hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-14 19:29:28 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
07e97e20d8cc251bbcab7a97b2fc4e1640123a97
codeql/java/ql/test/stubs
History
Salah Baddou f5131f9bc6 Java: Add XXE sink model for Woodstox WstxInputFactory 
`com.ctc.wstx.stax.WstxInputFactory` overrides `createXMLStreamReader`,
`createXMLEventReader` and `setProperty` from `XMLInputFactory`, so the
existing `XmlInputFactory` model in `XmlParsers.qll` does not match calls
where the static receiver type is `WstxInputFactory` (or its supertype
`org.codehaus.stax2.XMLInputFactory2`). Woodstox is vulnerable to XXE in
its default configuration, so these missed sinks were false negatives in
`java/xxe`.

This adds a scoped framework model under
`semmle/code/java/frameworks/woodstox/WoodstoxXml.qll` (registered in the
`Frameworks` module of `XmlParsers.qll`) that recognises these calls as
XXE sinks and treats the factory as safe when both
`javax.xml.stream.supportDTD` and
`javax.xml.stream.isSupportingExternalEntities` are disabled — mirroring
the existing `XMLInputFactory` safe-configuration logic.
2026-04-17 18:46:51 +04:00
..
akka-2.6.x/akka/util
Initial support for Play Framework > 2.6.x
2020-10-22 20:20:49 +05:30
amazon-aws-sdk-1.11.700
Hardcoded AWS credentials
2020-06-17 02:46:02 +00:00
amqp-client-5.12.0/com/rabbitmq/client
Consider setSslContextFactory and fix tests
2022-01-19 16:43:01 +01:00
apache-ant-1.10.13/org/apache/tools
org.apache.tools.zip tests
2023-03-14 17:41:20 +01:00
apache-camel-4.0.6
Java: add test for Apache Camel dead-code analysis
2024-08-15 17:26:38 +01:00
apache-commons-beanutils/org/apache/commons/beanutils
org.kohsuke.stapler.framework.adjunct tests
2023-03-14 18:21:38 +01:00
apache-commons-codec-1.14
Add test case
2020-04-28 11:26:43 +02:00
apache-commons-collections4-4.4/org
Fix stub
2021-09-27 16:24:41 +01:00
apache-commons-compress/org/apache/commons/compress/archivers
Add stubs
2023-03-10 12:35:13 +01:00
apache-commons-digester3-3.2/org/apache/commons/digester3
Add experimental variants of java/xxe, incorporating new sinks and a version that uses local sources.
2021-09-10 13:49:31 +01:00
apache-commons-email-1.6.0
Add all dependent class stubs
2020-06-09 20:12:05 +00:00
apache-commons-fileupload-1.4/org/apache/commons
Add additional test
2025-12-29 07:09:31 +00:00
apache-commons-io-2.6
org.apache.commons.io tests
2023-03-14 12:50:09 +01:00
apache-commons-jelly-1.0.1/org/apache/commons/jelly
org.apache.commons.jelly tests
2023-03-14 17:04:14 +01:00
apache-commons-jexl-2.1.1/org/apache/commons/jexl2
More csv sinks and sources
2021-05-03 12:44:53 +02:00
apache-commons-jexl-3.1/org/apache/commons/jexl3
Removed commented code from JexlUberspect
2021-02-24 22:31:03 +01:00
apache-commons-lang/org/apache/commons/lang/exception
org.kohsuke.stapler.framework.adjunct tests
2023-03-14 18:21:38 +01:00
apache-commons-lang3-3.7
Review fixup and add test for apache SystemUtils
2022-03-02 12:50:38 -05:00
apache-commons-logging-1.2/org/apache/commons/logging
Add stubs & tests
2021-11-03 17:26:13 +01:00
apache-commons-net-3.8.0/org/apache/commons/net
Add stubs and tests for new hardcoded-credential sinks
2022-08-13 12:39:15 +01:00
apache-commons-text-1.9/org/apache/commons/text
Add models for Apache Commons Lang and Text's Str[ing]Substitutor
2021-03-04 11:11:55 +00:00
apache-cxf/org/apache/cxf
Java: Add new Apache CXF models
2023-08-25 11:17:51 +02:00
apache-freemarker-2.3.31/freemarker
Generate stubs, adapt tests
2022-09-08 17:38:21 +02:00
apache-hive
Add stubs
2023-03-01 09:48:33 +01:00
apache-http-4.4.13/org/apache/http
Fix Apache Commons HTTP Client and SQL Injection tests
2023-03-13 09:36:53 +01:00
apache-http-5/org/apache/hc
Java: add tests
2023-05-26 18:55:13 -04:00
apache-ldap-1.0.2/org/apache/directory
Java: Adjust stubs and unit test.
