:41:98:106 | append(...) : StringBuilder | SanitizationTests.java:100:68:100:78 | unsafeUri5c : StringBuilder | provenance | |
| SanitizationTests.java:98:77:98:105 | getParameter(...) : String | SanitizationTests.java:98:41:98:106 | append(...) : StringBuilder | provenance | Src:MaD:277 MaD:278+MaD:279 |
| SanitizationTests.java:100:37:100:91 | newBuilder(...) : Builder | SanitizationTests.java:100:37:100:99 | build(...) : HttpRequest | provenance | MaD:283 |
| SanitizationTests.java:100:37:100:99 | build(...) : HttpRequest | SanitizationTests.java:101:25:101:33 | unsafer5c | provenance | Sink:MaD:4 |
| SanitizationTests.java:100:60:100:90 | new URI(...) : URI | SanitizationTests.java:100:37:100:91 | newBuilder(...) : Builder | provenance | MaD:284 |
| SanitizationTests.java:100:68:100:78 | unsafeUri5c : StringBuilder | SanitizationTests.java:100:68:100:89 | toString(...) : String | provenance | MaD:280 |
| SanitizationTests.java:100:68:100:89 | toString(...) : String | SanitizationTests.java:100:60:100:90 | new URI(...) | provenance | Config Sink:MaD:6 |
| SanitizationTests.java:100:68:100:89 | toString(...) : String | SanitizationTests.java:100:60:100:90 | new URI(...) | provenance | MaD:285 Sink:MaD:6 |
| SanitizationTests.java:100:68:100:89 | toString(...) : String | SanitizationTests.java:100:60:100:90 | new URI(...) : URI | provenance | Config |
| SanitizationTests.java:100:68:100:89 | toString(...) : String | SanitizationTests.java:100:60:100:90 | new URI(...) : URI | provenance | MaD:285 |
| SanitizationTests.java:103:33:103:104 | format(...) : String | SanitizationTests.java:104:67:104:76 | unsafeUri6 : String | provenance | |
| SanitizationTests.java:103:33:103:104 | new ..[] { .. } : Object[] [[]] : String | SanitizationTests.java:103:33:103:104 | format(...) : String | provenance | MaD:281 |
| SanitizationTests.java:103:73:103:103 | getParameter(...) : String | SanitizationTests.java:103:33:103:104 | new ..[] { .. } : Object[] [[]] : String | provenance | Src:MaD:277 |
| SanitizationTests.java:104:36:104:78 | newBuilder(...) : Builder | SanitizationTests.java:104:36:104:86 | build(...) : HttpRequest | provenance | MaD:283 |
| SanitizationTests.java:104:36:104:86 | build(...) : HttpRequest | SanitizationTests.java:105:25:105:32 | unsafer6 | provenance | Sink:MaD:4 |
| SanitizationTests.java:104:59:104:77 | new URI(...) : URI | SanitizationTests.java:104:36:104:78 | newBuilder(...) : Builder | provenance | MaD:284 |
| SanitizationTests.java:104:67:104:76 | unsafeUri6 : String | SanitizationTests.java:104:59:104:77 | new URI(...) | provenance | Config Sink:MaD:6 |
| SanitizationTests.java:104:67:104:76 | unsafeUri6 : String | SanitizationTests.java:104:59:104:77 | new URI(...) | provenance | MaD:285 Sink:MaD:6 |
| SanitizationTests.java:104:67:104:76 | unsafeUri6 : String | SanitizationTests.java:104:59:104:77 | new URI(...) : URI | provenance | Config |
| SanitizationTests.java:104:67:104:76 | unsafeUri6 : String | SanitizationTests.java:104:59:104:77 | new URI(...) : URI | provenance | MaD:285 |
| SanitizationTests.java:107:33:107:110 | format(...) : String | SanitizationTests.java:108:67:108:76 | unsafeUri7 : String | provenance | |
| SanitizationTests.java:107:33:107:110 | new ..[] { .. } : Object[] [[]] : String | SanitizationTests.java:107:33:107:110 | format(...) : String | provenance | MaD:281 |
| SanitizationTests.java:107:56:107:86 | getParameter(...) : String | SanitizationTests.java:107:33:107:110 | new ..[] { .. } : Object[] [[]] : String | provenance | Src:MaD:277 |
| SanitizationTests.java:108:36:108:78 | newBuilder(...) : Builder | SanitizationTests.java:108:36:108:86 | build(...) : HttpRequest | provenance | MaD:283 |
| SanitizationTests.java:108:36:108:86 | build(...) : HttpRequest | SanitizationTests.java:109:25:109:32 | unsafer7 | provenance | Sink:MaD:4 |
| SanitizationTests.java:108:59:108:77 | new URI(...) : URI | SanitizationTests.java:108:36:108:78 | newBuilder(...) : Builder | provenance | MaD:284 |
| SanitizationTests.java:108:67:108:76 | unsafeUri7 : String | SanitizationTests.java:108:59:108:77 | new URI(...) | provenance | Config Sink:MaD:6 |
| SanitizationTests.java:108:67:108:76 | unsafeUri7 : String | SanitizationTests.java:108:59:108:77 | new URI(...) | provenance | MaD:285 Sink:MaD:6 |
| SanitizationTests.java:108:67:108:76 | unsafeUri7 : String | SanitizationTests.java:108:59:108:77 | new URI(...) : URI | provenance | Config |
| SanitizationTests.java:108:67:108:76 | unsafeUri7 : String | SanitizationTests.java:108:59:108:77 | new URI(...) : URI | provenance | MaD:285 |
| SanitizationTests.java:111:33:111:110 | format(...) : String | SanitizationTests.java:112:67:112:76 | unsafeUri8 : String | provenance | |
| SanitizationTests.java:111:33:111:110 | new ..[] { .. } : Object[] [[]] : String | SanitizationTests.java:111:33:111:110 | format(...) : String | provenance | MaD:281 |
| SanitizationTests.java:111:55:111:85 | getParameter(...) : String | SanitizationTests.java:111:33:111:110 | new ..[] { .. } : Object[] [[]] : String | provenance | Src:MaD:277 |
| SanitizationTests.java:112:36:112:78 | newBuilder(...) : Builder | SanitizationTests.java:112:36:112:86 | build(...) : HttpRequest | provenance | MaD:283 |
| SanitizationTests.java:112:36:112:86 | build(...) : HttpRequest | SanitizationTests.java:113:25:113:32 | unsafer8 | provenance | Sink:MaD:4 |
| SanitizationTests.java:112:59:112:77 | new URI(...) : URI | SanitizationTests.java:112:36:112:78 | newBuilder(...) : Builder | provenance | MaD:284 |
| SanitizationTests.java:112:67:112:76 | unsafeUri8 : String | SanitizationTests.java:112:59:112:77 | new URI(...) | provenance | Config Sink:MaD:6 |
| SanitizationTests.java:112:67:112:76 | unsafeUri8 : String | SanitizationTests.java:112:59:112:77 | new URI(...) | provenance | MaD:285 Sink:MaD:6 |
| SanitizationTests.java:112:67:112:76 | unsafeUri8 : String | SanitizationTests.java:112:59:112:77 | new URI(...) : URI | provenance | Config |
| SanitizationTests.java:112:67:112:76 | unsafeUri8 : String | SanitizationTests.java:112:59:112:77 | new URI(...) : URI | provenance | MaD:285 |
| SanitizationTests.java:115:33:115:63 | getParameter(...) : String | SanitizationTests.java:116:67:116:76 | unsafeUri9 : String | provenance | Src:MaD:277 |
| SanitizationTests.java:116:36:116:78 | newBuilder(...) : Builder | SanitizationTests.java:116:36:116:86 | build(...) : HttpRequest | provenance | MaD:283 |
| SanitizationTests.java:116:36:116:86 | build(...) : HttpRequest | SanitizationTests.java:117:25:117:32 | unsafer9 | provenance | Sink:MaD:4 |
| SanitizationTests.java:116:59:116:77 | new URI(...) : URI | SanitizationTests.java:116:36:116:78 | newBuilder(...) : Builder | provenance | MaD:284 |
| SanitizationTests.java:116:67:116:76 | unsafeUri9 : String | SanitizationTests.java:116:59:116:77 | new URI(...) | provenance | Config Sink:MaD:6 |
| SanitizationTests.java:116:67:116:76 | unsafeUri9 : String | SanitizationTests.java:116:59:116:77 | new URI(...) | provenance | MaD:285 Sink:MaD:6 |
| SanitizationTests.java:116:67:116:76 | unsafeUri9 : String | SanitizationTests.java:116:59:116:77 | new URI(...) : URI | provenance | Config |
| SanitizationTests.java:116:67:116:76 | unsafeUri9 : String | SanitizationTests.java:116:59:116:77 | new URI(...) : URI | provenance | MaD:285 |
| SanitizationTests.java:119:34:119:126 | format(...) : String | SanitizationTests.java:120:68:120:78 | unsafeUri10 : String | provenance | |
| SanitizationTests.java:119:34:119:126 | new ..[] { .. } : Object[] [[]] : String | SanitizationTests.java:119:34:119:126 | format(...) : String | provenance | MaD:281 |
