
Add data extensions for remote tainted sources #20228

Status: Open. Wants to merge 3 commits into base branch main.

Conversation

5idg5 (Contributor) commented Aug 14, 2025

Add relevant APIs that are modeled as remote tainted sources under javax.servlet.ServletRequest and javax.servlet.http.HttpServletRequest for jakarta.servlet.ServletRequest and jakarta.servlet.http.HttpServletRequest as well.

@5idg5 5idg5 requested a review from a team as a code owner August 14, 2025 20:16
@Copilot Copilot AI review requested due to automatic review settings August 14, 2025 20:16
@Copilot Copilot AI (Contributor) left a comment

Pull Request Overview

This PR adds data extensions for remote tainted sources by modeling Jakarta Servlet APIs that correspond to existing javax.servlet APIs. The change ensures that security analysis coverage is consistent between the legacy javax.servlet and modern jakarta.servlet APIs.

  • Adds remote source models for basic ServletRequest methods in jakarta.servlet
  • Adds remote source models for HTTP-specific methods in jakarta.servlet.http.HttpServletRequest
  • Maintains consistency with existing javax.servlet security modeling

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File: java/ql/lib/ext/jakarta.servlet.model.yml
Description: Adds remote tainted source models for basic ServletRequest methods like getParameter, getInputStream, and getReader

File: java/ql/lib/ext/jakarta.servlet.http.model.yml
Description: Adds remote tainted source models for HTTP-specific methods like getHeader, getPathInfo, getQueryString, and getRequestURI

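As an added illustration (not the PR's own model files, whose contents are not shown on this page), this is the shape a CodeQL Java data extension of this kind takes: the method names are the ones listed in the review table above, and the row layout is CodeQL's sourceModel column format (package, type, subtypes, name, signature, ext, output, kind, provenance).

```yaml
# Added example for this page: a CodeQL Java data extension that models
# Jakarta Servlet request accessors as remote taint sources. It is an
# illustration, not a copy of the PR's jakarta.servlet.model.yml or
# jakarta.servlet.http.model.yml.
extensions:
  - addsTo:
      pack: codeql/java-all
      extensible: sourceModel
    data:
      # Columns: package, type, subtypes, name, signature, ext, output, kind, provenance.
      # subtypes=true makes these rows also match calls made through
      # jakarta.servlet.http.HttpServletRequest, which extends ServletRequest.
      - ["jakarta.servlet", "ServletRequest", true, "getParameter", "(String)", "", "ReturnValue", "remote", "manual"]
      - ["jakarta.servlet", "ServletRequest", true, "getInputStream", "()", "", "ReturnValue", "remote", "manual"]
      - ["jakarta.servlet", "ServletRequest", true, "getReader", "()", "", "ReturnValue", "remote", "manual"]

  - addsTo:
      pack: codeql/java-all
      extensible: sourceModel
    data:
      # HTTP-specific accessors live on HttpServletRequest, so they need
      # their own rows in the jakarta.servlet.http package.
      - ["jakarta.servlet.http", "HttpServletRequest", true, "getHeader", "(String)", "", "ReturnValue", "remote", "manual"]
      - ["jakarta.servlet.http", "HttpServletRequest", true, "getPathInfo", "()", "", "ReturnValue", "remote", "manual"]
      - ["jakarta.servlet.http", "HttpServletRequest", true, "getQueryString", "()", "", "ReturnValue", "remote", "manual"]
      - ["jakarta.servlet.http", "HttpServletRequest", true, "getRequestURI", "()", "", "ReturnValue", "remote", "manual"]
```

One way to confirm such a model is picked up is to run a query that selects `RemoteFlowSource` instances over a small test class calling, say, `request.getHeader("X-Forwarded-For")`; the call's return value should then be reported as a source.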

@github-actions github-actions bot added the Java label Aug 14, 2025
github-actions bot (Contributor) commented

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Differences in coverage (java):

Generated file changes for java

  • Changes to framework-coverage-java.rst:
-    Java extensions,"``javax.*``, ``jakarta.*``",69,4159,90,10,4,2,1,1,4
+    Java extensions,"``javax.*``, ``jakarta.*``",87,4159,90,10,4,2,1,1,4
-    Totals,,312,26328,2656,404,16,128,33,1,409
+    Totals,,330,26328,2656,404,16,128,33,1,409
  • Changes to framework-coverage-java.csv:
- jakarta.servlet,2,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,1,,
+ jakarta.servlet,2,19,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2,,,,,,,,,19,,

aschackmull (Contributor) commented

LGTM. If you could please also add a change note in java/ql/lib/change-notes (see e.g. existing change notes and/or the change note documentation at https://github.com/github/codeql/blob/main/docs/change-notes.md).

5idg5 (Contributor, Author) commented Aug 15, 2025

@aschackmull Looks like all checks have passed now!
