Merge pull request #3141 from pwntester/InsecureBeanValidation

Insecure Bean Validation query

java/ql/src/semmle/code/java/dataflow/FlowSources.qll

@@ -183,6 +183,23 @@ private class WebSocketMessageParameterSource extends RemoteFlowSource {
   override string getSourceType() { result = "Websocket onText parameter" }
 }
 
+private class BeanValidationSource extends RemoteFlowSource {
+  BeanValidationSource() {
+    exists(Method m, Parameter v |
+      this.asParameter() = v and
+      m.getParameter(0) = v and
+      m
+          .getDeclaringType()
+          .getASourceSupertype+()
+          .hasQualifiedName("javax.validation", "ConstraintValidator") and
+      m.hasName("isValid") and
+      m.fromSource()
+    )
+  }
+
+  override string getSourceType() { result = "BeanValidation source" }
+}
+
 /** Class for `tainted` user input. */
 abstract class UserInput extends DataFlow::Node { }