| SanitizationTests.java:119:94:119:125 | getParameter(...) : String | SanitizationTests.java:119:34:119:126 | new ..[] { .. } : Object[] [[]] : String | provenance | Src:MaD:277 |
| SanitizationTests.java:120:37:120:80 | newBuilder(...) : Builder | SanitizationTests.java:120:37:120:88 | build(...) : HttpRequest | provenance | MaD:283 |
| SanitizationTests.java:120:37:120:88 | build(...) : HttpRequest | SanitizationTests.java:121:25:121:33 | unsafer10 | provenance | Sink:MaD:4 |
| SanitizationTests.java:120:60:120:79 | new URI(...) : URI | SanitizationTests.java:120:37:120:80 | newBuilder(...) : Builder | provenance | MaD:284 |
| SanitizationTests.java:120:68:120:78 | unsafeUri10 : String | SanitizationTests.java:120:60:120:79 | new URI(...) | provenance | Config Sink:MaD:6 |
| SanitizationTests.java:120:68:120:78 | unsafeUri10 : String | SanitizationTests.java:120:60:120:79 | new URI(...) | provenance | MaD:285 Sink:MaD:6 |
| SanitizationTests.java:120:68:120:78 | unsafeUri10 : String | SanitizationTests.java:120:60:120:79 | new URI(...) : URI | provenance | Config |
| SanitizationTests.java:120:68:120:78 | unsafeUri10 : String | SanitizationTests.java:120:60:120:79 | new URI(...) : URI | provenance | MaD:285 |
| SanitizationTests.java:21:23:21:58 | new URI(...) : URI | SanitizationTests.java:24:52:24:54 | uri | provenance | Sink:MaD:6 |
| SanitizationTests.java:21:23:21:58 | new URI(...) : URI | SanitizationTests.java:24:52:24:54 | uri : URI | provenance | |
| SanitizationTests.java:21:31:21:57 | getParameter(...) : String | SanitizationTests.java:21:23:21:58 | new URI(...) : URI | provenance | Src:MaD:277 Config |
| SanitizationTests.java:21:31:21:57 | getParameter(...) : String | SanitizationTests.java:21:23:21:58 | new URI(...) : URI | provenance | Src:MaD:277 MaD:285 |
| SanitizationTests.java:24:29:24:55 | newBuilder(...) : Builder | SanitizationTests.java:24:29:24:63 | build(...) : HttpRequest | provenance | MaD:283 |
| SanitizationTests.java:24:29:24:63 | build(...) : HttpRequest | SanitizationTests.java:25:25:25:25 | r | provenance | Sink:MaD:4 |
| SanitizationTests.java:24:52:24:54 | uri : URI | SanitizationTests.java:24:29:24:55 | newBuilder(...) : Builder | provenance | MaD:284 |
| SanitizationTests.java:77:33:77:63 | getParameter(...) : String | SanitizationTests.java:78:67:78:76 | unsafeUri3 : String | provenance | Src:MaD:277 |
| SanitizationTests.java:78:36:78:78 | newBuilder(...) : Builder | SanitizationTests.java:78:36:78:86 | build(...) : HttpRequest | provenance | MaD:283 |
| SanitizationTests.java:78:36:78:86 | build(...) : HttpRequest | SanitizationTests.java:79:25:79:32 | unsafer3 | provenance | Sink:MaD:4 |
| SanitizationTests.java:78:59:78:77 | new URI(...) : URI | SanitizationTests.java:78:36:78:78 | newBuilder(...) : Builder | provenance | MaD:284 |
| SanitizationTests.java:78:67:78:76 | unsafeUri3 : String | SanitizationTests.java:78:59:78:77 | new URI(...) | provenance | Config Sink:MaD:6 |
| SanitizationTests.java:78:67:78:76 | unsafeUri3 : String | SanitizationTests.java:78:59:78:77 | new URI(...) | provenance | MaD:285 Sink:MaD:6 |
| SanitizationTests.java:78:67:78:76 | unsafeUri3 : String | SanitizationTests.java:78:59:78:77 | new URI(...) : URI | provenance | Config |
| SanitizationTests.java:78:67:78:76 | unsafeUri3 : String | SanitizationTests.java:78:59:78:77 | new URI(...) : URI | provenance | MaD:285 |
| SanitizationTests.java:81:49:81:79 | getParameter(...) : String | SanitizationTests.java:82:67:82:76 | unsafeUri4 : String | provenance | Src:MaD:277 |
| SanitizationTests.java:82:36:82:78 | newBuilder(...) : Builder | SanitizationTests.java:82:36:82:86 | build(...) : HttpRequest | provenance | MaD:283 |
| SanitizationTests.java:82:36:82:86 | build(...) : HttpRequest | SanitizationTests.java:83:25:83:32 | unsafer4 | provenance | Sink:MaD:4 |
| SanitizationTests.java:82:59:82:77 | new URI(...) : URI | SanitizationTests.java:82:36:82:78 | newBuilder(...) : Builder | provenance | MaD:284 |
| SanitizationTests.java:82:67:82:76 | unsafeUri4 : String | SanitizationTests.java:82:59:82:77 | new URI(...) | provenance | Config Sink:MaD:6 |
| SanitizationTests.java:82:67:82:76 | unsafeUri4 : String | SanitizationTests.java:82:59:82:77 | new URI(...) | provenance | MaD:285 Sink:MaD:6 |
| SanitizationTests.java:82:67:82:76 | unsafeUri4 : String | SanitizationTests.java:82:59:82:77 | new URI(...) : URI | provenance | Config |
| SanitizationTests.java:82:67:82:76 | unsafeUri4 : String | SanitizationTests.java:82:59:82:77 | new URI(...) : URI | provenance | MaD:285 |
| SanitizationTests.java:86:13:86:22 | unsafeUri5 [post update] : StringBuilder | SanitizationTests.java:87:67:87:76 | unsafeUri5 : StringBuilder | provenance | |
| SanitizationTests.java:86:31:86:61 | getParameter(...) : String | SanitizationTests.java:86:13:86:22 | unsafeUri5 [post update] : StringBuilder | provenance | Src:MaD:277 MaD:278 |
| SanitizationTests.java:87:36:87:89 | newBuilder(...) : Builder | SanitizationTests.java:87:36:87:97 | build(...) : HttpRequest | provenance | MaD:283 |
| SanitizationTests.java:87:36:87:97 | build(...) : HttpRequest | SanitizationTests.java:88:25:88:32 | unsafer5 | provenance | Sink:MaD:4 |
| SanitizationTests.java:87:59:87:88 | new URI(...) : URI | SanitizationTests.java:87:36:87:89 | newBuilder(...) : Builder | provenance | MaD:284 |
| SanitizationTests.java:87:67:87:76 | unsafeUri5 : StringBuilder | SanitizationTests.java:87:67:87:87 | toString(...) : String | provenance | MaD:280 |
| SanitizationTests.java:87:67:87:87 | toString(...) : String | SanitizationTests.java:87:59:87:88 | new URI(...) | provenance | Config Sink:MaD:6 |
| SanitizationTests.java:87:67:87:87 | toString(...) : String | SanitizationTests.java:87:59:87:88 | new URI(...) | provenance | MaD:285 Sink:MaD:6 |
| SanitizationTests.java:87:67:87:87 | toString(...) : String | SanitizationTests.java:87:59:87:88 | new URI(...) : URI | provenance | Config |
| SanitizationTests.java:87:67:87:87 | toString(...) : String | SanitizationTests.java:87:59:87:88 | new URI(...) : URI | provenance | MaD:285 |
| SanitizationTests.java:90:40:90:87 | new StringBuilder(...) : StringBuilder | SanitizationTests.java:92:68:92:77 | unafeUri5a : StringBuilder | provenance | |
| SanitizationTests.java:90:58:90:86 | getParameter(...) : String | SanitizationTests.java:90:40:90:87 | new StringBuilder(...) : StringBuilder | provenance | Src:MaD:277 MaD:282 |
| SanitizationTests.java:92:37:92:90 | newBuilder(...) : Builder | SanitizationTests.java:92:37:92:98 | build(...) : HttpRequest | provenance | MaD:283 |
| SanitizationTests.java:92:37:92:98 | build(...) : HttpRequest | SanitizationTests.java:93:25:93:33 | unsafer5a | provenance | Sink:MaD:4 |
| SanitizationTests.java:92:60:92:89 | new URI(...) : URI | SanitizationTests.java:92:37:92:90 | newBuilder(...) : Builder | provenance | MaD:284 |
| SanitizationTests.java:92:68:92:77 | unafeUri5a : StringBuilder | SanitizationTests.java:92:68:92:88 | toString(...) : String | provenance | MaD:280 |
| SanitizationTests.java:92:68:92:88 | toString(...) : String | SanitizationTests.java:92:60:92:89 | new URI(...) | provenance | Config Sink:MaD:6 |
| SanitizationTests.java:92:68:92:88 | toString(...) : String | SanitizationTests.java:92:60:92:89 | new URI(...) | provenance | MaD:285 Sink:MaD:6 |
| SanitizationTests.java:92:68:92:88 | toString(...) : String | SanitizationTests.java:92:60:92:89 | new URI(...) : URI | provenance | Config |
| SanitizationTests.java:92:68:92:88 | toString(...) : String | SanitizationTests.java:92:60:92:89 | new URI(...) : URI | provenance | MaD:285 |
| SanitizationTests.java:95:41:95:105 | append(...) : StringBuilder | SanitizationTests.java:97:68:97:78 | unsafeUri5b : StringBuilder | provenance | |
