jf205 / codeql-starter

Starter workspace to use with the CodeQL extension for Visual Studio Code.
MIT License

Query run by jf205 against 35 `java` repositories #5

Open github-actions[bot] opened 2 years ago

github-actions[bot] commented 2 years ago

Query

```ql
/**
 * @name Cross-site scripting
 * @description Writing user input directly to a web page
 *              allows for a cross-site scripting vulnerability.
 * @kind path-problem
 * @problem.severity error
 * @security-severity 6.1
 * @precision high
 * @id java/xss
 * @tags security
 *       external/cwe/cwe-079
 */

import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.XSS
import DataFlow::PathGraph

// Taint-tracking configuration: remote (user-controlled) input flowing
// unsanitized into an XSS sink (a response body, a rendered page, etc.).
class XSSConfig extends TaintTracking::Configuration {
  XSSConfig() { this = "XSSConfig" }

  // Any data that arrives from a remote client (HTTP parameters, headers, bodies, ...).
  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  // Places where data is written into HTTP output / HTML.
  override predicate isSink(DataFlow::Node sink) { sink instanceof XssSink }

  // Encoders and escapers recognised by the XSS library stop the flow.
  override predicate isSanitizer(DataFlow::Node node) { node instanceof XssSanitizer }

  override predicate isSanitizerOut(DataFlow::Node node) { node instanceof XssSinkBarrier }

  // Extra propagation steps specific to XSS (e.g. through templating APIs).
  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
    any(XssAdditionalTaintStep s).step(node1, node2)
  }
}

from DataFlow::PathNode source, DataFlow::PathNode sink, XSSConfig conf
where conf.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "Cross-site scripting vulnerability due to $@.",
  source.getNode(), "user-provided value"
```

Results

| Repository | Results |
| --- | --- |
| apache/cxf | 15 result(s) |
| reactor/reactor-netty | 3 result(s) |
| hapifhir/hapi-fhir | 2 result(s) |
| apache/myfaces-tobago | No results |
| nextcloud/news-android | No results |
| B3Partners/tailormap | No results |
| netty/netty | No results |
| oracle/weblogic-kubernetes-operator | No results |
| spockframework/spock | No results |
| Yubico/java-webauthn-server | No results |
| webauthn4j/webauthn4j | No results |
| odpi/egeria | No results |
| apache/incubator-shenyu | No results |
| apple/servicetalk | No results |
| redisson/redisson | No results |
| Hongbo-Miao/hongbomiao.com | No results |
| alfio-event/alf.io | No results |
| salesforce/carbonj | No results |
| zxing/zxing | No results |
| gradle/gradle | No results |
| zeroc-ice/ice | No results |
| diffplug/spotless | No results |
| qiniu/java-sdk | No results |
| Hack23/cia | No results |
| MegaMek/mekhq | No results |
| stefan-niedermann/nextcloud-notes | No results |
| jnidzwetzki/bboxdb | No results |
| strimzi/strimzi-kafka-operator | No results |
| bndtools/bnd | No results |
| killbill/killbill | No results |
| redis/jedis | No results |
| assertj/assertj-core | No results |
| kubernetes-client/java | No results |
| NCI-Agency/anet | No results |
| crate/crate | No results |

github-actions[bot] commented 2 years ago

apache/cxf

| sink node | source | sink | message | source node | label |
| --- | --- | --- | --- | --- | --- |
| buffer | getInputStream(...) : InputStream | buffer | Cross-site scripting vulnerability due to $@. | getInputStream(...) | user-provided value |
| buffer | getEntityStream(...) : InputStream | buffer | Cross-site scripting vulnerability due to $@. | getEntityStream(...) | user-provided value |
| buffer | getEntityStream(...) : InputStream | buffer | Cross-site scripting vulnerability due to $@. | getEntityStream(...) | user-provided value |
| buffer | getEntityStream(...) : InputStream | buffer | Cross-site scripting vulnerability due to $@. | getEntityStream(...) | user-provided value |
| buffer | getEntityStream(...) : InputStream | buffer | Cross-site scripting vulnerability due to $@. | getEntityStream(...) | user-provided value |
| buffer | getEntityStream(...) : InputStream | buffer | Cross-site scripting vulnerability due to $@. | getEntityStream(...) | user-provided value |
| buffer | getEntityStream(...) : InputStream | buffer | Cross-site scripting vulnerability due to $@. | getEntityStream(...) | user-provided value |
| buffer | is : InputStream | buffer | Cross-site scripting vulnerability due to $@. | is | user-provided value |
| buffer | is : InputStream | buffer | Cross-site scripting vulnerability due to $@. | is | user-provided value |
| buffer | is : InputStream | buffer | Cross-site scripting vulnerability due to $@. | is | user-provided value |
| buffer | is : InputStream | buffer | Cross-site scripting vulnerability due to $@. | is | user-provided value |
| buffer | is : InputStream | buffer | Cross-site scripting vulnerability due to $@. | is | user-provided value |
| buffer | is : InputStream | buffer | Cross-site scripting vulnerability due to $@. | is | user-provided value |
| completeAuthentication(...) | oidcContext : OidcClientTokenContext | completeAuthentication(...) | Cross-site scripting vulnerability due to $@. | oidcContext | user-provided value |
| build(...) | oidcContext : OidcClientTokenContext | build(...) | Cross-site scripting vulnerability due to $@. | oidcContext | user-provided value |

github-actions[bot] commented 2 years ago

reactor/reactor-netty

| sink node | source | sink | message | source node | label |
| --- | --- | --- | --- | --- | --- |
| url | getRequestURL(...) : StringBuffer | url | Cross-site scripting vulnerability due to $@. | getRequestURL(...) | user-provided value |
| url | getQueryString(...) : String | url | Cross-site scripting vulnerability due to $@. | getQueryString(...) | user-provided value |
| path | getPathInfo(...) : String | path | Cross-site scripting vulnerability due to $@. | getPathInfo(...) | user-provided value |

github-actions[bot] commented 2 years ago

hapifhir/hapi-fhir

| sink node | source | sink | message | source node | label |
| --- | --- | --- | --- | --- | --- |
| outputBuffer | getHeaderNames(...) : Enumeration | outputBuffer | Cross-site scripting vulnerability due to $@. | getHeaderNames(...) | user-provided value |
| outputBuffer | getHeaders(...) : Enumeration | outputBuffer | Cross-site scripting vulnerability due to $@. | getHeaders(...) | user-provided value |