2020-01-30 11:27:33 +01:00
apache-log4j-1.2.17/org/apache/log4j
Add stubs & tests
2021-11-03 17:26:13 +01:00
apache-log4j-2.14.1
Sinks for CloseableThreadContext
2021-12-17 09:17:04 +01:00
apache-mina-sshd-2.8.0/org
Java: adapt stub to ExecutorService change in JDK19
2023-10-13 20:30:28 +01:00
apache-velocity-2.3/org
Generate stubs, adapt tests
2022-09-08 17:38:21 +02:00
aspectj
Java: Add initial version of empty method query
2025-03-14 11:36:03 +01:00
auth0-jwt-2.3/com/auth0/jwt
Query to detect hardcoded JWT secret keys
2022-05-04 23:09:48 +00:00
azure-sdk-for-java/com/azure
Query to detect hard-coded Azure credentials
2021-05-07 13:16:41 +00:00
bsh-2.0b5/bsh
BeanShell Injection
2021-06-18 15:54:13 +08:00
cargo/org/codehaus/cargo
More stubs
2023-03-10 12:35:13 +01:00
castor-1.4.1/org/exolab/castor
Add UnsafeDeserialization
2021-05-12 12:37:16 +08:00
commons-exec-1.3/org/apache/commons/exec
Migrate Java code to separate QL repo.
2018-08-30 10:48:05 +01:00
couchbaseClient/com/couchbase/client
Fix extraction error
2026-01-13 22:33:01 +01:00
dom4j-2.1.1/org/dom4j
Fix stubs and test expectations
2023-03-15 11:33:02 +01:00
ejb-3.2/javax
Add query for enterprise beans
2021-02-20 02:00:42 +00:00
esapi-2.0.1/org/owasp/esapi
Move ESAPI models into the Weak Randomness query
2023-12-11 11:18:39 -05:00
fastjson-1.2.74/com/alibaba/fastjson
*)add JsonHijacking ql query
2021-02-18 18:11:10 +08:00
flexjson-2.1/flexjson
Add support for the Flexjson framework to the unsafe-deserialization query
2021-09-10 16:27:23 +01:00
flogger-0.7.1/com/google/common/flogger
Add stubs & tests
2021-11-03 17:26:13 +01:00
ganymed-ssh-2-260/ch/ethz/ssh2
Add stubs and tests for new hardcoded-credential sinks
2022-08-13 12:39:15 +01:00
google-android-9.0.0
Add unit tests
2024-02-12 13:49:45 +00:00
groovy-all-3.0.7
Java: Add TemplateEngine.createTemplate as a groovy injection sink
2023-05-19 17:45:47 +02:00
gson-2.8.6/com/google/gson
Add tests & stubs
2023-05-30 17:52:00 +02:00
guava-30.0
Add test cases for PolynomialRedos dataflow logic; make fixes
2022-05-04 15:41:35 +01:00
guice-4.2.2/com/google/inject
Java: add test for Guice framework support
2019-02-15 20:01:08 -05:00
guice-servlet-4.2.2/com/google/inject/servlet
Java: add test for Guice framework support
2019-02-15 20:01:08 -05:00
hamcrest-2.2
Java: Respect Hamcrest assertThat(X, notNullValue())
2019-10-29 17:52:13 +00:00
hessian-4.0.38/com/caucho
Add UnsafeDeserialization
2021-05-12 12:37:16 +08:00
HikariCP-3.4.5/com/zaxxer/hikari