| SanitizationTests.java:95:42:95:89 | new StringBuilder(...) : StringBuilder | SanitizationTests.java:95:41:95:105 | append(...) : StringBuilder | provenance | MaD:279 |
| SanitizationTests.java:95:60:95:88 | getParameter(...) : String | SanitizationTests.java:95:42:95:89 | new StringBuilder(...) : StringBuilder | provenance | Src:MaD:277 MaD:282 |
| SanitizationTests.java:97:37:97:91 | newBuilder(...) : Builder | SanitizationTests.java:97:37:97:99 | build(...) : HttpRequest | provenance | MaD:283 |
| SanitizationTests.java:97:37:97:99 | build(...) : HttpRequest | SanitizationTests.java:98:25:98:33 | unsafer5b | provenance | Sink:MaD:4 |
| SanitizationTests.java:97:60:97:90 | new URI(...) : URI | SanitizationTests.java:97:37:97:91 | newBuilder(...) : Builder | provenance | MaD:284 |
| SanitizationTests.java:97:68:97:78 | unsafeUri5b : StringBuilder | SanitizationTests.java:97:68:97:89 | toString(...) : String | provenance | MaD:280 |
| SanitizationTests.java:97:68:97:89 | toString(...) : String | SanitizationTests.java:97:60:97:90 | new URI(...) | provenance | Config Sink:MaD:6 |
| SanitizationTests.java:97:68:97:89 | toString(...) : String | SanitizationTests.java:97:60:97:90 | new URI(...) | provenance | MaD:285 Sink:MaD:6 |
| SanitizationTests.java:97:68:97:89 | toString(...) : String | SanitizationTests.java:97:60:97:90 | new URI(...) : URI | provenance | Config |
| SanitizationTests.java:97:68:97:89 | toString(...) : String | SanitizationTests.java:97:60:97:90 | new URI(...) : URI | provenance | MaD:285 |
| SanitizationTests.java:100:41:100:106 | append(...) : StringBuilder | SanitizationTests.java:102:68:102:78 | unsafeUri5c : StringBuilder | provenance | |
| SanitizationTests.java:100:77:100:105 | getParameter(...) : String | SanitizationTests.java:100:41:100:106 | append(...) : StringBuilder | provenance | Src:MaD:277 MaD:278+MaD:279 |
| SanitizationTests.java:102:37:102:91 | newBuilder(...) : Builder | SanitizationTests.java:102:37:102:99 | build(...) : HttpRequest | provenance | MaD:283 |
| SanitizationTests.java:102:37:102:99 | build(...) : HttpRequest | SanitizationTests.java:103:25:103:33 | unsafer5c | provenance | Sink:MaD:4 |
| SanitizationTests.java:102:60:102:90 | new URI(...) : URI | SanitizationTests.java:102:37:102:91 | newBuilder(...) : Builder | provenance | MaD:284 |
| SanitizationTests.java:102:68:102:78 | unsafeUri5c : StringBuilder | SanitizationTests.java:102:68:102:89 | toString(...) : String | provenance | MaD:280 |
| SanitizationTests.java:102:68:102:89 | toString(...) : String | SanitizationTests.java:102:60:102:90 | new URI(...) | provenance | Config Sink:MaD:6 |
| SanitizationTests.java:102:68:102:89 | toString(...) : String | SanitizationTests.java:102:60:102:90 | new URI(...) | provenance | MaD:285 Sink:MaD:6 |
| SanitizationTests.java:102:68:102:89 | toString(...) : String | SanitizationTests.java:102:60:102:90 | new URI(...) : URI | provenance | Config |
| SanitizationTests.java:102:68:102:89 | toString(...) : String | SanitizationTests.java:102:60:102:90 | new URI(...) : URI | provenance | MaD:285 |
| SanitizationTests.java:105:33:105:104 | format(...) : String | SanitizationTests.java:106:67:106:76 | unsafeUri6 : String | provenance | |
| SanitizationTests.java:105:33:105:104 | new ..[] { .. } : Object[] [[]] : String | SanitizationTests.java:105:33:105:104 | format(...) : String | provenance | MaD:281 |
| SanitizationTests.java:105:73:105:103 | getParameter(...) : String | SanitizationTests.java:105:33:105:104 | new ..[] { .. } : Object[] [[]] : String | provenance | Src:MaD:277 |
| SanitizationTests.java:106:36:106:78 | newBuilder(...) : Builder | SanitizationTests.java:106:36:106:86 | build(...) : HttpRequest | provenance | MaD:283 |
| SanitizationTests.java:106:36:106:86 | build(...) : HttpRequest | SanitizationTests.java:107:25:107:32 | unsafer6 | provenance | Sink:MaD:4 |
| SanitizationTests.java:106:59:106:77 | new URI(...) : URI | SanitizationTests.java:106:36:106:78 | newBuilder(...) : Builder | provenance | MaD:284 |
| SanitizationTests.java:106:67:106:76 | unsafeUri6 : String | SanitizationTests.java:106:59:106:77 | new URI(...) | provenance | Config Sink:MaD:6 |
| SanitizationTests.java:106:67:106:76 | unsafeUri6 : String | SanitizationTests.java:106:59:106:77 | new URI(...) | provenance | MaD:285 Sink:MaD:6 |
| SanitizationTests.java:106:67:106:76 | unsafeUri6 : String | SanitizationTests.java:106:59:106:77 | new URI(...) : URI | provenance | Config |
| SanitizationTests.java:106:67:106:76 | unsafeUri6 : String | SanitizationTests.java:106:59:106:77 | new URI(...) : URI | provenance | MaD:285 |
| SanitizationTests.java:109:33:109:110 | format(...) : String | SanitizationTests.java:110:67:110:76 | unsafeUri7 : String | provenance | |
| SanitizationTests.java:109:33:109:110 | new ..[] { .. } : Object[] [[]] : String | SanitizationTests.java:109:33:109:110 | format(...) : String | provenance | MaD:281 |
| SanitizationTests.java:109:56:109:86 | getParameter(...) : String | SanitizationTests.java:109:33:109:110 | new ..[] { .. } : Object[] [[]] : String | provenance | Src:MaD:277 |
| SanitizationTests.java:110:36:110:78 | newBuilder(...) : Builder | SanitizationTests.java:110:36:110:86 | build(...) : HttpRequest | provenance | MaD:283 |
| SanitizationTests.java:110:36:110:86 | build(...) : HttpRequest | SanitizationTests.java:111:25:111:32 | unsafer7 | provenance | Sink:MaD:4 |
| SanitizationTests.java:110:59:110:77 | new URI(...) : URI | SanitizationTests.java:110:36:110:78 | newBuilder(...) : Builder | provenance | MaD:284 |
| SanitizationTests.java:110:67:110:76 | unsafeUri7 : String | SanitizationTests.java:110:59:110:77 | new URI(...) | provenance | Config Sink:MaD:6 |
| SanitizationTests.java:110:67:110:76 | unsafeUri7 : String | SanitizationTests.java:110:59:110:77 | new URI(...) | provenance | MaD:285 Sink:MaD:6 |
| SanitizationTests.java:110:67:110:76 | unsafeUri7 : String | SanitizationTests.java:110:59:110:77 | new URI(...) : URI | provenance | Config |
| SanitizationTests.java:110:67:110:76 | unsafeUri7 : String | SanitizationTests.java:110:59:110:77 | new URI(...) : URI | provenance | MaD:285 |
| SanitizationTests.java:113:33:113:110 | format(...) : String | SanitizationTests.java:114:67:114:76 | unsafeUri8 : String | provenance | |
| SanitizationTests.java:113:33:113:110 | new ..[] { .. } : Object[] [[]] : String | SanitizationTests.java:113:33:113:110 | format(...) : String | provenance | MaD:281 |
| SanitizationTests.java:113:55:113:85 | getParameter(...) : String | SanitizationTests.java:113:33:113:110 | new ..[] { .. } : Object[] [[]] : String | provenance | Src:MaD:277 |
| SanitizationTests.java:114:36:114:78 | newBuilder(...) : Builder | SanitizationTests.java:114:36:114:86 | build(...) : HttpRequest | provenance | MaD:283 |
| SanitizationTests.java:114:36:114:86 | build(...) : HttpRequest | SanitizationTests.java:115:25:115:32 | unsafer8 | provenance | Sink:MaD:4 |
| SanitizationTests.java:114:59:114:77 | new URI(...) : URI | SanitizationTests.java:114:36:114:78 | newBuilder(...) : Builder | provenance | MaD:284 |
| SanitizationTests.java:114:67:114:76 | unsafeUri8 : String | SanitizationTests.java:114:59:114:77 | new URI(...) | provenance | Config Sink:MaD:6 |
| SanitizationTests.java:114:67:114:76 | unsafeUri8 : String | SanitizationTests.java:114:59:114:77 | new URI(...) | provenance | MaD:285 Sink:MaD:6 |
| SanitizationTests.java:114:67:114:76 | unsafeUri8 : String | SanitizationTests.java:114:59:114:77 | new URI(...) : URI | provenance | Config |
| SanitizationTests.java:114:67:114:76 | unsafeUri8 : String | SanitizationTests.java:114:59:114:77 | new URI(...) : URI | provenance | MaD:285 |
