github / codeql

CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security
https://codeql.github.com
MIT License

Extract JavaScript from <script> tags within JSP files #14490

Closed ebickle closed 1 year ago

ebickle commented 1 year ago

Description of the issue

The CodeQL JavaScript extractor doesn't support JSP files yet, although it does support other HTML template engines such as Vue.js, Handlebars, EJS, Nunjucks, and Embedded Ruby files.

The CodeQL Java extractor has limited (alpha?) support for JSP files when configured to precompile them as part of a Java build process, but this process still skips any embedded JavaScript within the JSP files' HTML <script> markup.

How difficult would it be to add limited JSP support to the JavaScript extractor? Obviously this would have some limitations, as JSP markup could exist within the JavaScript (<script><%=something_dubious_here%></script>), but those issues are likely to be the same as the other existing supported template file formats. Classic Microsoft Active Server Pages (.asp) is very similar syntactically to JSP, so this might be a two-for-one sale.

We have an existing application with a lot of JSP files and some old embedded JavaScript that needs some TLC. It's currently a blind spot in our CodeQL coverage.

MathiasVP commented 1 year ago

Hi @ebickle,

Thanks for the question. This has certainly come up in the past, and we have an internal issue for tracking such requests.

I'll add your issue to our internal tracking, and will let you know once we improve in this area 🙂.

erik-krogh commented 1 year ago

I just merged support for extracting .jsp files: https://github.com/github/codeql/pull/14497

And yes, it has limitations, as it just assumes that .jsp files are HTML, so e.g. <script><%=something_dubious_here%></script> won't be flagged as bad.

It might still take a few weeks before the feature lands in a stable release.
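A small inventory check for the blind spot Erik describes, added here as an example and not part of CodeQL or this issue: it lists every JSP scriptlet expression (`<%= ... %>`) that sits inside a `<script>` block, since the new extraction treats the file as plain HTML and will not flag those. The sample JSP and its line numbers are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample JSP (not from the issue): two script blocks that embed
# server-side expressions, plus one scriptlet outside any script block.
SAMPLE_JSP = """<html>
<head><title>Demo</title></head>
<body>
<script>
  var user = "<%= request.getParameter("name") %>";
  document.getElementById("greet").innerHTML = "Hello " + user;
</script>
<script type="text/javascript">
  var count = <%= 42 %>;
</script>
<p><%= "static text" %></p>
</body>
</html>
"""

# Non-greedy match of each <script ...>...</script> body.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# JSP scriptlet, expression, declaration or directive tags.
SCRIPTLET_RE = re.compile(r"<%[=!@]?(.*?)%>", re.DOTALL)


def find_scriptlets_in_scripts(jsp_text: str) -> List[Tuple[int, str]]:
    """Return (line number, scriptlet body) for each JSP scriptlet found
    inside a <script> block. Scriptlets elsewhere in the page are ignored,
    because only the ones inside scripts end up inside extracted JavaScript."""
    hits = []
    for block in SCRIPT_RE.finditer(jsp_text):
        body_start = block.start(1)
        for tag in SCRIPTLET_RE.finditer(block.group(1)):
            abs_pos = body_start + tag.start()
            line_no = jsp_text.count("\n", 0, abs_pos) + 1
            hits.append((line_no, tag.group(1).strip()))
    return hits


if __name__ == "__main__":
    for line_no, body in find_scriptlets_in_scripts(SAMPLE_JSP):
        print(f"line {line_no}: server-side value inside <script>: {body}")
```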

ebickle commented 1 year ago

Thank you! Really appreciate the help!