Java: Add JDBC connection SSRF sinks
2022-03-12 16:35:32 +04:00
j2objc
Add j2objc license
2019-08-17 16:31:18 +01:00
j2ssh-1.5.5/com/sshtools/j2ssh/authentication
Add stubs and tests for new hardcoded-credential sinks
2022-08-13 12:39:15 +01:00
jabsorb-1.3.2/org/jabsorb
Add unsafe-deserialization support for Jabsorb
2021-08-04 15:35:50 +01:00
jackson-core-2.12/com/fasterxml/jackson/core
Add full integration test for Ratpack example
2021-10-18 12:21:11 -04:00
jackson-databind-2.12
Add full integration test for Ratpack example
2021-10-18 12:21:11 -04:00
jakarta-json-2.0.1/jakarta/json
Also cover jakarta version of javax.json, and some missed methods
2021-06-30 15:04:15 +01:00
jakarta-mail-2.0.1/jakarta/mail
Consider Jakarta Mail
2021-10-05 09:18:47 +02:00
jakarta-persistence-api-3.2.0/jakarta/persistence
Add basic test for SQL injection vs Jakarta Persistence
2025-04-01 17:13:23 +01:00
jakarta.servlet-api-6.0.0/jakarta/servlet
Finished up
2024-09-27 19:24:40 +00:00
java-ee-el/javax/el
Added setVariable() sink
2021-04-08 20:41:43 +03:00
javafx-web
Fix stubs
2023-03-15 12:43:45 +01:00
javamail-api-1.6.2
Add all dependent class stubs
2020-06-09 20:12:05 +00:00
javax-annotation-api-1.3.2/javax/annotation
Java: Model the Stapler framework
2023-06-14 12:34:52 +02:00
javax-faces-2.3/javax/faces
Query to detect XSS with JavaServer Faces (JSF)
2021-09-14 11:47:32 +01:00
javax-json-api-1.1.4/javax/json
Also cover jakarta version of javax.json, and some missed methods
2021-06-30 15:04:15 +01:00
javax-servlet-2.5/javax
Fix stubs
2023-03-15 12:43:45 +01:00
javax-validation-constraints/javax/validation
Add failing test for @Pattern validation
2026-02-12 16:57:04 +00:00
javax-ws-rs-api-2.1.1/javax/ws/rs
Add sources for Jax-RS filters
2021-09-10 16:36:34 +01:00
javax-ws-rs-api-3.0.0/jakarta/ws/rs
Add sources for Jax-RS filters
2021-09-10 16:36:34 +01:00
jaxb-api-2.3.1/javax/xml/bind
Java: Add XXE tests.
2021-04-19 10:58:21 +02:00
jaxen-1.2.0/org/jaxen
org.apache.commons.jelly tests
2023-03-14 17:04:14 +01:00
jaxws-api-2.0
Merge pull request #13900 from atorralba/atorralba/java/jaxws-getaremotemethod-improv
2023-08-24 13:37:15 +02:00
jboss-logging-3.4.2/org/jboss/logging
Add stubs & tests
2021-11-03 17:26:13 +01:00
jboss-vfs-3.2/org/jboss/vfs
Add more test cases
2022-04-29 02:31:43 +00:00
jdbi3-core-3.27.2/org/jdbi/v3/core
Java: Add JDBC connection SSRF sinks
2022-03-12 16:35:32 +04:00
jdom-1.1.3/org/jdom
Migrate Java code to separate QL repo.
