diff --git a/languages/java/custom/src/http4k-core.model.yml b/languages/java/custom/src/http4k-core.model.yml
new file mode 100644
index 0000000..19c3828
--- /dev/null
+++ b/languages/java/custom/src/http4k-core.model.yml
@@ -0,0 +1,46 @@
+extensions:
+ - addsTo:
+ pack: codeql/java-all
+ extensible: sourceModel
+ data:
+ # Request query parameter accessors
+ - ["org.http4k.core", "Request", True, "query", "(String)", "", "ReturnValue", "remote", "manual"]
+ - ["org.http4k.core", "Request", True, "queries", "(String)", "", "ReturnValue", "remote", "manual"]
+ # Request header accessors
+ - ["org.http4k.core", "Request", True, "header", "(String)", "", "ReturnValue", "remote", "manual"]
+ - ["org.http4k.core", "Request", True, "headerValues", "(String)", "", "ReturnValue", "remote", "manual"]
+ # Request body accessors
+ - ["org.http4k.core", "Request", True, "bodyString", "()", "", "ReturnValue", "remote", "manual"]
+ # Request URI
+ - ["org.http4k.core", "Request", True, "getUri", "()", "", "ReturnValue", "remote", "manual"]
+ - addsTo:
+ pack: codeql/java-all
+ extensible: sinkModel
+ data:
+ # Response body sinks (XSS)
+ - ["org.http4k.core", "Response", True, "body", "(String)", "", "Argument[0]", "html-injection", "manual"]
+ - ["org.http4k.core", "Response", True, "body", "(String)", "", "Argument[0]", "js-injection", "manual"]
+ # Response header sinks (response splitting, request forgery)
+ - ["org.http4k.core", "Response", True, "header", "(String,String)", "", "Argument[0..1]", "response-splitting", "manual"]
+ - ["org.http4k.core", "Response", True, "header", "(String,String)", "", "Argument[1]", "request-forgery", "manual"]
+ - addsTo:
+ pack: codeql/java-all
+ extensible: summaryModel
+ data:
+ # Request immutable builder pattern: this flows through to return value
+ - ["org.http4k.core", "Request", True, "header", "(String,String)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+ - ["org.http4k.core", "Request", True, "body", "(String)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+ - ["org.http4k.core", "Request", True, "query", "(String,String)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+ # Response immutable builder pattern: this flows through to return value
+ - ["org.http4k.core", "Response", True, "header", "(String,String)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+ - ["org.http4k.core", "Response", True, "body", "(String)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+ # Taint propagation: arguments taint the builder result
+ - ["org.http4k.core", "Request", True, "header", "(String,String)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
+ - ["org.http4k.core", "Request", True, "body", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+ - ["org.http4k.core", "Request", True, "query", "(String,String)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
+ - ["org.http4k.core", "Response", True, "header", "(String,String)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
+ - ["org.http4k.core", "Response", True, "body", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+ - addsTo:
+ pack: codeql/java-all
+ extensible: neutralModel
+ data: []
diff --git a/languages/java/custom/src/http4k-format-gson.model.yml b/languages/java/custom/src/http4k-format-gson.model.yml
new file mode 100644
index 0000000..cb87109
--- /dev/null
+++ b/languages/java/custom/src/http4k-format-gson.model.yml
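Review bot: The `request-forgery` sink on `Response.header(String,String)` Argument[1] routes a user-controlled response header into the SSRF query, which is the wrong kind for this situation: a tainted value in a response header such as `Location` is an open-redirect case, whose MaD kind is `url-redirection`, and because the row is not restricted to `Location` it will also report `Content-Type`, `Cache-Control` and similar. Consider changing that row to `- ["org.http4k.core", "Response", True, "header", "(String,String)", "", "Argument[1]", "url-redirection", "manual"]` and noting in the comment that it fires for every header name. The `header(String)`, `headerValues(String)` and `bodyString()` accessors are declared on http4k's `HttpMessage` supertype rather than on `Request`; unless MaD matching in the targeted CodeQL version resolves inherited members, calls through a `HttpMessage`-typed receiver (filters, shared helpers) get no source and the `header(String,String)`/`body(String)` summaries have the same gap, so parallel rows on `["org.http4k.core", "HttpMessage", True, ...]` are worth adding and the `Request` rows should be confirmed to fire on a small test database. The `Response.body(String)` rows are sinks regardless of the Content-Type the response carries; a comment such as `# body(String) is a sink for every response, not only text/html; expect reports on JSON/text endpoints` would help maintainers triage the resulting findings.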
@@ -0,0 +1,21 @@
+extensions:
+ - addsTo:
+ pack: codeql/java-all
+ extensible: sinkModel
+ data:
+ # Gson deserialization sinks (untrusted data parsed into objects)
+ - ["org.http4k.format", "ConfigurableGson", True, "asA", "(String,Class)", "", "Argument[0]", "unsafe-deserialization", "manual"]
+ - ["org.http4k.format", "ConfigurableGson", True, "asA", "(InputStream,Class)", "", "Argument[0]", "unsafe-deserialization", "manual"]
+ - addsTo:
+ pack: codeql/java-all
+ extensible: summaryModel
+ data:
+ # Gson: taint propagation through deserialization (input taints output)
+ - ["org.http4k.format", "ConfigurableGson", True, "asA", "(String,Class)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+ - ["org.http4k.format", "ConfigurableGson", True, "asA", "(InputStream,Class)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+ # Gson: JSON string parsing
+ - ["org.http4k.format", "ConfigurableGson", True, "asJsonObject", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+ - addsTo:
+ pack: codeql/java-all
+ extensible: neutralModel
+ data: []
diff --git a/languages/java/custom/src/http4k-format-jackson.model.yml b/languages/java/custom/src/http4k-format-jackson.model.yml
new file mode 100644
index 0000000..2fa82f3
--- /dev/null
+++ b/languages/java/custom/src/http4k-format-jackson.model.yml
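Review bot: The `asA` rows use the signatures `(String,Class)` and `(InputStream,Class)`, but http4k's `ConfigurableGson.asA` is a Kotlin function whose target parameter is a `KClass<T>`, so the erased parameter type is `kotlin.reflect.KClass` and, if that holds for the targeted http4k version, none of these rows will ever match; the identical rows in the Jackson and Moshi hunks have the same problem. Check the erased signature against the compiled class (for example with `javap` on `ConfigurableGson`) and, if confirmed, change the rows to `"(String,KClass)"` and `"(InputStream,KClass)"`, also verifying that the `InputStream` overload exists in that version. Tagging a type-bounded Gson parse as `unsafe-deserialization` feeds it into the `java/unsafe-deserialization` query, which is aimed at gadget-style deserialization; for Gson this is a deliberate precision trade-off that deserves a comment such as `# asA is modelled as unsafe-deserialization to surface parsing of untrusted JSON; expect lower precision than for native Java serialization`.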
@@ -0,0 +1,21 @@
+extensions:
+ - addsTo:
+ pack: codeql/java-all
+ extensible: sinkModel
+ data:
+ # Jackson deserialization sinks (untrusted data parsed into objects)
+ - ["org.http4k.format", "ConfigurableJackson", True, "asA", "(String,Class)", "", "Argument[0]", "unsafe-deserialization", "manual"]
+ - ["org.http4k.format", "ConfigurableJackson", True, "asA", "(InputStream,Class)", "", "Argument[0]", "unsafe-deserialization", "manual"]
+ - addsTo:
+ pack: codeql/java-all
+ extensible: summaryModel
+ data:
+ # Jackson: taint propagation through deserialization (input taints output)
+ - ["org.http4k.format", "ConfigurableJackson", True, "asA", "(String,Class)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+ - ["org.http4k.format", "ConfigurableJackson", True, "asA", "(InputStream,Class)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+ # Jackson: JSON string parsing
+ - ["org.http4k.format", "ConfigurableJackson", True, "asJsonObject", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+ - addsTo:
+ pack: codeql/java-all
+ extensible: neutralModel
+ data: []
diff --git a/languages/java/custom/src/http4k-format-moshi.model.yml b/languages/java/custom/src/http4k-format-moshi.model.yml
new file mode 100644
index 0000000..a2ccc3e
--- /dev/null
+++ b/languages/java/custom/src/http4k-format-moshi.model.yml
@@ -0,0 +1,21 @@
+extensions:
+ - addsTo:
+ pack: codeql/java-all
+ extensible: sinkModel
+ data:
+ # Moshi deserialization sinks (untrusted data parsed into objects)
+ - ["org.http4k.format", "ConfigurableMoshi", True, "asA", "(String,Class)", "", "Argument[0]", "unsafe-deserialization", "manual"]
+ - ["org.http4k.format", "ConfigurableMoshi", True, "asA", "(InputStream,Class)", "", "Argument[0]", "unsafe-deserialization", "manual"]
+ - addsTo:
+ pack: codeql/java-all
+ extensible: summaryModel
+ data:
+ # Moshi: taint propagation through deserialization (input taints output)
+ - ["org.http4k.format", "ConfigurableMoshi", True, "asA", "(String,Class)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+ - ["org.http4k.format", "ConfigurableMoshi", True, "asA", "(InputStream,Class)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+ # Moshi: JSON string parsing
+ - ["org.http4k.format", "ConfigurableMoshi", True, "asJsonObject", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+ - addsTo:
+ pack: codeql/java-all
+ extensible: neutralModel
+ data: []
diff --git a/languages/java/custom/src/http4k-multipart.model.yml b/languages/java/custom/src/http4k-multipart.model.yml
new file mode 100644
index 0000000..cbaf852
--- /dev/null
+++ b/languages/java/custom/src/http4k-multipart.model.yml
@@ -0,0 +1,32 @@
+extensions:
+ - addsTo:
+ pack: codeql/java-all
+ extensible: sourceModel
+ data:
+ # MultipartFormBody field accessors (form field values from multipart requests)
+ - ["org.http4k.core", "MultipartFormBody", True, "fieldValue", "(String)", "", "ReturnValue", "remote", "manual"]
+ - ["org.http4k.core", "MultipartFormBody", True, "fieldValues", "(String)", "", "ReturnValue", "remote", "manual"]
+ - ["org.http4k.core", "MultipartFormBody", True, "field", "(String)", "", "ReturnValue", "remote", "manual"]
+ - ["org.http4k.core", "MultipartFormBody", True, "fields", "(String)", "", "ReturnValue", "remote", "manual"]
+ # MultipartFormBody file accessors (uploaded files from multipart requests)
+ - ["org.http4k.core", "MultipartFormBody", True, "file", "(String)", "", "ReturnValue", "remote", "manual"]
+ - ["org.http4k.core", "MultipartFormBody", True, "files", "(String)", "", "ReturnValue", "remote", "manual"]
+ # MultipartFormFile properties (attacker-controlled file metadata and content)
+ - ["org.http4k.lens", "MultipartFormFile", True, "getFilename", "()", "", "ReturnValue", "remote", "manual"]
+ - ["org.http4k.lens", "MultipartFormFile", True, "getContent", "()", "", "ReturnValue", "remote", "manual"]
+ # MultipartFormField value (attacker-controlled form field value)
+ - ["org.http4k.lens", "MultipartFormField", True, "getValue", "()", "", "ReturnValue", "remote", "manual"]
+ - addsTo:
+ pack: codeql/java-all
+ extensible: sinkModel
+ data: []
+ - addsTo:
+ pack: codeql/java-all
+ extensible: summaryModel
+ data:
+ # MultipartFormBody.from() parses multipart request, taint flows through
+ - ["org.http4k.core", "MultipartFormBody", False, "from", "(HttpMessage,int,DiskLocation)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+ - addsTo:
+ pack: codeql/java-all
+ extensible: neutralModel
+ data: []
diff --git a/languages/java/custom/src/qlpack.yml b/languages/java/custom/src/qlpack.yml
index 04a1481..c307b54 100644
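Review bot: The summary row models `from` directly on `MultipartFormBody` with `subtypes = False`, but in http4k `from` is a companion-object function with default arguments; the JVM method is then declared on the nested `Companion` class (so the type column would need to be `MultipartFormBody$Companion`), and Kotlin callers that rely on the defaults go through the generated `from$default` rather than the three-argument method, so this row may never match — verify the resolved callee on a test database before relying on it. `MultipartFormFile` in http4k also exposes the client-supplied content type, which is as attacker-controlled as the filename; if `getContentType()` is present in the targeted version, add `- ["org.http4k.lens", "MultipartFormFile", True, "getContentType", "()", "", "ReturnValue", "remote", "manual"]` alongside the filename and content rows.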
--- a/languages/java/custom/src/qlpack.yml
+++ b/languages/java/custom/src/qlpack.yml
@@ -3,3 +3,5 @@ version: 0.0.1
 library: false
 dependencies:
 codeql/java-all: "*"
+dataExtensions:
+ - "*.model.yml"
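Review bot: With `library: false` and no `extensionTargets`, the files matched by `*.model.yml` are applied only when queries from this pack itself are run; if the intent is to extend the standard `codeql/java-queries` suites with the http4k models, they need to live in a model pack (`library: true` together with `extensionTargets:` naming `codeql/java-all: "*"`) or be passed explicitly with `--model-packs` at analysis time. The glob matches only files in the same directory as `qlpack.yml`, which is where the five new `http4k-*.model.yml` files are placed, so it is correct today; a comment such as `# model files must sit next to this qlpack.yml; use "**/*.model.yml" if they move into subdirectories` would keep that constraint visible.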