[NEW DATA EXTENSION] Kotlin HTTP4k (core, format-jackson, format-moshi, format-gson, multipart)

languages/java/custom/src/http4k-core.model.yml

@@ -0,0 +1,46 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+    data:
+      # Request query parameter accessors
+      - ["org.http4k.core", "Request", True, "query", "(String)", "", "ReturnValue", "remote", "manual"]
+      - ["org.http4k.core", "Request", True, "queries", "(String)", "", "ReturnValue", "remote", "manual"]
+      # Request header accessors
+      - ["org.http4k.core", "Request", True, "header", "(String)", "", "ReturnValue", "remote", "manual"]
+      - ["org.http4k.core", "Request", True, "headerValues", "(String)", "", "ReturnValue", "remote", "manual"]
+      # Request body accessors
+      - ["org.http4k.core", "Request", True, "bodyString", "()", "", "ReturnValue", "remote", "manual"]
+      # Request URI
+      - ["org.http4k.core", "Request", True, "getUri", "()", "", "ReturnValue", "remote", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      # Response body sinks (XSS)
+      - ["org.http4k.core", "Response", True, "body", "(String)", "", "Argument[0]", "html-injection", "manual"]
+      - ["org.http4k.core", "Response", True, "body", "(String)", "", "Argument[0]", "js-injection", "manual"]
+      # Response header sinks (response splitting, request forgery)
+      - ["org.http4k.core", "Response", True, "header", "(String,String)", "", "Argument[0..1]", "response-splitting", "manual"]
+      - ["org.http4k.core", "Response", True, "header", "(String,String)", "", "Argument[1]", "request-forgery", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      # Request immutable builder pattern: this flows through to return value
+      - ["org.http4k.core", "Request", True, "header", "(String,String)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["org.http4k.core", "Request", True, "body", "(String)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["org.http4k.core", "Request", True, "query", "(String,String)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      # Response immutable builder pattern: this flows through to return value
+      - ["org.http4k.core", "Response", True, "header", "(String,String)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["org.http4k.core", "Response", True, "body", "(String)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      # Taint propagation: arguments taint the builder result
+      - ["org.http4k.core", "Request", True, "header", "(String,String)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
+      - ["org.http4k.core", "Request", True, "body", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["org.http4k.core", "Request", True, "query", "(String,String)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
+      - ["org.http4k.core", "Response", True, "header", "(String,String)", "", "Argument[1]", "ReturnValue", "taint", "manual"]
+      - ["org.http4k.core", "Response", True, "body", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: neutralModel
+    data: []

languages/java/custom/src/http4k-format-gson.model.yml

@@ -0,0 +1,21 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      # Gson deserialization sinks (untrusted data parsed into objects)
+      - ["org.http4k.format", "ConfigurableGson", True, "asA", "(String,Class)", "", "Argument[0]", "unsafe-deserialization", "manual"]
+      - ["org.http4k.format", "ConfigurableGson", True, "asA", "(InputStream,Class)", "", "Argument[0]", "unsafe-deserialization", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      # Gson: taint propagation through deserialization (input taints output)
+      - ["org.http4k.format", "ConfigurableGson", True, "asA", "(String,Class)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["org.http4k.format", "ConfigurableGson", True, "asA", "(InputStream,Class)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      # Gson: JSON string parsing
+      - ["org.http4k.format", "ConfigurableGson", True, "asJsonObject", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: neutralModel
+    data: []

languages/java/custom/src/http4k-format-jackson.model.yml

@@ -0,0 +1,21 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      # Jackson deserialization sinks (untrusted data parsed into objects)
+      - ["org.http4k.format", "ConfigurableJackson", True, "asA", "(String,Class)", "", "Argument[0]", "unsafe-deserialization", "manual"]
+      - ["org.http4k.format", "ConfigurableJackson", True, "asA", "(InputStream,Class)", "", "Argument[0]", "unsafe-deserialization", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      # Jackson: taint propagation through deserialization (input taints output)
+      - ["org.http4k.format", "ConfigurableJackson", True, "asA", "(String,Class)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["org.http4k.format", "ConfigurableJackson", True, "asA", "(InputStream,Class)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      # Jackson: JSON string parsing
+      - ["org.http4k.format", "ConfigurableJackson", True, "asJsonObject", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: neutralModel
+    data: []

languages/java/custom/src/http4k-format-moshi.model.yml

@@ -0,0 +1,21 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      # Moshi deserialization sinks (untrusted data parsed into objects)
+      - ["org.http4k.format", "ConfigurableMoshi", True, "asA", "(String,Class)", "", "Argument[0]", "unsafe-deserialization", "manual"]
+      - ["org.http4k.format", "ConfigurableMoshi", True, "asA", "(InputStream,Class)", "", "Argument[0]", "unsafe-deserialization", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      # Moshi: taint propagation through deserialization (input taints output)
+      - ["org.http4k.format", "ConfigurableMoshi", True, "asA", "(String,Class)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["org.http4k.format", "ConfigurableMoshi", True, "asA", "(InputStream,Class)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      # Moshi: JSON string parsing
+      - ["org.http4k.format", "ConfigurableMoshi", True, "asJsonObject", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: neutralModel
+    data: []

languages/java/custom/src/http4k-multipart.model.yml

@@ -0,0 +1,32 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+    data:
+      # MultipartFormBody field accessors (form field values from multipart requests)
+      - ["org.http4k.core", "MultipartFormBody", True, "fieldValue", "(String)", "", "ReturnValue", "remote", "manual"]
+      - ["org.http4k.core", "MultipartFormBody", True, "fieldValues", "(String)", "", "ReturnValue", "remote", "manual"]
+      - ["org.http4k.core", "MultipartFormBody", True, "field", "(String)", "", "ReturnValue", "remote", "manual"]
+      - ["org.http4k.core", "MultipartFormBody", True, "fields", "(String)", "", "ReturnValue", "remote", "manual"]
+      # MultipartFormBody file accessors (uploaded files from multipart requests)
+      - ["org.http4k.core", "MultipartFormBody", True, "file", "(String)", "", "ReturnValue", "remote", "manual"]
+      - ["org.http4k.core", "MultipartFormBody", True, "files", "(String)", "", "ReturnValue", "remote", "manual"]
+      # MultipartFormFile properties (attacker-controlled file metadata and content)
+      - ["org.http4k.lens", "MultipartFormFile", True, "getFilename", "()", "", "ReturnValue", "remote", "manual"]
+      - ["org.http4k.lens", "MultipartFormFile", True, "getContent", "()", "", "ReturnValue", "remote", "manual"]
+      # MultipartFormField value (attacker-controlled form field value)
+      - ["org.http4k.lens", "MultipartFormField", True, "getValue", "()", "", "ReturnValue", "remote", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data: []
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      # MultipartFormBody.from() parses multipart request, taint flows through
+      - ["org.http4k.core", "MultipartFormBody", False, "from", "(HttpMessage,int,DiskLocation)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: neutralModel
+    data: []

languages/java/custom/src/qlpack.yml

@@ -3,3 +3,5 @@ version: 0.0.1
 library: false
 dependencies:
   codeql/java-all: "*"
+dataExtensions:
+  - "*.model.yml"