diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.addressing.model.yml b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.addressing.model.yml
new file mode 100644
index 000000000000..0d2bf74b720d
--- /dev/null
+++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.addressing.model.yml
@@ -0,0 +1,9 @@
+# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT.
+# Generated from https://github.com/apache/axis-axis2-java-core.git#b7e6711279d38b7f0db3e648888de5154729e9a8 by codeql-mads-via-llm
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+      data:
+        - ["org.apache.axis2.addressing", "EndpointReference", True, "readExternal", "(ObjectInput)", "", "Argument[0]", "unsafe-deserialization", "ai-generated"]
+        - ["org.apache.axis2.addressing", "RelatesTo", True, "readExternal", "(ObjectInput)", "", "Argument[0]", "unsafe-deserialization", "ai-generated"]
diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.builder.model.yml b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.builder.model.yml
new file mode 100644
index 000000000000..83542bedfb70
--- /dev/null
+++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.builder.model.yml
@@ -0,0 +1,12 @@
+# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT.
+# Generated from https://github.com/apache/axis-axis2-java-core.git#b7e6711279d38b7f0db3e648888de5154729e9a8 by codeql-mads-via-llm
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+      data:
+        #- ["org.apache.axis2.builder", "DiskFileDataSource", True, "getContentType", "()", "", "ReturnValue", "remote", "ai-generated"] # INVALID: Not a remote source; returns local file-item metadata
+        #- ["org.apache.axis2.builder", "DiskFileDataSource", True, "getInputStream", "()", "", "ReturnValue", "remote", "ai-generated"] # INVALID: Not a remote source; returns local uploaded-file stream
+        #- ["org.apache.axis2.builder", "DiskFileDataSource", True, "getName", "()", "", "ReturnValue", "remote", "ai-generated"] # INVALID: Not a remote source; returns file-item name metadata
+        - ["org.apache.axis2.builder", "MultipartFormDataBuilder", True, "processDocument", "(InputStream,String,MessageContext)", "", "ReturnValue", "remote", "ai-generated"]
+        - ["org.apache.axis2.builder", "XFormURLEncodedBuilder", True, "processDocument", "(InputStream,String,MessageContext)", "", "ReturnValue", "remote", "ai-generated"]
diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.client.async.model.yml b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.client.async.model.yml
new file mode 100644
index 000000000000..7fbdb442c870
--- /dev/null
+++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.client.async.model.yml
@@ -0,0 +1,9 @@
+# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT.
+# Generated from https://github.com/apache/axis-axis2-java-core.git#b7e6711279d38b7f0db3e648888de5154729e9a8 by codeql-mads-via-llm
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+      data:
+        - ["org.apache.axis2.client.async", "AxisCallback", True, "onFault", "(MessageContext)", "", "Argument[0]", "remote", "ai-generated"]
+        - ["org.apache.axis2.client.async", "AxisCallback", True, "onMessage", "(MessageContext)", "", "Argument[0]", "remote", "ai-generated"]
diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.client.model.yml b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.client.model.yml
new file mode 100644
index 000000000000..6b88fe899a95
--- /dev/null
+++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.client.model.yml
@@ -0,0 +1,26 @@
+# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT.
+# Generated from https://github.com/apache/axis-axis2-java-core.git#b7e6711279d38b7f0db3e648888de5154729e9a8 by codeql-mads-via-llm
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+      data:
+        - ["org.apache.axis2.client", "Options", True, "readExternal", "(ObjectInput)", "", "Argument[0]", "unsafe-deserialization", "ai-generated"]
+        - ["org.apache.axis2.client", "ServiceClient", True, "ServiceClient", "(ConfigurationContext,URL,QName,String)", "", "Argument[1]", "request-forgery", "ai-generated"]
+        - ["org.apache.axis2.client", "ServiceClient", True, "fireAndForget", "(OMElement)", "", "this", "request-forgery", "ai-generated"]
+        - ["org.apache.axis2.client", "ServiceClient", True, "fireAndForget", "(QName,OMElement)", "", "this", "request-forgery", "ai-generated"]
+        - ["org.apache.axis2.client", "ServiceClient", True, "sendReceive", "(OMElement)", "", "this", "request-forgery", "ai-generated"]
+        - ["org.apache.axis2.client", "ServiceClient", True, "sendReceive", "(QName,OMElement)", "", "this", "request-forgery", "ai-generated"]
+        - ["org.apache.axis2.client", "ServiceClient", True, "sendReceiveNonBlocking", "(OMElement,AxisCallback)", "", "this", "request-forgery", "ai-generated"]
+        - ["org.apache.axis2.client", "ServiceClient", True, "sendReceiveNonBlocking", "(QName,OMElement,AxisCallback)", "", "this", "request-forgery", "ai-generated"]
+        - ["org.apache.axis2.client", "ServiceClient", True, "sendRobust", "(OMElement)", "", "this", "request-forgery", "ai-generated"]
+        - ["org.apache.axis2.client", "ServiceClient", True, "sendRobust", "(QName,OMElement)", "", "this", "request-forgery", "ai-generated"]
+        #- ["org.apache.axis2.client", "Stub", True, "addHttpHeader", "(MessageContext,String,String)", "", "Argument[1..2]", "response-splitting", "ai-generated"] # INVALID: Only stores header in memory; not response-splitting
+        #- ["org.apache.axis2.client", "Stub", True, "setServiceClientEPR", "(String)", "", "Argument[0]", "request-forgery", "ai-generated"] # INVALID: Just a setter; no request is made
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+      data:
+        - ["org.apache.axis2.client", "OperationClient", True, "getMessageContext", "(String)", "", "ReturnValue", "remote", "ai-generated"]
+        - ["org.apache.axis2.client", "ServiceClient", True, "sendReceive", "(OMElement)", "", "ReturnValue", "remote", "ai-generated"]
+        - ["org.apache.axis2.client", "ServiceClient", True, "sendReceive", "(QName,OMElement)", "", "ReturnValue", "remote", "ai-generated"]
diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.context.externalize.model.yml b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.context.externalize.model.yml
new file mode 100644
index 000000000000..69d5965470aa
--- /dev/null
+++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.context.externalize.model.yml
@@ -0,0 +1,19 @@
+# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT.
+# Generated from https://github.com/apache/axis-axis2-java-core.git#b7e6711279d38b7f0db3e648888de5154729e9a8 by codeql-mads-via-llm
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+      data:
+        - ["org.apache.axis2.context.externalize", "DebugObjectInput", True, "readObject", "()", "", "this", "unsafe-deserialization", "ai-generated"]
+        #- ["org.apache.axis2.context.externalize", "DebugObjectInput", True, "trace", "(String)", "", "Argument[0]", "log-injection", "ai-generated"] # INVALID: Helper logging API; not a meaningful log-injection sink
+        - ["org.apache.axis2.context.externalize", "DebugObjectOutputStream", True, "writeBytes", "(String)", "", "Argument[0]", "log-injection", "ai-generated"]
+        - ["org.apache.axis2.context.externalize", "DebugObjectOutputStream", True, "writeChars", "(String)", "", "Argument[0]", "log-injection", "ai-generated"]
+        - ["org.apache.axis2.context.externalize", "DebugObjectOutputStream", True, "writeObject", "(Object)", "", "Argument[0]", "log-injection", "ai-generated"]
+        - ["org.apache.axis2.context.externalize", "DebugObjectOutputStream", True, "writeUTF", "(String)", "", "Argument[0]", "log-injection", "ai-generated"]
+        - ["org.apache.axis2.context.externalize", "SafeObjectInputStream", True, "readArrayList", "()", "", "this", "unsafe-deserialization", "ai-generated"]
+        - ["org.apache.axis2.context.externalize", "SafeObjectInputStream", True, "readHashMap", "()", "", "this", "unsafe-deserialization", "ai-generated"]
+        - ["org.apache.axis2.context.externalize", "SafeObjectInputStream", True, "readLinkedList", "()", "", "this", "unsafe-deserialization", "ai-generated"]
+        - ["org.apache.axis2.context.externalize", "SafeObjectInputStream", True, "readList", "(List)", "", "this", "unsafe-deserialization", "ai-generated"]
+        - ["org.apache.axis2.context.externalize", "SafeObjectInputStream", True, "readMap", "(Map)", "", "this", "unsafe-deserialization", "ai-generated"]
+        - ["org.apache.axis2.context.externalize", "SafeObjectInputStream", True, "readObject", "()", "", "this", "unsafe-deserialization", "ai-generated"]
diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.context.model.yml b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.context.model.yml
new file mode 100644
index 000000000000..f705de44c99e
--- /dev/null
+++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.context.model.yml
@@ -0,0 +1,35 @@
+# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT.
+# Generated from https://github.com/apache/axis-axis2-java-core.git#b7e6711279d38b7f0db3e648888de5154729e9a8 by codeql-mads-via-llm
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+      data:
+        #- ["org.apache.axis2.context", "ConfigurationContext", True, "getRealPath", "(String)", "", "Argument[0]", "path-injection", "ai-generated"] # INVALID: Just resolves new File(repo,path); no file access
+        - ["org.apache.axis2.context", "ConfigurationContextFactory", True, "createConfigurationContextFromFileSystem", "(String)", "", "Argument[0]", "path-injection", "ai-generated"]
+        - ["org.apache.axis2.context", "ConfigurationContextFactory", True, "createConfigurationContextFromFileSystem", "(String,String)", "", "Argument[0..1]", "path-injection", "ai-generated"]
+        - ["org.apache.axis2.context", "ConfigurationContextFactory", True, "createConfigurationContextFromURIs", "(URL,URL)", "", "Argument[0..1]", "request-forgery", "ai-generated"]
+        - ["org.apache.axis2.context", "MessageContext", True, "readExternal", "(ObjectInput)", "", "Argument[0]", "unsafe-deserialization", "ai-generated"]
+        - ["org.apache.axis2.context", "OperationContext", True, "readExternal", "(ObjectInput)", "", "Argument[0]", "unsafe-deserialization", "ai-generated"]
+        #- ["org.apache.axis2.context", "SelfManagedDataManager", True, "deserializeSelfManagedData", "(ByteArrayInputStream,MessageContext)", "", "Argument[0]", "unsafe-deserialization", "ai-generated"] # INVALID: Interface declaration only; no implementation
+        - ["org.apache.axis2.context", "ServiceContext", True, "readExternal", "(ObjectInput)", "", "Argument[0]", "unsafe-deserialization", "ai-generated"]
+        - ["org.apache.axis2.context", "ServiceGroupContext", True, "readExternal", "(ObjectInput)", "", "Argument[0]", "unsafe-deserialization", "ai-generated"]
+        - ["org.apache.axis2.context", "SessionContext", True, "readExternal", "(ObjectInput)", "", "Argument[0]", "unsafe-deserialization", "ai-generated"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+      data:
+        - ["org.apache.axis2.context", "MessageContext", True, "getAttachment", "(String)", "", "ReturnValue", "remote", "ai-generated"]
+        - ["org.apache.axis2.context", "MessageContext", True, "getAttachmentMap", "()", "", "ReturnValue", "remote", "ai-generated"]
+        - ["org.apache.axis2.context", "MessageContext", True, "getAttachmentMap", "(boolean)", "", "ReturnValue", "remote", "ai-generated"]
+        - ["org.apache.axis2.context", "MessageContext", True, "getEnvelope", "()", "", "ReturnValue", "remote", "ai-generated"]
+        - ["org.apache.axis2.context", "MessageContext", True, "getFaultTo", "()", "", "ReturnValue", "remote", "ai-generated"]
+        - ["org.apache.axis2.context", "MessageContext", True, "getFrom", "()", "", "ReturnValue", "remote", "ai-generated"]
+        - ["org.apache.axis2.context", "MessageContext", True, "getMessageID", "()", "", "ReturnValue", "remote", "ai-generated"]
+        - ["org.apache.axis2.context", "MessageContext", True, "getRelatesTo", "()", "", "ReturnValue", "remote", "ai-generated"]
+        - ["org.apache.axis2.context", "MessageContext", True, "getRelatesTo", "(String)", "", "ReturnValue", "remote", "ai-generated"]
+        - ["org.apache.axis2.context", "MessageContext", True, "getRelationships", "()", "", "ReturnValue", "remote", "ai-generated"]
+        - ["org.apache.axis2.context", "MessageContext", True, "getReplyTo", "()", "", "ReturnValue", "remote", "ai-generated"]
+        - ["org.apache.axis2.context", "MessageContext", True, "getSoapAction", "()", "", "ReturnValue", "remote", "ai-generated"]
+        - ["org.apache.axis2.context", "MessageContext", True, "getTo", "()", "", "ReturnValue", "remote", "ai-generated"]
+        - ["org.apache.axis2.context", "MessageContext", True, "getWSAAction", "()", "", "ReturnValue", "remote", "ai-generated"]
diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.dataretrieval.model.yml b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.dataretrieval.model.yml
new file mode 100644
index 000000000000..9b7726531023
--- /dev/null
+++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.dataretrieval.model.yml
@@ -0,0 +1,17 @@
+# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT.
+# Generated from https://github.com/apache/axis-axis2-java-core.git#b7e6711279d38b7f0db3e648888de5154729e9a8 by codeql-mads-via-llm
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+      data:
+        #- ["org.apache.axis2.dataretrieval", "AxisDataLocatorImpl", True, "getData", "(DataRetrievalRequest,MessageContext)", "", "Argument[0]", "log-injection", "ai-generated"] # INVALID: No log sink on arg[0]
+        - ["org.apache.axis2.dataretrieval", "DataRetrievalUtil", True, "buildOM", "(ClassLoader,String)", "", "Argument[1]", "path-injection", "ai-generated"]
+        - ["org.apache.axis2.dataretrieval", "ServiceData", True, "getFileContent", "(ClassLoader)", "", "this", "path-injection", "ai-generated"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+      data:
+        #- ["org.apache.axis2.dataretrieval", "BaseAxisDataLocator", True, "getData", "(DataRetrievalRequest,MessageContext)", "", "ReturnValue", "file", "ai-generated"] # INVALID: Returns in-memory data, not a file source
+        #- ["org.apache.axis2.dataretrieval", "BaseAxisDataLocator", True, "outputInlineForm", "(MessageContext,ServiceData[])", "", "ReturnValue", "file", "ai-generated"] # INVALID: Builds OM from in-memory metadata; not a file source
+        #- ["org.apache.axis2.dataretrieval", "ServiceData", True, "getFileContent", "(ClassLoader)", "", "ReturnValue", "file", "ai-generated"] # INVALID: This is a sink, not a source
diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.deployment.model.yml b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.deployment.model.yml
new file mode 100644
index 000000000000..18013d807fae
--- /dev/null
+++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.deployment.model.yml
@@ -0,0 +1,33 @@
+# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT.
+# Generated from https://github.com/apache/axis-axis2-java-core.git#b7e6711279d38b7f0db3e648888de5154729e9a8 by codeql-mads-via-llm
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+      data:
+        #- ["org.apache.axis2.deployment", "Deployer", True, "deploy", "(DeploymentFileData)", "", "Argument[0]", "path-injection", "ai-generated"] # INVALID: No implementation found in repo
+        #- ["org.apache.axis2.deployment", "Deployer", True, "undeploy", "(String)", "", "Argument[0]", "path-injection", "ai-generated"] # INVALID: No method found
+        #- ["org.apache.axis2.deployment", "DeploymentClassLoader", True, "getResourceAsStream", "(String)", "", "Argument[0]", "path-injection", "ai-generated"] # INVALID: Method not found in repo
+        - ["org.apache.axis2.deployment", "DeploymentEngine", True, "buildModule", "(File,AxisConfiguration)", "", "Argument[0]", "path-injection", "ai-generated"]
+        - ["org.apache.axis2.deployment", "DeploymentEngine", True, "getFileList", "(URL)", "", "Argument[0]", "request-forgery", "ai-generated"]
+        - ["org.apache.axis2.deployment", "DeploymentEngine", True, "loadRepository", "(String)", "", "Argument[0]", "path-injection", "ai-generated"]
+        - ["org.apache.axis2.deployment", "DeploymentEngine", True, "loadRepositoryFromURL", "(URL)", "", "Argument[0]", "request-forgery", "ai-generated"]
+        - ["org.apache.axis2.deployment", "DeploymentEngine", True, "loadServiceGroup", "(File,ConfigurationContext)", "", "Argument[0]", "path-injection", "ai-generated"]
+        - ["org.apache.axis2.deployment", "DeploymentEngine", True, "loadServicesFromUrl", "(URL)", "", "Argument[0]", "request-forgery", "ai-generated"]
+        - ["org.apache.axis2.deployment", "DeploymentEngine", True, "prepareRepository", "(String)", "", "Argument[0]", "path-injection", "ai-generated"]
+        - ["org.apache.axis2.deployment", "DeploymentEngine", True, "setClassLoaders", "(String)", "", "Argument[0]", "path-injection", "ai-generated"]
+        - ["org.apache.axis2.deployment", "FileSystemConfigurator", True, "getAxisConfiguration", "()", "", "this", "path-injection", "ai-generated"]
+        - ["org.apache.axis2.deployment", "ModuleDeployer", True, "deoloyFromUrl", "(DeploymentFileData)", "", "Argument[0]", "request-forgery", "ai-generated"]
+        - ["org.apache.axis2.deployment", "ModuleDeployer", True, "deploy", "(DeploymentFileData)", "", "Argument[0]", "path-injection", "ai-generated"]
+        - ["org.apache.axis2.deployment", "RepositoryListener", True, "findServicesInDirectory", "(File)", "", "Argument[0]", "path-injection", "ai-generated"]
+        - ["org.apache.axis2.deployment", "ServiceDeployer", True, "deploy", "(DeploymentFileData)", "", "Argument[0]", "path-injection", "ai-generated"]
+        #- ["org.apache.axis2.deployment", "ServiceDeployer", True, "deploy", "(DeploymentFileData)", "", "Argument[0]", "request-forgery", "ai-generated"] # INVALID: Not a request-forgery sink; URL fetch is in deployFromUrl
+        - ["org.apache.axis2.deployment", "ServiceDeployer", True, "deployFromUrl", "(Deployer,URL)", "", "Argument[1]", "request-forgery", "ai-generated"]
+        - ["org.apache.axis2.deployment", "ServiceDeployer", True, "deployFromUrl", "(DeploymentFileData)", "", "Argument[0]", "request-forgery", "ai-generated"]
+        - ["org.apache.axis2.deployment", "TransportDeployer", True, "deploy", "(DeploymentFileData)", "", "Argument[0]", "path-injection", "ai-generated"]
+        - ["org.apache.axis2.deployment", "URLBasedAxisConfigurator", True, "getAxisConfiguration", "()", "", "this", "request-forgery", "ai-generated"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+      data:
+        #- ["org.apache.axis2.deployment", "DeploymentEngine", True, "getFileList", "(URL)", "", "ReturnValue", "remote", "ai-generated"] # INVALID: Not a source; it is a URL fetch sink
diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.deployment.repository.util.model.yml b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.deployment.repository.util.model.yml
new file mode 100644
index 000000000000..e7101872669f
--- /dev/null
+++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.deployment.repository.util.model.yml
@@ -0,0 +1,13 @@
+# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT.
+# Generated from https://github.com/apache/axis-axis2-java-core.git#b7e6711279d38b7f0db3e648888de5154729e9a8 by codeql-mads-via-llm
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+      data:
+        - ["org.apache.axis2.deployment.repository.util", "ArchiveReader", True, "buildServiceDescription", "(String,ConfigurationContext,boolean)", "", "Argument[0]", "path-injection", "ai-generated"]
+        - ["org.apache.axis2.deployment.repository.util", "ArchiveReader", True, "processFilesInFolder", "(File,HashMap)", "", "Argument[0]", "path-injection", "ai-generated"]
+        - ["org.apache.axis2.deployment.repository.util", "ArchiveReader", True, "processServiceGroup", "(String,DeploymentFileData,AxisServiceGroup,boolean,HashMap,ConfigurationContext)", "", "Argument[0]", "path-injection", "ai-generated"]
+        - ["org.apache.axis2.deployment.repository.util", "DeploymentFileData", True, "setClassLoader", "(boolean,ClassLoader,File,boolean)", "", "Argument[2]", "path-injection", "ai-generated"]
+        - ["org.apache.axis2.deployment.repository.util", "WSInfoList", True, "addWSInfoItem", "(File,Deployer,int)", "", "Argument[0]", "path-injection", "ai-generated"]
+        - ["org.apache.axis2.deployment.repository.util", "WSInfoList", True, "addWSInfoItem", "(URL,Deployer,int)", "", "Argument[0]", "path-injection", "ai-generated"]
diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.deployment.resolver.model.yml b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.deployment.resolver.model.yml
new file mode 100644
index 000000000000..f051cd3199be
--- /dev/null
+++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.deployment.resolver.model.yml
@@ -0,0 +1,20 @@
+# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT.
+# Generated from https://github.com/apache/axis-axis2-java-core.git#b7e6711279d38b7f0db3e648888de5154729e9a8 by codeql-mads-via-llm
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+      data:
+        - ["org.apache.axis2.deployment.resolver", "AARBasedWSDLLocator", True, "getImportInputSource", "(String,String)", "", "Argument[0..1]", "path-injection", "ai-generated"]
+        - ["org.apache.axis2.deployment.resolver", "AARBasedWSDLLocator", True, "getImportInputSource", "(String,String)", "", "Argument[0..1]", "request-forgery", "ai-generated"]
+        - ["org.apache.axis2.deployment.resolver", "AARFileBasedURIResolver", True, "resolveEntity", "(String,String,String)", "", "Argument[1..2]", "path-injection", "ai-generated"]
+        #- ["org.apache.axis2.deployment.resolver", "AARFileBasedURIResolver", True, "resolveEntity", "(String,String,String)", "", "Argument[1..2]", "request-forgery", "ai-generated"] # INVALID: Blocks remote URLs; not a request-forgery sink
+        - ["org.apache.axis2.deployment.resolver", "WarBasedWSDLLocator", True, "getImportInputSource", "(String,String)", "", "Argument[0..1]", "path-injection", "ai-generated"]
+        - ["org.apache.axis2.deployment.resolver", "WarBasedWSDLLocator", True, "getImportInputSource", "(String,String)", "", "Argument[0..1]", "request-forgery", "ai-generated"]
+        - ["org.apache.axis2.deployment.resolver", "WarFileBasedURIResolver", True, "resolveEntity", "(String,String,String)", "", "Argument[1..2]", "path-injection", "ai-generated"]
+        #- ["org.apache.axis2.deployment.resolver", "WarFileBasedURIResolver", True, "resolveEntity", "(String,String,String)", "", "Argument[1..2]", "request-forgery", "ai-generated"] # INVALID: Remote URLs blocked; not a request-forgery sink
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+      data:
+        #- ["org.apache.axis2.deployment.resolver", "AARFileBasedURIResolver", True, "resolveEntity", "(String,String,String)", "", "ReturnValue", "file", "ai-generated"] # INVALID: This is a sink/resolver, not a source
diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.deployment.util.model.yml b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.deployment.util.model.yml
new file mode 100644
index 000000000000..b0ac6860356d
--- /dev/null
+++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.deployment.util.model.yml
@@ -0,0 +1,14 @@
+# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT.
+# Generated from https://github.com/apache/axis-axis2-java-core.git#b7e6711279d38b7f0db3e648888de5154729e9a8 by codeql-mads-via-llm
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+      data:
+        - ["org.apache.axis2.deployment.util", "TempFileManager", True, "createTempFile", "(String,String)", "", "Argument[0..1]", "path-injection", "ai-generated"]
+        - ["org.apache.axis2.deployment.util", "Utils", True, "createClassLoader", "(File,boolean)", "", "Argument[0]", "path-injection", "ai-generated"]
+        - ["org.apache.axis2.deployment.util", "Utils", True, "createClassLoader", "(URL,URL[],ClassLoader,File,boolean)", "", "Argument[0]", "request-forgery", "ai-generated"]
+        - ["org.apache.axis2.deployment.util", "Utils", True, "createTempFile", "(String,InputStream,File)", "", "Argument[0]", "path-injection", "ai-generated"]
+        - ["org.apache.axis2.deployment.util", "Utils", True, "getClassLoader", "(ClassLoader,File,boolean)", "", "Argument[1]", "path-injection", "ai-generated"]
+        - ["org.apache.axis2.deployment.util", "Utils", True, "getClassLoader", "(ClassLoader,String,boolean)", "", "Argument[1]", "path-injection", "ai-generated"]
+        - ["org.apache.axis2.deployment.util", "Utils", True, "getURLsForAllJars", "(URL,File)", "", "Argument[0]", "request-forgery", "ai-generated"]
diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.description.java2wsdl.model.yml b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.description.java2wsdl.model.yml
new file mode 100644
index 000000000000..173bb3353b83
--- /dev/null
+++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.description.java2wsdl.model.yml
@@ -0,0 +1,8 @@
+# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT.
+# Generated from https://github.com/apache/axis-axis2-java-core.git#b7e6711279d38b7f0db3e648888de5154729e9a8 by codeql-mads-via-llm
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+      data:
+        #- ["org.apache.axis2.description.java2wsdl", "DefaultSchemaGenerator", True, "generateSchema", "()", "", "this", "path-injection", "ai-generated"] # INVALID: Generates schemas from classes, not paths
diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.description.model.yml b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.description.model.yml
new file mode 100644
index 000000000000..8f127f3e2808
--- /dev/null
+++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.description.model.yml
@@ -0,0 +1,12 @@
+# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT.
+# Generated from https://github.com/apache/axis-axis2-java-core.git#b7e6711279d38b7f0db3e648888de5154729e9a8 by codeql-mads-via-llm
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+      data:
+        - ["org.apache.axis2.description", "AxisService", True, "createClientSideAxisService", "(URL,QName,String,Options)", "", "Argument[0]", "request-forgery", "ai-generated"]
+        - ["org.apache.axis2.description", "Parameter", True, "readExternal", "(ObjectInput)", "", "Argument[0]", "unsafe-deserialization", "ai-generated"]
+        - ["org.apache.axis2.description", "ParameterIncludeImpl", True, "readExternal", "(ObjectInput)", "", "Argument[0]", "unsafe-deserialization", "ai-generated"]
+        #- ["org.apache.axis2.description", "WSDL11ToAxisServiceBuilder", True, "populateService", "()", "", "this", "request-forgery", "ai-generated"] # INVALID: Operates on already-loaded WSDL DOM; no URL fetch
+        #- ["org.apache.axis2.description", "WSDLToAxisServiceBuilder", True, "getXMLSchema", "(Element,String)", "", "Argument[1]", "request-forgery", "ai-generated"] # INVALID: Resolves schemas from in-memory DOM element
diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.dispatchers.model.yml b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.dispatchers.model.yml
new file mode 100644
index 000000000000..ddbe04f707ad
--- /dev/null
+++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.dispatchers.model.yml
@@ -0,0 +1,8 @@
+# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT.
+# Generated from https://github.com/apache/axis-axis2-java-core.git#b7e6711279d38b7f0db3e648888de5154729e9a8 by codeql-mads-via-llm
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+      data:
+        #- ["org.apache.axis2.dispatchers", "RequestURIBasedServiceDispatcher", True, "findService", "(MessageContext)", "", "Argument[0]", "log-injection", "ai-generated"] # INVALID: Routes by URI; no log-injection sink
diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.engine.model.yml b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.engine.model.yml
new file mode 100644
index 000000000000..833a12622b92
--- /dev/null
+++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.engine.model.yml
@@ -0,0 +1,20 @@
+# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT.
+# Generated from https://github.com/apache/axis-axis2-java-core.git#b7e6711279d38b7f0db3e648888de5154729e9a8 by codeql-mads-via-llm
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+      data:
+        - ["org.apache.axis2.engine", "AxisConfiguration", True, "deployModule", "(String)", "", "Argument[0]", "path-injection", "ai-generated"]
+        #- ["org.apache.axis2.engine", "AxisEngine", True, "resume", "(MessageContext)", "", "Argument[0]", "request-forgery", "ai-generated"] # INVALID: Just resumes flow; no direct network op
+        #- ["org.apache.axis2.engine", "AxisEngine", True, "resumeSend", "(MessageContext)", "", "Argument[0]", "request-forgery", "ai-generated"] # INVALID: Only invokes handlers; not a direct RF sink
+        #- ["org.apache.axis2.engine", "AxisEngine", True, "resumeSendFault", "(MessageContext)", "", "Argument[0]", "request-forgery", "ai-generated"] # INVALID: Only resumes fault flow; not a direct RF sink
+        #- ["org.apache.axis2.engine", "AxisEngine", True, "send", "(MessageContext)", "", "Argument[0]", "request-forgery", "ai-generated"] # INVALID: Engine dispatch; not a direct request sink
+        #- ["org.apache.axis2.engine", "AxisEngine", True, "sendFault", "(MessageContext)", "", "Argument[0]", "request-forgery", "ai-generated"] # INVALID: Fault dispatch; not a direct RF sink
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+      data:
+        - ["org.apache.axis2.engine", "Handler", True, "flowComplete", "(MessageContext)", "", "Argument[0]", "remote", "ai-generated"]
+        - ["org.apache.axis2.engine", "Handler", True, "invoke", "(MessageContext)", "", "Argument[0]", "remote", "ai-generated"]
+        - ["org.apache.axis2.engine", "MessageReceiver", True, "receive", "(MessageContext)", "", "Argument[0]", "remote", "ai-generated"]
diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.handlers.model.yml b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.handlers.model.yml
new file mode 100644
index 000000000000..9aba903960d0
--- /dev/null
+++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.handlers.model.yml
@@ -0,0 +1,8 @@
+# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT.
+# Generated from https://github.com/apache/axis-axis2-java-core.git#b7e6711279d38b7f0db3e648888de5154729e9a8 by codeql-mads-via-llm
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+      data:
+        - ["org.apache.axis2.handlers", "AbstractHandler", True, "flowComplete", "(MessageContext)", "", "Argument[0]", "remote", "ai-generated"]
diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.kernel.model.yml b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.kernel.model.yml
new file mode 100644
index 000000000000..78b7a2897e9e
--- /dev/null
+++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.kernel.model.yml
@@ -0,0 +1,14 @@ +# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT. +# Generated from https://github.com/apache/axis-axis2-java-core.git#b7e6711279d38b7f0db3e648888de5154729e9a8 by codeql-mads-via-llm +extensions: + - addsTo: + pack: codeql/java-all + extensible: sinkModel + data: + #- ["org.apache.axis2.kernel", "OutTransportInfo", True, "setContentType", "(String)", "", "Argument[0]", "response-splitting", "ai-generated"] # INVALID: Just an interface setter; not a sink + - ["org.apache.axis2.kernel", "SimpleAxis2Server", True, "SimpleAxis2Server", "(String,String)", "", "Argument[0..1]", "path-injection", "ai-generated"] + - addsTo: + pack: codeql/java-all + extensible: sourceModel + data: + - ["org.apache.axis2.kernel", "SimpleAxis2Server", True, "main", "(String[])", "", "Argument[0]", "commandargs", "ai-generated"] diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.receivers.model.yml b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.receivers.model.yml new file mode 100644 index 000000000000..2c2d42c377ae --- /dev/null +++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.receivers.model.yml @@ -0,0 +1,10 @@ +# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT. +# Generated from https://github.com/apache/axis-axis2-java-core.git#b7e6711279d38b7f0db3e648888de5154729e9a8 by codeql-mads-via-llm +extensions: + - addsTo: + pack: codeql/java-all + extensible: sourceModel + data: + - ["org.apache.axis2.receivers", "AbstractInOutMessageReceiver", True, "invokeBusinessLogic", "(MessageContext)", "", "Argument[0]", "remote", "ai-generated"] + - ["org.apache.axis2.receivers", "AbstractInOutMessageReceiver", True, "invokeBusinessLogic", "(MessageContext,MessageContext)", "", "Argument[0]", "remote", "ai-generated"] + - ["org.apache.axis2.receivers", "ServerCallback", True, "handleResult", "(MessageContext)", "", "Argument[0]", "remote", "ai-generated"] 
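Review bot: The `SimpleAxis2Server.main(String[])` row models `Argument[0]` as a `commandargs` source; if the java-all library already treats main-method parameters as command-line input generically, this row is redundant and should be commented out like the other rejected rows with a reason, e.g. `# INVALID: main-method args already modelled by the library`. It is harmless for results either way, so this is mainly to keep the generated set minimal. The `SimpleAxis2Server(String,String)` sink on `Argument[0..1]` reads plausibly as repository and configuration locations, though the parameter meaning is not visible in this diff.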
diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.util.model.yml b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.util.model.yml new file mode 100644 index 000000000000..c7209074a58f --- /dev/null +++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.util.model.yml 
@@ -0,0 +1,44 @@ +# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT. +# Generated from https://github.com/apache/axis-axis2-java-core.git#b7e6711279d38b7f0db3e648888de5154729e9a8 by codeql-mads-via-llm +extensions: + - addsTo: + pack: codeql/java-all + extensible: sinkModel + data: + - ["org.apache.axis2.util", "FileWriter", True, "createClassFile", "(File,String,String,String)", "", "Argument[0..3]", "path-injection", "ai-generated"] + - ["org.apache.axis2.util", "LogWriter", True, "write", "(char[],int,int)", "", "Argument[0]", "log-injection", "ai-generated"] + - ["org.apache.axis2.util", "MetaDataEntry", True, "readExternal", "(ObjectInput)", "", "Argument[0]", "unsafe-deserialization", "ai-generated"] + - ["org.apache.axis2.util", "ObjectStateUtils", True, "readArrayList", "(ObjectInput,String)", "", "Argument[0]", "unsafe-deserialization", "ai-generated"] + - ["org.apache.axis2.util", "ObjectStateUtils", True, "readHashMap", "(ObjectInput,String)", "", "Argument[0]", "unsafe-deserialization", "ai-generated"] + - ["org.apache.axis2.util", "ObjectStateUtils", True, "readLinkedList", "(ObjectInput,String)", "", "Argument[0]", "unsafe-deserialization", "ai-generated"] + - ["org.apache.axis2.util", "ObjectStateUtils", True, "readObject", "(ObjectInput,String)", "", "Argument[0]", "unsafe-deserialization", "ai-generated"] + - ["org.apache.axis2.util", "ObjectStateUtils", True, "readString", "(ObjectInput,String)", "", "Argument[0]", "unsafe-deserialization", "ai-generated"] + - ["org.apache.axis2.util", "OnDemandLogger", True, "debug", "(Object)", "", "Argument[0]", "log-injection", "ai-generated"] + - ["org.apache.axis2.util", "OnDemandLogger", True, "debug", "(Object,Throwable)", "", "Argument[0]", "log-injection", "ai-generated"] + - ["org.apache.axis2.util", "OnDemandLogger", True, "error", "(Object)", "", "Argument[0]", "log-injection", "ai-generated"] + - ["org.apache.axis2.util", "OnDemandLogger", True, "error", "(Object,Throwable)", "", 
"Argument[0]", "log-injection", "ai-generated"] + - ["org.apache.axis2.util", "OnDemandLogger", True, "fatal", "(Object)", "", "Argument[0]", "log-injection", "ai-generated"] + - ["org.apache.axis2.util", "OnDemandLogger", True, "fatal", "(Object,Throwable)", "", "Argument[0]", "log-injection", "ai-generated"] + - ["org.apache.axis2.util", "OnDemandLogger", True, "info", "(Object)", "", "Argument[0]", "log-injection", "ai-generated"] + - ["org.apache.axis2.util", "OnDemandLogger", True, "info", "(Object,Throwable)", "", "Argument[0]", "log-injection", "ai-generated"] + - ["org.apache.axis2.util", "OnDemandLogger", True, "trace", "(Object)", "", "Argument[0]", "log-injection", "ai-generated"] + - ["org.apache.axis2.util", "OnDemandLogger", True, "trace", "(Object,Throwable)", "", "Argument[0]", "log-injection", "ai-generated"] + - ["org.apache.axis2.util", "OnDemandLogger", True, "warn", "(Object)", "", "Argument[0]", "log-injection", "ai-generated"] + - ["org.apache.axis2.util", "OnDemandLogger", True, "warn", "(Object,Throwable)", "", "Argument[0]", "log-injection", "ai-generated"] + - ["org.apache.axis2.util", "SecureWSDLLocator", True, "getBaseInputSource", "()", "", "this", "request-forgery", "ai-generated"] + - ["org.apache.axis2.util", "SecureWSDLLocator", True, "getImportInputSource", "(String,String)", "", "Argument[0..1]", "request-forgery", "ai-generated"] + #- ["org.apache.axis2.util", "Utils", True, "getNewConfigurationContext", "(String)", "", "Argument[0]", "path-injection", "ai-generated"] # INVALID: Method not found in repo + - ["org.apache.axis2.util", "XMLPrettyPrinter", True, "prettify", "(File)", "", "Argument[0]", "path-injection", "ai-generated"] + #- ["org.apache.axis2.util", "XMLUtils", True, "getInputSourceFromURI", "(String)", "", "Argument[0]", "request-forgery", "ai-generated"] # INVALID: Only returns new InputSource(uri); no fetch + - ["org.apache.axis2.util", "XMLUtils", True, "newDocument", "(String)", "", "Argument[0]", 
"request-forgery", "ai-generated"] + - ["org.apache.axis2.util", "XMLUtils", True, "newDocument", "(String,String,String)", "", "Argument[0]", "request-forgery", "ai-generated"] + - addsTo: + pack: codeql/java-all + extensible: sourceModel + data: + - ["org.apache.axis2.util", "CallbackReceiver", True, "receive", "(MessageContext)", "", "Argument[0]", "remote", "ai-generated"] + - ["org.apache.axis2.util", "OptionsParser", True, "getPassword", "()", "", "ReturnValue", "commandargs", "ai-generated"] + - ["org.apache.axis2.util", "OptionsParser", True, "getRemainingArgs", "()", "", "ReturnValue", "commandargs", "ai-generated"] + - ["org.apache.axis2.util", "OptionsParser", True, "getRemainingFlags", "()", "", "ReturnValue", "commandargs", "ai-generated"] + - ["org.apache.axis2.util", "OptionsParser", True, "getUser", "()", "", "ReturnValue", "commandargs", "ai-generated"] + - ["org.apache.axis2.util", "OptionsParser", True, "isValueSet", "(char)", "", "ReturnValue", "commandargs", "ai-generated"] diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.wsdl.util.model.yml b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.wsdl.util.model.yml new file mode 100644 index 000000000000..c866eb791817 --- /dev/null +++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/org.apache.axis2.wsdl.util.model.yml 
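Review bot: The `SecureWSDLLocator.getBaseInputSource()` row uses `this` as the request-forgery sink, which only produces results if taint reaches the locator object itself; without a summary that propagates the constructor's URL argument to `Argument[this]`, dataflow will rarely reach the receiver and the row is effectively dead. Either add that summary or model the constructor argument directly as the sink, the way the WSDLDefinitionWrapper rows in the org.apache.axis2.wsdl.util hunk do. Separately, `FileWriter.createClassFile(File,String,String,String)` lists all of `Argument[0..3]` as path-injection sinks; only the arguments that actually form the path belong there, and if any of the trailing strings is content or an extension rather than a path component (not visible here) it adds noise.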
@@ -0,0 +1,11 @@ +# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT. +# Generated from https://github.com/apache/axis-axis2-java-core.git#b7e6711279d38b7f0db3e648888de5154729e9a8 by codeql-mads-via-llm +extensions: + - addsTo: + pack: codeql/java-all + extensible: sinkModel + data: + - ["org.apache.axis2.wsdl.util", "WSDLDefinitionWrapper", True, "WSDLDefinitionWrapper", "(Definition,URL,AxisConfiguration)", "", "Argument[1]", "request-forgery", "ai-generated"] + - ["org.apache.axis2.wsdl.util", "WSDLDefinitionWrapper", True, "WSDLDefinitionWrapper", "(Definition,URL,boolean)", "", "Argument[1]", "request-forgery", "ai-generated"] + - ["org.apache.axis2.wsdl.util", "WSDLDefinitionWrapper", True, "WSDLDefinitionWrapper", "(Definition,URL,boolean,int)", "", "Argument[1]", "request-forgery", "ai-generated"] + - ["org.apache.axis2.wsdl.util", "WSDLDefinitionWrapper", True, "WSDLDefinitionWrapper", "(Definition,URL,int)", "", "Argument[1]", "request-forgery", "ai-generated"] \ No newline at end of file diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/report.md b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/report.md new file mode 100644 index 000000000000..43e81926c83d --- /dev/null +++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/kernel/report.md 
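Review bot: The report.md hunk later in this diff lists `WSDLWrapperReloadImpl.getTypes` and `getDocumentationElement` (org.apache.axis2.wsdl.util, CWE-918, certainty 4) under "Included", but this file contains only the four WSDLDefinitionWrapper constructor rows, so either the report over-counts or those rows were dropped between report and model generation; worth reconciling before merge, since comparable `this`-based sinks were kept in the org.apache.axis2.util file. Also, this file ends without a trailing newline (`\ No newline at end of file`) while the sibling generated files have one; the generator should emit it consistently, otherwise the file churns on the next regeneration.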
@@ -0,0 +1,278 @@ +# MaD Generation Report + +## Included (264) + +| Package | Class | Method | Type | Kind | Certainty | Reason | +|---------|-------|--------|------|------|-----------|--------| +| org.apache.axis2.context | ConfigurationContext | getRealPath | sink | CWE-22 | 5 | Argument 0 is a relative path that is resolved against the repository root directory (via AxisConfiguration.getRepository()) to produce a File. A user-controlled path with '..' sequences could traverse outside the intended directory, leading to path traversal. | +| org.apache.axis2.context | ConfigurationContextFactory | createConfigurationContextFromFileSystem | sink | CWE-22 | 4 | Arguments 0 (path) and 1 (axis2xml) are file system paths used to locate the repository directory and configuration file. An attacker who controls these values can traverse the file system to access arbitrary files/directories. | +| org.apache.axis2.context | ConfigurationContextFactory | createConfigurationContextFromFileSystem | sink | CWE-22 | 4 | Argument 0 (path) is a file system path used to locate the repository directory. An attacker who controls this value can traverse the file system to access arbitrary directories. | +| org.apache.axis2.context | ConfigurationContextFactory | createConfigurationContextFromURIs | sink | CWE-918 | 4 | Arguments 0 (axis2xml) and 1 (repository) are URLs used to load configuration and repository data from potentially remote locations. An attacker controlling these URLs can perform server-side request forgery. | +| org.apache.axis2.context | MessageContext | readExternal | sink | CWE-502 | 5 | readExternal deserializes data from the ObjectInput stream (arg 0), calling SafeObjectInputStream.readObject(), readUTF(), readMap(), etc. This is unsafe deserialization of potentially untrusted data. 
| +| org.apache.axis2.context | MessageContext | getEnvelope | source | remote | 4 | Returns the SOAPEnvelope of the incoming SOAP message, which contains the full message body and headers from the remote client. | +| org.apache.axis2.context | MessageContext | getSoapAction | source | remote | 4 | Returns the SOAP action string from the incoming message (typically from the HTTP SOAPAction header), which is remote-controlled. | +| org.apache.axis2.context | MessageContext | getWSAAction | source | remote | 4 | Returns the WS-Addressing Action from the incoming message, which is controlled by the remote client. | +| org.apache.axis2.context | MessageContext | getMessageID | source | remote | 4 | Returns the WS-Addressing MessageID from the incoming message, which is controlled by the remote client. | +| org.apache.axis2.context | MessageContext | getFrom | source | remote | 4 | Returns the WS-Addressing From EndpointReference from the incoming message, which is controlled by the remote client. | +| org.apache.axis2.context | MessageContext | getTo | source | remote | 4 | Returns the WS-Addressing To EndpointReference from the incoming message, which is controlled by the remote client. | +| org.apache.axis2.context | MessageContext | getReplyTo | source | remote | 4 | Returns the WS-Addressing ReplyTo EndpointReference from the incoming message, which is controlled by the remote client. | +| org.apache.axis2.context | MessageContext | getFaultTo | source | remote | 4 | Returns the WS-Addressing FaultTo EndpointReference from the incoming message, which is controlled by the remote client. | +| org.apache.axis2.context | MessageContext | getRelatesTo | source | remote | 4 | Returns the WS-Addressing RelatesTo from the incoming message, which is controlled by the remote client. 
| +| org.apache.axis2.context | MessageContext | getRelatesTo | source | remote | 4 | Returns the WS-Addressing RelatesTo of a specified type from the incoming message, controlled by the remote client. | +| org.apache.axis2.context | MessageContext | getRelationships | source | remote | 4 | Returns all WS-Addressing RelatesTo headers from the incoming message, which are controlled by the remote client. | +| org.apache.axis2.context | MessageContext | getAttachment | source | remote | 4 | Returns the DataHandler for a MIME attachment from the incoming message, which is remote-controlled data. | +| org.apache.axis2.context | MessageContext | getAttachmentMap | source | remote | 4 | Returns the Attachments map from the incoming message. MIME attachments are remote-controlled data. | +| org.apache.axis2.context | MessageContext | getAttachmentMap | source | remote | 4 | Returns the Attachments map from the incoming message. MIME attachments are remote-controlled data. | +| org.apache.axis2.context | OperationContext | readExternal | sink | CWE-502 | 5 | The readExternal method deserializes objects from the ObjectInput stream (argument 0). Callees confirm it delegates to SafeObjectInputStream.readObject(), readHashMap(), and readMap(), which perform deserialization of arbitrary objects. This can lead to arbitrary code execution if the input stream contains untrusted data. | +| org.apache.axis2.context | SelfManagedDataManager | deserializeSelfManagedData | sink | CWE-502 | 4 | Argument 0 is a ByteArrayInputStream containing serialized data that is deserialized (reconstituted) by the implementor. The method's explicit purpose is deserialization of previously serialized handler-specific data, making the data parameter a deserialization sink. | +| org.apache.axis2.context | ServiceContext | readExternal | sink | CWE-502 | 5 | Argument 0 is an ObjectInput stream from which the method deserializes objects by calling SafeObjectInputStream.readObject() and readMap(). 
Deserializing untrusted data from this stream can lead to arbitrary code execution via gadget chains (CWE-502). | +| org.apache.axis2.context | ServiceGroupContext | readExternal | sink | CWE-502 | 5 | Argument 0 (ObjectInput inObject) is deserialized via SafeObjectInputStream.readObject() and readMap(), which can lead to unsafe deserialization of untrusted data (CWE-502). | +| org.apache.axis2.context | SessionContext | readExternal | sink | CWE-502 | 5 | Argument 0 (ObjectInput inObject) is deserialized via readObject() and readMap() calls on SafeObjectInputStream, which wraps the provided ObjectInput. This can lead to arbitrary code execution if the stream contains untrusted data. | +| org.apache.axis2.description.java2wsdl.bytecode | ClassReader | resolveClass | sink | CWE-470 | 4 | The method calls Class.forName(String) with a class name resolved from the object's internal byte buffer (constant pool). If untrusted bytecode was loaded into this ClassReader, an attacker could control which class is dynamically loaded. | +| org.apache.axis2.description.java2wsdl.bytecode | ClassReader | resolveMethod | sink | CWE-470 | 4 | The method calls resolveClass which calls Class.forName(String) with a class name from the internal byte buffer. If untrusted bytecode was loaded into this ClassReader, an attacker could control which class is dynamically loaded and which method is resolved. | +| org.apache.axis2.description.java2wsdl.bytecode | ClassReader | resolveField | sink | CWE-470 | 4 | The method calls resolveClass which calls Class.forName(String) with a class name from the internal byte buffer. If untrusted bytecode was loaded into this ClassReader, an attacker could control which class is loaded and which field is accessed. | +| org.apache.axis2.receivers | AbstractInOutMessageReceiver | invokeBusinessLogic | source | remote | 4 | This is a framework callback in Apache Axis2 invoked when a SOAP/REST request arrives. 
Parameter 0 (msgContext) carries the incoming MessageContext with remote request data from the client. | +| org.apache.axis2.receivers | AbstractInOutMessageReceiver | invokeBusinessLogic | source | remote | 4 | This is the abstract framework callback that developers override to handle incoming Axis2 web service requests. Parameter 0 (inMessage) carries the incoming MessageContext with remote request data from the client. | +| org.apache.axis2.receivers | ServerCallback | handleResult | source | remote | 3 | handleResult is a server-side framework callback in Axis2's receiver pipeline. The MessageContext parameter (arg 0) carries the full SOAP message context (envelope, headers, body) originating from a remote client, making it a source of remote data. | +| org.apache.axis2.context.externalize | DebugObjectInput | readObject | sink | CWE-502 | 5 | readObject() delegates to ObjectInput.readObject(), performing Java deserialization on data from the underlying ObjectInput stream held in `this`. Deserializing untrusted data can lead to arbitrary code execution (CWE-502). | +| org.apache.axis2.context.externalize | DebugObjectInput | trace | sink | CWE-117 | 4 | Argument 0 (str) is passed directly to Log.debug(), writing it to the log without sanitization. If the string contains attacker-controlled data, it can lead to log injection (CWE-117). | +| org.apache.axis2.context.externalize | DebugObjectOutputStream | writeUTF | sink | CWE-117 | 4 | Argument 0 (String str) is logged via Log.debug(), which can lead to log injection if the string contains newline or other formatting characters. | +| org.apache.axis2.context.externalize | DebugObjectOutputStream | writeBytes | sink | CWE-117 | 4 | Argument 0 (String s) is logged via Log.debug(), which can lead to log injection if the string contains newline or other formatting characters. 
| +| org.apache.axis2.context.externalize | DebugObjectOutputStream | writeChars | sink | CWE-117 | 4 | Argument 0 (String s) is logged via Log.debug(), which can lead to log injection if the string contains newline or other formatting characters. | +| org.apache.axis2.context.externalize | DebugObjectOutputStream | writeObject | sink | CWE-117 | 4 | Argument 0 (Object obj) is passed to valueName() and the result is logged via Log.debug(), which can lead to log injection if the object's string representation contains newline or formatting characters. | +| org.apache.axis2.context.externalize | MessageExternalizeUtils | readExternal | sink | CWE-611 | 4 | Argument 0 (ObjectInput in) is read and its content is parsed as XML via OMXMLBuilderFactory.createSOAPModelBuilder(InputStream, String). If the input contains untrusted XML, it could lead to XML External Entity (XXE) attacks if the underlying parser is not configured to disable external entities. | +| org.apache.axis2.context.externalize | ObjectInputStreamWithCL$ClassResolver | resolveClass | sink | CWE-470 | 4 | Argument 0 (className) is used to dynamically load a class via reflection. If an attacker can control this value, they could load arbitrary classes, leading to unsafe reflection / class instantiation vulnerabilities. | +| org.apache.axis2.context.externalize | SafeObjectInputStream | readObject | sink | CWE-502 | 5 | readObject() delegates to readObjectOverride(), performing Java object deserialization on the data in the underlying stream (this). Deserializing untrusted data can lead to arbitrary code execution. | +| org.apache.axis2.context.externalize | SafeObjectInputStream | readList | sink | CWE-502 | 5 | readList() calls ObjectInputStream.readObject() to deserialize objects from the underlying stream (this) into a List. Deserializing untrusted data can lead to arbitrary code execution. 
| +| org.apache.axis2.context.externalize | SafeObjectInputStream | readLinkedList | sink | CWE-502 | 5 | readLinkedList() delegates to readList(), which calls ObjectInputStream.readObject() to deserialize objects from the underlying stream (this). Deserializing untrusted data can lead to arbitrary code execution. | +| org.apache.axis2.context.externalize | SafeObjectInputStream | readArrayList | sink | CWE-502 | 5 | readArrayList() delegates to readList(), which calls ObjectInputStream.readObject() to deserialize objects from the underlying stream (this). Deserializing untrusted data can lead to arbitrary code execution. | +| org.apache.axis2.context.externalize | SafeObjectInputStream | readMap | sink | CWE-502 | 5 | readMap() calls ObjectInputStream.readObject() to deserialize key/value pairs from the underlying stream (this) into a Map. Deserializing untrusted data can lead to arbitrary code execution. | +| org.apache.axis2.context.externalize | SafeObjectInputStream | readHashMap | sink | CWE-502 | 5 | readHashMap() delegates to readMap(), which calls ObjectInputStream.readObject() to deserialize key/value pairs from the underlying stream (this). Deserializing untrusted data can lead to arbitrary code execution. | +| org.apache.axis2.classloader | MultiParentClassLoader | loadClass | sink | CWE-470 | 5 | Argument 0 (name) specifies the fully-qualified class name to load dynamically. The method delegates to ClassLoader.loadClass and URLClassLoader.findClass. If the class name is externally controlled, this enables unsafe reflection / dynamic class loading attacks. | +| org.apache.axis2.deployment.resolver | AARBasedWSDLLocator | getImportInputSource | sink | CWE-22 | 4 | The importLocation (arg 1) is used to construct a path to look up entries within a zip archive via ZipInputStream iteration and ZipEntry.getName() comparison. The parentLocation (arg 0) is used as a base URI via URI.create(). 
Both are used to resolve a path within the zip file without validation, enabling path traversal within the archive (CWE-22). | +| org.apache.axis2.deployment.resolver | AARBasedWSDLLocator | getImportInputSource | sink | CWE-918 | 4 | When importLocation (arg 1) is detected as an absolute URI by isAbsolute(), the method delegates to DefaultURIResolver.resolveEntity() which can fetch arbitrary external resources. The parentLocation (arg 0) is used as the base URI. This enables server-side request forgery if an attacker controls the import location. | +| org.apache.axis2.deployment.resolver | AARFileBasedURIResolver | resolveEntity | source | file | 4 | The method reads file content from a ZIP/AAR archive via ZipInputStream and returns it as an InputSource, or delegates to DefaultURIResolver.resolveEntity which may also read from files or network. The return value contains data freshly read from the filesystem. | +| org.apache.axis2.deployment.resolver | AARFileBasedURIResolver | resolveEntity | sink | CWE-22 | 4 | Arguments 1 (schemaLocation) and 2 (baseUri) are used to construct URIs via URI.create/URI.resolve and to look up entries in the ZIP archive. They are also passed to DefaultURIResolver.resolveEntity, which can resolve to arbitrary file paths, enabling path traversal. | +| org.apache.axis2.deployment.resolver | AARFileBasedURIResolver | resolveEntity | sink | CWE-918 | 4 | Arguments 1 (schemaLocation) and 2 (baseUri) are used to construct URIs that are passed to DefaultURIResolver.resolveEntity as a fallback, which can make network requests to attacker-controlled servers, enabling SSRF. | +| org.apache.axis2.deployment.resolver | WarBasedWSDLLocator | getImportInputSource | sink | CWE-22 | 4 | Arguments 0 (parentLocation) and 1 (importLocation) are used to construct a resource path via URI.create/URI.resolve and then load a resource via ClassLoader.getResourceAsStream. 
An attacker-controlled importLocation could traverse outside the expected resource directory. | +| org.apache.axis2.deployment.resolver | WarBasedWSDLLocator | getImportInputSource | sink | CWE-918 | 4 | Arguments 0 (parentLocation) and 1 (importLocation) are used to construct a URI which may be resolved via DefaultURIResolver.resolveEntity. If the import location is an absolute URL pointing to an attacker-controlled server, this enables SSRF. | +| org.apache.axis2.deployment.resolver | WarFileBasedURIResolver | resolveEntity | sink | CWE-22 | 4 | Arguments 1 (schemaLocation) and 2 (baseUri) are used to construct resource paths via URI.create/resolve and then passed to ClassLoader.getResourceAsStream(), enabling path traversal to read arbitrary classpath resources. | +| org.apache.axis2.deployment.resolver | WarFileBasedURIResolver | resolveEntity | sink | CWE-918 | 4 | Arguments 1 (schemaLocation) and 2 (baseUri) are used to construct URIs. For absolute URIs, the method delegates to DefaultURIResolver.resolveEntity() which can make network requests, enabling SSRF attacks. | +| org.apache.axis2.wsdl.util | WSDLDefinitionWrapper | WSDLDefinitionWrapper | sink | CWE-918 | 3 | Argument 1 (wURL) specifies the URL from which the WSDL definition may be re-read to reduce memory footprint. The class documentation states it manages WSDL definitions and may re-read them, and the constructor delegates to prepare(Definition, URL). An attacker-controlled URL could lead to SSRF. | +| org.apache.axis2.wsdl.util | WSDLDefinitionWrapper | WSDLDefinitionWrapper | sink | CWE-918 | 3 | Argument 1 (wURL) specifies the URL from which the WSDL definition may be re-read. An attacker-controlled URL could lead to SSRF. | +| org.apache.axis2.wsdl.util | WSDLDefinitionWrapper | WSDLDefinitionWrapper | sink | CWE-918 | 3 | Argument 1 (wURL) specifies the URL from which the WSDL definition may be re-read. An attacker-controlled URL could lead to SSRF. 
| +| org.apache.axis2.wsdl.util | WSDLDefinitionWrapper | WSDLDefinitionWrapper | sink | CWE-918 | 3 | Argument 1 (wURL) specifies the URL from which the WSDL definition may be re-read. An attacker-controlled URL could lead to SSRF. | +| org.apache.axis2.wsdl.util | WSDLWrapperReloadImpl | getTypes | sink | CWE-918 | 4 | This method calls loadDefinition() which uses the URL stored in the object state (this) to make a network request to reload the WSDL definition. If the stored URL is attacker-controlled, this enables SSRF. | +| org.apache.axis2.wsdl.util | WSDLWrapperReloadImpl | getDocumentationElement | sink | CWE-918 | 4 | This method calls loadDefinition() which uses the URL stored in the object state (this) to make a network request to reload the WSDL definition. If the stored URL is attacker-controlled, this enables SSRF. | +| org.apache.axis2.dispatchers | RequestURIBasedServiceDispatcher | findService | sink | CWE-117 | 4 | The method extracts the request URI from messageContext (arg 0) via getTo().getAddress(), and logs derived data via Log.debug(). Attacker-controlled data from the request URI can be injected into log entries without sanitization. | +| org.apache.axis2.client.async | AxisCallback | onMessage | source | remote | 4 | Callback method invoked when a response message is received from a remote service. The msgContext parameter (arg 0) carries the remote response data, making it a source of remote input. | +| org.apache.axis2.client.async | AxisCallback | onFault | source | remote | 4 | Callback method invoked when a fault message is received from a remote service. The msgContext parameter (arg 0) carries the remote fault response data, making it a source of remote input. | +| org.apache.axis2.handlers | AbstractHandler | flowComplete | source | remote | 3 | flowComplete is a handler lifecycle callback in the Axis2 SOAP web services framework. 
The MessageContext parameter (arg 0) carries data from remote SOAP requests, including the SOAP envelope, headers, and body. When subclasses override this method, the parameter is an entry point for remote data. | +| org.apache.axis2.client | OperationClient | getMessageContext | source | remote | 3 | After the operation client executes a web service call, getMessageContext returns a MessageContext containing the response from the remote service. This response data originates from outside the program boundary (a remote service endpoint). | +| org.apache.axis2.client | Options | readExternal | sink | CWE-502 | 5 | The readExternal method deserializes object state from an ObjectInput stream. Callees confirm it calls SafeObjectInputStream.readObject(), readArrayList(), readHashMap(), which reconstruct objects from the stream. Argument 0 (the ObjectInput stream) is the source of potentially untrusted serialized data, making this a deserialization sink. | +| org.apache.axis2.client | ServiceClient | ServiceClient | sink | CWE-918 | 5 | Argument 1 (wsdlURL) is used to fetch a WSDL document from a remote URL via AxisService.createClientSideAxisService, which can lead to SSRF if the URL is attacker-controlled. | +| org.apache.axis2.client | ServiceClient | sendReceive | sink | CWE-918 | 4 | The method sends a request to the endpoint configured in the object's state (this), which can lead to SSRF if the endpoint is attacker-controlled. | +| org.apache.axis2.client | ServiceClient | sendReceive | source | remote | 4 | The return value is the response from a remote web service, which constitutes externally-provided data entering the program. | +| org.apache.axis2.client | ServiceClient | sendReceive | sink | CWE-918 | 4 | The method sends a request to the endpoint configured in the object's state (this), which can lead to SSRF if the endpoint is attacker-controlled. 
| +| org.apache.axis2.client | ServiceClient | sendReceive | source | remote | 4 | The return value is the response from a remote web service, constituting externally-provided data entering the program. | +| org.apache.axis2.client | ServiceClient | fireAndForget | sink | CWE-918 | 4 | The method sends a request to the endpoint configured in the object's state (this), which can lead to SSRF if the endpoint is attacker-controlled. | +| org.apache.axis2.client | ServiceClient | fireAndForget | sink | CWE-918 | 4 | The method sends a request to the endpoint configured in the object's state (this), which can lead to SSRF if the endpoint is attacker-controlled. | +| org.apache.axis2.client | ServiceClient | sendRobust | sink | CWE-918 | 4 | The method sends a request to the endpoint configured in the object's state (this), which can lead to SSRF if the endpoint is attacker-controlled. | +| org.apache.axis2.client | ServiceClient | sendRobust | sink | CWE-918 | 4 | The method sends a request to the endpoint configured in the object's state (this), which can lead to SSRF if the endpoint is attacker-controlled. | +| org.apache.axis2.client | ServiceClient | sendReceiveNonBlocking | sink | CWE-918 | 4 | The method sends a request to the endpoint configured in the object's state (this), which can lead to SSRF if the endpoint is attacker-controlled. | +| org.apache.axis2.client | ServiceClient | sendReceiveNonBlocking | sink | CWE-918 | 4 | The method sends a request to the endpoint configured in the object's state (this), which can lead to SSRF if the endpoint is attacker-controlled. | +| org.apache.axis2.client | Stub | addHttpHeader | sink | CWE-113 | 4 | Arguments 1 (name) and 2 (value) are used to set an HTTP header on the message context. If attacker-controlled data flows into these, it can lead to HTTP header injection / response splitting. 
| +| org.apache.axis2.client | Stub | setServiceClientEPR | sink | CWE-918 | 4 | Argument 0 (address) is used to set the endpoint reference address for the service client, determining where outbound requests are sent. If attacker-controlled data flows in, it enables server-side request forgery. | +| org.apache.axis2.dataretrieval | AxisDataLocatorImpl | getData | sink | CWE-117 | 3 | The method extracts dialect and identifier strings from argument 0 (DataRetrievalRequest) via getDialect() and getIdentifier(), and the method directly calls Log.info(Object) and Log.info(Object, Throwable). Data from the request parameter likely flows to these log calls, making it a log injection sink. | +| org.apache.axis2.dataretrieval | BaseAxisDataLocator | outputInlineForm | source | file | 4 | The method reads file content via ServiceData.getFileContent(ClassLoader) and returns it as Data[]. The returned data contains content read from files on the filesystem/classpath, which is new data brought into the program. | +| org.apache.axis2.dataretrieval | BaseAxisDataLocator | getData | source | file | 4 | The method delegates to outputInlineForm (among others) which reads file content via ServiceData.getFileContent(ClassLoader). The return value Data[] contains data read from files, representing new data brought into the program from the filesystem. | +| org.apache.axis2.dataretrieval | DataRetrievalUtil | convertToOMElement | sink | CWE-611 | 4 | Argument 0 (servicexmlStream) is an InputStream parsed as XML via OMXMLBuilderFactory.createOMBuilder(InputStream). If the XML contains external entity declarations and the parser is not properly configured, this leads to XXE. | +| org.apache.axis2.dataretrieval | DataRetrievalUtil | buildOM | sink | CWE-22 | 4 | Argument 1 (file) is a file path relative to the Service Repository used to load a file via getInputStream(ClassLoader, String). If attacker-controlled, it can traverse to unexpected files. 
|
+| org.apache.axis2.dataretrieval | DataRetrievalUtil | buildOM | sink | CWE-611 | 4 | Argument 1 (file) specifies a file whose content is loaded and then parsed as XML via convertToOMElement, which uses OMXMLBuilderFactory.createOMBuilder. If the file contains malicious XML with external entities, this can lead to XXE. |
+| org.apache.axis2.dataretrieval | ServiceData | getFileContent | source | file | 4 | The return value is file content loaded via DataRetrievalUtil.buildOM(ClassLoader, String), which reads a file from the classloader. This brings new data from the filesystem into the program. |
+| org.apache.axis2.dataretrieval | ServiceData | getFileContent | sink | CWE-22 | 4 | The file path used to load content via DataRetrievalUtil.buildOM comes from the object's state (this), which was populated from XML data in the constructor. If an attacker controls the ServiceData XML, they can specify arbitrary file paths, leading to path traversal. |
+| org.apache.axis2.deployment.repository.util | ArchiveReader | buildServiceDescription | sink | CWE-22 | 4 | Argument 0 (filename) is used to access the filesystem — the method calls File.exists() and opens ZipInputStream to read from the file, allowing path traversal attacks. |
+| org.apache.axis2.deployment.repository.util | ArchiveReader | buildServiceDescription | sink | CWE-611 | 4 | Argument 0 (in) is an InputStream that is parsed as XML via DescriptionBuilder.buildOM(). If the XML parser is not configured to disable external entities, this can lead to XXE attacks. |
+| org.apache.axis2.deployment.repository.util | ArchiveReader | processServiceGroup | sink | CWE-22 | 4 | Argument 0 (filename) is used to access the filesystem — the method calls File.exists(), opens FileInputStream and ZipInputStream to read from the file, allowing path traversal attacks.
|
+| org.apache.axis2.deployment.repository.util | ArchiveReader | processFilesInFolder | sink | CWE-22 | 4 | Argument 0 (folder) is used to list and read files — the method calls File.listFiles(), FileInputStream, and File.toURI(), allowing path traversal if the folder path is attacker-controlled. |
+| org.apache.axis2.deployment.repository.util | ArchiveReader | getAxisServiceFromWsdl | sink | CWE-611 | 4 | Argument 0 (in) is an InputStream containing WSDL XML that is parsed via XMLUtils.toOM(InputStream). If the XML parser is not configured to disable external entities, this can lead to XXE attacks. |
+| org.apache.axis2.deployment.repository.util | ArchiveReader | buildServiceGroup | sink | CWE-611 | 4 | Argument 0 (zin) is an InputStream that is delegated to buildServiceDescription(InputStream, ConfigurationContext) which parses it as XML via DescriptionBuilder.buildOM(). This can lead to XXE if the parser is not hardened. |
+| org.apache.axis2.deployment.repository.util | DeploymentFileData | setClassLoader | sink | CWE-22 | 4 | Argument 2 (File file) is used to create a ClassLoader via Utils.createClassLoader/Utils.getClassLoader (confirmed by callees). If the file path is attacker-controlled, path traversal sequences could cause code to be loaded from unintended filesystem locations. |
+| org.apache.axis2.deployment.repository.util | WSInfoList | addWSInfoItem | sink | CWE-22 | 4 | Argument 0 (File) is used to determine the file path (via getAbsolutePath()) for deployment. An attacker-controlled file path could lead to path traversal, allowing deployment of services/modules from unexpected file system locations. |
+| org.apache.axis2.deployment.repository.util | WSInfoList | addWSInfoItem | sink | CWE-22 | 4 | Argument 0 (URL) has its path extracted via getPath() and used for deployment. An attacker-controlled URL path could lead to path traversal, allowing deployment of services/modules from unexpected locations.
|
+| org.apache.axis2.deployment | AxisConfigBuilder | processTransportSenders | sink | CWE-470 | 4 | Argument 0 (Iterator of XML transport sender elements) provides class names that are loaded via Loader.loadClass() and instantiated via Class.newInstance(), enabling unsafe reflection / dynamic class instantiation. |
+| org.apache.axis2.deployment | AxisConfigBuilder | processTransportReceivers | sink | CWE-470 | 4 | Argument 0 (Iterator of XML transport receiver elements) provides class names that are loaded via Loader.loadClass() and instantiated via Class.newInstance(), enabling unsafe reflection / dynamic class instantiation. |
+| org.apache.axis2.deployment | AxisConfigBuilder | processMessageBuilders | sink | CWE-470 | 4 | Argument 0 (OMElement containing message builder XML config) provides class names that are dynamically loaded and instantiated via Class.newInstance() in the delegate method, enabling unsafe reflection. |
+| org.apache.axis2.deployment | AxisConfigBuilder | processMessageFormatters | sink | CWE-470 | 4 | Argument 0 (OMElement containing message formatter XML config) provides class names that are dynamically loaded and instantiated via Class.newInstance() in the delegate method, enabling unsafe reflection. |
+| org.apache.axis2.deployment | Deployer | undeploy | sink | CWE-22 | 3 | Argument 0 (fileName) specifies the file name/path to remove from the configuration. An attacker-controlled fileName could lead to path traversal, allowing removal of unintended files. |
+| org.apache.axis2.deployment | Deployer | deploy | sink | CWE-22 | 3 | Argument 0 (deploymentFileData) contains file path and data information used to process and deploy a file into the configuration. Attacker-controlled deployment file data could lead to path traversal during file processing. |
+| org.apache.axis2.deployment | DeploymentClassLoader | loadClass | sink | CWE-470 | 5 | Argument 0 (name) specifies the fully qualified class name to load dynamically.
Callees confirm delegation to ClassLoader.loadClass and URLClassLoader.findClass. If attacker-controlled, this allows arbitrary class instantiation (unsafe reflection). |
+| org.apache.axis2.deployment | DeploymentClassLoader | getResourceAsStream | sink | CWE-22 | 4 | Argument 0 (name) specifies the resource path to access. Callees show it resolves via getResource/findResource and opens with URL.openStream(). An attacker-controlled name could traverse paths to access unintended resources. |
+| org.apache.axis2.deployment | DeploymentEngine | getFileList | source | remote | 5 | The method opens a URL stream (URL.openStream()), reads lines from it via BufferedReader.readLine(), and returns them as an ArrayList. The return value contains data read from an external URL. |
+| org.apache.axis2.deployment | DeploymentEngine | getFileList | sink | CWE-918 | 5 | Argument 0 (fileListUrl) is a URL used to open a stream (URL.openStream()), allowing an attacker to control the server-side request destination, leading to SSRF. |
+| org.apache.axis2.deployment | DeploymentEngine | loadRepositoryFromURL | sink | CWE-918 | 4 | Argument 0 (repoURL) is used to load modules and services from a remote URL. The method delegates to getFileList which calls URL.openStream(), and to addURLToDeploy which fetches deployable artifacts from the URL. |
+| org.apache.axis2.deployment | DeploymentEngine | loadServicesFromUrl | sink | CWE-918 | 4 | Argument 0 (repoURL) is used to load services from a remote URL. The method delegates to getFileList which calls URL.openStream(), and to addURLToDeploy which fetches deployable artifacts from the URL. |
+| org.apache.axis2.deployment | DeploymentEngine | buildService | sink | CWE-611 | 4 | Argument 0 (serviceInputStream) is an InputStream that is parsed as XML via DescriptionBuilder.buildOM(). If the XML parser is not configured to disable external entities, this can lead to XXE attacks.
|
+| org.apache.axis2.deployment | DeploymentEngine | buildServiceGroup | sink | CWE-611 | 4 | Argument 0 (servicesxml) is an InputStream that is parsed as XML via ArchiveReader.buildServiceGroup(). If the XML parser is not configured to disable external entities, this can lead to XXE attacks. |
+| org.apache.axis2.deployment | DeploymentEngine | populateAxisConfiguration | sink | CWE-611 | 4 | Argument 0 (in) is an InputStream parsed as axis2.xml via AxisConfigBuilder.populateConfig(). If the XML parser is not configured to disable external entities, this can lead to XXE attacks. |
+| org.apache.axis2.deployment | DeploymentEngine | loadRepository | sink | CWE-22 | 4 | Argument 0 (repoDir) is used as a file system directory path. The method accesses the filesystem, creates File objects, sets up classloaders, and loads modules/services from the directory without path validation. |
+| org.apache.axis2.deployment | DeploymentEngine | loadServiceGroup | sink | CWE-22 | 4 | Argument 0 (serviceFile) is a File used to load service groups, including creating class loaders and reading service configuration from the archive file. |
+| org.apache.axis2.deployment | DeploymentEngine | buildModule | sink | CWE-22 | 4 | Argument 0 (modulearchive) is a File used to read module archives and set up class loaders, accessing the filesystem based on the File path. |
+| org.apache.axis2.deployment | DeploymentEngine | prepareRepository | sink | CWE-22 | 4 | Argument 0 (repositoryName) is used as a directory path to create filesystem directories for modules and services. |
+| org.apache.axis2.deployment | DeploymentEngine | setClassLoaders | sink | CWE-22 | 4 | Argument 0 (axis2repoURI) is used as a filesystem path to set up classloader hierarchy, accessing the filesystem to load classes from the specified repository location.
|
+| org.apache.axis2.deployment | DescriptionBuilder | findAndValidateSelectorClass | sink | CWE-470 | 5 | Argument 0 (className) is used to dynamically load a class via AccessController.doPrivileged, enabling unsafe reflection/class instantiation. |
+| org.apache.axis2.deployment | DescriptionBuilder | processMessageBuilders | sink | CWE-470 | 5 | Argument 0 (messageBuildersElement) contains XML elements from which class names are extracted and dynamically loaded via findAndValidateSelectorClass and Class.newInstance(). |
+| org.apache.axis2.deployment | DescriptionBuilder | processMessageFormatters | sink | CWE-470 | 5 | Argument 0 (messageFormattersElement) contains XML elements from which class names are extracted and dynamically loaded via findAndValidateSelectorClass and Class.newInstance(). |
+| org.apache.axis2.deployment | DescriptionBuilder | loadMessageReceiver | sink | CWE-470 | 5 | Argument 1 (element) is an OMElement from which a class name is extracted via getAttribute and passed to Loader.loadClass followed by Class.newInstance(), enabling dynamic class loading. |
+| org.apache.axis2.deployment | DescriptionBuilder | processMessageReceivers | sink | CWE-470 | 5 | Argument 0 (messageReceivers) is an OMElement from which class names are extracted and dynamically loaded via AccessController.doPrivileged. |
+| org.apache.axis2.deployment | DescriptionBuilder | processMessageReceivers | sink | CWE-470 | 5 | Argument 1 (element) is an OMElement from which class names are extracted and dynamically loaded via delegation to loadMessageReceiver. |
+| org.apache.axis2.deployment | DescriptionBuilder | buildOM | sink | CWE-611 | 4 | The object state (this) contains an InputStream set during construction. buildOM() parses this InputStream as XML via XMLUtils.toOM(InputStream), which may be vulnerable to XXE if the parser is not properly configured.
|
+| org.apache.axis2.deployment | FileSystemConfigurator | getAxisConfiguration | sink | CWE-22 | 4 | The method uses stored file paths (repoLocation, axis2xml) from object state to load files from the filesystem via DeploymentEngine.loadRepository(String) and Loader.getResourceAsStream(String). An attacker-controlled path could lead to path traversal. |
+| org.apache.axis2.deployment | FileSystemConfigurator | getAxisConfiguration | sink | CWE-611 | 4 | The method parses an XML configuration file (axis2xml path stored in this) via DeploymentEngine.populateAxisConfiguration(InputStream). If the XML file is attacker-controlled, this could lead to XML External Entity (XXE) attacks. |
+| org.apache.axis2.deployment | ModuleBuilder | ModuleBuilder | sink | CWE-611 | 3 | Argument 0 (serviceInputStream) is an InputStream containing XML data that is parsed to build a module description (OM = AXIOM XML Object Model). If the XML parser is not securely configured, this can lead to XXE (XML External Entity) attacks. |
+| org.apache.axis2.deployment | ModuleDeployer | deploy | sink | CWE-22 | 4 | Argument 0 (DeploymentFileData) contains file paths used to access the filesystem: the method calls File.isDirectory(), DeploymentFileData.getFile(), readModuleArchive(), and setClassLoader() with a File argument — all derived from the deployment file data's path, enabling path traversal attacks. |
+| org.apache.axis2.deployment | ModuleDeployer | deoloyFromUrl | sink | CWE-918 | 4 | Argument 0 (DeploymentFileData) contains a URL (obtained via getUrl()) that is used to fetch remote resources and create a class loader via Utils.createClassLoader. An attacker controlling this URL could cause the server to make requests to arbitrary destinations (SSRF). |
+| org.apache.axis2.deployment | POJODeployer | deploy | sink | CWE-94 | 4 | Argument 0 (DeploymentFileData) provides the file from which classes are dynamically loaded and executed.
The method creates ClassLoaders from the file's URL (Utils.createClassLoader), loads classes (Utils.getListOfClasses), and deploys them as services. If the deployment file data is attacker-controlled, arbitrary code can be loaded and executed. |
+| org.apache.axis2.deployment | RepositoryListener | findServicesInDirectory | sink | CWE-22 | 4 | Argument 0 (root) specifies a directory that the method directly accesses via File.exists(), File.listFiles(), File.isDirectory(), and recursively traverses. If attacker-controlled, the root path could point to arbitrary directories on the filesystem, enabling path traversal. |
+| org.apache.axis2.deployment | ServiceBuilder | populateService | sink | CWE-470 | 4 | Argument 0 (service_element) is an OMElement containing XML service configuration. The method extracts class names from this element and dynamically loads/instantiates them via loadServiceLifeCycleClass, loadObjectSupplierClass, and processMessageReceivers. If the XML content is attacker-controlled, arbitrary classes can be instantiated. |
+| org.apache.axis2.deployment | ServiceDeployer | deploy | sink | CWE-22 | 4 | Argument 0 (DeploymentFileData) contains file path information used to access the filesystem: the method calls File.isDirectory(), File.toURI(), buildServiceDescription(), and setClassLoader(), all based on paths from this argument. User-controlled paths could lead to path traversal. |
+| org.apache.axis2.deployment | ServiceDeployer | deploy | sink | CWE-918 | 4 | Argument 0 (DeploymentFileData) can contain a URL used to fetch remote service content. The method delegates to deployFromUrl which makes outbound requests to the URL, potentially enabling SSRF. |
+| org.apache.axis2.deployment | ServiceDeployer | deployFromUrl | sink | CWE-918 | 4 | Argument 0 (DeploymentFileData) contains a URL extracted via getUrl() and used to fetch remote service definitions via populateService, enabling SSRF if URL is user-controlled.
|
+| org.apache.axis2.deployment | ServiceDeployer | deployFromUrl | sink | CWE-918 | 3 | Argument 1 (servicesURL) specifies a remote URL from which to deploy a service. If user-controlled, this enables SSRF attacks. |
+| org.apache.axis2.deployment | ServiceDeployer | populateService | sink | CWE-918 | 3 | Argument 1 (servicesURL) specifies the URL from which service content is fetched and populated. If user-controlled, this enables SSRF attacks. |
+| org.apache.axis2.deployment | TransportDeployer | deploy | sink | CWE-22 | 4 | Argument 0 (DeploymentFileData) provides a file path that is used to access the filesystem. The method calls getFile(), File.isDirectory(), getResourceAsStream(), and setClassLoader() based on the file path contained in the DeploymentFileData object. An attacker who controls this file path could traverse the filesystem to deploy arbitrary files. |
+| org.apache.axis2.deployment | URLBasedAxisConfigurator | getAxisConfiguration | sink | CWE-918 | 4 | The method uses URLs stored in the object state (set via constructor) to make network requests via URL.openStream() and loadRepositoryFromURL(). If the URLs are attacker-controlled, this enables Server-Side Request Forgery. |
+| org.apache.axis2.deployment | WSDLServiceBuilderExtension | buildAxisServices | sink | CWE-611 | 4 | Argument 0 (DeploymentFileData) is passed to ArchiveReader.processWSDLs() which parses WSDL (XML) documents. If the WSDL content is untrusted, this can lead to XML External Entity (XXE) attacks during XML parsing. |
+| org.apache.axis2.deployment.util | ExcludeInfo | getBeanExcludeInfoForClass | sink | CWE-1333 | 4 | The method iterates over stored regex patterns (from the object's map keys, set via putBeanInfo) and uses them in String.matches(), which compiles and executes the regex. If an attacker can influence the regex patterns stored in this object, they can craft a malicious regex causing ReDoS.
The object state (`this`) contains the regex patterns used in the matching operation. |
+| org.apache.axis2.deployment.util | PhasesInfo | makePhase | sink | CWE-470 | 4 | Argument 0 (phaseElement) is an XML element from which attribute values (e.g., handler class names) are extracted via getAttributeValue and used to create handlers via makeHandler. This follows the Axis2 pattern of instantiating handler classes from deployment XML, which constitutes unsafe reflection if the XML content is attacker-controlled. |
+| org.apache.axis2.deployment.util | TempFileManager | createTempFile | sink | CWE-22 | 4 | Arguments 0 (prefix) and 1 (suffix) are passed directly to File.createTempFile(String, String, File) to construct the filename of a newly created temporary file. If an attacker controls these values and includes path separator characters or '..' sequences, files could be created outside the intended temporary directory, leading to path traversal. |
+| org.apache.axis2.deployment.util | Utils | loadHandler | sink | CWE-470 | 4 | Argument 1 (desc) provides the class name via getClassName(), which is used with Loader.loadClass() to dynamically load and instantiate an arbitrary class. If the class name is attacker-controlled, this allows unsafe reflection / arbitrary class instantiation. |
+| org.apache.axis2.deployment.util | Utils | addFlowHandlers | sink | CWE-470 | 4 | Argument 0 (flow) provides handler descriptions whose class names are used to dynamically load and instantiate handler classes via getHandlerClass(). If the flow configuration contains attacker-controlled class names, arbitrary classes could be instantiated. |
+| org.apache.axis2.deployment.util | Utils | getClassLoader | sink | CWE-22 | 4 | Argument 1 (file) specifies a filesystem directory from which classes and JARs are loaded. If this path is attacker-controlled, it allows path traversal to load code from arbitrary directories.
|
+| org.apache.axis2.deployment.util | Utils | getClassLoader | sink | CWE-22 | 4 | Argument 1 (path) is a string path that is used to access a filesystem directory to load classes and JARs. Delegates to the File-based overload. If attacker-controlled, allows path traversal. |
+| org.apache.axis2.deployment.util | Utils | createClassLoader | sink | CWE-22 | 4 | Argument 0 (serviceFile) specifies a filesystem location from which classes are loaded. If attacker-controlled, allows path traversal to load from arbitrary directories. |
+| org.apache.axis2.deployment.util | Utils | createClassLoader | sink | CWE-918 | 4 | Argument 0 (archiveUrl) is used to open a stream via getURLsForAllJars, which calls url.openStream(). If attacker-controlled, this enables SSRF by making requests to arbitrary URLs. |
+| org.apache.axis2.deployment.util | Utils | getURLsForAllJars | sink | CWE-918 | 4 | Argument 0 (url) is opened with url.openStream() to read its content as a ZIP stream. If the URL is attacker-controlled, this enables SSRF attacks. |
+| org.apache.axis2.deployment.util | Utils | createTempFile | sink | CWE-22 | 4 | Argument 0 (suffix) is used in temp file name creation via TempFileManager.createTempFile(). If the suffix contains path separators or traversal characters, it could cause file creation outside the intended temp directory. |
+| org.apache.axis2.addressing | EndpointReference | readExternal | sink | CWE-502 | 5 | Argument 0 (ObjectInput inObject) is deserialized using SafeObjectInputStream.readObject(), readUTF(), readInt(), and OMXMLBuilderFactory.createOMBuilder(InputStream). Deserializing untrusted data from this stream can lead to arbitrary code execution. |
+| org.apache.axis2.addressing | EndpointReferenceHelper | fromString | sink | CWE-611 | 4 | Argument 0 (eprString) is parsed as XML via AXIOMUtil.stringToOM(String), which performs XML parsing. If the underlying parser is not configured to disable external entities/DTDs, this can lead to XXE attacks.
|
+| org.apache.axis2.addressing | RelatesTo | readExternal | sink | CWE-502 | 5 | Argument 0 is an ObjectInput stream from which the method deserializes objects via SafeObjectInputStream.readObject(). Deserializing untrusted data can lead to arbitrary code execution. |
+| org.apache.axis2.description.java2wsdl | DefaultSchemaGenerator | DefaultSchemaGenerator | sink | CWE-470 | 5 | Argument 1 (className) is passed to Class.forName(String, boolean, ClassLoader) to dynamically load a class. If className is externally controlled, this allows arbitrary class loading (CWE-470). |
+| org.apache.axis2.description.java2wsdl | DefaultSchemaGenerator | generateSchema | sink | CWE-470 | 4 | The method loads classes via Class.forName using extra class names stored in the object state (set via setExtraClasses). If those class names are externally controlled, this enables arbitrary class loading (CWE-470). |
+| org.apache.axis2.description.java2wsdl | DefaultSchemaGenerator | generateSchema | sink | CWE-22 | 3 | The method calls loadCustomSchemaFile() and loadMappingFile(), which likely read files from paths stored in object state (customSchemaLocation and mappingFileLocation set via setters). If those paths are externally controlled, this enables path traversal (CWE-22). |
+| org.apache.axis2.description.java2wsdl | DocLitBareSchemaGenerator | DocLitBareSchemaGenerator | sink | CWE-470 | 5 | The constructor passes the `className` argument (arg 1) to the parent class DefaultSchemaGenerator, which calls `Class.forName(className, ..., loader)` to dynamically load the class. If `className` is attacker-controlled, arbitrary classes can be loaded, constituting an unsafe reflection vulnerability. |
+| org.apache.axis2.description.java2wsdl | Java2WSDLUtils | getPackageName | sink | CWE-470 | 5 | Argument 0 (className) is passed to Class.forName(String, boolean, ClassLoader) for dynamic class loading, which can allow an attacker to load arbitrary classes.
|
+| org.apache.axis2.description.java2wsdl | Java2WSDLUtils | namespaceFromClassName | sink | CWE-470 | 5 | Argument 0 (className) is passed to Class.forName(String, boolean, ClassLoader) for dynamic class loading, which can allow an attacker to load arbitrary classes. |
+| org.apache.axis2.description.java2wsdl | Java2WSDLUtils | namespaceFromClassName | sink | CWE-470 | 5 | Argument 0 (className) is delegated to the 3-arg namespaceFromClassName which calls Class.forName for dynamic class loading. |
+| org.apache.axis2.description.java2wsdl | Java2WSDLUtils | targetNamespaceFromClassName | sink | CWE-470 | 4 | Argument 0 (packageName) is passed to namespaceFromClassName which calls Class.forName for dynamic class loading. |
+| org.apache.axis2.description.java2wsdl | Java2WSDLUtils | schemaNamespaceFromClassName | sink | CWE-470 | 4 | Argument 0 (packageName) is delegated through to namespaceFromClassName which calls Class.forName for dynamic class loading. |
+| org.apache.axis2.description.java2wsdl | Java2WSDLUtils | schemaNamespaceFromClassName | sink | CWE-470 | 4 | Argument 0 (packageName) is delegated to namespaceFromClassName which calls Class.forName for dynamic class loading. |
+| org.apache.axis2.description | AxisService | loadDataLocator | sink | CWE-470 | 5 | Argument 0 (className) is used in Class.forName() followed by newInstance(), allowing arbitrary class instantiation via unsafe reflection. |
+| org.apache.axis2.description | AxisService | createService | sink | CWE-470 | 5 | Argument 0 (implClass) is used in Loader.loadClass() to dynamically load and instantiate a class, allowing unsafe reflection. |
+| org.apache.axis2.description | AxisService | createService | sink | CWE-470 | 4 | Argument 0 (implClass) is used to create a SchemaGenerator which loads the class, enabling unsafe reflection via dynamic class instantiation.
|
+| org.apache.axis2.description | AxisService | createClientSideAxisService | sink | CWE-918 | 5 | Argument 0 (wsdlURL) is used to open a network connection via URL.openConnection() and URLConnection.getInputStream(), enabling server-side request forgery. |
+| org.apache.axis2.description | AxisService | createClientSideAxisService | sink | CWE-611 | 4 | Argument 0 (wsdlURL) provides XML content that is fetched and parsed via XMLUtils.newDocument and WSDLReader.readWSDL. Attacker-controlled XML parsed with a potentially misconfigured parser could lead to XXE. |
+| org.apache.axis2.description | Flow | getHandler | sink | CWE-129 | 4 | Argument 0 (index) is used directly in a List.get(int) call without validation, which can lead to an IndexOutOfBoundsException if the index is attacker-controlled. |
+| org.apache.axis2.description | Parameter | readExternal | sink | CWE-502 | 5 | The method readExternal deserializes objects from the provided ObjectInput stream. It delegates to SafeObjectInputStream.readObject(), which performs Java deserialization. If the input stream contains untrusted data, this can lead to arbitrary code execution via deserialization gadget chains (CWE-502). Argument 0 (inObject) is the sink. |
+| org.apache.axis2.description | ParameterIncludeImpl | readExternal | sink | CWE-502 | 4 | readExternal deserializes data from the ObjectInput parameter (arg 0), using SafeObjectInputStream to call readMap, readInt, readLong. This is a deserialization sink where untrusted data from the stream is used to reconstruct object state. |
+| org.apache.axis2.description | WSDL11ToAllAxisServicesBuilder | WSDL11ToAllAxisServicesBuilder | sink | CWE-611 | 4 | Argument 0 is an InputStream containing WSDL XML data. This data is stored and later parsed as XML when populateAllServices() or populateService() is called, which can lead to XXE if the XML parser is not securely configured.
|
+| org.apache.axis2.description | WSDL11ToAllAxisServicesBuilder | populateAllServices | sink | CWE-611 | 4 | The object state (this) contains WSDL XML data (stored via the constructor). This method triggers XML parsing via setup() and populateService(), which can lead to XXE vulnerabilities if the underlying XML parser is not securely configured. |
+| org.apache.axis2.description | WSDL11ToAxisServiceBuilder | populateService | sink | CWE-611 | 4 | populateService() parses WSDL XML content from the InputStream stored in `this` (set by constructors). It calls setup(), processTypes(), getXMLSchema(), and generateWrapperSchema() — all XML processing operations. Parsing untrusted WSDL/XML without secure parser configuration can lead to XXE attacks. |
+| org.apache.axis2.description | WSDL11ToAxisServiceBuilder | populateService | sink | CWE-918 | 3 | populateService() processes WSDL which may contain import/include statements with external URLs. The WSDL content and document base URI are stored in `this`. During WSDL parsing and import resolution (via setup(), getParentDefinition(), Definition.getImports()), the server may fetch attacker-controlled URLs, leading to SSRF. |
+| org.apache.axis2.description | WSDLToAxisServiceBuilder | getXMLSchema | sink | CWE-918 | 4 | Argument 1 (baseUri) is passed to XmlSchemaCollection.setBaseUri() which controls where XML schemas are resolved from when XmlSchemaCollection.read() is subsequently called. An attacker-controlled baseUri could lead to server-side request forgery by causing the server to make requests to arbitrary URLs during schema resolution. |
+| org.apache.axis2.kernel | OutTransportInfo | setContentType | sink | CWE-113 | 4 | Argument 0 (contentType) is used to set the Content-Type HTTP response header. If user-controlled data containing CRLF characters is passed, it can lead to HTTP response splitting.
|
+| org.apache.axis2.kernel | SimpleAxis2Server | main | source | commandargs | 5 | The args parameter (index 0) receives command-line arguments, which are an external source of data entering the program. Callees confirm these are parsed via CommandLineOptionParser. |
+| org.apache.axis2.kernel | SimpleAxis2Server | SimpleAxis2Server | sink | CWE-22 | 4 | Arguments 0 (repoLocation) and 1 (confLocation) are file system paths passed directly to ConfigurationContextFactory.createConfigurationContextFromFileSystem, which accesses files/directories at the specified paths. Untrusted input could lead to path traversal. |
+| org.apache.axis2.kernel | TransportUtils | createDocumentElement | sink | CWE-611 | 5 | Argument 2 (inStream) is parsed as XML via Builder.processDocument, which can lead to XXE if the parser is not configured to disable external entity processing. |
+| org.apache.axis2.kernel | TransportUtils | createDocumentElement | sink | CWE-611 | 5 | Argument 3 (inStream) is parsed as XML via Builder.processDocument, which can lead to XXE if the parser is not configured to disable external entity processing. |
+| org.apache.axis2.kernel | TransportUtils | createSOAPMessage | sink | CWE-611 | 5 | Argument 1 (inStream) flows into createDocumentElement which parses XML via Builder.processDocument, potentially leading to XXE. |
+| org.apache.axis2.kernel | TransportUtils | createSOAPMessage | sink | CWE-611 | 5 | Argument 1 (inStream) flows into createDocumentElement which parses XML via Builder.processDocument, potentially leading to XXE. |
+| org.apache.axis2.kernel | TransportUtils | createSOAPMessage | sink | CWE-611 | 4 | Argument 0 (msgContext) carries an InputStream that is extracted and parsed as XML, which may lead to XXE. |
+| org.apache.axis2.kernel | TransportUtils | createSOAPMessage | sink | CWE-611 | 4 | Argument 0 (msgContext) carries an InputStream that is extracted and parsed as XML, potentially leading to XXE.
|
+| org.apache.axis2.util | CallbackReceiver | receive | source | remote | 4 | The receive() method is a framework callback (MessageReceiver) invoked by the Axis2 framework when a SOAP response message arrives from a remote service. The msgContext parameter (arg 0) carries data received from the network, including remote message contents, headers, etc. Callees confirm it dispatches to onMessage/onFault with this context. |
+| org.apache.axis2.util | FileWriter | createClassFile | sink | CWE-22 | 4 | Arguments 0-3 are used to construct a filesystem path: rootLocation is the base, packageName is split to create subdirectories, fileName and extension form the file name. No path traversal validation is performed, allowing an attacker to escape the intended directory via '..' sequences in packageName, fileName, or extension. |
+| org.apache.axis2.util | Loader | loadClass | sink | CWE-470 | 5 | Argument 0 specifies the class name to load dynamically via Class.forName() and ClassLoader.loadClass(). If attacker-controlled, this allows instantiation of arbitrary classes, leading to unsafe reflection. |
+| org.apache.axis2.util | Loader | loadClass | sink | CWE-470 | 5 | Argument 1 (clazz) specifies the class name to load dynamically via ClassLoader.loadClass() and falls back to the other loadClass(String) which uses Class.forName(). If attacker-controlled, this allows instantiation of arbitrary classes, leading to unsafe reflection. |
+| org.apache.axis2.util | LogWriter | write | sink | CWE-117 | 4 | Argument 0 (cbuf) is character data that gets appended to a buffer and then written to a Log instance via flushLineBuffer(). Unsanitized user input passed here can result in log injection (forged log entries via newline characters, etc.).
| +| org.apache.axis2.util | MessageContextBuilder | createFaultMessageContext | sink | CWE-209 | 4 | Argument 1 (Throwable e) is used to create a SOAP fault envelope via createFaultEnvelope(), which packages the exception's error message and stack trace information into a response message context that will be sent back to the client. This exposes potentially sensitive error details (server paths, SQL queries, internal class names) to remote users. | +| org.apache.axis2.util | MetaDataEntry | readExternal | sink | CWE-502 | 5 | The readExternal method deserializes objects from the ObjectInput stream (argument 0). Callees show it calls SafeObjectInputStream.readObject() and readArrayList(), which perform object deserialization. If the ObjectInput contains untrusted data, this can lead to arbitrary code execution via deserialization attacks. | +| org.apache.axis2.util | ObjectStateUtils | readObject | sink | CWE-502 | 5 | Argument 0 (ObjectInput) is deserialized via SafeObjectInputStream.readObject(), which performs Java object deserialization. Untrusted data in the stream could lead to arbitrary code execution. | +| org.apache.axis2.util | ObjectStateUtils | readLinkedList | sink | CWE-502 | 5 | Argument 0 (ObjectInput) is deserialized via SafeObjectInputStream.readLinkedList(). Untrusted data in the stream could lead to deserialization attacks. | +| org.apache.axis2.util | ObjectStateUtils | readArrayList | sink | CWE-502 | 5 | Argument 0 (ObjectInput) is deserialized via SafeObjectInputStream.readArrayList(). Untrusted data in the stream could lead to deserialization attacks. | +| org.apache.axis2.util | ObjectStateUtils | readHashMap | sink | CWE-502 | 5 | Argument 0 (ObjectInput) is deserialized via SafeObjectInputStream.readHashMap(). Untrusted data in the stream could lead to deserialization attacks. | +| org.apache.axis2.util | ObjectStateUtils | readString | sink | CWE-502 | 5 | Argument 0 (ObjectInput) is deserialized via SafeObjectInputStream.readObject(). 
Even though the method returns a String, the underlying deserialization uses readObject() which can trigger gadget chains on untrusted data. | +| org.apache.axis2.util | OnDemandLogger | info | sink | CWE-117 | 5 | Argument 0 is the log message passed to org.apache.commons.logging.Log.info(). Unsanitized user input in this argument can lead to log injection. | +| org.apache.axis2.util | OnDemandLogger | info | sink | CWE-117 | 5 | Argument 0 is the log message passed to org.apache.commons.logging.Log.info(). Unsanitized user input in this argument can lead to log injection. | +| org.apache.axis2.util | OnDemandLogger | debug | sink | CWE-117 | 4 | Argument 0 is the log message passed to the underlying logging framework. Unsanitized user input can lead to log injection. | +| org.apache.axis2.util | OnDemandLogger | debug | sink | CWE-117 | 4 | Argument 0 is the log message passed to the underlying logging framework. Unsanitized user input can lead to log injection. | +| org.apache.axis2.util | OnDemandLogger | error | sink | CWE-117 | 4 | Argument 0 is the log message passed to the underlying logging framework. Unsanitized user input can lead to log injection. | +| org.apache.axis2.util | OnDemandLogger | error | sink | CWE-117 | 4 | Argument 0 is the log message passed to the underlying logging framework. Unsanitized user input can lead to log injection. | +| org.apache.axis2.util | OnDemandLogger | trace | sink | CWE-117 | 4 | Argument 0 is the log message passed to the underlying logging framework. Unsanitized user input can lead to log injection. | +| org.apache.axis2.util | OnDemandLogger | trace | sink | CWE-117 | 4 | Argument 0 is the log message passed to the underlying logging framework. Unsanitized user input can lead to log injection. | +| org.apache.axis2.util | OnDemandLogger | warn | sink | CWE-117 | 5 | Argument 0 is the log message passed to org.apache.commons.logging.Log.warn(). Unsanitized user input can lead to log injection. 
| +| org.apache.axis2.util | OnDemandLogger | warn | sink | CWE-117 | 5 | Argument 0 is the log message passed to org.apache.commons.logging.Log.warn(). Unsanitized user input can lead to log injection. | +| org.apache.axis2.util | OnDemandLogger | fatal | sink | CWE-117 | 4 | Argument 0 is the log message passed to the underlying logging framework. Unsanitized user input can lead to log injection. | +| org.apache.axis2.util | OnDemandLogger | fatal | sink | CWE-117 | 4 | Argument 0 is the log message passed to the underlying logging framework. Unsanitized user input can lead to log injection. | +| org.apache.axis2.util | OptionsParser | getUser | source | commandargs | 4 | Returns the user value parsed from command-line arguments. Delegates to isValueSet() which extracts the value from the stored args array. | +| org.apache.axis2.util | OptionsParser | getPassword | source | commandargs | 4 | Returns the password value parsed from command-line arguments. Delegates to isValueSet() which extracts the value from the stored args array. | +| org.apache.axis2.util | OptionsParser | isValueSet | source | commandargs | 4 | Returns the value of a command-line option flag, parsed from the stored args array. This is direct access to command-line argument data. | +| org.apache.axis2.util | OptionsParser | getRemainingArgs | source | commandargs | 4 | Returns an array of non-option arguments from the command line. These are unused args that were not parsed as flags. | +| org.apache.axis2.util | OptionsParser | getRemainingFlags | source | commandargs | 3 | Returns a string of unprocessed command-line flags. These are derived from command-line arguments passed to the constructor. | +| org.apache.axis2.util | SecureWSDLLocator | getImportInputSource | sink | CWE-918 | 4 | Arguments 0 (parentLocation) and 1 (importLocation) are used together to resolve a URI via resolveURI(), then the resolved URI is fetched via createSecureInputSource(). 
An attacker controlling importLocation (e.g., from a malicious WSDL import statement) can cause the server to make requests to arbitrary URLs, enabling SSRF. | +| org.apache.axis2.util | SecureWSDLLocator | getBaseInputSource | sink | CWE-918 | 4 | The method uses the base URI stored in the object state (this) to fetch content via createSecureInputSource(). If the base URI was set from user-controlled input in the constructor, this enables SSRF by making the server fetch content from an attacker-controlled URL. | +| org.apache.axis2.util | Utils | getNewConfigurationContext | sink | CWE-22 | 4 | Argument 0 (repositry) is used as a filesystem path. Callees show it creates a File from this string and passes it to ConfigurationContextFactory.createConfigurationContextFromFileSystem, which reads from the filesystem based on this path. An attacker-controlled path could lead to path traversal. | +| org.apache.axis2.util | Utils | createServiceObject | sink | CWE-470 | 4 | Argument 0 (service) carries configuration parameters (SERVICE_CLASS, SERVICE_OBJECT_SUPPLIER) that are used to reflectively load and instantiate classes via Loader.loadClass. If the service configuration contains attacker-controlled class names, this allows instantiation of arbitrary classes. | +| org.apache.axis2.util | Utils | getServiceClass | sink | CWE-470 | 3 | Argument 0 (service) carries configuration parameters (SERVICE_CLASS, SERVICE_OBJECT_SUPPLIER) used to reflectively load a class. Documentation states the method loads a class based on these parameters, which could allow loading of arbitrary classes if configuration is attacker-controlled. | +| org.apache.axis2.util | WrappedDataHandler | getBean | sink | CWE-470 | 4 | Argument 0 (cmdinfo) determines which class is instantiated by DataHandler.getBean(). If the CommandInfo is attacker-controlled, arbitrary classes could be instantiated, leading to unsafe reflection. 
| +| org.apache.axis2.util | XMLPrettyPrinter | prettify | sink | CWE-22 | 4 | Argument 0 (File) is used to construct FileInputStream and FileOutputStream, reading from and writing to the specified file path. If the file path is attacker-controlled, this enables path traversal to read or modify arbitrary files. | +| org.apache.axis2.util | XMLPrettyPrinter | prettify | sink | CWE-611 | 4 | Argument 0 (File) provides XML content that is read and processed through javax.xml.transform.TransformerFactory without apparent DTD disabling configuration. This can lead to XXE attacks if the file contains malicious XML with external entity references. | +| org.apache.axis2.util | XMLUtils | newDocument | sink | CWE-918 | 4 | Argument 0 (uri) is used to fetch a remote or local resource and the fetched content is then parsed as XML via DocumentBuilder.parse(). This makes arg 0 a sink for SSRF. | +| org.apache.axis2.util | XMLUtils | newDocument | sink | CWE-611 | 4 | Argument 0 (uri) determines the XML content parsed by DocumentBuilder. If the URI is attacker-controlled, malicious XML with external entities could be parsed, leading to XXE. | +| org.apache.axis2.util | XMLUtils | newDocument | sink | CWE-611 | 5 | Argument 0 (inp) is an InputStream whose content is parsed as XML via DocumentBuilder.parse(). If the InputStream contains untrusted XML, this is an XXE sink. | +| org.apache.axis2.util | XMLUtils | newDocument | sink | CWE-918 | 4 | Argument 0 (uri) is used to fetch a remote or local resource. If the URI is attacker-controlled, this enables SSRF attacks. | +| org.apache.axis2.util | XMLUtils | newDocument | sink | CWE-611 | 4 | Argument 0 (uri) determines the XML content that gets parsed by DocumentBuilder. If the URI is attacker-controlled, malicious XML could exploit XXE. | +| org.apache.axis2.util | XMLUtils | newDocument | sink | CWE-611 | 5 | Argument 0 (inp) is the InputSource parsed by DocumentBuilder.parse(InputSource). 
If it contains untrusted XML, this is an XXE sink. | +| org.apache.axis2.util | XMLUtils | toOM | sink | CWE-611 | 4 | Argument 0 (inputStream) is parsed as XML via OMXMLBuilderFactory.createOMBuilder(). If the InputStream contains untrusted XML, XXE attacks are possible. | +| org.apache.axis2.util | XMLUtils | toOM | sink | CWE-611 | 4 | Argument 0 (reader) is parsed as XML via OMXMLBuilderFactory.createOMBuilder(). If the Reader provides untrusted XML, XXE attacks are possible. | +| org.apache.axis2.util | XMLUtils | toOM | sink | CWE-611 | 5 | Argument 0 (reader) is parsed as XML via OMXMLBuilderFactory.createOMBuilder(Reader). If the Reader provides untrusted XML, XXE attacks are possible. | +| org.apache.axis2.util | XMLUtils | toOM | sink | CWE-611 | 5 | Argument 0 (inputStream) is parsed as XML via OMXMLBuilderFactory.createOMBuilder(InputStream). If the InputStream contains untrusted XML, XXE attacks are possible. | +| org.apache.axis2.util | XMLUtils | getInputSourceFromURI | sink | CWE-918 | 4 | Argument 0 (uri) is used to fetch a resource. If the URI is attacker-controlled, this enables SSRF attacks. | +| org.apache.axis2.util | XMLUtils | initSAXFactory | sink | CWE-470 | 5 | Argument 0 (factoryClassName) is used to dynamically load and instantiate a class via Loader.loadClass() and Class.newInstance(). If attacker-controlled, this enables arbitrary class instantiation. | +| org.apache.axis2.builder | ApplicationXMLBuilder | processDocument | sink | CWE-611 | 4 | Argument 0 (inputStream) is parsed as XML via BuilderUtil.createPOXBuilder. If the XML parser is not configured to disable DTD/external entity processing, this leads to XXE vulnerabilities. | +| org.apache.axis2.builder | ApplicationXMLBuilder | processDocument | sink | CWE-776 | 4 | Argument 0 (inputStream) is parsed as XML via BuilderUtil.createPOXBuilder. Without proper entity expansion limits, this is vulnerable to XML entity expansion (billion laughs) denial-of-service attacks. 
| +| org.apache.axis2.builder | Builder | processDocument | sink | CWE-611 | 4 | Argument 0 is an InputStream containing raw XML/SOAP message data that will be parsed by an XML parser. If the parser is not safely configured, this can lead to XML External Entity (XXE) attacks. | +| org.apache.axis2.builder | Builder | processDocument | sink | CWE-776 | 4 | Argument 0 is an InputStream containing raw XML/SOAP message data that will be parsed. If the parser does not limit entity expansion, this can lead to XML Entity Expansion (billion laughs) denial-of-service attacks. | +| org.apache.axis2.builder | BuilderUtil | createSOAPModelBuilder | sink | CWE-611 | 4 | Argument 0 (InputStream) contains SOAP XML data that is parsed by delegating to OMXMLBuilderFactory.createSOAPModelBuilder. Unlike createPOXBuilder, the documentation does not mention any DTD/XXE protections, making the input stream a sink for XXE attacks. | +| org.apache.axis2.builder | DataSourceBuilder$ByteArrayDataSourceEx | getReader | sink | CWE-611 | 3 | The getReader() method creates an XMLStreamReader from the internal byte array stored in the object. XMLStreamReader is explicitly identified as a vulnerable XML parser type for XXE attacks. The byte array data (from `this`) is the untrusted input being parsed as XML. | +| org.apache.axis2.builder | DiskFileDataSource | getInputStream | source | remote | 3 | Returns an InputStream reading the content of an uploaded file (DiskFileItem). The file content originates from a remote HTTP multipart upload and is user-controlled. | +| org.apache.axis2.builder | DiskFileDataSource | getContentType | source | remote | 3 | Returns the content type of an uploaded file (DiskFileItem). The content type is user-controlled, supplied via the HTTP multipart Content-Type header. | +| org.apache.axis2.builder | DiskFileDataSource | getName | source | remote | 3 | Returns the name/filename of an uploaded file (DiskFileItem). 
The filename is user-controlled, originating from the HTTP multipart Content-Disposition header, and can lead to path traversal vulnerabilities if used unsanitized. | +| org.apache.axis2.builder | MIMEBuilder | processDocument | sink | CWE-611 | 4 | Argument 0 (inputStream) provides raw message content that is parsed as MIME and then delegated to XML/SOAP processing via Builder.processDocument or MIMEAwareBuilder.processMIMEMessage. This XML parsing can be vulnerable to XXE if the underlying parser is not securely configured. | +| org.apache.axis2.builder | MTOMBuilder | processDocument | sink | CWE-611 | 4 | Argument 0 (inputStream) contains raw XML/SOAP message content that is parsed by the method. Parsing untrusted XML without proper configuration can lead to XXE attacks. | +| org.apache.axis2.builder | MTOMBuilder | processMIMEMessage | sink | CWE-611 | 5 | Argument 0 (attachments) is a MIME message whose content is parsed as XML/SOAP via OMXMLBuilderFactory.createSOAPModelBuilder. Parsing untrusted XML without proper configuration can lead to XXE attacks. | +| org.apache.axis2.builder | MultipartFormDataBuilder | processDocument | source | remote | 4 | The method processes multipart form data from an HTTP request (via HttpServletRequest obtained from MessageContext) and returns an OMElement containing the parsed request data. The return value originates from remote user input. | +| org.apache.axis2.builder | SOAPBuilder | processDocument | sink | CWE-611 | 4 | Argument 0 (inputStream) is parsed as SOAP/XML via OMXMLBuilderFactory.createSOAPModelBuilder(InputStream, String). Parsing untrusted XML without disabling external entities can lead to XXE attacks. | +| org.apache.axis2.builder | SOAPBuilder | processMIMEMessage | sink | CWE-611 | 4 | Argument 0 (attachments) contains MIME data whose root part is extracted and parsed as SOAP/XML via delegation to processDocument. Parsing untrusted XML without disabling external entities can lead to XXE attacks. 
| +| org.apache.axis2.builder | XFormURLEncodedBuilder | processDocument | source | remote | 4 | This is an Apache Axis2 Builder interface method that processes HTTP request body data (x-www-form-urlencoded). It reads from the InputStream (HTTP request body), extracts form parameters, and returns an OMElement containing the parsed remote user input. | +| org.apache.axis2.engine | AxisConfiguration | deployModule | sink | CWE-22 | 4 | Argument 0 (moduleFileName) is used as a file path — the method calls File.exists() with this value and then DeploymentFileData.deploy() to deploy a module from the specified file. An attacker controlling this filename could traverse the filesystem to deploy modules from arbitrary locations. | +| org.apache.axis2.engine | AxisEngine | send | sink | CWE-918 | 4 | The send() method sends an outbound SOAP message over the network. It calls TransportOutDescription.getSender() and Handler.invoke(MessageContext) to transmit the message. The MessageContext (arg 0) determines the remote endpoint URL, making this a potential SSRF sink. | +| org.apache.axis2.engine | AxisEngine | sendFault | sink | CWE-918 | 4 | The sendFault() method sends a SOAP fault message to another SOAP node. It calls TransportOutDescription.getSender() and Handler.invoke(MessageContext) to transmit the message. The MessageContext (arg 0) determines the remote endpoint URL, making this a potential SSRF sink. | +| org.apache.axis2.engine | AxisEngine | resumeSend | sink | CWE-918 | 4 | The resumeSend() method resumes the send path and calls the TransportSender. It calls TransportOutDescription.getSender() and Handler.invoke(MessageContext). The MessageContext (arg 0) determines the remote endpoint URL, making this a potential SSRF sink. | +| org.apache.axis2.engine | AxisEngine | resumeSendFault | sink | CWE-918 | 4 | The resumeSendFault() method resumes the outbound fault flow. It calls TransportOutDescription.getSender() and Handler.invoke(MessageContext). 
The MessageContext (arg 0) determines the remote endpoint URL, making this a potential SSRF sink. | +| org.apache.axis2.engine | AxisEngine | resume | sink | CWE-918 | 4 | The resume() method delegates to resumeSend(MessageContext) when the flow is outbound, which sends a network request. The MessageContext (arg 0) determines the remote endpoint URL, making this a potential SSRF sink. | +| org.apache.axis2.engine | AxisServer | deployService | sink | CWE-470 | 5 | Argument 0 (serviceClassName) is a class name string passed to AxisService.createService which loads/instantiates the class reflectively. If attacker-controlled, this allows arbitrary class loading and instantiation (CWE-470: Use of Externally-Controlled Input to Select Classes or Code). | +| org.apache.axis2.engine | DefaultObjectSupplier | getObject | sink | CWE-470 | 5 | Argument 0 (clazz) is used to instantiate an object via Class.newInstance() and Constructor.newInstance(). If the Class parameter is derived from externally-controlled input, an attacker can instantiate arbitrary classes, leading to unsafe reflection / class instantiation vulnerabilities. | +| org.apache.axis2.engine | DependencyManager | makeNewServiceObject | sink | CWE-470 | 4 | Argument 0 (AxisService) contains configuration (e.g., class name) that is used by Utils.createServiceObject to instantiate a class. If the AxisService is influenced by attacker-controlled data, arbitrary classes could be instantiated. | +| org.apache.axis2.engine | DependencyManager | initService | sink | CWE-470 | 4 | Argument 0 (ServiceGroupContext) provides services whose class names are loaded via Loader.loadClass and instantiated via makeNewServiceObject. If the ServiceGroupContext is influenced by attacker-controlled data, arbitrary classes could be loaded and instantiated. | +| org.apache.axis2.engine | Handler | invoke | source | remote | 4 | The invoke() method is a framework callback in Apache Axis2's handler chain. 
It is called by the Axis2 engine when processing incoming SOAP/HTTP messages. The MessageContext parameter (argument 0) contains data from a remote client request, making it a source of remote data, analogous to HttpServlet.doGet/doPost. | +| org.apache.axis2.engine | Handler | flowComplete | source | remote | 4 | The flowComplete() method is a post-processing framework callback in Axis2's handler chain, called after message processing completes. The MessageContext parameter (argument 0) contains data from a remote client request, making it a source of remote data. | +| org.apache.axis2.engine | MessageReceiver | receive | source | remote | 4 | MessageReceiver.receive() is a framework callback invoked by the Apache Axis2 engine when a SOAP/HTTP message arrives over the network. The MessageContext parameter (argument 0) carries the incoming remote request data into the application, making it a source of remote data. | +| org.apache.axis2.engine | ObjectSupplier | getObject | sink | CWE-470 | 4 | Argument 0 (clazz) determines which class gets instantiated and returned. If attacker-controlled, this allows arbitrary class instantiation. The documentation confirms this method is used during deserialization to provide implementation classes for interfaces. | + +## Ignored (low certainty) (2) + +| Package | Class | Method | Type | Kind | Certainty | Reason | Why Ignored | +|---------|-------|--------|------|------|-----------|--------|-------------| +| org.apache.axis2.dataretrieval.client | MexClient | MexClient | sink | CWE-918 | 2 | Argument 1 (wsdlURL) specifies a URL from which the MexClient (Metadata Exchange client) fetches a WSDL, potentially initiating a server-side HTTP request. This can lead to SSRF if the URL is attacker-controlled. 
| No callees were found so I cannot confirm the constructor fetches the WSDL at construction time, but this matches the well-known Axis2 ServiceClient(configContext, wsdlURL, serviceName, portName) pattern which fetches the WSDL during initialization. Certainty is 2 because there's no direct tool evidence confirming the network call. | +| org.apache.axis2.description.java2wsdl | SchemaGenerator | generateSchema | sink | CWE-22 | 2 | generateSchema() uses stored file paths (mappingFileLocation, customSchemaLocation) from object state to read files during schema generation, which could lead to path traversal if the paths are user-controlled. | Based on naming conventions (mappingFileLocation, customSchemaLocation stored in object state) and domain knowledge of Apache Axis2's java2wsdl schema generation. No callee evidence available to confirm file I/O operations. | + diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-http/org.apache.axis2.transport.http.impl.httpclient5.model.yml b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-http/org.apache.axis2.transport.http.impl.httpclient5.model.yml new file mode 100644 index 000000000000..d4aeed441d99 --- /dev/null +++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-http/org.apache.axis2.transport.http.impl.httpclient5.model.yml @@ -0,0 +1,8 @@ +# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT. +# Generated from https://github.com/apache/axis-axis2-java-core.git#b7e6711279d38b7f0db3e648888de5154729e9a8 by codeql-mads-via-llm +extensions: + - addsTo: + pack: codeql/java-all + extensible: sinkModel + data: + - ["org.apache.axis2.transport.http.impl.httpclient5", "HTTPSenderImpl", True, "createRequest", "(MessageContext,String,URL,AxisRequestEntity)", "", "Argument[2]", "request-forgery", "ai-generated"] 
diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-http/org.apache.axis2.transport.http.model.yml b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-http/org.apache.axis2.transport.http.model.yml
new file mode 100644
index 000000000000..8de739c75676
--- /dev/null
+++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-http/org.apache.axis2.transport.http.model.yml
@@ -0,0 +1,42 @@
+# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT.
+# Generated from https://github.com/apache/axis-axis2-java-core.git#b7e6711279d38b7f0db3e648888de5154729e9a8 by codeql-mads-via-llm
+extensions:
+ - addsTo:
+ pack: codeql/java-all
+ extensible: sinkModel
+ data:
+ - ["org.apache.axis2.transport.http", "AbstractAgent", True, "renderView", "(String,HttpServletRequest,HttpServletResponse)", "", "Argument[0]", "path-injection", "ai-generated"]
+ #- ["org.apache.axis2.transport.http", "AbstractAgent", True, "renderView", "(String,HttpServletRequest,HttpServletResponse)", "", "Argument[0]", "path-injection", "ai-generated"] # INVALID: Duplicate entry
+ - ["org.apache.axis2.transport.http", "AbstractHTTPTransportSender", True, "invoke", "(MessageContext)", "", "Argument[0]", "request-forgery", "ai-generated"]
+ - ["org.apache.axis2.transport.http", "HTTPSender", True, "send", "(MessageContext,URL,String)", "", "Argument[1]", "request-forgery", "ai-generated"]
+ #- ["org.apache.axis2.transport.http", "Request", True, "addHeader", "(String,String)", "", "Argument[0..1]", "response-splitting", "ai-generated"] # INVALID: Outbound request header setter, not response splitting
+ #- ["org.apache.axis2.transport.http", "Request", True, "setHeader", "(String,String)", "", "Argument[0..1]", "response-splitting", "ai-generated"] # INVALID: Outbound request header setter, not response splitting
+ - ["org.apache.axis2.transport.http", "ServletBasedOutTransportInfo", True, "addHeader", "(String,String)", "", "Argument[0..1]", "response-splitting", "ai-generated"]
+ - ["org.apache.axis2.transport.http", "ServletBasedOutTransportInfo", True, "setContentType", "(String)", "", "Argument[0]", "response-splitting", "ai-generated"]
+ - addsTo:
+ pack: codeql/java-all
+ extensible: sourceModel
+ data:
+ - ["org.apache.axis2.transport.http", "AxisServlet", True, "createMessageContext", "(HttpServletRequest,HttpServletResponse)", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http", "AxisServlet", True, "createMessageContext", "(HttpServletRequest,HttpServletResponse,boolean)", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http", "AxisServlet", True, "getTransportHeaders", "(HttpServletRequest)", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http", "CommonsTransportHeaders", True, "entrySet", "()", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http", "CommonsTransportHeaders", True, "get", "(Object)", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http", "CommonsTransportHeaders", True, "keySet", "()", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http", "CommonsTransportHeaders", True, "remove", "(Object)", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http", "CommonsTransportHeaders", True, "values", "()", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http", "HTTPWorker", True, "getHost", "(AxisHttpRequest)", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http", "HTTPWorker", True, "service", "(AxisHttpRequest,AxisHttpResponse,MessageContext)", "", "Argument[0]", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http", "ListingAgent", True, "getParamtereIgnoreCase", "(HttpServletRequest,String)", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http", "Request", True, "getCookies", "()", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http", "Request", True, "getResponseContent", "()", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http", "Request", True, "getResponseContentEncoding", "()", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http", "Request", True, "getResponseHeader", "(String)", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http", "Request", True, "getResponseHeaders", "()", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http", "Request", True, "getStatusText", "()", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http", "SimpleHTTPServer", True, "main", "(String[])", "", "Argument[0]", "commandargs", "ai-generated"]
+ - ["org.apache.axis2.transport.http", "TransportHeaders", True, "entrySet", "()", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http", "TransportHeaders", True, "get", "(Object)", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http", "TransportHeaders", True, "keySet", "()", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http", "TransportHeaders", True, "remove", "(Object)", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http", "TransportHeaders", True, "values", "()", "", "ReturnValue", "remote", "ai-generated"]
diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-http/org.apache.axis2.transport.http.server.model.yml b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-http/org.apache.axis2.transport.http.server.model.yml
new file mode 100644
index 000000000000..860eaddbfb04
--- /dev/null
+++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-http/org.apache.axis2.transport.http.server.model.yml
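Review bot: The `AbstractHTTPTransportSender.invoke(MessageContext)` sink row in the sinkModel block marks the whole `Argument[0]` as `request-forgery`, while the sourceModel block of the same hunk marks `AxisServlet.createMessageContext(...)` ReturnValue and `HTTPWorker.service(...)` Argument[0] as `remote` sources of MessageContext-typed values. Because the sink is the entire context object rather than the endpoint it carries, any inbound-derived context that reaches the transport sender will likely be reported as SSRF even when the target URL (extracted via `getTo()`, per the transport-http report) was never influenced; the `HTTPSender.send(MessageContext,URL,String)` row with `Argument[1]` in the same block is already the precise URL-level sink. Consider commenting the invoke row out in the style the file already uses for rejected rows, e.g. `#- ["org.apache.axis2.transport.http", "AbstractHTTPTransportSender", True, "invoke", "(MessageContext)", "", "Argument[0]", "request-forgery", "ai-generated"] # INVALID: whole-context sink; URL precision is provided by HTTPSender.send Argument[1]`, or narrowing it if a field-level access path is supported.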
@@ -0,0 +1,43 @@
+# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT.
+# Generated from https://github.com/apache/axis-axis2-java-core.git#b7e6711279d38b7f0db3e648888de5154729e9a8 by codeql-mads-via-llm
+extensions:
+ - addsTo:
+ pack: codeql/java-all
+ extensible: sinkModel
+ data:
+ - ["org.apache.axis2.transport.http.server", "AxisHttpResponse", True, "sendError", "(int,String)", "", "Argument[1]", "response-splitting", "ai-generated"]
+ - ["org.apache.axis2.transport.http.server", "AxisHttpResponse", True, "setContentType", "(String)", "", "Argument[0]", "response-splitting", "ai-generated"]
+ - ["org.apache.axis2.transport.http.server", "AxisHttpResponseImpl", True, "addHeader", "(Header)", "", "Argument[0]", "response-splitting", "ai-generated"]
+ - ["org.apache.axis2.transport.http.server", "AxisHttpResponseImpl", True, "addHeader", "(String,Object)", "", "Argument[0..1]", "response-splitting", "ai-generated"]
+ - ["org.apache.axis2.transport.http.server", "AxisHttpResponseImpl", True, "sendError", "(int,String)", "", "Argument[1]", "response-splitting", "ai-generated"]
+ - ["org.apache.axis2.transport.http.server", "AxisHttpResponseImpl", True, "setHeader", "(Header)", "", "Argument[0]", "response-splitting", "ai-generated"]
+ - ["org.apache.axis2.transport.http.server", "AxisHttpResponseImpl", True, "setHeader", "(String,Object)", "", "Argument[0..1]", "response-splitting", "ai-generated"]
+ - ["org.apache.axis2.transport.http.server", "AxisHttpResponseImpl", True, "setHeaders", "(Header[])", "", "Argument[0]", "response-splitting", "ai-generated"]
+ - ["org.apache.axis2.transport.http.server", "DefaultConnectionListenerFailureHandler", True, "failed", "(IOProcessor,Throwable)", "", "Argument[1]", "log-injection", "ai-generated"]
+ - ["org.apache.axis2.transport.http.server", "DefaultConnectionListenerFailureHandler", True, "notifyAbnormalTermination", "(IOProcessor,String,Throwable)", "", "Argument[1..2]", "log-injection", "ai-generated"]
+ - ["org.apache.axis2.transport.http.server", "ResponseSessionCookie", True, "process", "(HttpResponse,EntityDetails,HttpContext)", "", "Argument[2]", "response-splitting", "ai-generated"]
+ - addsTo:
+ pack: codeql/java-all
+ extensible: sourceModel
+ data:
+ - ["org.apache.axis2.transport.http.server", "AxisHttpConnection", True, "getInputStream", "()", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http.server", "AxisHttpConnection", True, "receiveRequest", "()", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http.server", "AxisHttpConnectionImpl", True, "receiveRequest", "()", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http.server", "AxisHttpRequest", True, "getContentType", "()", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http.server", "AxisHttpRequest", True, "getInputStream", "()", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http.server", "AxisHttpRequest", True, "getMethod", "()", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http.server", "AxisHttpRequest", True, "getRequestURI", "()", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http.server", "AxisHttpRequestImpl", True, "getAllHeaders", "()", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http.server", "AxisHttpRequestImpl", True, "getContentType", "()", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http.server", "AxisHttpRequestImpl", True, "getFirstHeader", "(String)", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http.server", "AxisHttpRequestImpl", True, "getHeader", "(String)", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http.server", "AxisHttpRequestImpl", True, "getHeaders", "()", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http.server", "AxisHttpRequestImpl", True, "getHeaders", "(String)", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http.server", "AxisHttpRequestImpl", True, "getInputStream", "()", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http.server", "AxisHttpRequestImpl", True, "getLastHeader", "(String)", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http.server", "AxisHttpRequestImpl", True, "getMethod", "()", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http.server", "AxisHttpRequestImpl", True, "getRequestURI", "()", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http.server", "AxisHttpRequestImpl", True, "headerIterator", "()", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http.server", "AxisHttpRequestImpl", True, "headerIterator", "(String)", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http.server", "HttpUtils", True, "getSoapAction", "(AxisHttpRequest)", "", "ReturnValue", "remote", "ai-generated"]
+ - ["org.apache.axis2.transport.http.server", "Worker", True, "service", "(AxisHttpRequest,AxisHttpResponse,MessageContext)", "", "Argument[0]", "remote", "ai-generated"]
diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-http/report.md b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-http/report.md
new file mode 100644
index 000000000000..ba742b84064f
--- /dev/null
+++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-http/report.md
@@ -0,0 +1,84 @@ +# MaD Generation Report + +## Included (71) + +| Package | Class | Method | Type | Kind | Certainty | Reason | +|---------|-------|--------|------|------|-----------|--------| +| org.apache.axis2.transport.http.util | RESTUtil | processXMLRequest | sink | CWE-611 | 4 | Argument 1 (InputStream in) is parsed as XML via TransportUtils.createSOAPMessage, which can lead to XXE if the underlying XML parser is not safely configured (e.g., DTD parsing enabled). | +| org.apache.axis2.transport.http.util | RESTUtil | processXMLRequest | sink | CWE-611 | 4 | Argument 1 (InputStream in) is parsed as XML via TransportUtils.createSOAPMessage, which can lead to XXE if the underlying XML parser is not safely configured (e.g., DTD parsing enabled). | +| org.apache.axis2.transport.http.impl.httpclient5 | HTTPSenderImpl | createRequest | sink | CWE-918 | 4 | Argument 2 (url) is used to form the target of an HTTP request (confirmed by callee URL.toURI()). If user-controlled, this can lead to Server-Side Request Forgery (SSRF). | +| org.apache.axis2.transport.http | AbstractAgent | renderView | sink | CWE-22 | 5 | Argument 0 (jspName) is passed to getRequestDispatcher(String) and then included via RequestDispatcher.include(), allowing an attacker to control which server-side resource is included, leading to path traversal. | +| org.apache.axis2.transport.http | AbstractAgent | renderView | sink | CWE-73 | 5 | Argument 0 (jspName) externally controls which file/resource is dispatched via getRequestDispatcher(String).include(), allowing external control of file name or path. | +| org.apache.axis2.transport.http | AbstractHTTPTransportSender | invoke | sink | CWE-918 | 4 | The invoke method extracts the target endpoint from msgContext via getTo() and sends an HTTP request to it via writeMessageWithCommons. If the endpoint URL in the MessageContext is attacker-controlled, this can lead to SSRF. 
| +| org.apache.axis2.transport.http | AxisServlet | getTransportHeaders | source | remote | 4 | The method reads HTTP transport headers from an HttpServletRequest (via methods like getHeader/getHeaderNames which are outside this library) and returns them as a Map. The return value contains user-controlled remote data (HTTP headers). | +| org.apache.axis2.transport.http | AxisServlet | createMessageContext | source | remote | 4 | The method creates and returns a MessageContext populated with remote data extracted from HttpServletRequest (query strings, request URIs, URLs, remote address, transport headers). The return value contains user-controlled remote data. | +| org.apache.axis2.transport.http | AxisServlet | createMessageContext | source | remote | 5 | The method directly reads remote data from HttpServletRequest (query strings, request URIs, URLs, remote addresses, transport headers) and populates the returned MessageContext with this data. The return value contains user-controlled remote data. | +| org.apache.axis2.transport.http | CommonsTransportHeaders | get | source | remote | 4 | Returns an HTTP header value by key. HTTP headers are user-controlled remote data from incoming HTTP requests in Apache Axis2's transport layer. | +| org.apache.axis2.transport.http | CommonsTransportHeaders | values | source | remote | 4 | Returns all HTTP header values. HTTP headers are user-controlled remote data from incoming HTTP requests. | +| org.apache.axis2.transport.http | CommonsTransportHeaders | entrySet | source | remote | 4 | Returns all HTTP header entries (key-value pairs). HTTP headers are user-controlled remote data from incoming HTTP requests. | +| org.apache.axis2.transport.http | CommonsTransportHeaders | keySet | source | remote | 4 | Returns all HTTP header keys. HTTP header names are user-controlled remote data from incoming HTTP requests. 
| +| org.apache.axis2.transport.http | CommonsTransportHeaders | remove | source | remote | 3 | Returns the removed HTTP header value. HTTP headers are user-controlled remote data from incoming HTTP requests. | +| org.apache.axis2.transport.http | HTTPSender | send | sink | CWE-918 | 5 | The URL argument (arg 1) is used to create and execute an HTTP request (via createRequest followed by Request.execute()). If an attacker controls this URL, it can lead to Server-Side Request Forgery. | +| org.apache.axis2.transport.http | HTTPTransportReceiver | printServiceHTML | sink | CWE-79 | 4 | Argument 0 (serviceName) is used to generate HTML output (the method returns an HTML string). The service name is likely embedded in the returned HTML without proper escaping, which can lead to reflected XSS if the serviceName originates from user input (e.g., an HTTP request parameter). | +| org.apache.axis2.transport.http | HTTPTransportUtils | processHTTPPostRequest | sink | CWE-611 | 4 | Argument 1 (InputStream `in`) is parsed as XML/SOAP via TransportUtils.createSOAPMessage. If the underlying XML parser is not configured to disable external entities, this leads to XXE attacks. | +| org.apache.axis2.transport.http | HTTPTransportUtils | processHTTPPostRequest | sink | CWE-611 | 4 | Argument 1 (InputStream `in`) is parsed as XML/SOAP via TransportUtils.createSOAPMessage. If the underlying XML parser is not configured to disable external entities, this leads to XXE attacks. | +| org.apache.axis2.transport.http | HTTPWorker | service | source | remote | 4 | The `request` parameter (arg 0) is an HTTP request object provided by the framework, carrying remote client data into the application. This is a framework entry point analogous to HttpServlet.doGet(HttpServletRequest, ...). | +| org.apache.axis2.transport.http | HTTPWorker | getHost | source | remote | 4 | The return value is derived from the HTTP Host header of a remote request, extracted via getFirstHeader/getValue. 
This is attacker-controllable remote data. | +| org.apache.axis2.transport.http | ListingAgent | getParamtereIgnoreCase | source | remote | 5 | This method reads HTTP request parameters by calling ServletRequest.getParameter() and iterating through getParameterNames() to perform case-insensitive parameter lookup. The return value is user-controlled input from an HTTP request. | +| org.apache.axis2.transport.http | Request | getResponseContent | source | remote | 4 | Returns the HTTP response body as an InputStream. This data comes from a remote HTTP server and could contain attacker-controlled content. | +| org.apache.axis2.transport.http | Request | getResponseHeaders | source | remote | 4 | Returns all HTTP response headers. These come from a remote HTTP server and could contain attacker-controlled content. | +| org.apache.axis2.transport.http | Request | getResponseHeader | source | remote | 4 | Returns the value of a specific HTTP response header. This data comes from a remote HTTP server and could contain attacker-controlled content. | +| org.apache.axis2.transport.http | Request | getStatusText | source | remote | 4 | Returns the HTTP response status text. This data comes from a remote HTTP server and could contain attacker-controlled content. | +| org.apache.axis2.transport.http | Request | getResponseContentEncoding | source | remote | 4 | Returns the content encoding of the HTTP response. This data comes from a remote HTTP server and could contain attacker-controlled content. | +| org.apache.axis2.transport.http | Request | getCookies | source | remote | 3 | Returns cookies which may come from a remote HTTP server's Set-Cookie response headers, making them attacker-controllable. | +| org.apache.axis2.transport.http | Request | addHeader | sink | CWE-113 | 4 | Arguments 0 (name) and 1 (value) are written directly to an HTTP request header. If attacker-controlled input is used, it can lead to HTTP request splitting. 
| +| org.apache.axis2.transport.http | Request | setHeader | sink | CWE-113 | 4 | Arguments 0 (name) and 1 (value) are written directly to an HTTP request header. If attacker-controlled input is used, it can lead to HTTP request splitting. | +| org.apache.axis2.transport.http | ServletBasedOutTransportInfo | setContentType | sink | CWE-113 | 5 | Argument 0 (contentType) is passed directly to jakarta.servlet.ServletResponse.setContentType, writing it into the HTTP response Content-Type header. Attacker-controlled data here can cause HTTP response splitting / header injection. | +| org.apache.axis2.transport.http | ServletBasedOutTransportInfo | addHeader | sink | CWE-113 | 5 | Arguments 0 (headerName) and 1 (headerValue) are passed directly to jakarta.servlet.http.HttpServletResponse.addHeader, writing them into the HTTP response headers. Attacker-controlled data in either argument can cause HTTP response splitting / header injection. | +| org.apache.axis2.transport.http | SimpleHTTPServer | main | source | commandargs | 5 | The args parameter of main() receives command-line arguments from outside the program, making it a source of user-controlled input. Callees show these args are used to construct file system paths (createConfigurationContextFromFileSystem), parse integers, etc. | +| org.apache.axis2.transport.http | TransportHeaders | get | source | remote | 5 | The return value is an HTTP header value read from HttpServletRequest.getHeader(), which is remote user-controlled input. | +| org.apache.axis2.transport.http | TransportHeaders | values | source | remote | 5 | Returns all HTTP header values from the wrapped HttpServletRequest, which are remote user-controlled input. | +| org.apache.axis2.transport.http | TransportHeaders | entrySet | source | remote | 5 | Returns all HTTP header key-value entries from the wrapped HttpServletRequest, which are remote user-controlled input. 
| +| org.apache.axis2.transport.http | TransportHeaders | keySet | source | remote | 5 | Returns all HTTP header names from the wrapped HttpServletRequest, which are remote user-controlled input. | +| org.apache.axis2.transport.http | TransportHeaders | remove | source | remote | 5 | Returns the removed HTTP header value from the wrapped HttpServletRequest, which is remote user-controlled input. | +| org.apache.axis2.transport.http.server | AxisHttpConnection | getInputStream | source | remote | 4 | Returns an InputStream that reads data from a remote HTTP client connection. The data originates from outside the program boundary (a remote network client). | +| org.apache.axis2.transport.http.server | AxisHttpConnection | receiveRequest | source | remote | 4 | Returns a ClassicHttpRequest parsed from the remote HTTP client connection. The entire request object (URL, headers, body) originates from a remote client and is attacker-controllable. | +| org.apache.axis2.transport.http.server | AxisHttpConnectionImpl | receiveRequest | source | remote | 5 | receiveRequest() reads an HTTP request from the underlying socket connection by parsing the request line (method, URI), headers, and body from the socket's input stream. The returned ClassicHttpRequest contains attacker-controlled remote data. | +| org.apache.axis2.transport.http.server | AxisHttpRequest | getInputStream | source | remote | 4 | Returns the input stream of an incoming HTTP request body, which contains data sent by a remote client. | +| org.apache.axis2.transport.http.server | AxisHttpRequest | getContentType | source | remote | 4 | Returns the Content-Type header from an incoming HTTP request, which is controlled by the remote client. | +| org.apache.axis2.transport.http.server | AxisHttpRequest | getRequestURI | source | remote | 5 | Returns the request URI from an incoming HTTP request, which is fully controlled by the remote client and is a classic source of user-controlled input. 
| +| org.apache.axis2.transport.http.server | AxisHttpRequest | getMethod | source | remote | 3 | Returns the HTTP method from an incoming HTTP request, which is specified by the remote client. | +| org.apache.axis2.transport.http.server | AxisHttpRequestImpl | getInputStream | source | remote | 5 | Returns the input stream of the HTTP request body from the remote client, delegating to AxisHttpConnection.getInputStream(). | +| org.apache.axis2.transport.http.server | AxisHttpRequestImpl | getRequestURI | source | remote | 5 | Returns the request URI from a remote HTTP request, delegating to HttpRequest.getRequestUri(). | +| org.apache.axis2.transport.http.server | AxisHttpRequestImpl | getContentType | source | remote | 5 | Returns the Content-Type header value from the remote HTTP request. | +| org.apache.axis2.transport.http.server | AxisHttpRequestImpl | getMethod | source | remote | 5 | Returns the HTTP method from the remote HTTP request. | +| org.apache.axis2.transport.http.server | AxisHttpRequestImpl | getHeaders | source | remote | 5 | Returns all HTTP headers from the remote HTTP request. | +| org.apache.axis2.transport.http.server | AxisHttpRequestImpl | getHeaders | source | remote | 5 | Returns HTTP headers matching a given name from the remote HTTP request. | +| org.apache.axis2.transport.http.server | AxisHttpRequestImpl | getHeader | source | remote | 5 | Returns an HTTP header by name from the remote HTTP request. | +| org.apache.axis2.transport.http.server | AxisHttpRequestImpl | getFirstHeader | source | remote | 5 | Returns the first HTTP header with the given name from the remote HTTP request. | +| org.apache.axis2.transport.http.server | AxisHttpRequestImpl | getLastHeader | source | remote | 5 | Returns the last HTTP header with the given name from the remote HTTP request. | +| org.apache.axis2.transport.http.server | AxisHttpRequestImpl | getAllHeaders | source | remote | 5 | Returns all HTTP headers from the remote HTTP request. 
| +| org.apache.axis2.transport.http.server | AxisHttpRequestImpl | headerIterator | source | remote | 5 | Returns an iterator over all HTTP headers from the remote HTTP request. | +| org.apache.axis2.transport.http.server | AxisHttpRequestImpl | headerIterator | source | remote | 5 | Returns an iterator over HTTP headers matching a given name from the remote HTTP request. | +| org.apache.axis2.transport.http.server | AxisHttpResponse | setContentType | sink | CWE-113 | 4 | Argument 0 (contentType) is written directly as the Content-Type HTTP response header value. If user-controlled, CRLF characters could cause HTTP response splitting. | +| org.apache.axis2.transport.http.server | AxisHttpResponse | sendError | sink | CWE-79 | 4 | Argument 1 (msg) is included in the HTTP error response body. If user-controlled, unsanitized content could lead to cross-site scripting. | +| org.apache.axis2.transport.http.server | AxisHttpResponse | sendError | sink | CWE-113 | 3 | Argument 1 (msg) may be included in HTTP response headers (e.g., as a status reason phrase). If user-controlled, CRLF characters could cause HTTP response splitting. | +| org.apache.axis2.transport.http.server | AxisHttpResponseImpl | addHeader | sink | CWE-113 | 5 | Arguments 0 (name) and 1 (value) are directly passed to HttpMessage.addHeader(String, Object), setting an HTTP response header. Tainted data in either could lead to HTTP response splitting. | +| org.apache.axis2.transport.http.server | AxisHttpResponseImpl | addHeader | sink | CWE-113 | 5 | Argument 0 (Header object) is directly passed to HttpMessage.addHeader(Header), setting an HTTP response header. Tainted data in the Header object could lead to HTTP response splitting. | +| org.apache.axis2.transport.http.server | AxisHttpResponseImpl | setHeader | sink | CWE-113 | 5 | Arguments 0 (name) and 1 (value) are directly passed to HttpMessage.setHeader(String, Object), setting an HTTP response header. 
Tainted data could lead to HTTP response splitting. | +| org.apache.axis2.transport.http.server | AxisHttpResponseImpl | setHeader | sink | CWE-113 | 5 | Argument 0 (Header object) is directly passed to HttpMessage.setHeader(Header), setting an HTTP response header. Tainted data could lead to HTTP response splitting. | +| org.apache.axis2.transport.http.server | AxisHttpResponseImpl | setHeaders | sink | CWE-113 | 5 | Argument 0 (Header[] array) is directly passed to HttpMessage.setHeaders(Header[]), setting HTTP response headers. Tainted data in any header could lead to HTTP response splitting. | +| org.apache.axis2.transport.http.server | AxisHttpResponseImpl | sendError | sink | CWE-113 | 4 | Argument 1 (msg) is passed to HttpResponse.setReasonPhrase(String), which sets the reason phrase in the HTTP response status line. Tainted data with CRLF characters could lead to HTTP response splitting. | +| org.apache.axis2.transport.http.server | AxisHttpService | handleException | sink | CWE-209 | 4 | Argument 0 (HttpException ex) is converted to an error message via ServerSupport.toErrorMessage(ex) and sent to the remote client by setting it as the HTTP response entity. This exposes potentially sensitive exception details (stack traces, internal class names, error messages) to the end user. | +| org.apache.axis2.transport.http.server | DefaultConnectionListenerFailureHandler | notifyAbnormalTermination | sink | CWE-117 | 4 | The 'message' (arg 1) String and 'cause' (arg 2) Throwable are passed directly to Log.error() without sanitization, which could lead to log injection if they contain attacker-controlled data. | +| org.apache.axis2.transport.http.server | DefaultConnectionListenerFailureHandler | failed | sink | CWE-117 | 4 | The 'cause' (arg 1) Throwable is passed directly to Log.warn() without sanitization. If the Throwable's message contains attacker-controlled data, this could lead to log injection. 
| +| org.apache.axis2.transport.http.server | HttpUtils | getSoapAction | source | remote | 5 | The method extracts the SOAPAction HTTP header from an incoming AxisHttpRequest via getFirstHeader/getValue. This is user-controlled remote input entering the program. | +| org.apache.axis2.transport.http.server | ResponseSessionCookie | process | sink | CWE-113 | 4 | Data from the HttpContext (arg 2) is retrieved via getAttribute, used to build a session cookie value (via CharArrayBuffer.append), and added as an HTTP response header via HttpMessage.addHeader. If the context contains attacker-controlled data (e.g., a session ID), this could lead to HTTP response header injection/splitting. | +| org.apache.axis2.transport.http.server | Worker | service | source | remote | 4 | The `request` parameter (arg 0) represents an incoming HTTP request in this framework callback method, analogous to HttpServlet.service(). It brings externally-controlled data (HTTP headers, parameters, body) into the program. | + +## Ignored (low certainty) (1) + +| Package | Class | Method | Type | Kind | Certainty | Reason | Why Ignored | +|---------|-------|--------|------|------|-----------|--------|-------------| +| org.apache.axis2.transport.http.server | AxisHttpConnectionImpl | getInputStream | source | remote | 2 | getInputStream() returns the input stream from the underlying HTTP socket connection, which carries attacker-controlled remote data. | No callees were found, but the class is an HTTP connection implementation wrapping a Socket, and getInputStream() follows the standard pattern of exposing the socket's input stream which carries remote data. However, without callee confirmation, certainty is lower. | + 
diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-jms/org.apache.axis2.transport.jms.ctype.model.yml b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-jms/org.apache.axis2.transport.jms.ctype.model.yml new file mode 100644 index 000000000000..8c296c7d4a37 --- /dev/null +++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-jms/org.apache.axis2.transport.jms.ctype.model.yml @@ -0,0 +1,8 @@ +# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT. +# Generated from https://github.com/apache/axis-axis2-java-core.git#b7e6711279d38b7f0db3e648888de5154729e9a8 by codeql-mads-via-llm +extensions: + - addsTo: + pack: codeql/java-all + extensible: sourceModel + data: + - ["org.apache.axis2.transport.jms.ctype", "PropertyRule", True, "getContentType", "(Message)", "", "ReturnValue", "remote", "ai-generated"] diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-jms/org.apache.axis2.transport.jms.iowrappers.model.yml b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-jms/org.apache.axis2.transport.jms.iowrappers.model.yml new file mode 100644 index 000000000000..e88981bfe892 --- /dev/null +++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-jms/org.apache.axis2.transport.jms.iowrappers.model.yml 
@@ -0,0 +1,10 @@ +# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT. +# Generated from https://github.com/apache/axis-axis2-java-core.git#b7e6711279d38b7f0db3e648888de5154729e9a8 by codeql-mads-via-llm +extensions: + - addsTo: + pack: codeql/java-all + extensible: sourceModel + data: + - ["org.apache.axis2.transport.jms.iowrappers", "BytesMessageDataSource", True, "getInputStream", "()", "", "ReturnValue", "remote", "ai-generated"] + - ["org.apache.axis2.transport.jms.iowrappers", "BytesMessageInputStream", True, "read", "(byte[])", "", "Argument[0]", "remote", "ai-generated"] + - ["org.apache.axis2.transport.jms.iowrappers", "BytesMessageInputStream", True, "read", "(byte[],int,int)", "", "Argument[0]", "remote", "ai-generated"] diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-jms/org.apache.axis2.transport.jms.model.yml b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-jms/org.apache.axis2.transport.jms.model.yml new file mode 100644 index 000000000000..1f3bf2b79c0f --- /dev/null +++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-jms/org.apache.axis2.transport.jms.model.yml 
@@ -0,0 +1,17 @@ +# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT. +# Generated from https://github.com/apache/axis-axis2-java-core.git#b7e6711279d38b7f0db3e648888de5154729e9a8 by codeql-mads-via-llm +extensions: + - addsTo: + pack: codeql/java-all + extensible: sinkModel + data: + - ["org.apache.axis2.transport.jms", "JMSConnectionFactoryManager", True, "handleException", "(String,Exception)", "", "Argument[0]", "log-injection", "ai-generated"] + - ["org.apache.axis2.transport.jms", "JMSMessageSender", True, "JMSMessageSender", "(JMSConnectionFactory,String)", "", "Argument[1]", "request-forgery", "ai-generated"] + - ["org.apache.axis2.transport.jms", "JMSSender", True, "sendMessage", "(MessageContext,String,OutTransportInfo)", "", "Argument[1]", "request-forgery", "ai-generated"] + - addsTo: + pack: codeql/java-all + extensible: sourceModel + data: + - ["org.apache.axis2.transport.jms", "JMSMessageReceiver", True, "onMessage", "(Message,UserTransaction)", "", "Argument[0]", "remote", "ai-generated"] + - ["org.apache.axis2.transport.jms", "JMSUtils", True, "getProperty", "(Message,String)", "", "ReturnValue", "remote", "ai-generated"] + #- ["org.apache.axis2.transport.jms", "JMSUtils", True, "getTransportHeaders", "(Message)", "", "ReturnValue", "remote", "ai-generated"] # INVALID: Method does not exist in repo diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-jms/report.md b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-jms/report.md new file mode 100644 index 000000000000..893b7a9656b1 --- /dev/null +++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-jms/report.md 
@@ -0,0 +1,25 @@ +# MaD Generation Report + +## Included (14) + +| Package | Class | Method | Type | Kind | Certainty | Reason | +|---------|-------|--------|------|------|-----------|--------| +| org.apache.axis2.transport.jms.ctype | PropertyRule | getContentType | source | remote | 4 | The method reads a string property from a JMS Message (via Message.getStringProperty) received from an external message broker. The return value encapsulates content type information extracted from the external message, making it a remote data source. | +| org.apache.axis2.transport.jms.iowrappers | BytesMessageDataSource | getInputStream | source | remote | 4 | Returns an InputStream that reads data from a JMS BytesMessage. JMS messages originate from external message queues (remote systems), so the returned stream carries externally-sourced data that did not exist in the process before the message was received. | +| org.apache.axis2.transport.jms.iowrappers | BytesMessageInputStream | read | source | remote | 4 | Reads bytes from a JMS BytesMessage (via BytesMessage.readBytes) into the byte array parameter (arg 0). JMS messages originate from external message brokers, making this a remote data source. | +| org.apache.axis2.transport.jms.iowrappers | BytesMessageInputStream | read | source | remote | 4 | Reads bytes from a JMS BytesMessage (via BytesMessage.readBytes) into the byte array parameter (arg 0). JMS messages originate from external message brokers, making this a remote data source. | +| org.apache.axis2.transport.jms | JMSConnectionFactory | getDestination | sink | CWE-074 | 4 | Argument 0 (destinationName) is used as a JNDI lookup name via JMSUtils.lookupDestination(Context, String, String). If this name is attacker-controlled, it can point to a malicious JNDI server, potentially leading to remote code execution (JNDI injection). 
| +| org.apache.axis2.transport.jms | JMSConnectionFactoryManager | handleException | sink | CWE-117 | 4 | Argument 0 (msg) is passed directly to Log.error(), which writes it to the log. If msg contains unsanitized user input, this enables log injection (e.g., forged log entries via newline characters). | +| org.apache.axis2.transport.jms | JMSMessageReceiver | onMessage | source | remote | 4 | The Message parameter (arg 0) is data received from an external JMS message queue. This method is a well-known JMS framework callback invoked when a message arrives. The callees confirm it reads message content (getText, getJMSMessageID, getJMSCorrelationID, etc.) and processes it through the engine, making this the entry point where external data enters the application. | +| org.apache.axis2.transport.jms | JMSMessageSender | JMSMessageSender | sink | CWE-918 | 4 | Argument 1 (targetAddress) is a target EPR (endpoint reference) used to resolve the JMS destination. Callees show it flows into JMSUtils.getDestination(String) and JMSConnectionFactory.getDestination(String,String), setting up a server-side connection to a potentially attacker-controlled destination, enabling request forgery. | +| org.apache.axis2.transport.jms | JMSOutTransportInfo | getReplyDestination | sink | CWE-074 | 5 | Argument 0 (replyDest) is used as a JNDI name in a lookup via JMSUtils.lookupDestination(). If this name is attacker-controlled, it can point to a malicious LDAP/RMI server and lead to remote code execution through JNDI injection. | +| org.apache.axis2.transport.jms | JMSSender | sendMessage | sink | CWE-918 | 4 | Argument 1 (targetAddress) specifies the JMS endpoint/broker address where the message is sent. If attacker-controlled, the server could be made to connect to an arbitrary JMS broker, enabling SSRF. Callees confirm the address is used to create JMSOutTransportInfo and send the message via sendOverJMS. 
| +| org.apache.axis2.transport.jms | JMSUtils | getProperty | source | remote | 5 | The return value is a string property read from a JMS Message, which originates from an external/remote messaging system. Callees confirm delegation to jakarta.jms.Message.getStringProperty(). | +| org.apache.axis2.transport.jms | JMSUtils | getTransportHeaders | source | remote | 5 | The return value is a Map containing transport headers extracted from a JMS Message. Callees confirm it reads multiple properties (getStringProperty, getJMSCorrelationID, getJMSMessageID, getJMSType, etc.) from the external message. | +| org.apache.axis2.transport.jms | JMSUtils | lookup | sink | CWE-074 | 5 | Argument 2 (name) is used in a JNDI lookup via javax.naming.Context.lookup(String). If attacker-controlled, this can lead to JNDI injection allowing remote code execution. | +| org.apache.axis2.transport.jms | JMSUtils | lookupDestination | sink | CWE-074 | 5 | Argument 1 (destinationName) is passed to JMSUtils.lookup() which performs a JNDI lookup via javax.naming.Context.lookup(String). If attacker-controlled, this can lead to JNDI injection. | + +## Ignored (low certainty) (0) + +None. + diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-mail/org.apache.axis2.transport.mail.model.yml b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-mail/org.apache.axis2.transport.mail.model.yml new file mode 100644 index 000000000000..743d842e9503 --- /dev/null +++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-mail/org.apache.axis2.transport.mail.model.yml 
@@ -0,0 +1,9 @@ +# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT. +# Generated from https://github.com/apache/axis-axis2-java-core.git#b7e6711279d38b7f0db3e648888de5154729e9a8 by codeql-mads-via-llm +extensions: + - addsTo: + pack: codeql/java-all + extensible: sinkModel + data: + - ["org.apache.axis2.transport.mail", "MailTransportListener", True, "poll", "(PollTableEntry)", "", "Argument[0]", "request-forgery", "ai-generated"] + - ["org.apache.axis2.transport.mail", "MailTransportSender", True, "sendMessage", "(MessageContext,String,OutTransportInfo)", "", "Argument[1]", "request-forgery", "ai-generated"] diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-mail/report.md b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-mail/report.md new file mode 100644 index 000000000000..c28fde9455c2 --- /dev/null +++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-mail/report.md @@ -0,0 +1,13 @@ +# MaD Generation Report + +## Included (2) + +| Package | Class | Method | Type | Kind | Certainty | Reason | +|---------|-------|--------|------|------|-----------|--------| +| org.apache.axis2.transport.mail | MailTransportListener | poll | sink | CWE-918 | 3 | Argument 0 (PollTableEntry) specifies the mail server configuration (host, protocol, credentials) used to establish a network connection to a mail server. If attacker-controlled, this enables SSRF by directing the server to connect to an arbitrary mail host. | +| org.apache.axis2.transport.mail | MailTransportSender | sendMessage | sink | CWE-918 | 3 | Argument 1 (targetAddress) is parsed via InternetAddress.parse() and used to set the target addresses for sending mail via SMTP. This allows the server to be directed to send email (a server-side request) to a user-controlled destination, which is a form of server-side request forgery. | + +## Ignored (low certainty) (0) + +None. + 
diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-tcp/org.apache.axis2.transport.tcp.model.yml b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-tcp/org.apache.axis2.transport.tcp.model.yml new file mode 100644 index 000000000000..68e1f55b9d7a --- /dev/null +++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-tcp/org.apache.axis2.transport.tcp.model.yml @@ -0,0 +1,8 @@ +# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT. +# Generated from https://github.com/apache/axis-axis2-java-core.git#b7e6711279d38b7f0db3e648888de5154729e9a8 by codeql-mads-via-llm +extensions: + - addsTo: + pack: codeql/java-all + extensible: sinkModel + data: + - ["org.apache.axis2.transport.tcp", "TCPTransportSender", True, "sendMessage", "(MessageContext,String,OutTransportInfo)", "", "Argument[1]", "request-forgery", "ai-generated"] diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-tcp/report.md b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-tcp/report.md new file mode 100644 index 000000000000..db0ef165e491 --- /dev/null +++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-tcp/report.md @@ -0,0 +1,12 @@ +# MaD Generation Report + +## Included (1) + +| Package | Class | Method | Type | Kind | Certainty | Reason | +|---------|-------|--------|------|------|-----------|--------| +| org.apache.axis2.transport.tcp | TCPTransportSender | sendMessage | sink | CWE-918 | 5 | Argument 1 (targetEPR) is parsed and used to open a TCP connection via openTCPConnection(String, int). An attacker-controlled endpoint reference could lead to server-side request forgery. | + +## Ignored (low certainty) (0) + +None. + diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-udp/org.apache.axis2.transport.udp.model.yml b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-udp/org.apache.axis2.transport.udp.model.yml new file mode 100644 index 000000000000..a9e342664f7f 
--- /dev/null +++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-udp/org.apache.axis2.transport.udp.model.yml @@ -0,0 +1,8 @@ +# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT. +# Generated from https://github.com/apache/axis-axis2-java-core.git#b7e6711279d38b7f0db3e648888de5154729e9a8 by codeql-mads-via-llm +extensions: + - addsTo: + pack: codeql/java-all + extensible: sinkModel + data: + - ["org.apache.axis2.transport.udp", "UDPSender", True, "sendMessage", "(MessageContext,String,OutTransportInfo)", "", "Argument[1]", "request-forgery", "ai-generated"] diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-udp/report.md b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-udp/report.md new file mode 100644 index 000000000000..033238fbad9e --- /dev/null +++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/transport-udp/report.md @@ -0,0 +1,12 @@ +# MaD Generation Report + +## Included (1) + +| Package | Class | Method | Type | Kind | Certainty | Reason | +|---------|-------|--------|------|------|-----------|--------| +| org.apache.axis2.transport.udp | UDPSender | sendMessage | sink | CWE-918 | 4 | Argument 1 (`targetEPR`) specifies the target endpoint for a UDP network request. The method directly calls `DatagramSocket.send()`, meaning user-controlled input in `targetEPR` can lead to server-side request forgery. | + +## Ignored (low certainty) (0) + +None. + diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/webapp/org.apache.axis2.webapp.model.yml b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/webapp/org.apache.axis2.webapp.model.yml new file mode 100644 index 000000000000..0ef0f526ec33 --- /dev/null +++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/webapp/org.apache.axis2.webapp.model.yml 
@@ -0,0 +1,8 @@ +# THIS FILE IS AN AUTO-GENERATED MODELS AS DATA FILE. DO NOT EDIT. +# Generated from https://github.com/apache/axis-axis2-java-core.git#b7e6711279d38b7f0db3e648888de5154729e9a8 by codeql-mads-via-llm +extensions: + - addsTo: + pack: codeql/java-all + extensible: sourceModel + data: + - ["org.apache.axis2.webapp", "AxisAdminServlet", True, "service", "(HttpServletRequest,HttpServletResponse)", "", "Argument[0]", "remote", "ai-generated"] diff --git a/java/ql/lib/ext/generated/llmgenerator/axis2-mads/webapp/report.md b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/webapp/report.md new file mode 100644 index 000000000000..5e6acbe6fa79 --- /dev/null +++ b/java/ql/lib/ext/generated/llmgenerator/axis2-mads/webapp/report.md @@ -0,0 +1,12 @@ +# MaD Generation Report + +## Included (1) + +| Package | Class | Method | Type | Kind | Certainty | Reason | +|---------|-------|--------|------|------|-----------|--------| +| org.apache.axis2.webapp | AxisAdminServlet | service | source | remote | 5 | The `request` parameter (arg 0) is an HttpServletRequest provided by the servlet container, carrying user-supplied HTTP data (query parameters, headers, path info, etc.). The `service` method is a well-known servlet entry point where remote data enters the application. Callees confirm usage of getParameter, getPathInfo, getMethod on the request. | + +## Ignored (low certainty) (0) + +None. +