| SanitizationTests.java:117:33:117:63 | getParameter(...) : String | SanitizationTests.java:118:67:118:76 | unsafeUri9 : String | provenance | Src:MaD:277 |
| SanitizationTests.java:118:36:118:78 | newBuilder(...) : Builder | SanitizationTests.java:118:36:118:86 | build(...) : HttpRequest | provenance | MaD:283 |
| SanitizationTests.java:118:36:118:86 | build(...) : HttpRequest | SanitizationTests.java:119:25:119:32 | unsafer9 | provenance | Sink:MaD:4 |
| SanitizationTests.java:118:59:118:77 | new URI(...) : URI | SanitizationTests.java:118:36:118:78 | newBuilder(...) : Builder | provenance | MaD:284 |
| SanitizationTests.java:118:67:118:76 | unsafeUri9 : String | SanitizationTests.java:118:59:118:77 | new URI(...) | provenance | Config Sink:MaD:6 |
| SanitizationTests.java:118:67:118:76 | unsafeUri9 : String | SanitizationTests.java:118:59:118:77 | new URI(...) | provenance | MaD:285 Sink:MaD:6 |
| SanitizationTests.java:118:67:118:76 | unsafeUri9 : String | SanitizationTests.java:118:59:118:77 | new URI(...) : URI | provenance | Config |
| SanitizationTests.java:118:67:118:76 | unsafeUri9 : String | SanitizationTests.java:118:59:118:77 | new URI(...) : URI | provenance | MaD:285 |
| SanitizationTests.java:121:34:121:126 | format(...) : String | SanitizationTests.java:122:68:122:78 | unsafeUri10 : String | provenance | |
| SanitizationTests.java:121:34:121:126 | new ..[] { .. } : Object[] [[]] : String | SanitizationTests.java:121:34:121:126 | format(...) : String | provenance | MaD:281 |
| SanitizationTests.java:121:94:121:125 | getParameter(...) : String | SanitizationTests.java:121:34:121:126 | new ..[] { .. } : Object[] [[]] : String | provenance | Src:MaD:277 |
| SanitizationTests.java:122:37:122:80 | newBuilder(...) : Builder | SanitizationTests.java:122:37:122:88 | build(...) : HttpRequest | provenance | MaD:283 |
| SanitizationTests.java:122:37:122:88 | build(...) : HttpRequest | SanitizationTests.java:123:25:123:33 | unsafer10 | provenance | Sink:MaD:4 |
| SanitizationTests.java:122:60:122:79 | new URI(...) : URI | SanitizationTests.java:122:37:122:80 | newBuilder(...) : Builder | provenance | MaD:284 |
| SanitizationTests.java:122:68:122:78 | unsafeUri10 : String | SanitizationTests.java:122:60:122:79 | new URI(...) | provenance | Config Sink:MaD:6 |
| SanitizationTests.java:122:68:122:78 | unsafeUri10 : String | SanitizationTests.java:122:60:122:79 | new URI(...) | provenance | MaD:285 Sink:MaD:6 |
| SanitizationTests.java:122:68:122:78 | unsafeUri10 : String | SanitizationTests.java:122:60:122:79 | new URI(...) : URI | provenance | Config |
| SanitizationTests.java:122:68:122:78 | unsafeUri10 : String | SanitizationTests.java:122:60:122:79 | new URI(...) : URI | provenance | MaD:285 |
| SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:32:39:32:59 | ... + ... | provenance | Src:MaD:277 Sink:MaD:264 |
| SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:33:35:33:48 | fooResourceUrl | provenance | Src:MaD:277 Sink:MaD:262 |
| SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:34:34:34:47 | fooResourceUrl | provenance | Src:MaD:277 Sink:MaD:263 |
@@ -1580,107 +1580,107 @@ nodes
| ReactiveWebClientSSRF.java:16:52:16:54 | url | semmle.label | url |
| ReactiveWebClientSSRF.java:32:26:32:52 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| ReactiveWebClientSSRF.java:35:30:35:32 | url | semmle.label | url |
| SanitizationTests.java:19:23:19:58 | new URI(...) : URI | semmle.label | new URI(...) : URI |
| SanitizationTests.java:19:31:19:57 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| SanitizationTests.java:22:29:22:55 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder |
| SanitizationTests.java:22:29:22:63 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest |
| SanitizationTests.java:22:52:22:54 | uri | semmle.label | uri |
| SanitizationTests.java:22:52:22:54 | uri : URI | semmle.label | uri : URI |
| SanitizationTests.java:23:25:23:25 | r | semmle.label | r |
| SanitizationTests.java:75:33:75:63 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| SanitizationTests.java:76:36:76:78 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder |
| SanitizationTests.java:76:36:76:86 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest |
| SanitizationTests.java:76:59:76:77 | new URI(...) | semmle.label | new URI(...) |
| SanitizationTests.java:76:59:76:77 | new URI(...) : URI | semmle.label | new URI(...) : URI |
| SanitizationTests.java:76:67:76:76 | unsafeUri3 : String | semmle.label | unsafeUri3 : String |
| SanitizationTests.java:77:25:77:32 | unsafer3 | semmle.label | unsafer3 |
| SanitizationTests.java:79:49:79:79 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| SanitizationTests.java:80:36:80:78 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder |
| SanitizationTests.java:80:36:80:86 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest |
| SanitizationTests.java:80:59:80:77 | new URI(...) | semmle.label | new URI(...) |
| SanitizationTests.java:80:59:80:77 | new URI(...) : URI | semmle.label | new URI(...) : URI |
| SanitizationTests.java:80:67:80:76 | unsafeUri4 : String | semmle.label | unsafeUri4 : String |
| SanitizationTests.java:81:25:81:32 | unsafer4 | semmle.label | unsafer4 |
| SanitizationTests.java:84:13:84:22 | unsafeUri5 [post update] : StringBuilder | semmle.label | unsafeUri5 [post update] : StringBuilder |
| SanitizationTests.java:84:31:84:61 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| SanitizationTests.java:85:36:85:89 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder |
| SanitizationTests.java:85:36:85:97 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest |
| SanitizationTests.java:85:59:85:88 | new URI(...) | semmle.label | new URI(...) |
| SanitizationTests.java:85:59:85:88 | new URI(...) : URI | semmle.label | new URI(...) : URI |
| SanitizationTests.java:85:67:85:76 | unsafeUri5 : StringBuilder | semmle.label | unsafeUri5 : StringBuilder |
| SanitizationTests.java:85:67:85:87 | toString(...) : String | semmle.label | toString(...) : String |
| SanitizationTests.java:86:25:86:32 | unsafer5 | semmle.label | unsafer5 |
| SanitizationTests.java:88:40:88:87 | new StringBuilder(...) : StringBuilder | semmle.label | new StringBuilder(...) : StringBuilder |
| SanitizationTests.java:88:58:88:86 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| SanitizationTests.java:90:37:90:90 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder |
| SanitizationTests.java:90:37:90:98 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest |
| SanitizationTests.java:90:60:90:89 | new URI(...) | semmle.label | new URI(...) |
| SanitizationTests.java:90:60:90:89 | new URI(...) : URI | semmle.label | new URI(...) : URI |
| SanitizationTests.java:90:68:90:77 | unafeUri5a : StringBuilder | semmle.label | unafeUri5a : StringBuilder |
| SanitizationTests.java:90:68:90:88 | toString(...) : String | semmle.label | toString(...) : String |
| SanitizationTests.java:91:25:91:33 | unsafer5a | semmle.label | unsafer5a |
| SanitizationTests.java:93:41:93:105 | append(...) : StringBuilder | semmle.label | append(...) : StringBuilder |
| SanitizationTests.java:93:42:93:89 | new StringBuilder(...) : StringBuilder | semmle.label | new StringBuilder(...) : StringBuilder |
| SanitizationTests.java:93:60:93:88 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| SanitizationTests.java:95:37:95:91 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder |
| SanitizationTests.java:95:37:95:99 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest |
| SanitizationTests.java:95:60:95:90 | new URI(...) | semmle.label | new URI(...) |
| SanitizationTests.java:95:60:95:90 | new URI(...) : URI | semmle.label | new URI(...) : URI |
