From 56647d5336b63f2289e7eee0bf66c131bc37b371 Mon Sep 17 00:00:00 2001
From: Kristen Newbury
Date: Mon, 22 Jun 2026 17:10:44 -0400
Subject: [PATCH] Add java data extensions for sql injection sinks, sources, and a taint flow summary
---
 .../2026-06-22-various-mad-additions.md | 6 ++++
 .../ext/com.google.cloud.bigquery.model.yml | 7 ++++
 java/ql/lib/ext/io.javalin.http.model.yml | 25 ++++++++++++++
 .../ext/org.apache.commons.dbutils.model.yml | 33 +++++++++++++++++++
 java/ql/lib/ext/spark.model.yml | 27 +++++++++++++++
 5 files changed, 98 insertions(+)
 create mode 100644 java/ql/lib/change-notes/2026-06-22-various-mad-additions.md
 create mode 100644 java/ql/lib/ext/com.google.cloud.bigquery.model.yml
 create mode 100644 java/ql/lib/ext/io.javalin.http.model.yml
 create mode 100644 java/ql/lib/ext/org.apache.commons.dbutils.model.yml
 create mode 100644 java/ql/lib/ext/spark.model.yml
diff --git a/java/ql/lib/change-notes/2026-06-22-various-mad-additions.md b/java/ql/lib/change-notes/2026-06-22-various-mad-additions.md
new file mode 100644
index 000000000000..726102dc66f7
--- /dev/null
+++ b/java/ql/lib/change-notes/2026-06-22-various-mad-additions.md
@@ -0,0 +1,6 @@
+---
+category: majorAnalysis
+---
+* Added sink model for `sql-injection` for: `com.google.cloud.bigquery` and `org.apache.commons.dbutils`.
+* Added a source model for: `spark` and `io.javalin.http`.
+* Added a taint summary model for: `spark`.
\ No newline at end of file
diff --git a/java/ql/lib/ext/com.google.cloud.bigquery.model.yml b/java/ql/lib/ext/com.google.cloud.bigquery.model.yml
new file mode 100644
index 000000000000..276a59e176f3
--- /dev/null
+++ b/java/ql/lib/ext/com.google.cloud.bigquery.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: codeql/java-all
+ extensible: sinkModel
+ data:
+ - ["com.google.cloud.bigquery", "QueryJobConfiguration", true, "newBuilder", "", "", "Argument[0]", "sql-injection", "manual"]
+
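Review bot: The BigQuery sink covers only `QueryJobConfiguration.newBuilder(String)`; as far as I recall the same client library also exposes the static factory `QueryJobConfiguration.of(String)` and the builder setter `QueryJobConfiguration.Builder.setQuery(String)`, both of which take the raw SQL text, so a query assembled through either of those would not be reported. Please confirm against the targeted library version and, if they exist, add rows such as `["com.google.cloud.bigquery", "QueryJobConfiguration", true, "of", "", "", "Argument[0]", "sql-injection", "manual"]` and `["com.google.cloud.bigquery", "QueryJobConfiguration$Builder", true, "setQuery", "", "", "Argument[0]", "sql-injection", "manual"]`. As a style point, this file ends with an extra empty `+` line while the other new files in the patch end without a trailing newline; pick one convention for all four.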
diff --git a/java/ql/lib/ext/io.javalin.http.model.yml b/java/ql/lib/ext/io.javalin.http.model.yml
new file mode 100644
index 000000000000..1b5d5495201d
--- /dev/null
+++ b/java/ql/lib/ext/io.javalin.http.model.yml
@@ -0,0 +1,25 @@
+extensions:
+ - addsTo:
+ pack: codeql/java-all
+ extensible: sourceModel
+ data:
+ - ["io.javalin.http", "Context", true, "basicAuthCredentials", "", "", "ReturnValue", "remote", "manual"]
+ - ["io.javalin.http", "Context", true, "body", "", "", "ReturnValue", "remote", "manual"]
+ - ["io.javalin.http", "Context", true, "bodyAsClass", "", "", "ReturnValue", "remote", "manual"]
+ - ["io.javalin.http", "Context", true, "cookie", "", "", "ReturnValue", "remote", "manual"]
+ - ["io.javalin.http", "Context", true, "header", "", "", "ReturnValue", "remote", "manual"]
+ - ["io.javalin.http", "Context", true, "formParam", "", "", "ReturnValue", "remote", "manual"]
+ - ["io.javalin.http", "Context", true, "formParams", "", "", "ReturnValue", "remote", "manual"]
+ - ["io.javalin.http", "Context", true, "formParamMap", "", "", "ReturnValue", "remote", "manual"]
+ - ["io.javalin.http", "Context", true, "formParamAsClass", "", "", "ReturnValue", "remote", "manual"]
+ - ["io.javalin.http", "Context", true, "formParamsAsClass", "", "", "ReturnValue", "remote", "manual"]
+ - ["io.javalin.http", "Context", true, "pathParam", "", "", "ReturnValue", "remote", "manual"]
+ - ["io.javalin.http", "Context", true, "pathParamAsClass", "", "", "ReturnValue", "remote", "manual"]
+ - ["io.javalin.http", "Context", true, "pathParamMap", "", "", "ReturnValue", "remote", "manual"]
+ - ["io.javalin.http", "Context", true, "queryParam", "", "", "ReturnValue", "remote", "manual"]
+ - ["io.javalin.http", "Context", true, "queryParams", "", "", "ReturnValue", "remote", "manual"]
+ - ["io.javalin.http", "Context", true, "queryParamAsClass", "", "", "ReturnValue", "remote", "manual"]
+ - ["io.javalin.http", "Context", true, "queryParamsAsClass", "", "", "ReturnValue", "remote", "manual"]
+ - ["io.javalin.http", "Context", true, "queryParamMap", "", "", "ReturnValue", "remote", "manual"]
+ - ["io.javalin.http", "Context", true, "queryString", "", "", "ReturnValue", "remote", "manual"]
+ - ["io.javalin.http", "Context", true, "sessionAttribute", "", "", "ReturnValue", "remote", "manual"]
diff --git a/java/ql/lib/ext/org.apache.commons.dbutils.model.yml b/java/ql/lib/ext/org.apache.commons.dbutils.model.yml
new file mode 100644
index 000000000000..4b95bda7d8c0
--- /dev/null
+++ b/java/ql/lib/ext/org.apache.commons.dbutils.model.yml
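Review bot: The last row of the Javalin hunk models `sessionAttribute` as a `remote` source, but a session attribute is a value the application itself stored earlier, not data read off the request, so every lookup such as `ctx.sessionAttribute("userId")` would become a remote-flow source and produce false positives; I would drop that row unless there is a documented reason to treat session state as attacker-controlled. Separately, `basicAuthCredentials` returns a credentials object rather than a string, so taint will only reach code that reads the username or password if a summary for those getters exists — please check that one is present or add it. For parity with the `spark.Request` rows elsewhere in this patch (`uri`, `url`, `bodyAsBytes`), the Javalin `Context` methods `path()`, `url()`, `fullUrl()`, `headerMap()`, `cookieMap()` and `bodyAsBytes()`/`bodyInputStream()`, where they exist in the targeted Javalin version, look like missing sources too.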
@@ -0,0 +1,33 @@
+extensions:
+ - addsTo:
+ pack: codeql/java-all
+ extensible: sinkModel
+ data:
+ - ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "insert", "(Connection,String,ResultSetHandler)", "", "Argument[1]", "sql-injection", "manual"]
+ - ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "insert", "(Connection,String,ResultSetHandler,Object[])", "", "Argument[1]", "sql-injection", "manual"]
+ - ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "insert", "(String,ResultSetHandler)", "", "Argument[0]", "sql-injection", "manual"]
+ - ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "insert", "(String,ResultSetHandler,Object[])", "", "Argument[0]", "sql-injection", "manual"]
+ - ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "query", "(Connection,String,ResultSetHandler)", "", "Argument[1]", "sql-injection", "manual"]
+ - ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "query", "(Connection,String,ResultSetHandler,Object[])", "", "Argument[1]", "sql-injection", "manual"]
+ - ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "query", "(String,ResultSetHandler)", "", "Argument[0]", "sql-injection", "manual"]
+ - ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "query", "(String,ResultSetHandler,Object[])", "", "Argument[0]", "sql-injection", "manual"]
+ - ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "update", "(Connection,String)", "", "Argument[1]", "sql-injection", "manual"]
+ - ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "update", "(Connection,String,Object[])", "", "Argument[1]", "sql-injection", "manual"]
+ - ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "update", "(Connection,String,Object)", "", "Argument[1]", "sql-injection", "manual"]
+ - ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "update", "(String)", "", "Argument[0]", "sql-injection", "manual"]
+ - ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "update", "(String,Object[])", 
"", "Argument[0]", "sql-injection", "manual"] + - ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "update", "(String,Object)", "", "Argument[0]", "sql-injection", "manual"] + - ["org.apache.commons.dbutils", "QueryRunner", true, "insert", "(Connection,String,ResultSetHandler)", "", "Argument[1]", "sql-injection", "manual"] + - ["org.apache.commons.dbutils", "QueryRunner", true, "insert", "(Connection,String,ResultSetHandler,Object[])", "", "Argument[1]", "sql-injection", "manual"] + - ["org.apache.commons.dbutils", "QueryRunner", true, "insert", "(String,ResultSetHandler)", "", "Argument[0]", "sql-injection", "manual"] + - ["org.apache.commons.dbutils", "QueryRunner", true, "insert", "(String,ResultSetHandler,Object[])", "", "Argument[0]", "sql-injection", "manual"] + - ["org.apache.commons.dbutils", "QueryRunner", true, "query", "(Connection,String,ResultSetHandler)", "", "Argument[1]", "sql-injection", "manual"] + - ["org.apache.commons.dbutils", "QueryRunner", true, "query", "(Connection,String,ResultSetHandler,Object[])", "", "Argument[1]", "sql-injection", "manual"] + - ["org.apache.commons.dbutils", "QueryRunner", true, "query", "(String,ResultSetHandler)", "", "Argument[0]", "sql-injection", "manual"] + - ["org.apache.commons.dbutils", "QueryRunner", true, "query", "(String,ResultSetHandler,Object[])", "", "Argument[0]", "sql-injection", "manual"] + - ["org.apache.commons.dbutils", "QueryRunner", true, "update", "(Connection,String)", "", "Argument[1]", "sql-injection", "manual"] + - ["org.apache.commons.dbutils", "QueryRunner", true, "update", "(Connection,String,Object[])", "", "Argument[1]", "sql-injection", "manual"] + - ["org.apache.commons.dbutils", "QueryRunner", true, "update", "(Connection,String,Object)", "", "Argument[1]", "sql-injection", "manual"] + - ["org.apache.commons.dbutils", "QueryRunner", true, "update", "(String)", "", "Argument[0]", "sql-injection", "manual"] + - ["org.apache.commons.dbutils", "QueryRunner", true, "update", 
"(String,Object[])", "", "Argument[0]", "sql-injection", "manual"] + - ["org.apache.commons.dbutils", "QueryRunner", true, "update", "(String,Object)", "", "Argument[0]", "sql-injection", "manual"] \ No newline at end of file diff --git a/java/ql/lib/ext/spark.model.yml b/java/ql/lib/ext/spark.model.yml new file mode 100644 index 000000000000..d015162e256b --- /dev/null +++ b/java/ql/lib/ext/spark.model.yml 
@@ -0,0 +1,27 @@
+extensions:
+ - addsTo:
+ pack: codeql/java-all
+ extensible: sourceModel
+ data:
+ - ["spark", "Request", true, "body", "", "", "ReturnValue", "remote", "manual"]
+ - ["spark", "Request", true, "bodyAsBytes", "", "", "ReturnValue", "remote", "manual"]
+ - ["spark", "Request", true, "cookie", "", "", "ReturnValue", "remote", "manual"]
+ - ["spark", "Request", true, "cookies", "", "", "ReturnValue", "remote", "manual"]
+ - ["spark", "Request", true, "headers", "", "", "ReturnValue", "remote", "manual"]
+ - ["spark", "Request", true, "params", "", "", "ReturnValue", "remote", "manual"]
+ - ["spark", "Request", true, "queryMap", "", "", "ReturnValue", "remote", "manual"]
+ - ["spark", "Request", true, "queryParams", "", "", "ReturnValue", "remote", "manual"]
+ - ["spark", "Request", true, "queryParamsSafe", "", "", "ReturnValue", "remote", "manual"]
+ - ["spark", "Request", true, "queryParamOrDefault", "", "", "ReturnValue", "remote", "manual"]
+ - ["spark", "Request", true, "queryParamsValues", "", "", "ReturnValue", "remote", "manual"]
+ - ["spark", "Request", true, "queryString", "", "", "ReturnValue", "remote", "manual"]
+ - ["spark", "Request", true, "uri", "", "", "ReturnValue", "remote", "manual"]
+ - ["spark", "Request", true, "url", "", "", "ReturnValue", "remote", "manual"]
+ - addsTo:
+ pack: codeql/java-all
+ extensible: summaryModel
+ data:
+ - ["spark", "QueryParamsMap", True, "get", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+ - ["spark", "QueryParamsMap", True, "toMap", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+ - ["spark", "QueryParamsMap", True, "value", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+ - ["spark", "QueryParamsMap", True, "values", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
\ No newline at end of file
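Review bot: The four `summaryModel` rows at the end of the hunk have the flow direction backwards: the input/output columns read `Argument[0]` → `Argument[this]`, which says taint flows from the key passed to `get`/`value` into the receiver map, whereas the intent (per the change note, a taint summary so values pulled out of a tainted `queryMap()` result stay tainted) is receiver → result. As far as I know `toMap` and `values` take no argument at all, so for those two rows `Argument[0]` can never match and the summary is dead. Each row should read `..., "", "", "Argument[this]", "ReturnValue", "taint", "manual"]`. Minor style point: these rows spell the subtypes flag `True` while every other row in the patch uses `true`; YAML accepts both, but keep one spelling.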