2018-08-30 10:48:05 +01:00
jenkins/hudson
Java: Model the Stapler framework
2023-06-14 12:34:52 +02:00
jfinal-4.9.15/com/jfinal
Correct the data model and update qldoc
2022-02-08 04:02:27 +00:00
jinjava-2.6.0
Generate stubs, adapt tests
2022-09-08 17:38:21 +02:00
jmh-1.3.6/org/openjdk/jmh
org.openjdk.jmh.runner.options tests
2023-03-15 14:47:27 +01:00
jms-api-1/javax/jms
Added sources and steps for JMS API
2022-04-26 13:34:21 +01:00
joddjson-6.0.3/jodd/json
Unsafe deserialization: add support for Jodd JSON library
2021-08-05 16:01:14 +01:00
jsch-0.1.55/com/jcraft/jsch
Add stubs and tests for new hardcoded-credential sinks
2022-08-13 12:39:15 +01:00
json-io-4.10.0/com/cedarsoftware/util/io
Add UnsafeDeserialization
2021-05-12 12:37:16 +08:00
json-java-20210307/org/json
Add models of JSON-java, aka org.json
2021-07-19 17:57:27 +01:00
jsr181-api
Add stubs for JAX-WS
2021-06-08 15:12:04 +01:00
jsr223-api/javax/script
Java: Added JSR 223 sinks for MVEL injections
2020-06-05 17:17:43 +03:00
jsr311-api-1.1.1/javax/ws/rs
Java: Add missing stub.
2021-07-13 15:26:37 +02:00
juel-2.2/de/odysseus/el
Added tests for Jakarta expression injection
2021-03-21 21:19:39 +03:00
junit-4.11/org/junit
Migrate Java code to separate QL repo.
2018-08-30 10:48:05 +01:00
junit-4.13
Java: port java/mocking-all-non-private-methods-means-unit-test-is-too-big query
2025-08-11 13:43:36 +02:00
junit-jupiter-api-5.2.0
Java: include RepeatedTest, ParameterizedTest, TestFactory, and TestTemplate when identifying JUnit 5 test methods
2025-03-23 19:49:55 -04:00
jwtk-jjwt-0.11.2
Add missing methods to jwtk-jjwt stubs
2023-05-04 16:52:40 -04:00
jyaml-1.3/org/ho/yaml
Add UnsafeDeserialization
2021-05-12 12:37:16 +08:00
jython-2.7.2/org/python
Add more methods and update the library name
2021-05-04 02:54:49 +00:00
kryo-4.0.2/com/esotericsoftware/kryo
[Java] Fix Kryo FP & Kryo 5 Support
2021-05-05 17:38:34 -04:00
lastaflute/org/lastaflute/web
Add tests for lastaflute framework
2024-07-18 17:41:02 -04:00
mdht-1.2.0
Java: Add XXE sinks for MDHT
2023-07-31 11:13:17 +02:00
mockito-5.14/org/mockito
Java: port java/mocking-all-non-private-methods-means-unit-test-is-too-big query
2025-08-11 13:43:36 +02:00
mongodbClient
Remove non-ascii char
2022-08-15 12:08:14 +01:00
mssql-jdbc-12.2.0
Adding CWE-798 MSSQL Tests
2023-02-13 19:44:02 -05:00
mvel2-2.4.7/org/mvel2
Moved from experimental
2021-06-02 09:58:30 +02:00
netty-4.1.x
Fix tests
2023-12-13 11:15:27 +01:00
ognl-3.2.14/ognl
Consider ExpressionAccessor
2021-05-12 12:32:38 +02:00
okhttp-4.9.3
Generate more stubs for okhttp and fix tests.
2022-12-09 13:41:17 +00:00
org.mybatis-3.5.4/org/apache/ibatis
Java: more database update tests and stubs
2025-01-30 10:14:14 -05:00
pebble-3.1.5/com/mitchellbosecke/pebble
Generate stubs, adapt tests
2022-09-08 17:38:21 +02:00
playframework-2.6.x/play
Add tests and stubs for the summaries
2023-05-26 12:43:58 +02:00
postgresql-42.3.3/org/postgresql
Java: Add JDBC connection SSRF sinks
2022-03-12 16:35:32 +04:00
projectreactor-3.4.3/reactor/core/publisher
Add URLClassLoader and Spring WebClient SSRF sinks
2021-07-01 03:34:14 +04:00
rabbitmq-4.12.0/com/rabbitmq/client
Removed non-ASCII characters
2022-04-26 13:34:24 +01:00
ratpack-1.9.x
Java: Ratpack HTTP Framework Additional Modeling
2021-11-25 12:55:32 -05:00
retrofit-2.9.0
Add models for OkHttp and Retrofit
2022-05-02 15:42:15 +02:00
rundeck-api-java-client-13.2/org/rundeck/api/parser
Add experimental variants of java/xxe, incorporating new sinks and a version that uses local sources.