| SanitizationTests.java:95:68:95:78 | unsafeUri5b : StringBuilder | semmle.label | unsafeUri5b : StringBuilder |
| SanitizationTests.java:95:68:95:89 | toString(...) : String | semmle.label | toString(...) : String |
| SanitizationTests.java:96:25:96:33 | unsafer5b | semmle.label | unsafer5b |
| SanitizationTests.java:98:41:98:106 | append(...) : StringBuilder | semmle.label | append(...) : StringBuilder |
| SanitizationTests.java:98:77:98:105 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| SanitizationTests.java:100:37:100:91 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder |
| SanitizationTests.java:100:37:100:99 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest |
| SanitizationTests.java:100:60:100:90 | new URI(...) | semmle.label | new URI(...) |
| SanitizationTests.java:100:60:100:90 | new URI(...) : URI | semmle.label | new URI(...) : URI |
| SanitizationTests.java:100:68:100:78 | unsafeUri5c : StringBuilder | semmle.label | unsafeUri5c : StringBuilder |
| SanitizationTests.java:100:68:100:89 | toString(...) : String | semmle.label | toString(...) : String |
| SanitizationTests.java:101:25:101:33 | unsafer5c | semmle.label | unsafer5c |
| SanitizationTests.java:103:33:103:104 | format(...) : String | semmle.label | format(...) : String |
| SanitizationTests.java:103:33:103:104 | new ..[] { .. } : Object[] [[]] : String | semmle.label | new ..[] { .. } : Object[] [[]] : String |
| SanitizationTests.java:103:73:103:103 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| SanitizationTests.java:104:36:104:78 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder |
| SanitizationTests.java:104:36:104:86 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest |
| SanitizationTests.java:104:59:104:77 | new URI(...) | semmle.label | new URI(...) |
| SanitizationTests.java:104:59:104:77 | new URI(...) : URI | semmle.label | new URI(...) : URI |
| SanitizationTests.java:104:67:104:76 | unsafeUri6 : String | semmle.label | unsafeUri6 : String |
| SanitizationTests.java:105:25:105:32 | unsafer6 | semmle.label | unsafer6 |
| SanitizationTests.java:107:33:107:110 | format(...) : String | semmle.label | format(...) : String |
| SanitizationTests.java:107:33:107:110 | new ..[] { .. } : Object[] [[]] : String | semmle.label | new ..[] { .. } : Object[] [[]] : String |
| SanitizationTests.java:107:56:107:86 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| SanitizationTests.java:108:36:108:78 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder |
| SanitizationTests.java:108:36:108:86 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest |
| SanitizationTests.java:108:59:108:77 | new URI(...) | semmle.label | new URI(...) |
| SanitizationTests.java:108:59:108:77 | new URI(...) : URI | semmle.label | new URI(...) : URI |
| SanitizationTests.java:108:67:108:76 | unsafeUri7 : String | semmle.label | unsafeUri7 : String |
| SanitizationTests.java:109:25:109:32 | unsafer7 | semmle.label | unsafer7 |
| SanitizationTests.java:111:33:111:110 | format(...) : String | semmle.label | format(...) : String |
| SanitizationTests.java:111:33:111:110 | new ..[] { .. } : Object[] [[]] : String | semmle.label | new ..[] { .. } : Object[] [[]] : String |
| SanitizationTests.java:111:55:111:85 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| SanitizationTests.java:112:36:112:78 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder |
| SanitizationTests.java:112:36:112:86 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest |
| SanitizationTests.java:112:59:112:77 | new URI(...) | semmle.label | new URI(...) |
| SanitizationTests.java:112:59:112:77 | new URI(...) : URI | semmle.label | new URI(...) : URI |
| SanitizationTests.java:112:67:112:76 | unsafeUri8 : String | semmle.label | unsafeUri8 : String |
| SanitizationTests.java:113:25:113:32 | unsafer8 | semmle.label | unsafer8 |
| SanitizationTests.java:115:33:115:63 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| SanitizationTests.java:116:36:116:78 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder |
| SanitizationTests.java:116:36:116:86 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest |
| SanitizationTests.java:116:59:116:77 | new URI(...) | semmle.label | new URI(...) |
| SanitizationTests.java:116:59:116:77 | new URI(...) : URI | semmle.label | new URI(...) : URI |
| SanitizationTests.java:116:67:116:76 | unsafeUri9 : String | semmle.label | unsafeUri9 : String |
| SanitizationTests.java:117:25:117:32 | unsafer9 | semmle.label | unsafer9 |
| SanitizationTests.java:119:34:119:126 | format(...) : String | semmle.label | format(...) : String |
| SanitizationTests.java:119:34:119:126 | new ..[] { .. } : Object[] [[]] : String | semmle.label | new ..[] { .. } : Object[] [[]] : String |
| SanitizationTests.java:119:94:119:125 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| SanitizationTests.java:120:37:120:80 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder |
| SanitizationTests.java:120:37:120:88 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest |
| SanitizationTests.java:120:60:120:79 | new URI(...) | semmle.label | new URI(...) |
| SanitizationTests.java:120:60:120:79 | new URI(...) : URI | semmle.label | new URI(...) : URI |
| SanitizationTests.java:120:68:120:78 | unsafeUri10 : String | semmle.label | unsafeUri10 : String |
| SanitizationTests.java:121:25:121:33 | unsafer10 | semmle.label | unsafer10 |
| SanitizationTests.java:21:23:21:58 | new URI(...) : URI | semmle.label | new URI(...) : URI |
| SanitizationTests.java:21:31:21:57 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| SanitizationTests.java:24:29:24:55 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder |
| SanitizationTests.java:24:29:24:63 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest |
| SanitizationTests.java:24:52:24:54 | uri | semmle.label | uri |
| SanitizationTests.java:24:52:24:54 | uri : URI | semmle.label | uri : URI |
| SanitizationTests.java:25:25:25:25 | r | semmle.label | r |
| SanitizationTests.java:77:33:77:63 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| SanitizationTests.java:78:36:78:78 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder |
| SanitizationTests.java:78:36:78:86 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest |
| SanitizationTests.java:78:59:78:77 | new URI(...) | semmle.label | new URI(...) |
| SanitizationTests.java:78:59:78:77 | new URI(...) : URI | semmle.label | new URI(...) : URI |
| SanitizationTests.java:78:67:78:76 | unsafeUri3 : String | semmle.label | unsafeUri3 : String |
| SanitizationTests.java:79:25:79:32 | unsafer3 | semmle.label | unsafer3 |
| SanitizationTests.java:81:49:81:79 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| SanitizationTests.java:82:36:82:78 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder |
| SanitizationTests.java:82:36:82:86 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest |
| SanitizationTests.java:82:59:82:77 | new URI(...) | semmle.label | new URI(...) |
| SanitizationTests.java:82:59:82:77 | new URI(...) : URI | semmle.label | new URI(...) : URI |
| SanitizationTests.java:82:67:82:76 | unsafeUri4 : String | semmle.label | unsafeUri4 : String |
| SanitizationTests.java:83:25:83:32 | unsafer4 | semmle.label | unsafer4 |
| SanitizationTests.java:86:13:86:22 | unsafeUri5 [post update] : StringBuilder | semmle.label | unsafeUri5 [post update] : StringBuilder |
| SanitizationTests.java:86:31:86:61 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| SanitizationTests.java:87:36:87:89 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder |
| SanitizationTests.java:87:36:87:97 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest |
