Add java data extensions various #22034
Generated file changes for java (coverage differences)
- Others,"``actions.osgi``, ``antlr``, ``ch.ethz.ssh2``, ``cn.hutool.core.codec``, ``com.alibaba.com.caucho.hessian.io``, ``com.alibaba.druid.sql``, ``com.alibaba.fastjson2``, ``com.amazonaws.auth``, ``com.auth0.jwt.algorithms``, ``com.azure.identity``, ``com.caucho.burlap.io``, ``com.caucho.hessian.io``, ``com.cedarsoftware.util.io``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.esotericsoftware.yamlbeans``, ``com.hubspot.jinjava``, ``com.jcraft.jsch``, ``com.microsoft.sqlserver.jdbc``, ``com.mitchellbosecke.pebble``, ``com.opensymphony.xwork2``, ``com.sshtools.j2ssh.authentication``, ``com.sun.crypto.provider``, ``com.sun.jndi.ldap``, ``com.sun.net.httpserver``, ``com.sun.net.ssl``, ``com.sun.rowset``, ``com.sun.security.auth.module``, ``com.sun.security.ntlm``, ``com.sun.security.sasl.digest``, ``com.thoughtworks.xstream``, ``com.trilead.ssh2``, ``com.unboundid.ldap.sdk``, ``com.zaxxer.hikari``, ``flexjson``, ``hudson``, ``io.jsonwebtoken``, ``io.undertow.server.handlers.resource``, ``javafx.scene.web``, ``jenkins``, ``jodd.json``, ``liquibase.database.jvm``, ``liquibase.statement.core``, ``net.lingala.zip4j``, ``net.schmizz.sshj``, ``net.sf.json``, ``net.sf.saxon.s9api``, ``ognl``, ``org.acegisecurity``, ``org.antlr.runtime``, ``org.apache.avro``, ``org.apache.commons.codec``, ``org.apache.commons.compress.archivers.tar``, ``org.apache.commons.exec``, ``org.apache.commons.fileupload``, ``org.apache.commons.httpclient.util``, ``org.apache.commons.jelly``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.lang``, ``org.apache.commons.logging``, ``org.apache.commons.net``, ``org.apache.commons.ognl``, ``org.apache.cxf.catalog``, ``org.apache.cxf.common.classloader``, ``org.apache.cxf.common.jaxb``, ``org.apache.cxf.common.logging``, ``org.apache.cxf.configuration.jsse``, ``org.apache.cxf.helpers``, ``org.apache.cxf.resource``, ``org.apache.cxf.staxutils``, ``org.apache.cxf.tools.corba.utils``, 
``org.apache.cxf.tools.util``, ``org.apache.cxf.transform``, ``org.apache.directory.ldap.client.api``, ``org.apache.hadoop.fs``, ``org.apache.hadoop.hive.metastore``, ``org.apache.hadoop.hive.ql.exec``, ``org.apache.hadoop.hive.ql.metadata``, ``org.apache.hc.client5.http.async.methods``, ``org.apache.hc.client5.http.classic.methods``, ``org.apache.hc.client5.http.fluent``, ``org.apache.hive.hcatalog.templeton``, ``org.apache.ibatis.jdbc``, ``org.apache.ibatis.mapping``, ``org.apache.log4j``, ``org.apache.shiro.authc``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.apache.shiro.mgt``, ``org.apache.sshd.client.session``, ``org.apache.tools.ant``, ``org.apache.tools.zip``, ``org.codehaus.cargo.container.installer``, ``org.dom4j``, ``org.exolab.castor.xml``, ``org.fusesource.leveldbjni``, ``org.geogebra.web.full.main``, ``org.gradle.api.file``, ``org.ho.yaml``, ``org.influxdb``, ``org.jabsorb``, ``org.jboss.vfs``, ``org.jdbi.v3.core``, ``org.jenkins.ui.icon``, ``org.jenkins.ui.symbol``, ``org.keycloak.models.map.storage``, ``org.kohsuke.stapler``, ``org.lastaflute.web``, ``org.mvel2``, ``org.openjdk.jmh.runner.options``, ``org.owasp.esapi``, ``org.pac4j.jwt.config.encryption``, ``org.pac4j.jwt.config.signature``, ``org.scijava.log``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.libs.ws``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``, ``software.amazon.awssdk.transfer.s3.model``, ``sun.jvmstat.perfdata.monitor.protocol.local``, ``sun.jvmstat.perfdata.monitor.protocol.rmi``, ``sun.misc``, ``sun.net.ftp``, ``sun.net.www.protocol.http``, ``sun.security.acl``, ``sun.security.jgss.krb5``, ``sun.security.krb5``, ``sun.security.pkcs``, ``sun.security.pkcs11``, ``sun.security.provider``, ``sun.security.ssl``, ``sun.security.x509``, ``sun.tools.jconsole``",127,6034,775,148,6,14,18,,186
+ Others,"``actions.osgi``, ``antlr``, ``ch.ethz.ssh2``, ``cn.hutool.core.codec``, ``com.alibaba.com.caucho.hessian.io``, ``com.alibaba.druid.sql``, ``com.alibaba.fastjson2``, ``com.amazonaws.auth``, ``com.auth0.jwt.algorithms``, ``com.azure.identity``, ``com.caucho.burlap.io``, ``com.caucho.hessian.io``, ``com.cedarsoftware.util.io``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.esotericsoftware.yamlbeans``, ``com.google.cloud.bigquery``, ``com.hubspot.jinjava``, ``com.jcraft.jsch``, ``com.microsoft.sqlserver.jdbc``, ``com.mitchellbosecke.pebble``, ``com.opensymphony.xwork2``, ``com.sshtools.j2ssh.authentication``, ``com.sun.crypto.provider``, ``com.sun.jndi.ldap``, ``com.sun.net.httpserver``, ``com.sun.net.ssl``, ``com.sun.rowset``, ``com.sun.security.auth.module``, ``com.sun.security.ntlm``, ``com.sun.security.sasl.digest``, ``com.thoughtworks.xstream``, ``com.trilead.ssh2``, ``com.unboundid.ldap.sdk``, ``com.zaxxer.hikari``, ``flexjson``, ``hudson``, ``io.javalin.http``, ``io.jsonwebtoken``, ``io.undertow.server.handlers.resource``, ``javafx.scene.web``, ``jenkins``, ``jodd.json``, ``liquibase.database.jvm``, ``liquibase.statement.core``, ``net.lingala.zip4j``, ``net.schmizz.sshj``, ``net.sf.json``, ``net.sf.saxon.s9api``, ``ognl``, ``org.acegisecurity``, ``org.antlr.runtime``, ``org.apache.avro``, ``org.apache.commons.codec``, ``org.apache.commons.compress.archivers.tar``, ``org.apache.commons.dbutils``, ``org.apache.commons.exec``, ``org.apache.commons.fileupload``, ``org.apache.commons.httpclient.util``, ``org.apache.commons.jelly``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.lang``, ``org.apache.commons.logging``, ``org.apache.commons.net``, ``org.apache.commons.ognl``, ``org.apache.cxf.catalog``, ``org.apache.cxf.common.classloader``, ``org.apache.cxf.common.jaxb``, ``org.apache.cxf.common.logging``, ``org.apache.cxf.configuration.jsse``, ``org.apache.cxf.helpers``, 
``org.apache.cxf.resource``, ``org.apache.cxf.staxutils``, ``org.apache.cxf.tools.corba.utils``, ``org.apache.cxf.tools.util``, ``org.apache.cxf.transform``, ``org.apache.directory.ldap.client.api``, ``org.apache.hadoop.fs``, ``org.apache.hadoop.hive.metastore``, ``org.apache.hadoop.hive.ql.exec``, ``org.apache.hadoop.hive.ql.metadata``, ``org.apache.hc.client5.http.async.methods``, ``org.apache.hc.client5.http.classic.methods``, ``org.apache.hc.client5.http.fluent``, ``org.apache.hive.hcatalog.templeton``, ``org.apache.ibatis.jdbc``, ``org.apache.ibatis.mapping``, ``org.apache.log4j``, ``org.apache.shiro.authc``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.apache.shiro.mgt``, ``org.apache.sshd.client.session``, ``org.apache.tools.ant``, ``org.apache.tools.zip``, ``org.codehaus.cargo.container.installer``, ``org.dom4j``, ``org.exolab.castor.xml``, ``org.fusesource.leveldbjni``, ``org.geogebra.web.full.main``, ``org.gradle.api.file``, ``org.ho.yaml``, ``org.influxdb``, ``org.jabsorb``, ``org.jboss.vfs``, ``org.jdbi.v3.core``, ``org.jenkins.ui.icon``, ``org.jenkins.ui.symbol``, ``org.keycloak.models.map.storage``, ``org.kohsuke.stapler``, ``org.lastaflute.web``, ``org.mvel2``, ``org.openjdk.jmh.runner.options``, ``org.owasp.esapi``, ``org.pac4j.jwt.config.encryption``, ``org.pac4j.jwt.config.signature``, ``org.scijava.log``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.libs.ws``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``, ``software.amazon.awssdk.transfer.s3.model``, ``spark``, ``sun.jvmstat.perfdata.monitor.protocol.local``, ``sun.jvmstat.perfdata.monitor.protocol.rmi``, ``sun.misc``, ``sun.net.ftp``, ``sun.net.www.protocol.http``, ``sun.security.acl``, ``sun.security.jgss.krb5``, ``sun.security.krb5``, ``sun.security.pkcs``, ``sun.security.pkcs11``, ``sun.security.provider``, 
``sun.security.ssl``, ``sun.security.x509``, ``sun.tools.jconsole``",161,6038,806,148,6,45,18,,186
- Totals,,382,26403,2707,421,16,137,33,1,415
+ Totals,,416,26407,2738,421,16,168,33,1,415
+ com.google.cloud.bigquery,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,,,,,,,,,,,,,,,
+ io.javalin.http,,20,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,20,,
+ org.apache.commons.dbutils,28,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,28,,,,,,,,,,,,,,,,
+ spark,,14,4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,14,4, |
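Review bot: these coverage rows are generated from the model files as they currently stand, so they will need regenerating before merge once the review points in the threads below are applied. The `+20` for `io.javalin.http` counts the `cookie`, `header` and `sessionAttribute` rows that the review asks to narrow to a single overload or drop, and the `+4` taint steps on the `spark` row come from the `spark.model.yml` summary model that the file summary flags as inverted. The current diff is at least internally consistent: the per-package rows add up to the changes in the `Totals` line (34 in the column that moves 382 to 416 from the 20 Javalin and 14 Spark entries, 31 in the column that moves 2707 to 2738 from the 3 BigQuery and 28 DbUtils entries, and 4 in the column that moves 26403 to 26407 from Spark), so a regenerated file should differ only in those counts.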
Pull request overview
This PR adds new Java Models-as-Data (MaD) extensions to improve taint tracking for web frameworks (sources) and to expand SQL injection sink coverage for additional database APIs, along with a change note documenting the additions.
Changes:
- Added remote source models for request/query parameter extraction in Spark (`spark.Request`) and Javalin (`io.javalin.http.Context`).
- Added `sql-injection` sink models for Apache Commons DbUtils (`AsyncQueryRunner`/`QueryRunner`) and Google BigQuery (`QueryJobConfiguration.newBuilder`).
- Added a Spark `QueryParamsMap` taint summary model and a corresponding Java change note.
| File | Description |
|---|---|
| java/ql/lib/ext/spark.model.yml | Adds Spark request sources and a QueryParamsMap summary model (currently contains a broken/inverted summary model that needs correction). |
| java/ql/lib/ext/org.apache.commons.dbutils.model.yml | Adds sql-injection sinks for Commons DbUtils query/insert/update APIs. |
| java/ql/lib/ext/io.javalin.http.model.yml | Adds Javalin Context remote source models for common request data accessors. |
| java/ql/lib/ext/com.google.cloud.bigquery.model.yml | Adds a sql-injection sink model for BigQuery query configuration building. |
| java/ql/lib/change-notes/2026-06-22-various-mad-additions.md | Documents the new MaD models as a major analysis change. |
Copilot's findings
- Files reviewed: 5/5 changed files
- Comments generated: 1
owen-mc left a comment
I've only partially reviewed. One question: do you intend to add tests (along with stubs)? Copilot might well be able to do it for you.
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
owen-mc left a comment
I reviewed the models for another library. You should also add source models for uploadedFile, uploadedFiles (both), uploadedFileMap. You'll also need summary models for content(), filename, extension and (I think) contentType methods on UploadedFile. I think we might also want source models for metadata like url, fullUrl, contentType, userAgent? Are they in total control of the external user?
| pack: codeql/java-all | ||
| extensible: sourceModel | ||
| data: | ||
| - ["io.javalin.http", "Context", true, "basicAuthCredentials", "", "", "ReturnValue", "remote", "manual"] |
This is correct, but as there are no summary models for BasicAuthCredentials.getUsername or BasicAuthCredentials.getPassword we may well not be able to follow any taint paths starting here. (Unless java automatically models getters, but I don't think it does, since we don't even model reads of fields from tainted classes as tainted.) Please add those models.
| data: | ||
| - ["io.javalin.http", "Context", true, "basicAuthCredentials", "", "", "ReturnValue", "remote", "manual"] | ||
| - ["io.javalin.http", "Context", true, "body", "", "", "ReturnValue", "remote", "manual"] | ||
| - ["io.javalin.http", "Context", true, "bodyAsClass", "", "", "ReturnValue", "remote", "manual"] |
Should we also model bodyAsBytes, bodyStreamAsClass and bodyInputStream?
| - ["io.javalin.http", "Context", true, "basicAuthCredentials", "", "", "ReturnValue", "remote", "manual"] | ||
| - ["io.javalin.http", "Context", true, "body", "", "", "ReturnValue", "remote", "manual"] | ||
| - ["io.javalin.http", "Context", true, "bodyAsClass", "", "", "ReturnValue", "remote", "manual"] | ||
| - ["io.javalin.http", "Context", true, "cookie", "", "", "ReturnValue", "remote", "manual"] |
Only one overload is a source.
| - ["io.javalin.http", "Context", true, "cookie", "", "", "ReturnValue", "remote", "manual"] | |
| - ["io.javalin.http", "Context", true, "cookie", "(String)", "", "ReturnValue", "remote", "manual"] |
| - ["io.javalin.http", "Context", true, "body", "", "", "ReturnValue", "remote", "manual"] | ||
| - ["io.javalin.http", "Context", true, "bodyAsClass", "", "", "ReturnValue", "remote", "manual"] | ||
| - ["io.javalin.http", "Context", true, "cookie", "", "", "ReturnValue", "remote", "manual"] | ||
| - ["io.javalin.http", "Context", true, "header", "", "", "ReturnValue", "remote", "manual"] |
Again, only one overload.
| - ["io.javalin.http", "Context", true, "header", "", "", "ReturnValue", "remote", "manual"] | |
| - ["io.javalin.http", "Context", true, "header", "(String)", "", "ReturnValue", "remote", "manual"] |
| - ["io.javalin.http", "Context", true, "formParamAsClass", "", "", "ReturnValue", "remote", "manual"] | ||
| - ["io.javalin.http", "Context", true, "formParamsAsClass", "", "", "ReturnValue", "remote", "manual"] |
We also need summary models for get, getOrNull, getOrDefault, getOrThrow on Validator.
| - ["io.javalin.http", "Context", true, "queryParamsAsClass", "", "", "ReturnValue", "remote", "manual"] | ||
| - ["io.javalin.http", "Context", true, "queryParamMap", "", "", "ReturnValue", "remote", "manual"] | ||
| - ["io.javalin.http", "Context", true, "queryString", "", "", "ReturnValue", "remote", "manual"] | ||
| - ["io.javalin.http", "Context", true, "sessionAttribute", "", "", "ReturnValue", "remote", "manual"] |
This shouldn't be a remote source. Session attributes seem to be things that the code can set and get, but not things which come from the user. (Well, they can be, but in general they aren't.)
| - ["io.javalin.http", "Context", true, "sessionAttribute", "", "", "ReturnValue", "remote", "manual"] |
Added data extensions for: sql injection sinks, sources, and a taint flow summary
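As an added example, not the PR's own `io.javalin.http.model.yml` and not part of the review thread, the following data extension shows how the points raised in the threads above would look as rows in the same Models-as-Data format as the quoted snippets: the `cookie` and `header` source rows narrowed to the one-argument getter overload, source rows for `uploadedFile`, `uploadedFiles` and `uploadedFileMap`, and `summaryModel` rows that carry taint from the receiver to the return value for the `BasicAuthCredentials`, `UploadedFile` and `Validator` accessors the reviewer asks for (without them a path that starts at `basicAuthCredentials()` or `uploadedFile()` stops at the first getter). The `sessionAttribute` row is deliberately absent. The package `io.javalin.http` for `BasicAuthCredentials` and `UploadedFile`, the package `io.javalin.validation` for `Validator`, and the `(String)` signature on `uploadedFile` are assumptions about the Javalin version the test stubs will target; every other identifier comes from the thread.

```yaml
# Added example data extension (not the PR's file). Column layout:
#   sourceModel:  [package, type, subtypes, name, signature, ext, output, kind, provenance]
#   summaryModel: [package, type, subtypes, name, signature, ext, input, output, kind, provenance]
# An empty signature matches every overload of the named method, so it is only
# safe where all overloads are sources; "(String)" pins the row to one overload.
extensions:
  - addsTo:
      pack: codeql/java-all
      extensible: sourceModel
    data:
      # Getter overloads only: the (String, String) overloads write a response
      # header or cookie and return the Context, so they are not sources.
      - ["io.javalin.http", "Context", true, "cookie", "(String)", "", "ReturnValue", "remote", "manual"]
      - ["io.javalin.http", "Context", true, "header", "(String)", "", "ReturnValue", "remote", "manual"]
      # Multipart uploads; uploadedFiles has a no-arg and a named overload and
      # both are sources, so the signature is left empty on purpose.
      # ASSUMPTION: uploadedFile takes the part name as a single String.
      - ["io.javalin.http", "Context", true, "uploadedFile", "(String)", "", "ReturnValue", "remote", "manual"]
      - ["io.javalin.http", "Context", true, "uploadedFiles", "", "", "ReturnValue", "remote", "manual"]
      - ["io.javalin.http", "Context", true, "uploadedFileMap", "", "", "ReturnValue", "remote", "manual"]
  - addsTo:
      pack: codeql/java-all
      extensible: summaryModel
    data:
      # ASSUMPTION: BasicAuthCredentials lives in io.javalin.http.
      # Getters propagate taint from the tainted credentials object to the value read.
      - ["io.javalin.http", "BasicAuthCredentials", true, "getUsername", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
      - ["io.javalin.http", "BasicAuthCredentials", true, "getPassword", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
      # ASSUMPTION: UploadedFile lives in io.javalin.http.
      # Name, extension and content type are attacker-chosen multipart fields,
      # and content() is the file body, so all are tainted when the file is.
      - ["io.javalin.http", "UploadedFile", true, "content", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
      - ["io.javalin.http", "UploadedFile", true, "filename", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
      - ["io.javalin.http", "UploadedFile", true, "extension", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
      - ["io.javalin.http", "UploadedFile", true, "contentType", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
      # ASSUMPTION: Validator lives in io.javalin.validation.
      # A Validator built by formParamAsClass/queryParamsAsClass wraps the raw
      # parameter; the unwrapped value is still the user's data, so taint flows
      # through every getter. Validation checks type and shape, not safety.
      - ["io.javalin.validation", "Validator", true, "get", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
      - ["io.javalin.validation", "Validator", true, "getOrNull", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
      - ["io.javalin.validation", "Validator", true, "getOrDefault", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
      - ["io.javalin.validation", "Validator", true, "getOrThrow", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
```

The `Validator` rows are the ones most worth a test: `ctx.queryParamAsClass("id", String.class).get()` passed to a `QueryRunner.query` sink should produce a `java/sql-injection` result, and without the summary rows it will not, even though `queryParamsAsClass` is modelled as a source.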