2021-09-10 13:49:31 +01:00
Saxon-HE-9.9.1-7/net/sf/saxon
Move from experimental
2021-09-27 11:57:53 +02:00
saxon-xqj-9.x
org.kohsuke.stapler.framework.adjunct tests
2023-03-14 18:21:38 +01:00
scijava-common-2.87.1/org/scijava/log
Add stubs & tests
2021-11-03 17:26:13 +01:00
scriptengine
Include more scenarios and update qldoc
2021-05-18 16:12:22 +00:00
serialkiller-4.0.0/org/nibblesec/tools
Add SerialKiller model
2023-06-23 18:19:43 +02:00
servlet-api-2.4/javax/servlet
Query to detect unsafe request dispatcher usage
2021-12-02 04:00:29 +00:00
shiro-core-1.4.0
Apply suggestions from code review
2021-09-30 14:26:14 +01:00
shiro-core-1.5.2/org/apache/shiro/jndi
Remove some JNDI Injection sinks
2022-01-21 17:47:15 +01:00
simple-xml-2.7.1/org/simpleframework/xml
Migrate Java code to separate QL repo.
2018-08-30 10:48:05 +01:00
slf4j-2.0.0/org/slf4j
Add stubs & tests
2021-11-03 17:26:13 +01:00
snakeyaml-1.21/org/yaml/snakeyaml
Migrate Java code to separate QL repo.
2018-08-30 10:48:05 +01:00
spring-data-commons-2.5.1/org/springframework/data
Add necessary stubs for Spring
2021-07-14 04:57:56 -07:00
spring-jdbc-5.3.8/org/springframework/jdbc/datasource
Java: Add JDBC connection SSRF sinks
2022-03-12 16:35:32 +04:00
spring-ldap-2.3.2/org/springframework
Fix stubs
2022-01-24 09:34:43 +01:00
springframework-5.8.x
Generate stubs
2025-12-09 14:13:02 +00:00
sshj-0.33.0
Add stubs and tests for new hardcoded-credential sinks
2022-08-13 12:39:15 +01:00
stapler-1.263/org/kohsuke/stapler
Java: Stapler tests and stubs
2025-01-30 10:14:11 -05:00
struts2-core-2.5.22/com/opensymphony/xwork2/ognl
Moved from experimental to standard
2021-05-11 15:42:13 +02:00
thymeleaf-3.0.14/org/thymeleaf
Generate stubs, adapt tests
2022-09-08 17:38:21 +02:00
trilead-ssh2-212/com/trilead/ssh2
Add stubs and tests for new hardcoded-credential sinks
2022-08-13 12:39:15 +01:00
unboundid-ldap-4.0.14/com/unboundid/ldap/sdk
Java: Adjust stubs and unit test.
2020-01-30 11:27:33 +01:00
undertow-io-2.2/io/undertow/server/handlers/resource
Add more test cases
2022-04-29 02:31:43 +00:00
validation-api-2.0.1.Final/javax/validation
remove compiled classes from stubs
2020-10-27 15:56:26 +01:00
woodstox-core-6.4.0
Java: Add XXE sink model for Woodstox WstxInputFactory
2026-04-17 18:46:51 +04:00
xstream-1.4.10/com/thoughtworks/xstream
Migrate Java code to separate QL repo.
2018-08-30 10:48:05 +01:00
yamlbeans-1.09/com/esotericsoftware/yamlbeans
Add UnsafeDeserialization
2021-05-12 12:37:16 +08:00
README.md
Add Java stubs readme
2019-08-17 18:57:50 +01:00

README.md

The stubs in this directory are derived from various open-source projects, and used to test that the relevant APIs are correctly modelled. Where a disclaimer or third-party-notice is required, this is included in the top-level directory for each particular library.