Merge remote-tracking branch 'upstream/main' into igfoo/mb

java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.ql

@@ -118,7 +118,7 @@ where
   // implicit: no setAllowContentAccess(false)
   exists(WebViewSource source |
     source.asExpr() = e and
-    not WebViewDisallowContentAccessFlow::flow(source, _)
+    not WebViewDisallowContentAccessFlow::flowFrom(source)
   )
 select e,
   "Sensitive information may be exposed via a malicious link due to access to content:// links being allowed in this WebView."

java/ql/src/change-notes/2025-11-25-thread-safe-initializers.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Java thread safety analysis now understands initialization to thread safe classes inside constructors.

java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql

@@ -85,7 +85,7 @@ private module JxBrowserFlow = DataFlow::Global<JxBrowserFlowConfig>;
 
 deprecated query predicate problems(DataFlow::Node src, string message) {
   JxBrowserFlowConfig::isSource(src) and
-  not JxBrowserFlow::flow(src, _) and
+  not JxBrowserFlow::flowFrom(src) and
   not isSafeJxBrowserVersion() and
   message = "This JxBrowser instance may not check HTTPS certificates."
 }

java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql

@@ -50,7 +50,7 @@ private Expr getAccessControlAllowOriginHeaderName() {
  * A taint-tracking configuration for flow from a source node to CorsProbableCheckAccess methods.
  */
 module CorsSourceReachesCheckConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { CorsOriginFlow::flow(source, _) }
+  predicate isSource(DataFlow::Node source) { CorsOriginFlow::flowFrom(source) }
 
   predicate isSink(DataFlow::Node sink) {
     sink.asExpr() = any(CorsProbableCheckAccess check).getAnArgument()
@@ -86,7 +86,7 @@ deprecated query predicate problems(
   string message1, DataFlow::Node sourceNode, string message2
 ) {
   CorsOriginFlow::flowPath(source, sink) and
-  not CorsSourceReachesCheckFlow::flow(sourceNode, _) and
+  not CorsSourceReachesCheckFlow::flowFrom(sourceNode) and
   sinkNode = sink.getNode() and
   message1 = "CORS header is being set using user controlled value $@." and
   sourceNode = source.getNode() and

java/ql/src/experimental/Security/CWE/CWE-347/Auth0NoVerifier.ql

@@ -17,7 +17,7 @@ deprecated import JwtAuth0 as JwtAuth0
 deprecated module JwtDecodeConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
     source instanceof RemoteFlowSource and
-    not FlowToJwtVerify::flow(source, _)
+    not FlowToJwtVerify::flowFrom(source)
   }
 
   predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(JwtAuth0::GetPayload a) }

java/ql/src/experimental/semmle/code/java/security/DecompressionBombQuery.qll

@@ -1,7 +1,7 @@
 deprecated module;
 
-import experimental.semmle.code.java.security.FileAndFormRemoteSource
 import experimental.semmle.code.java.security.DecompressionBomb::DecompressionBomb
+import semmle.code.java.dataflow.FlowSources
 
 module DecompressionBombsConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