| SanitizationTests.java:87:59:87:88 | new URI(...) | semmle.label | new URI(...) |
| SanitizationTests.java:87:59:87:88 | new URI(...) : URI | semmle.label | new URI(...) : URI |
| SanitizationTests.java:87:67:87:76 | unsafeUri5 : StringBuilder | semmle.label | unsafeUri5 : StringBuilder |
| SanitizationTests.java:87:67:87:87 | toString(...) : String | semmle.label | toString(...) : String |
| SanitizationTests.java:88:25:88:32 | unsafer5 | semmle.label | unsafer5 |
| SanitizationTests.java:90:40:90:87 | new StringBuilder(...) : StringBuilder | semmle.label | new StringBuilder(...) : StringBuilder |
| SanitizationTests.java:90:58:90:86 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| SanitizationTests.java:92:37:92:90 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder |
| SanitizationTests.java:92:37:92:98 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest |
| SanitizationTests.java:92:60:92:89 | new URI(...) | semmle.label | new URI(...) |
| SanitizationTests.java:92:60:92:89 | new URI(...) : URI | semmle.label | new URI(...) : URI |
| SanitizationTests.java:92:68:92:77 | unafeUri5a : StringBuilder | semmle.label | unafeUri5a : StringBuilder |
| SanitizationTests.java:92:68:92:88 | toString(...) : String | semmle.label | toString(...) : String |
| SanitizationTests.java:93:25:93:33 | unsafer5a | semmle.label | unsafer5a |
| SanitizationTests.java:95:41:95:105 | append(...) : StringBuilder | semmle.label | append(...) : StringBuilder |
| SanitizationTests.java:95:42:95:89 | new StringBuilder(...) : StringBuilder | semmle.label | new StringBuilder(...) : StringBuilder |
| SanitizationTests.java:95:60:95:88 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| SanitizationTests.java:97:37:97:91 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder |
| SanitizationTests.java:97:37:97:99 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest |
| SanitizationTests.java:97:60:97:90 | new URI(...) | semmle.label | new URI(...) |
| SanitizationTests.java:97:60:97:90 | new URI(...) : URI | semmle.label | new URI(...) : URI |
| SanitizationTests.java:97:68:97:78 | unsafeUri5b : StringBuilder | semmle.label | unsafeUri5b : StringBuilder |
| SanitizationTests.java:97:68:97:89 | toString(...) : String | semmle.label | toString(...) : String |
| SanitizationTests.java:98:25:98:33 | unsafer5b | semmle.label | unsafer5b |
| SanitizationTests.java:100:41:100:106 | append(...) : StringBuilder | semmle.label | append(...) : StringBuilder |
| SanitizationTests.java:100:77:100:105 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| SanitizationTests.java:102:37:102:91 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder |
| SanitizationTests.java:102:37:102:99 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest |
| SanitizationTests.java:102:60:102:90 | new URI(...) | semmle.label | new URI(...) |
| SanitizationTests.java:102:60:102:90 | new URI(...) : URI | semmle.label | new URI(...) : URI |
| SanitizationTests.java:102:68:102:78 | unsafeUri5c : StringBuilder | semmle.label | unsafeUri5c : StringBuilder |
| SanitizationTests.java:102:68:102:89 | toString(...) : String | semmle.label | toString(...) : String |
| SanitizationTests.java:103:25:103:33 | unsafer5c | semmle.label | unsafer5c |
| SanitizationTests.java:105:33:105:104 | format(...) : String | semmle.label | format(...) : String |
| SanitizationTests.java:105:33:105:104 | new ..[] { .. } : Object[] [[]] : String | semmle.label | new ..[] { .. } : Object[] [[]] : String |
| SanitizationTests.java:105:73:105:103 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| SanitizationTests.java:106:36:106:78 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder |
| SanitizationTests.java:106:36:106:86 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest |
| SanitizationTests.java:106:59:106:77 | new URI(...) | semmle.label | new URI(...) |
| SanitizationTests.java:106:59:106:77 | new URI(...) : URI | semmle.label | new URI(...) : URI |
| SanitizationTests.java:106:67:106:76 | unsafeUri6 : String | semmle.label | unsafeUri6 : String |
| SanitizationTests.java:107:25:107:32 | unsafer6 | semmle.label | unsafer6 |
| SanitizationTests.java:109:33:109:110 | format(...) : String | semmle.label | format(...) : String |
| SanitizationTests.java:109:33:109:110 | new ..[] { .. } : Object[] [[]] : String | semmle.label | new ..[] { .. } : Object[] [[]] : String |
| SanitizationTests.java:109:56:109:86 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| SanitizationTests.java:110:36:110:78 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder |
| SanitizationTests.java:110:36:110:86 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest |
| SanitizationTests.java:110:59:110:77 | new URI(...) | semmle.label | new URI(...) |
| SanitizationTests.java:110:59:110:77 | new URI(...) : URI | semmle.label | new URI(...) : URI |
| SanitizationTests.java:110:67:110:76 | unsafeUri7 : String | semmle.label | unsafeUri7 : String |
| SanitizationTests.java:111:25:111:32 | unsafer7 | semmle.label | unsafer7 |
| SanitizationTests.java:113:33:113:110 | format(...) : String | semmle.label | format(...) : String |
| SanitizationTests.java:113:33:113:110 | new ..[] { .. } : Object[] [[]] : String | semmle.label | new ..[] { .. } : Object[] [[]] : String |
| SanitizationTests.java:113:55:113:85 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| SanitizationTests.java:114:36:114:78 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder |
| SanitizationTests.java:114:36:114:86 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest |
| SanitizationTests.java:114:59:114:77 | new URI(...) | semmle.label | new URI(...) |
| SanitizationTests.java:114:59:114:77 | new URI(...) : URI | semmle.label | new URI(...) : URI |
| SanitizationTests.java:114:67:114:76 | unsafeUri8 : String | semmle.label | unsafeUri8 : String |
| SanitizationTests.java:115:25:115:32 | unsafer8 | semmle.label | unsafer8 |
| SanitizationTests.java:117:33:117:63 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| SanitizationTests.java:118:36:118:78 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder |
| SanitizationTests.java:118:36:118:86 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest |
| SanitizationTests.java:118:59:118:77 | new URI(...) | semmle.label | new URI(...) |
| SanitizationTests.java:118:59:118:77 | new URI(...) : URI | semmle.label | new URI(...) : URI |
| SanitizationTests.java:118:67:118:76 | unsafeUri9 : String | semmle.label | unsafeUri9 : String |
| SanitizationTests.java:119:25:119:32 | unsafer9 | semmle.label | unsafer9 |
| SanitizationTests.java:121:34:121:126 | format(...) : String | semmle.label | format(...) : String |
| SanitizationTests.java:121:34:121:126 | new ..[] { .. } : Object[] [[]] : String | semmle.label | new ..[] { .. } : Object[] [[]] : String |
| SanitizationTests.java:121:94:121:125 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| SanitizationTests.java:122:37:122:80 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder |
| SanitizationTests.java:122:37:122:88 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest |
| SanitizationTests.java:122:60:122:79 | new URI(...) | semmle.label | new URI(...) |
| SanitizationTests.java:122:60:122:79 | new URI(...) : URI | semmle.label | new URI(...) : URI |
| SanitizationTests.java:122:68:122:78 | unsafeUri10 : String | semmle.label | unsafeUri10 : String |
| SanitizationTests.java:123:25:123:33 | unsafer10 | semmle.label | unsafer10 |
| SpringSSRF.java:28:33:28:60 | getParameter(...) : String | semmle.label | getParameter(...) : String |
| SpringSSRF.java:32:39:32:59 | ... + ... | semmle.label | ... + ... |
| SpringSSRF.java:33:35:33:48 | fooResourceUrl | semmle.label | fooResourceUrl |

