Your submission is now in status Test run.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

Your submission is now in status Results analysis.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

@luchua-bc Thank you for the submission, we've done an initial analysis of the query results. Overall the results are of good quality. However, we noticed that some results are FP due to the taint flow going into virtual methods like Map::get and Object::toString, which then resulted in the taint being propagated to every call of Map::get and Object::toString, many of which are from objects that are not tainted. While these are limitations of the standard CodeQL library that is known to us, it seems to affect this query in a disproportionate manner which results in a number of FPs. I'd suggest adding sanitizers to the query to either filter out taint steps that is inside the Object::toString and the Map::get method or to filter out steps that are the outputs of these methods. Please let us know if you think this is reasonable or if you have other suggestions. Thanks.

Thanks @m-y-mo for reviewing this PR. Could you share URLs of one or a few repositories with FPs mentioned above? This will help me to validate the query after making the changes.

For example, try running this query on Apache Struts and you should see that the results are going through the toString method. After you changed the query, we'll also do another run and check the results to see if it addresses the issue. Thanks.

Hi @m-y-mo,

I've added a sanitizer for those virtual method calls as per your suggestion. Now the toString call with Apache Struts doesn't appear in query results. Although the project still reports ten matches, it's expected since Struts is a framework service while applications developed on it are supposed to provide real invocation and input validation.

Please check again and let me know if more changes are required.

Thanks,
@luchua-bc

Hi @m-y-mo,

Have you got a chance to check again? Would you please provide an update? Thanks.

Your submission is now in status Query review.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

Thanks and sorry for the late reply. I had a look at the results and the problem with toString is fixed, although as you mentioned, there are some application specific FP that are hard to eliminate. I'm happy with the results and have moved the status to Query review, which will mostly be some feedback on the query and PR itself. Thanks.

Thanks @m-y-mo a lot for the prompt update.

Your submission is now in status Final decision.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

Your submission is now in status Pay.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

Created Hackerone report 1454582 for bounty 362499 : [495] [Java] CWE-552: Query to detect unsafe request dispatcher usage

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed

Thanks @xcorail for the bounty and the quick turn-around.