Java: update xpath sink kind to xpath-injection

2026-04-26 01:05:15 +02:00 · 2023-05-09 12:00:28 -04:00
parent 55be2e5b67
commit fc58d10a4e
6 changed files with 28 additions and 28 deletions
--- a/java/ql/lib/ext/javax.xml.xpath.model.yml
+++ b/java/ql/lib/ext/javax.xml.xpath.model.yml
@@ -3,6 +3,6 @@ extensions:
      pack: codeql/java-all
      extensible: sinkModel
    data:
-      - ["javax.xml.xpath", "XPath", True, "compile", "", "", "Argument[0]", "xpath", "manual"]
-      - ["javax.xml.xpath", "XPath", True, "evaluate", "", "", "Argument[0]", "xpath", "manual"]
-      - ["javax.xml.xpath", "XPath", True, "evaluateExpression", "", "", "Argument[0]", "xpath", "manual"]
+      - ["javax.xml.xpath", "XPath", True, "compile", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["javax.xml.xpath", "XPath", True, "evaluate", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["javax.xml.xpath", "XPath", True, "evaluateExpression", "", "", "Argument[0]", "xpath-injection", "manual"]
--- a/java/ql/lib/ext/org.dom4j.model.yml
+++ b/java/ql/lib/ext/org.dom4j.model.yml
@@ -3,18 +3,18 @@ extensions:
      pack: codeql/java-all
      extensible: sinkModel
    data:
-      - ["org.dom4j", "DocumentFactory", True, "createPattern", "", "", "Argument[0]", "xpath", "manual"]
-      - ["org.dom4j", "DocumentFactory", True, "createXPath", "", "", "Argument[0]", "xpath", "manual"]
-      - ["org.dom4j", "DocumentFactory", True, "createXPathFilter", "", "", "Argument[0]", "xpath", "manual"]
-      - ["org.dom4j", "DocumentHelper", False, "createPattern", "", "", "Argument[0]", "xpath", "manual"]
-      - ["org.dom4j", "DocumentHelper", False, "createXPath", "", "", "Argument[0]", "xpath", "manual"]
-      - ["org.dom4j", "DocumentHelper", False, "createXPathFilter", "", "", "Argument[0]", "xpath", "manual"]
-      - ["org.dom4j", "DocumentHelper", False, "selectNodes", "", "", "Argument[0]", "xpath", "manual"]
-      - ["org.dom4j", "DocumentHelper", False, "sort", "", "", "Argument[1]", "xpath", "manual"]
-      - ["org.dom4j", "Node", True, "createXPath", "", "", "Argument[0]", "xpath", "manual"]
-      - ["org.dom4j", "Node", True, "matches", "", "", "Argument[0]", "xpath", "manual"]
-      - ["org.dom4j", "Node", True, "numberValueOf", "", "", "Argument[0]", "xpath", "manual"]
-      - ["org.dom4j", "Node", True, "selectNodes", "", "", "Argument[0..1]", "xpath", "manual"]
-      - ["org.dom4j", "Node", True, "selectObject", "", "", "Argument[0]", "xpath", "manual"]
-      - ["org.dom4j", "Node", True, "selectSingleNode", "", "", "Argument[0]", "xpath", "manual"]
-      - ["org.dom4j", "Node", True, "valueOf", "", "", "Argument[0]", "xpath", "manual"]
+      - ["org.dom4j", "DocumentFactory", True, "createPattern", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["org.dom4j", "DocumentFactory", True, "createXPath", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["org.dom4j", "DocumentFactory", True, "createXPathFilter", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["org.dom4j", "DocumentHelper", False, "createPattern", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["org.dom4j", "DocumentHelper", False, "createXPath", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["org.dom4j", "DocumentHelper", False, "createXPathFilter", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["org.dom4j", "DocumentHelper", False, "selectNodes", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["org.dom4j", "DocumentHelper", False, "sort", "", "", "Argument[1]", "xpath-injection", "manual"]