18
java/ql/test/query-tests/security/CWE-918/SanitizationTests.java
View File

@@ -2,6 +2,8 @@ import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.util.regex.Pattern;
import java.util.regex.Matcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
@@ -126,11 +128,25 @@ public class SanitizationTests extends HttpServlet {
HttpRequest r10 = HttpRequest.newBuilder(new URI(param10)).build();
client.send(r10, null);
}
String param11 = request.getParameter("uri11");
validate(param11);
HttpRequest r11 = HttpRequest.newBuilder(new URI(param11)).build();
client.send(r11, null);
String param12 = request.getParameter("uri12");
if (Pattern.matches("[a-zA-Z0-9_-]+", param12)) {
HttpRequest r12 = HttpRequest.newBuilder(new URI(param12)).build();
client.send(r12, null);
}
Pattern pattern = Pattern.compile("[a-zA-Z0-9_-]+");
String param13 = request.getParameter("uri13");
Matcher matcher = pattern.matcher(param13);
if (matcher.matches()) {
HttpRequest r13 = HttpRequest.newBuilder(new URI(param13)).build();
client.send(r13, null);
}
} catch (Exception e) {
// TODO: handle exception
}

14
java/ql/test/stubs/apache-commons-fileupload-1.4/org/apache/commons/fileupload/FileItemStream.java generated Normal file
View File

@@ -0,0 +1,14 @@
package org.apache.commons.fileupload;
import java.io.InputStream;
import org.apache.commons.fileupload.FileItemHeadersSupport;
public interface FileItemStream extends FileItemHeadersSupport
{
InputStream openStream() throws java.io.IOException;
String getContentType();
String getName();
String getFieldName();
boolean isFormField();
}

11
java/ql/test/stubs/apache-commons-fileupload-1.4/org/apache/commons/fileupload/servlet/ServletFileUpload.java generated Normal file
View File

@@ -0,0 +1,11 @@
// Generated automatically from org.apache.commons.fileupload.servlet.ServletFileUpload for testing purposes
package org.apache.commons.fileupload.servlet;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.fileupload.FileItem;
public class ServletFileUpload {
public List<FileItem> parseRequest(HttpServletRequest p0){ return null; }
}

16
java/ql/test/stubs/apache-commons-fileupload-1.4/org/apache/commons/fileupload/util/Streams.java generated Normal file
View File

@@ -0,0 +1,16 @@
// Generated automatically from org.apache.commons.fileupload.util.Streams for testing purposes
package org.apache.commons.fileupload.util;
import java.io.InputStream;
import java.io.OutputStream;
public class Streams
{
protected Streams() {}
public static String asString(InputStream p0){ return null; }
public static String asString(InputStream p0, String p1){ return null; }
public static String checkFileName(String p0){ return null; }
public static long copy(InputStream p0, OutputStream p1, boolean p2){ return 0; }
public static long copy(InputStream p0, OutputStream p1, boolean p2, byte[] p3){ return 0; }
}

31
java/ql/test/stubs/jakarta.servlet-api-6.0.0/jakarta/servlet/AsyncContext.java generated Normal file
View File

@@ -0,0 +1,31 @@
// Generated automatically from jakarta.servlet.AsyncContext for testing purposes
package jakarta.servlet;
import jakarta.servlet.AsyncListener;
import jakarta.servlet.ServletContext;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
public interface AsyncContext
{
<T extends AsyncListener> T createListener(java.lang.Class<T> p0);
ServletRequest getRequest();
ServletResponse getResponse();
boolean hasOriginalRequestAndResponse();
long getTimeout();
static String ASYNC_CONTEXT_PATH = null;
static String ASYNC_MAPPING = null;
static String ASYNC_PATH_INFO = null;
static String ASYNC_QUERY_STRING = null;
static String ASYNC_REQUEST_URI = null;
static String ASYNC_SERVLET_PATH = null;
void addListener(AsyncListener p0);
void addListener(AsyncListener p0, ServletRequest p1, ServletResponse p2);
void complete();
void dispatch();
void dispatch(ServletContext p0, String p1);
void dispatch(String p0);
void setTimeout(long p0);
void start(Runnable p0);
}

20
java/ql/test/stubs/jakarta.servlet-api-6.0.0/jakarta/servlet/AsyncEvent.java generated Normal file
View File

@@ -0,0 +1,20 @@
// Generated automatically from jakarta.servlet.AsyncEvent for testing purposes
package jakarta.servlet;
import jakarta.servlet.AsyncContext;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
public class AsyncEvent
{
protected AsyncEvent() {}
public AsyncContext getAsyncContext(){ return null; }
public AsyncEvent(AsyncContext p0){}
public AsyncEvent(AsyncContext p0, ServletRequest p1, ServletResponse p2){}
public AsyncEvent(AsyncContext p0, ServletRequest p1, ServletResponse p2, Throwable p3){}
public AsyncEvent(AsyncContext p0, Throwable p1){}
public ServletRequest getSuppliedRequest(){ return null; }
public ServletResponse getSuppliedResponse(){ return null; }
public Throwable getThrowable(){ return null; }
}

14
java/ql/test/stubs/jakarta.servlet-api-6.0.0/jakarta/servlet/AsyncListener.java generated Normal file
View File

@@ -0,0 +1,14 @@
// Generated automatically from jakarta.servlet.AsyncListener for testing purposes
package jakarta.servlet;
import jakarta.servlet.AsyncEvent;
import java.util.EventListener;
public interface AsyncListener extends EventListener
{
void onComplete(AsyncEvent p0);
void onError(AsyncEvent p0);
void onStartAsync(AsyncEvent p0);
void onTimeout(AsyncEvent p0);
}

10
java/ql/test/stubs/jakarta.servlet-api-6.0.0/jakarta/servlet/DispatcherType.java generated Normal file
View File

@@ -0,0 +1,10 @@
// Generated automatically from jakarta.servlet.DispatcherType for testing purposes
package jakarta.servlet;
public enum DispatcherType
{
ASYNC, ERROR, FORWARD, INCLUDE, REQUEST;
private DispatcherType() {}
}

15
java/ql/test/stubs/jakarta.servlet-api-6.0.0/jakarta/servlet/Filter.java generated Normal file
View File

