Closed ebickle closed 1 year ago
Hi @ebickle,
Thanks for the question. This has certainly come up in the past, and we have an internal issue for tracking such requests.
I'll add your issue to our internal tracking, and will let you know once we improve in this area 🙂.
I just merged support for extracting `.jsp` files: https://github.com/github/codeql/pull/14497
And yes, it has limitations, as it just assumes that `.jsp` files are HTML, so e.g. `<script><%=something_dubious_here%></script>` won't be flagged as bad.
It might still take a few weeks before the feature lands in a stable release.
Thank you! Really appreciate the help!
Description of the issue
The CodeQL JavaScript extractor doesn't support JSP files yet, although it does support other HTML template engines such as Vue.js, Handlebars, EJS, Nunjucks, and Embedded Ruby files.
The CodeQL Java extractor has limited (alpha?) support for JSP files when configured to precompile them as part of a Java build process, but this process still skips any embedded JavaScript within the JSP files' HTML `<script>` markup.
How difficult would it be to add limited JSP support to the JavaScript extractor? Obviously this would have some limitations, as JSP markup could exist within the JavaScript (`<script><%=something_dubious_here%></script>`), but those issues are likely to be the same as the other existing supported template file formats. Classic Microsoft Active Server Pages (.asp) is very similar syntactically to JSP, so this might be a two-for-one sale.
We have an existing application with a lot of JSP files and some old embedded JavaScript that needs some TLC. It's currently a blind spot in our CodeQL coverage.
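An added example, not part of the thread and not CodeQL code: because JSP tags inside `<script>` are not analysed when `.jsp` files are treated as HTML, this Node.js sketch inventories them so they can be reviewed by hand. The function names and the sample page are constructed for illustration.

```javascript
// Constructed sample JSP page, for illustration only.
const SAMPLE_JSP = [
  '<%@ page contentType="text/html" %>',
  '<h1><%= title %></h1>',
  '<script src="<%= ctx %>/app.js"></script>',
  '<script>',
  '  var user = "<%=something_dubious_here%>";',
  '  <%-- JSP comment, never sent to the browser --%>',
  '  <% if (debug) { %> console.log(user); <% } %>',
  '</script>',
].join('\n');

// Any JSP tag: comment, expression, directive, declaration or scriptlet.
const JSP_TAG = /<%--[\s\S]*?--%>|<%[\s\S]*?%>/g;
const SCRIPT_BLOCK = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;

function classify(tag) {
  if (tag.startsWith('<%--')) return 'comment';
  if (tag.startsWith('<%=')) return 'expression';
  if (tag.startsWith('<%@')) return 'directive';
  if (tag.startsWith('<%!')) return 'declaration';
  return 'scriptlet';
}

// Returns JSP expressions and scriptlets that sit inside inline <script> bodies.
function findJspInScripts(source) {
  const tags = [...source.matchAll(JSP_TAG)].map((m) => ({
    start: m.index, text: m[0], kind: classify(m[0]),
  }));
  // Blank out JSP tags (same length, so offsets are preserved); otherwise a
  // "%>" inside an attribute would end the opening <script ...> tag early.
  const masked = source.replace(JSP_TAG, (t) => ' '.repeat(t.length));
  const findings = [];
  for (const m of masked.matchAll(SCRIPT_BLOCK)) {
    const bodyStart = m.index + m[0].indexOf('>') + 1;
    const bodyEnd = bodyStart + m[1].length;
    for (const t of tags) {
      const inBody = t.start >= bodyStart && t.start < bodyEnd;
      if (inBody && (t.kind === 'expression' || t.kind === 'scriptlet')) {
        const line = source.slice(0, t.start).split('\n').length;
        findings.push({ line, kind: t.kind, text: t.text });
      }
    }
  }
  return findings;
}

console.log(findJspInScripts(SAMPLE_JSP));
```

Tags outside inline script bodies (the `<h1>` expression and the `src` attribute) are deliberately not reported, since the gap discussed here is server-side output written into JavaScript source.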