java/ql/src/experimental/semmle/code/java/security/FileAndFormRemoteSource.qll

@@ -1,120 +0,0 @@
-deprecated module;
-
-import java
-import semmle.code.java.dataflow.FlowSources
-
-class CommonsFileUploadAdditionalTaintStep extends Unit {
-  abstract predicate step(DataFlow::Node n1, DataFlow::Node n2);
-}
-
-module ApacheCommonsFileUpload {
-  module RemoteFlowSource {
-    class TypeServletFileUpload extends RefType {
-      TypeServletFileUpload() {
-        this.hasQualifiedName("org.apache.commons.fileupload.servlet", "ServletFileUpload")
-      }
-    }
-
-    class TypeFileUpload extends RefType {
-      TypeFileUpload() {
-        this.getAStrictAncestor*().hasQualifiedName("org.apache.commons.fileupload", "FileItem")
-      }
-    }
-
-    class TypeFileItemStream extends RefType {
-      TypeFileItemStream() {
-        this.getAStrictAncestor*()
-            .hasQualifiedName("org.apache.commons.fileupload", "FileItemStream")
-      }
-    }
-
-    class ServletFileUpload extends RemoteFlowSource {
-      ServletFileUpload() {
-        exists(MethodCall ma |
-          ma.getReceiverType() instanceof TypeServletFileUpload and
-          ma.getCallee().hasName("parseRequest") and
-          this.asExpr() = ma
-        )
-      }
-
-      override string getSourceType() { result = "Apache Commons Fileupload" }
-    }
-
-    private class FileItemRemoteSource extends RemoteFlowSource {
-      FileItemRemoteSource() {
-        exists(MethodCall ma |
-          ma.getReceiverType() instanceof TypeFileUpload and
-          ma.getCallee()
-              .hasName([
-                  "getInputStream", "getFieldName", "getContentType", "get", "getName", "getString"
-                ]) and
-          this.asExpr() = ma
-        )
-      }
-
-      override string getSourceType() { result = "Apache Commons Fileupload" }
-    }
-
-    private class FileItemStreamRemoteSource extends RemoteFlowSource {
-      FileItemStreamRemoteSource() {
-        exists(MethodCall ma |
-          ma.getReceiverType() instanceof TypeFileItemStream and
-          ma.getCallee().hasName(["getContentType", "getFieldName", "getName", "openStream"]) and
-          this.asExpr() = ma
-        )
-      }
-
-      override string getSourceType() { result = "Apache Commons Fileupload" }
-    }
-  }
-
-  module Util {
-    class TypeStreams extends RefType {
-      TypeStreams() { this.hasQualifiedName("org.apache.commons.fileupload.util", "Streams") }
-    }
-
-    private class AsStringAdditionalTaintStep extends CommonsFileUploadAdditionalTaintStep {
-      override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
-        exists(Call call |
-          call.getCallee().getDeclaringType() instanceof TypeStreams and
-          call.getArgument(0) = n1.asExpr() and
-          call = n2.asExpr() and
-          call.getCallee().hasName("asString")
-        )
-      }
-    }
-
-    private class CopyAdditionalTaintStep extends CommonsFileUploadAdditionalTaintStep {
-      override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
-        exists(Call call |
-          call.getCallee().getDeclaringType() instanceof TypeStreams and
-          call.getArgument(0) = n1.asExpr() and
-          call.getArgument(1) = n2.asExpr() and
-          call.getCallee().hasName("copy")
-        )
-      }
-    }
-  }
-}
-
-module ServletRemoteMultiPartSources {
-  class TypePart extends RefType {
-    TypePart() { this.hasQualifiedName(["javax.servlet.http", "jakarta.servlet.http"], "Part") }
-  }
-
-  private class ServletPartCalls extends RemoteFlowSource {
-    ServletPartCalls() {
-      exists(MethodCall ma |
-        ma.getReceiverType() instanceof TypePart and
-        ma.getCallee()
-            .hasName([
-                "getInputStream", "getName", "getContentType", "getHeader", "getHeaders",
-                "getHeaderNames", "getSubmittedFileName", "write"
-              ]) and
-        this.asExpr() = ma
-      )
-    }
-
-    override string getSourceType() { result = "Javax Servlet Http" }
-  }
-}

java/ql/src/utils/modelgenerator/internal/CaptureModels.qll

@@ -218,6 +218,8 @@ module SummaryModelGeneratorInput implements SummaryModelGeneratorInputSig {
     )
   }
 
+  int contentAccessPathLimitInternal() { result = 2 }
+
   predicate isField(DataFlow::ContentSet c) {
     c instanceof DataFlowUtil::FieldContent or
     c instanceof DataFlowUtil::SyntheticFieldContent