@@ -0,0 +1,15 @@
// Generated automatically from jakarta.servlet.Filter for testing purposes
package jakarta.servlet;
import jakarta.servlet.FilterChain;
import jakarta.servlet.FilterConfig;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
public interface Filter
{
default void destroy(){}
default void init(FilterConfig p0){}
void doFilter(ServletRequest p0, ServletResponse p1, FilterChain p2);
}

11
java/ql/test/stubs/jakarta.servlet-api-6.0.0/jakarta/servlet/FilterChain.java generated Normal file
View File

@@ -0,0 +1,11 @@
// Generated automatically from jakarta.servlet.FilterChain for testing purposes
package jakarta.servlet;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
public interface FilterChain
{
void doFilter(ServletRequest p0, ServletResponse p1);
}

14
java/ql/test/stubs/jakarta.servlet-api-6.0.0/jakarta/servlet/FilterConfig.java generated Normal file
View File

@@ -0,0 +1,14 @@
// Generated automatically from jakarta.servlet.FilterConfig for testing purposes
package jakarta.servlet;
import jakarta.servlet.ServletContext;
import java.util.Enumeration;
public interface FilterConfig
{
Enumeration<String> getInitParameterNames();
ServletContext getServletContext();
String getFilterName();
String getInitParameter(String p0);
}

19
java/ql/test/stubs/jakarta.servlet-api-6.0.0/jakarta/servlet/FilterRegistration.java generated Normal file
View File

@@ -0,0 +1,19 @@
// Generated automatically from jakarta.servlet.FilterRegistration for testing purposes
package jakarta.servlet;
import jakarta.servlet.DispatcherType;
import jakarta.servlet.Registration;
import java.util.Collection;
import java.util.EnumSet;
public interface FilterRegistration extends Registration
{
Collection<String> getServletNameMappings();
Collection<String> getUrlPatternMappings();
static public interface Dynamic extends FilterRegistration, Registration.Dynamic
{
}
void addMappingForServletNames(EnumSet<DispatcherType> p0, boolean p1, String... p2);
void addMappingForUrlPatterns(EnumSet<DispatcherType> p0, boolean p1, String... p2);
}

16
java/ql/test/stubs/jakarta.servlet-api-6.0.0/jakarta/servlet/HttpConstraintElement.java generated Normal file
View File

@@ -0,0 +1,16 @@
// Generated automatically from jakarta.servlet.HttpConstraintElement for testing purposes
package jakarta.servlet;
import jakarta.servlet.annotation.ServletSecurity;
public class HttpConstraintElement
{
public HttpConstraintElement(){}
public HttpConstraintElement(ServletSecurity.EmptyRoleSemantic p0){}
public HttpConstraintElement(ServletSecurity.EmptyRoleSemantic p0, ServletSecurity.TransportGuarantee p1, String... p2){}
public HttpConstraintElement(ServletSecurity.TransportGuarantee p0, String... p1){}
public ServletSecurity.EmptyRoleSemantic getEmptyRoleSemantic(){ return null; }
public ServletSecurity.TransportGuarantee getTransportGuarantee(){ return null; }
public String[] getRolesAllowed(){ return null; }
}

13
java/ql/test/stubs/jakarta.servlet-api-6.0.0/jakarta/servlet/HttpMethodConstraintElement.java generated Normal file
View File

@@ -0,0 +1,13 @@
// Generated automatically from jakarta.servlet.HttpMethodConstraintElement for testing purposes
package jakarta.servlet;
import jakarta.servlet.HttpConstraintElement;
public class HttpMethodConstraintElement extends HttpConstraintElement
{
protected HttpMethodConstraintElement() {}
public HttpMethodConstraintElement(String p0){}
public HttpMethodConstraintElement(String p0, HttpConstraintElement p1){}
public String getMethodName(){ return null; }
}

17
java/ql/test/stubs/jakarta.servlet-api-6.0.0/jakarta/servlet/MultipartConfigElement.java generated Normal file
View File

@@ -0,0 +1,17 @@
// Generated automatically from jakarta.servlet.MultipartConfigElement for testing purposes
package jakarta.servlet;
import jakarta.servlet.annotation.MultipartConfig;
public class MultipartConfigElement
{
protected MultipartConfigElement() {}
public MultipartConfigElement(MultipartConfig p0){}
public MultipartConfigElement(String p0){}
public MultipartConfigElement(String p0, long p1, long p2, int p3){}
public String getLocation(){ return null; }
public int getFileSizeThreshold(){ return 0; }
public long getMaxFileSize(){ return 0; }
public long getMaxRequestSize(){ return 0; }
}

12
java/ql/test/stubs/jakarta.servlet-api-6.0.0/jakarta/servlet/ReadListener.java generated Normal file
View File

@@ -0,0 +1,12 @@
// Generated automatically from jakarta.servlet.ReadListener for testing purposes
package jakarta.servlet;
import java.util.EventListener;
public interface ReadListener extends EventListener
{
void onAllDataRead();
void onDataAvailable();
void onError(Throwable p0);
}

20
java/ql/test/stubs/jakarta.servlet-api-6.0.0/jakarta/servlet/Registration.java generated Normal file
View File

@@ -0,0 +1,20 @@
// Generated automatically from jakarta.servlet.Registration for testing purposes
package jakarta.servlet;
import java.util.Map;
import java.util.Set;
public interface Registration
{
Map<String, String> getInitParameters();
Set<String> setInitParameters(Map<String, String> p0);
String getClassName();
String getInitParameter(String p0);
String getName();
boolean setInitParameter(String p0, String p1);
static public interface Dynamic extends Registration
{
void setAsyncSupported(boolean p0);
}
}

30
java/ql/test/stubs/jakarta.servlet-api-6.0.0/jakarta/servlet/RequestDispatcher.java generated Normal file
View File

@@ -0,0 +1,30 @@
// Generated automatically from jakarta.servlet.RequestDispatcher for testing purposes
package jakarta.servlet;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
public interface RequestDispatcher
{
static String ERROR_EXCEPTION = null;
static String ERROR_EXCEPTION_TYPE = null;
static String ERROR_MESSAGE = null;
static String ERROR_REQUEST_URI = null;
static String ERROR_SERVLET_NAME = null;
static String ERROR_STATUS_CODE = null;
static String FORWARD_CONTEXT_PATH = null;
static String FORWARD_MAPPING = null;
static String FORWARD_PATH_INFO = null;
static String FORWARD_QUERY_STRING = null;
static String FORWARD_REQUEST_URI = null;
static String FORWARD_SERVLET_PATH = null;
static String INCLUDE_CONTEXT_PATH = null;
static String INCLUDE_MAPPING = null;
static String INCLUDE_PATH_INFO = null;
static String INCLUDE_QUERY_STRING = null;
static String INCLUDE_REQUEST_URI = null;
static String INCLUDE_SERVLET_PATH = null;
void forward(ServletRequest p0, ServletResponse p1);
void include(ServletRequest p0, ServletResponse p1);
}

16
java/ql/test/stubs/jakarta.servlet-api-6.0.0/jakarta/servlet/Servlet.java generated Normal file
View File

@@ -0,0 +1,16 @@
// Generated automatically from jakarta.servlet.Servlet for testing purposes
package jakarta.servlet;
import jakarta.servlet.ServletConfig;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
public interface Servlet
{
ServletConfig getServletConfig();
String getServletInfo();
void destroy();
void init(ServletConfig p0);
void service(ServletRequest p0, ServletResponse p1);
}

14
java/ql/test/stubs/jakarta.servlet-api-6.0.0/jakarta/servlet/ServletConfig.java generated Normal file
View File

@@ -0,0 +1,14 @@
// Generated automatically from jakarta.servlet.ServletConfig for testing purposes
package jakarta.servlet;
import jakarta.servlet.ServletContext;
import java.util.Enumeration;
public interface ServletConfig
{
Enumeration<String> getInitParameterNames();
ServletContext getServletContext();
String getInitParameter(String p0);
String getServletName();
}

12
java/ql/test/stubs/jakarta.servlet-api-6.0.0/jakarta/servlet/ServletConnection.java generated Normal file
View File

@@ -0,0 +1,12 @@
// Generated automatically from jakarta.servlet.ServletConnection for testing purposes
package jakarta.servlet;
public interface ServletConnection
{
String getConnectionId();
String getProtocol();
String getProtocolConnectionId();
boolean isSecure();
}

Some files were not shown because too many files have changed in this diff Show More