Merge pull request #15188 from github/java/update-mad-decls-after-tri…

…age-2023-12-21T14-39-02 Java: Update MaD Declarations after Triage
github · Jan 23, 2024 · 77e724b · 77e724b
2 parents 95a2004 + fcd9a5e
commit 77e724b
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 1 deletion.
diff --git a/java/ql/lib/change-notes/2023-12-21-new-models.md b/java/ql/lib/change-notes/2023-12-21-new-models.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added a dataflow model for `java.awt.Desktop.browse(URI)`.
diff --git a/java/ql/lib/ext/java.awt.model.yml b/java/ql/lib/ext/java.awt.model.yml
@@ -6,11 +6,15 @@ extensions:
       - ["java.awt", "Container", True, "add", "(Component)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
       - ["java.awt", "Container", True, "add", "(Component)", "", "Argument[0]", "ReturnValue", "value", "manual"]
       - ["java.awt", "Container", True, "add", "(Component,Object)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
-
   - addsTo:
       pack: codeql/java-all
       extensible: neutralModel
     data:
       # The below APIs have numeric flow and are currently being stored as neutral models.
       # These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
       - ["java.awt", "Insets", "Insets", "(int,int,int,int)", "summary", "manual"] # value-numeric
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["java.awt", "Desktop", True, "browse", "(URI)", "", "Argument[0]", "url-redirection", "ai-manual"]
diff --git a/java/ql/lib/ext/javax.servlet.http.model.yml b/java/ql/lib/ext/javax.servlet.http.model.yml
@@ -26,6 +26,7 @@ extensions:
       - ["javax.servlet.http", "HttpServletResponse", False, "addHeader", "", "", "Argument[0..1]", "response-splitting", "manual"]
       - ["javax.servlet.http", "HttpServletResponse", False, "sendError", "(int,String)", "", "Argument[1]", "information-leak", "manual"]
       - ["javax.servlet.http", "HttpServletResponse", False, "setHeader", "", "", "Argument[0..1]", "response-splitting", "manual"]
+      # - ["javax.servlet.http", "HttpServletResponse", True, "sendRedirect", "(String)", "", "Argument[0]", "url-redirection", "ai-manual"] # QL model exists in java/ql/lib/semmle/code/java/security/UrlRedirect.qll
       - ["javax.servlet.http", "HttpSession", True, "putValue", "", "", "Argument[0..1]", "trust-boundary-violation", "manual"]
       - ["javax.servlet.http", "HttpSession", True, "setAttribute", "", "", "Argument[0..1]", "trust-boundary-violation", "manual"]
   - addsTo: