From 2fe74a855479c02e0db385d779b940cd5d95bb6a Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 8 Aug 2024 10:11:25 +0100 Subject: [PATCH] Update model validation --- shared/mad/codeql/mad/ModelValidation.qll | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/shared/mad/codeql/mad/ModelValidation.qll b/shared/mad/codeql/mad/ModelValidation.qll index 7bfdc69b5692..c28fc421d972 100644 --- a/shared/mad/codeql/mad/ModelValidation.qll +++ b/shared/mad/codeql/mad/ModelValidation.qll @@ -28,13 +28,13 @@ module KindValidation { // shared "code-injection", "command-injection", "environment-injection", "file-content-store", "html-injection", "js-injection", "ldap-injection", "log-injection", "path-injection", - "request-forgery", "sql-injection", "url-redirection", + "request-forgery", "sql-injection", "url-redirection", "xpath-injection", // Java-only currently, but may be shared in the future "bean-validation", "fragment-injection", "groovy-injection", "hostname-verification", "information-leak", "intent-redirection", "jexl-injection", "jndi-injection", "mvel-injection", "notification", "ognl-injection", "pending-intents", "response-splitting", "trust-boundary-violation", "template-injection", "url-forward", - "xpath-injection", "xslt-injection", + "xslt-injection", // JavaScript-only currently, but may be shared in the future "mongodb.sink", "nosql-injection", "unsafe-deserialization", // Swift-only currently, but may be shared in the future @@ -48,13 +48,11 @@ module KindValidation { or this.matches([ // shared - "credentials-%", "encryption-%", "qltest%", "test-%", - // Java-only currently, but may be shared in the future - "regex-use%", + "credentials-%", "encryption-%", "qltest%", "test-%", "regex-use%", // Swift-only currently, but may be shared in the future "%string-%length", "weak-hash-input-%", // Go-only currently, but may be shared in the future - "request-forgery%" + "request-forgery[%]", "url-redirection[%]" ]) } }
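Review bot: In the second hunk, the new patterns `"request-forgery[%]"` and `"url-redirection[%]"` require the bracketed form but still accept anything between the brackets, including an empty `[]`, since `%` matches any character sequence. `"regex-use%"`, now on the shared line, also keeps its prefix-only match, so a constructed kind such as `regex-use-typo` would still pass. If this check is meant to reject mistyped sink kinds before queries silently ignore them (inferred, not shown here), consider tightening `regex-use%` the same way where its kinds are always bracketed. A comment above the Go entries would also help, for example `// "<kind>[<arg>]" form; the bracket contents are not validated here`. The bare `request-forgery` and `url-redirection` kinds remain valid through the exact-match list in the first hunk, and the enclosing predicate starts outside this hunk.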