
Commit 56647d5

committed
Add java data extensions for sql injection sinks, sources, and a taint flow summary
1 parent d86ec1a commit 56647d5

5 files changed

Lines changed: 98 additions & 0 deletions


Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
---
2+
category: majorAnalysis
3+
---
4+
* Added sink model for `sql-injection` for: `com.google.cloud.bigquery` and `org.apache.commons.dbutils`.
5+
* Added a source model for: `spark` and `io.javalin.http`.
6+
* Added a taint summary model for: `spark`.
Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
extensions:
2+
- addsTo:
3+
pack: codeql/java-all
4+
extensible: sinkModel
5+
data:
6+
- ["com.google.cloud.bigquery", "QueryJobConfiguration", true, "newBuilder", "", "", "Argument[0]", "sql-injection", "manual"]
7+
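Review bot: Only `QueryJobConfiguration.newBuilder` is modelled as a `sql-injection` sink (data line 6), so query text that reaches BigQuery through another entry point would not be flagged. If I read the client API correctly, `QueryJobConfiguration.of(String)` and `QueryJobConfiguration.Builder.setQuery(String)` accept the same raw query string. Consider adding rows such as `["com.google.cloud.bigquery", "QueryJobConfiguration", true, "of", "(String)", "", "Argument[0]", "sql-injection", "manual"]` and `["com.google.cloud.bigquery", "QueryJobConfiguration$Builder", true, "setQuery", "(String)", "", "Argument[0]", "sql-injection", "manual"]`. A one-line comment above the data rows saying that `Argument[0]` is the unparameterised query text would also help whoever audits this model next.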
Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,25 @@
1+
extensions:
2+
- addsTo:
3+
pack: codeql/java-all
4+
extensible: sourceModel
5+
data:
6+
- ["io.javalin.http", "Context", true, "basicAuthCredentials", "", "", "ReturnValue", "remote", "manual"]
7+
- ["io.javalin.http", "Context", true, "body", "", "", "ReturnValue", "remote", "manual"]
8+
- ["io.javalin.http", "Context", true, "bodyAsClass", "", "", "ReturnValue", "remote", "manual"]
9+
- ["io.javalin.http", "Context", true, "cookie", "", "", "ReturnValue", "remote", "manual"]
10+
- ["io.javalin.http", "Context", true, "header", "", "", "ReturnValue", "remote", "manual"]
11+
- ["io.javalin.http", "Context", true, "formParam", "", "", "ReturnValue", "remote", "manual"]
12+
- ["io.javalin.http", "Context", true, "formParams", "", "", "ReturnValue", "remote", "manual"]
13+
- ["io.javalin.http", "Context", true, "formParamMap", "", "", "ReturnValue", "remote", "manual"]
14+
- ["io.javalin.http", "Context", true, "formParamAsClass", "", "", "ReturnValue", "remote", "manual"]
15+
- ["io.javalin.http", "Context", true, "formParamsAsClass", "", "", "ReturnValue", "remote", "manual"]
16+
- ["io.javalin.http", "Context", true, "pathParam", "", "", "ReturnValue", "remote", "manual"]
17+
- ["io.javalin.http", "Context", true, "pathParamAsClass", "", "", "ReturnValue", "remote", "manual"]
18+
- ["io.javalin.http", "Context", true, "pathParamMap", "", "", "ReturnValue", "remote", "manual"]
19+
- ["io.javalin.http", "Context", true, "queryParam", "", "", "ReturnValue", "remote", "manual"]
20+
- ["io.javalin.http", "Context", true, "queryParams", "", "", "ReturnValue", "remote", "manual"]
21+
- ["io.javalin.http", "Context", true, "queryParamAsClass", "", "", "ReturnValue", "remote", "manual"]
22+
- ["io.javalin.http", "Context", true, "queryParamsAsClass", "", "", "ReturnValue", "remote", "manual"]
23+
- ["io.javalin.http", "Context", true, "queryParamMap", "", "", "ReturnValue", "remote", "manual"]
24+
- ["io.javalin.http", "Context", true, "queryString", "", "", "ReturnValue", "remote", "manual"]
25+
- ["io.javalin.http", "Context", true, "sessionAttribute", "", "", "ReturnValue", "remote", "manual"]
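Review bot: The `*AsClass` rows (`formParamAsClass`, `pathParamAsClass`, `queryParamAsClass` and the plural forms) mark the return value as `remote`, but as far as I know these methods return a `Validator` wrapper rather than the parameter itself. No `summaryModel` in this commit carries taint from that wrapper to the value it yields, so the flow likely stops at the wrapper and these rows report nothing. A summary from `Argument[this]` to `ReturnValue` for the `Validator` accessors would close the gap. Separately, `sessionAttribute` reads server-side session state, which is attacker-controlled only if the application stored request data there, so tagging it `remote` may add false positives. A comment explaining why it is included would help.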
Lines changed: 33 additions & 0 deletions
@@ -0,0 +1,33 @@
1+
extensions:
2+
- addsTo:
3+
pack: codeql/java-all
4+
extensible: sinkModel
5+
data:
6+
- ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "insert", "(Connection,String,ResultSetHandler)", "", "Argument[1]", "sql-injection", "manual"]
7+
- ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "insert", "(Connection,String,ResultSetHandler,Object[])", "", "Argument[1]", "sql-injection", "manual"]
8+
- ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "insert", "(String,ResultSetHandler)", "", "Argument[0]", "sql-injection", "manual"]
9+
- ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "insert", "(String,ResultSetHandler,Object[])", "", "Argument[0]", "sql-injection", "manual"]
10+
- ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "query", "(Connection,String,ResultSetHandler)", "", "Argument[1]", "sql-injection", "manual"]
11+
- ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "query", "(Connection,String,ResultSetHandler,Object[])", "", "Argument[1]", "sql-injection", "manual"]
12+
- ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "query", "(String,ResultSetHandler)", "", "Argument[0]", "sql-injection", "manual"]
13+
- ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "query", "(String,ResultSetHandler,Object[])", "", "Argument[0]", "sql-injection", "manual"]
14+
- ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "update", "(Connection,String)", "", "Argument[1]", "sql-injection", "manual"]
15+
- ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "update", "(Connection,String,Object[])", "", "Argument[1]", "sql-injection", "manual"]
16+
- ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "update", "(Connection,String,Object)", "", "Argument[1]", "sql-injection", "manual"]
17+
- ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "update", "(String)", "", "Argument[0]", "sql-injection", "manual"]
18+
- ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "update", "(String,Object[])", "", "Argument[0]", "sql-injection", "manual"]
19+
- ["org.apache.commons.dbutils", "AsyncQueryRunner", true, "update", "(String,Object)", "", "Argument[0]", "sql-injection", "manual"]
20+
- ["org.apache.commons.dbutils", "QueryRunner", true, "insert", "(Connection,String,ResultSetHandler)", "", "Argument[1]", "sql-injection", "manual"]
21+
- ["org.apache.commons.dbutils", "QueryRunner", true, "insert", "(Connection,String,ResultSetHandler,Object[])", "", "Argument[1]", "sql-injection", "manual"]
22+
- ["org.apache.commons.dbutils", "QueryRunner", true, "insert", "(String,ResultSetHandler)", "", "Argument[0]", "sql-injection", "manual"]
23+
- ["org.apache.commons.dbutils", "QueryRunner", true, "insert", "(String,ResultSetHandler,Object[])", "", "Argument[0]", "sql-injection", "manual"]
24+
- ["org.apache.commons.dbutils", "QueryRunner", true, "query", "(Connection,String,ResultSetHandler)", "", "Argument[1]", "sql-injection", "manual"]
25+
- ["org.apache.commons.dbutils", "QueryRunner", true, "query", "(Connection,String,ResultSetHandler,Object[])", "", "Argument[1]", "sql-injection", "manual"]
26+
- ["org.apache.commons.dbutils", "QueryRunner", true, "query", "(String,ResultSetHandler)", "", "Argument[0]", "sql-injection", "manual"]
27+
- ["org.apache.commons.dbutils", "QueryRunner", true, "query", "(String,ResultSetHandler,Object[])", "", "Argument[0]", "sql-injection", "manual"]
28+
- ["org.apache.commons.dbutils", "QueryRunner", true, "update", "(Connection,String)", "", "Argument[1]", "sql-injection", "manual"]
29+
- ["org.apache.commons.dbutils", "QueryRunner", true, "update", "(Connection,String,Object[])", "", "Argument[1]", "sql-injection", "manual"]
30+
- ["org.apache.commons.dbutils", "QueryRunner", true, "update", "(Connection,String,Object)", "", "Argument[1]", "sql-injection", "manual"]
31+
- ["org.apache.commons.dbutils", "QueryRunner", true, "update", "(String)", "", "Argument[0]", "sql-injection", "manual"]
32+
- ["org.apache.commons.dbutils", "QueryRunner", true, "update", "(String,Object[])", "", "Argument[0]", "sql-injection", "manual"]
33+
- ["org.apache.commons.dbutils", "QueryRunner", true, "update", "(String,Object)", "", "Argument[0]", "sql-injection", "manual"]
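Review bot: The rows cover `insert`, `query` and `update` on both runners, but `batch` and `insertBatch` (and, on `QueryRunner`, `execute`) also take the SQL text as a `String` argument and are not modelled, as far as I can tell from the DbUtils API. A tainted statement passed to those calls would go unreported. Consider adding rows in the same shape, for example `["org.apache.commons.dbutils", "QueryRunner", true, "batch", "(Connection,String,Object[][])", "", "Argument[1]", "sql-injection", "manual"]`, plus the overload without a `Connection` using `Argument[0]`. The deprecated `query` overloads that put the parameters before the `ResultSetHandler` may need rows too if older call sites are in scope.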

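--- a/java/ql/lib/ext/spark.model.yml
+++ b/java/ql/lib/ext/spark.model.yml
@@ -0,0 +1,27 @@
+extensions:
+- addsTo:
+pack: codeql/java-all
+extensible: sourceModel
+data:
+- ["spark", "Request", true, "body", "", "", "ReturnValue", "remote", "manual"]
+- ["spark", "Request", true, "bodyAsBytes", "", "", "ReturnValue", "remote", "manual"]
+- ["spark", "Request", true, "cookie", "", "", "ReturnValue", "remote", "manual"]
+- ["spark", "Request", true, "cookies", "", "", "ReturnValue", "remote", "manual"]
+- ["spark", "Request", true, "headers", "", "", "ReturnValue", "remote", "manual"]
+- ["spark", "Request", true, "params", "", "", "ReturnValue", "remote", "manual"]
+- ["spark", "Request", true, "queryMap", "", "", "ReturnValue", "remote", "manual"]
+- ["spark", "Request", true, "queryParams", "", "", "ReturnValue", "remote", "manual"]
+- ["spark", "Request", true, "queryParamsSafe", "", "", "ReturnValue", "remote", "manual"]
+- ["spark", "Request", true, "queryParamOrDefault", "", "", "ReturnValue", "remote", "manual"]
+- ["spark", "Request", true, "queryParamsValues", "", "", "ReturnValue", "remote", "manual"]
+- ["spark", "Request", true, "queryString", "", "", "ReturnValue", "remote", "manual"]
+- ["spark", "Request", true, "uri", "", "", "ReturnValue", "remote", "manual"]
+- ["spark", "Request", true, "url", "", "", "ReturnValue", "remote", "manual"]
+- addsTo:
+pack: codeql/java-all
+extensible: summaryModel
+data:
+- ["spark", "QueryParamsMap", True, "get", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+- ["spark", "QueryParamsMap", True, "toMap", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+- ["spark", "QueryParamsMap", True, "value", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+- ["spark", "QueryParamsMap", True, "values", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]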
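Review bot: The four `summaryModel` rows for `QueryParamsMap` (data lines 24–27) declare flow from `Argument[0]` to `Argument[this]`, which looks inverted for carrying taint out of the map returned by the `queryMap` source above. `toMap` and `values` take no arguments as far as I know, so `Argument[0]` would never match there, and tainted data read through `get` or `value` would not reach a sink. The rows should probably read `["spark", "QueryParamsMap", true, "get", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]`, and likewise for `toMap`, `value` and `values`. These rows also spell the subtypes flag `True` while every other row in the commit uses `true`; lowercase keeps the files consistent. A test that flows `request.queryMap().value(...)` into a SQL sink would confirm the summary fires.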