+      - ["org.dom4j", "Node", True, "createXPath", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["org.dom4j", "Node", True, "matches", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["org.dom4j", "Node", True, "numberValueOf", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["org.dom4j", "Node", True, "selectNodes", "", "", "Argument[0..1]", "xpath-injection", "manual"]
+      - ["org.dom4j", "Node", True, "selectObject", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["org.dom4j", "Node", True, "selectSingleNode", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["org.dom4j", "Node", True, "valueOf", "", "", "Argument[0]", "xpath-injection", "manual"]
--- a/java/ql/lib/ext/org.dom4j.tree.model.yml
+++ b/java/ql/lib/ext/org.dom4j.tree.model.yml
@@ -3,5 +3,5 @@ extensions:
      pack: codeql/java-all
      extensible: sinkModel
    data:
-      - ["org.dom4j.tree", "AbstractNode", True, "createPattern", "", "", "Argument[0]", "xpath", "manual"]
-      - ["org.dom4j.tree", "AbstractNode", True, "createXPathFilter", "", "", "Argument[0]", "xpath", "manual"]
+      - ["org.dom4j.tree", "AbstractNode", True, "createPattern", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["org.dom4j.tree", "AbstractNode", True, "createXPathFilter", "", "", "Argument[0]", "xpath-injection", "manual"]
--- a/java/ql/lib/ext/org.dom4j.util.model.yml
+++ b/java/ql/lib/ext/org.dom4j.util.model.yml
@@ -3,6 +3,6 @@ extensions:
      pack: codeql/java-all
      extensible: sinkModel
    data:
-      - ["org.dom4j.util", "ProxyDocumentFactory", True, "createPattern", "", "", "Argument[0]", "xpath", "manual"]
-      - ["org.dom4j.util", "ProxyDocumentFactory", True, "createXPath", "", "", "Argument[0]", "xpath", "manual"]
-      - ["org.dom4j.util", "ProxyDocumentFactory", True, "createXPathFilter", "", "", "Argument[0]", "xpath", "manual"]
+      - ["org.dom4j.util", "ProxyDocumentFactory", True, "createPattern", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["org.dom4j.util", "ProxyDocumentFactory", True, "createXPath", "", "", "Argument[0]", "xpath-injection", "manual"]
+      - ["org.dom4j.util", "ProxyDocumentFactory", True, "createXPathFilter", "", "", "Argument[0]", "xpath-injection", "manual"]
--- a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
@@ -275,10 +275,10 @@ module ModelValidation {
      not kind =
        [
          "open-url", "jndi-injection", "ldap", "sql-injection", "jdbc-url", "logging", "mvel",
-          "xpath", "groovy", "xss", "ognl-injection", "intent-start", "pending-intent-sent",
-          "url-redirection", "create-file", "read-file", "write-file", "set-hostname-verifier",
-          "header-splitting", "information-leak", "xslt", "jexl", "bean-validation", "ssti",
-          "fragment-injection", "command-injection"
+          "xpath-injection", "groovy", "xss", "ognl-injection", "intent-start",
+          "pending-intent-sent", "url-redirection", "create-file", "read-file", "write-file",
+          "set-hostname-verifier", "header-splitting", "information-leak", "xslt", "jexl",
+          "bean-validation", "ssti", "fragment-injection", "command-injection"
        ] and
      not kind.matches("regex-use%") and
      not kind.matches("qltest%") and
--- a/java/ql/lib/semmle/code/java/security/XPath.qll
+++ b/java/ql/lib/semmle/code/java/security/XPath.qll
@@ -13,7 +13,7 @@ abstract class XPathInjectionSink extends DataFlow::Node { }
 /** A default sink representing methods susceptible to XPath Injection attacks. */
 private class DefaultXPathInjectionSink extends XPathInjectionSink {
  DefaultXPathInjectionSink() {
-    sinkNode(this, "xpath")
+    sinkNode(this, "xpath-injection")
    or
    exists(ClassInstanceExpr constructor |
      constructor.getConstructedType().getASourceSupertype*().hasQualifiedName("org.dom4j", "XPath")