From e6dbd525c318e5ac55edfbafc283fd3ef59e3330 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Mon, 9 Feb 2026 16:12:43 +0000
Subject: [PATCH 01/10] Add `RegexExecution` in `Concepts.qll`
---
 java/ql/lib/java.qll | 1 +
 java/ql/lib/semmle/code/java/Concepts.qll | 88 +++++++++++++++++++++++
 2 files changed, 89 insertions(+)
 create mode 100644 java/ql/lib/semmle/code/java/Concepts.qll
diff --git a/java/ql/lib/java.qll b/java/ql/lib/java.qll
index 9644343e93b6..7d0f0b7546db 100644
--- a/java/ql/lib/java.qll
+++ b/java/ql/lib/java.qll
@@ -9,6 +9,7 @@ import semmle.code.Unit
 import semmle.code.java.Annotation
 import semmle.code.java.Compilation
 import semmle.code.java.CompilationUnit
+import semmle.code.java.Concepts
 import semmle.code.java.ControlFlowGraph
 import semmle.code.java.Dependency
 import semmle.code.java.Element
diff --git a/java/ql/lib/semmle/code/java/Concepts.qll b/java/ql/lib/semmle/code/java/Concepts.qll
new file mode 100644
index 000000000000..3024455792c8
--- /dev/null
+++ b/java/ql/lib/semmle/code/java/Concepts.qll
@@ -0,0 +1,88 @@
+/**
+ * Provides abstract classes representing generic concepts such as file system
+ * access or system command execution, for which individual framework libraries
+ * provide concrete subclasses.
+ */
+overlay[local?]
+module;
+
+import java
+private import semmle.code.java.dataflow.DataFlow
+
+/**
+ * A data-flow node that executes a regular expression.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `RegexExecution::Range` instead.
+ */
+class RegexExecution extends DataFlow::Node instanceof RegexExecution::Range {
+ /** Gets the data flow node for the regex being executed by this node. */
+ DataFlow::Node getRegex() { result = super.getRegex() }
+
+ /** Gets a dataflow node for the string to be searched or matched against. */
+ DataFlow::Node getString() { result = super.getString() }
+
+ /**
+ * Gets the name of this regex execution, typically the name of an executing method.
+ * This is used for nice alert messages and should include the module if possible.
+ */
+ string getName() { result = super.getName() }
+}
+
+/** Provides classes for modeling new regular-expression execution APIs. */
+module RegexExecution {
+ /**
+ * A data flow node that executes a regular expression.
+ *
+ * Extend this class to model new APIs. If you want to refine existing API models,
+ * extend `RegexExecution` instead.
+ */
+ abstract class Range extends DataFlow::Node {
+ /** Gets the data flow node for the regex being executed by this node. */
+ abstract DataFlow::Node getRegex();
+
+ /** Gets a data flow node for the string to be searched or matched against. */
+ abstract DataFlow::Node getString();
+
+ /**
+ * Gets the name of this regex execution, typically the name of an executing method.
+ * This is used for nice alert messages and should include the module if possible.
+ */
+ abstract string getName();
+ }
+
+ private class RangeFromExpr extends Range {
+ private RegexExecutionExpr::Range ree;
+
+ RangeFromExpr() { this.asExpr() = ree }
+
+ override DataFlow::Node getRegex() { result.asExpr() = ree.getRegex() }
+
+ override DataFlow::Node getString() { result.asExpr() = ree.getString() }
+
+ override string getName() { result = ree.getName() }
+ }
+}
+
+/** Provides classes for modeling new regular-expression execution APIs. */
+module RegexExecutionExpr {
+ /**
+ * An expression that executes a regular expression.
+ *
+ * Extend this class to model new APIs. If you want to refine existing API models,
+ * extend `RegexExecution` instead.
+ */
+ abstract class Range extends Expr {
+ /** Gets the expression for the regex being executed by this node. */
+ abstract Expr getRegex();
+
+ /** Gets a expression for the string to be searched or matched against. */
+ abstract Expr getString();
+
+ /**
+ * Gets the name of this regex execution, typically the name of an executing method.
+ * This is used for nice alert messages and should include the module if possible.
+ */
+ abstract string getName();
+ }
+}
From 44eeee57570e6fd960defb342ec13bd65ad3aa51 Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Tue, 10 Feb 2026 14:49:53 +0000
Subject: [PATCH 02/10] Add and improve classes for regex-related methods
---
 java/ql/lib/semmle/code/java/JDK.qll | 8 ++-
 .../lib/semmle/code/java/frameworks/Regex.qll | 51 +++++++++++++++++++
 2 files changed, 58 insertions(+), 1 deletion(-)
diff --git a/java/ql/lib/semmle/code/java/JDK.qll b/java/ql/lib/semmle/code/java/JDK.qll
index f965fbfe6ba6..fcb1980a33b6 100644
--- a/java/ql/lib/semmle/code/java/JDK.qll
+++ b/java/ql/lib/semmle/code/java/JDK.qll
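Review bot: The file header QLDoc promises concepts "such as file system access or system command execution", but the only concept this file defines is `RegexExecution`; trim it to what is actually provided, e.g. `Provides abstract classes representing generic concepts such as regular-expression execution, for which individual framework libraries provide concrete subclasses.` In `RegexExecutionExpr::Range` the `getString` QLDoc reads `Gets a expression` (should be `Gets an expression`), and its `getRegex`/`getString` docs say `by this node` although the class extends `Expr`, so `by this expression` fits better. The module QLDoc on `RegexExecutionExpr` is a verbatim copy of the one on `RegexExecution`; saying that it is the expression-based variant that `RangeFromExpr` lifts into `RegexExecution::Range` would tell a reader which of the two to extend. The `getName` wording "should include the module if possible" is borrowed from languages with modules; for Java the names used later in this series are `DeclaringClass.method` (`String.matches`), so "class" is the clearer word.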
@@ -48,13 +48,19 @@ class StringContainsMethod extends Method { } /** A call to the `java.lang.String.matches` method. */ -class StringMatchesCall extends MethodCall { +class StringMatchesCall extends MethodCall, RegexExecutionExpr::Range { StringMatchesCall() { exists(Method m | m = this.getMethod() | m.getDeclaringType() instanceof TypeString and m.hasName("matches") ) } + + override Expr getRegex() { result = this.getArgument(0) } + + override Expr getString() { result = this.getQualifier() } + + override string getName() { result = "String.matches" } } /** A call to the `java.lang.String.replaceAll` method. */ diff --git a/java/ql/lib/semmle/code/java/frameworks/Regex.qll b/java/ql/lib/semmle/code/java/frameworks/Regex.qll index 56be77eae825..e1a89e3239dc 100644 --- a/java/ql/lib/semmle/code/java/frameworks/Regex.qll +++ b/java/ql/lib/semmle/code/java/frameworks/Regex.qll @@ -3,6 +3,7 @@ overlay[local?] module; import java +private import semmle.code.java.dataflow.DataFlow /** The class `java.util.regex.Matcher`. */ class TypeRegexMatcher extends Class { @@ -24,6 +25,16 @@ class TypeRegexPattern extends Class { TypeRegexPattern() { this.hasQualifiedName("java.util.regex", "Pattern") } } +/** + * The `compile` method of `java.util.regex.Pattern`. + */ +class PatternCompileMethod extends Method { + PatternCompileMethod() { + this.getDeclaringType() instanceof TypeRegexPattern and + this.hasName("compile") + } +} + /** * The `matches` method of `java.util.regex.Pattern`. */ 
@@ -59,3 +70,43 @@ class PatternLiteralField extends Field { this.hasName("LITERAL") } } + +/** A call to the `compile` method of `java.util.regex.Pattern` */ +class PatternCompileCall extends MethodCall { + PatternCompileCall() { this.getMethod() instanceof PatternCompileMethod } +} + +/** A call to the `matcher` method of `java.util.regex.Pattern` */ +class PatternMatcherCall extends MethodCall { + PatternMatcherCall() { this.getMethod() instanceof PatternMatcherMethod } +} + +/** A call to the `matches` method of `java.util.regex.Pattern` */ +class PatternMatchesCall extends MethodCall, RegexExecutionExpr::Range { + PatternMatchesCall() { this.getMethod() instanceof PatternMatchesMethod } + + override Expr getRegex() { result = this.getArgument(0) } + + override Expr getString() { result = this.getArgument(1) } + + override string getName() { result = "Pattern.matches" } +} + +/** A call to the `matches` method of `java.util.regex.Matcher` */ +class MatcherMatchesCall extends MethodCall, RegexExecutionExpr::Range { + MatcherMatchesCall() { this.getMethod() instanceof MatcherMatchesMethod } + + PatternMatcherCall getPatternMatcherCall() { + DataFlow::localExprFlow(result, this.getQualifier()) + } + + PatternCompileCall getPatternCompileCall() { + DataFlow::localExprFlow(result, this.getPatternMatcherCall()) + } + + override Expr getRegex() { result = this.getPatternCompileCall().getArgument(0) } + + override Expr getString() { result = this.getPatternMatcherCall().getArgument(0) } + + override string getName() { result = "Matcher.matches" } +} From fa3fba4a00a86bc047a2fd3384748b27555fcb09 Mon Sep 17 00:00:00 2001 
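Review bot: `MatcherMatchesCall.getPatternCompileCall()` only finds the `Pattern.compile` call when its result flows locally (`DataFlow::localExprFlow`) to the `matcher(...)` qualifier, so for the common idiom of a `Pattern` kept in a `static final` field there is no result and `getRegex()` is empty for that call; `getPatternMatcherCall()` has the same gap when the `Matcher` arrives via a field or parameter. As far as I can tell local expression flow does not follow field reads, so consumers that need the regex text (such as the path sanitizer changed later in this series) will silently not recognise those matches; that trade-off is worth stating in the QLDoc of both predicates, e.g. `Only calls whose result flows locally to this call are found; patterns held in fields are not tracked.` The QLDoc on `PatternCompileCall`, `PatternMatcherCall`, `PatternMatchesCall` and `MatcherMatchesCall` also lacks the terminating period used by the other doc comments in this file.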
From: Owen Mansel-Chan Date: Tue, 10 Feb 2026 14:51:08 +0000 Subject: [PATCH 03/10] Use new regex-related classes (no functional change) --- .../java/security/regexp/RegexInjection.qll | 8 ++- .../CWE/CWE-625/PermissiveDotRegexQuery.qll | 34 ++++--------- .../Security/CWE/CWE-625/Regex.qll | 51 ------------------- 3 files changed, 13 insertions(+), 80 deletions(-) delete mode 100644 java/ql/src/experimental/Security/CWE/CWE-625/Regex.qll diff --git a/java/ql/lib/semmle/code/java/security/regexp/RegexInjection.qll b/java/ql/lib/semmle/code/java/security/regexp/RegexInjection.qll index 944ffca803ae..a14a07e04463 100644 --- a/java/ql/lib/semmle/code/java/security/regexp/RegexInjection.qll +++ b/java/ql/lib/semmle/code/java/security/regexp/RegexInjection.qll @@ -31,11 +31,9 @@ private class ExternalRegexInjectionSanitizer extends RegexInjectionSanitizer { */ private class PatternLiteralFlag extends RegexInjectionSanitizer { PatternLiteralFlag() { - exists(MethodCall ma, Method m, PatternLiteralField field | m = ma.getMethod() | - ma.getArgument(0) = this.asExpr() and - m.getDeclaringType() instanceof TypeRegexPattern and - m.hasName("compile") and - ma.getArgument(1) = field.getAnAccess() + exists(PatternCompileCall pcc, PatternLiteralField field | + pcc.getArgument(0) = this.asExpr() and + pcc.getArgument(1) = field.getAnAccess() ) } } diff --git a/java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegexQuery.qll b/java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegexQuery.qll index f8e328902504..027e4f931cbd 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegexQuery.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegexQuery.qll 
@@ -7,7 +7,7 @@ private import semmle.code.java.dataflow.FlowSources import experimental.semmle.code.java.security.SpringUrlRedirect import semmle.code.java.controlflow.Guards import semmle.code.java.security.UrlRedirect -import Regex +private import semmle.code.java.frameworks.Regex overlay[local?] private class ActivateModels extends ActiveExperimentalModels { @@ -81,11 +81,11 @@ private class CompileRegexSink extends DataFlow::ExprNode { ( ma.getArgument(0) = this.asExpr() and ( - m instanceof StringMatchMethod // input.matches(regexPattern) + ma instanceof StringMatchesCall // input.matches(regexPattern) or - m instanceof PatternCompileMethod // p = Pattern.compile(regexPattern) + ma instanceof PatternCompileCall // p = Pattern.compile(regexPattern) or - m instanceof PatternMatchMethod // p = Pattern.matches(regexPattern, input) + ma instanceof PatternMatchesCall // p = Pattern.matches(regexPattern, input) ) ) ) @@ -107,7 +107,7 @@ private module PermissiveDotRegexConfig implements DataFlow::ConfigSig { ma.getMethod() instanceof PatternCompileMethod and ma.getArgument(1) = f.getAnAccess() and f.hasName("DOTALL") and - f.getDeclaringType() instanceof Pattern and + f.getDeclaringType() instanceof TypeRegexPattern and node.asExpr() = ma.getArgument(0) ) } @@ -147,11 +147,11 @@ module MatchRegexConfig implements DataFlow::ConfigSig { ) and exists(MethodCall ma | PermissiveDotRegexFlow::flowToExpr(ma.getArgument(0)) | // input.matches(regexPattern) - ma.getMethod() instanceof StringMatchMethod and + ma instanceof StringMatchesCall and ma.getQualifier() = sink.asExpr() or // p = Pattern.compile(regexPattern); p.matcher(input) - ma.getMethod() instanceof PatternCompileMethod and + ma instanceof PatternCompileCall and exists(MethodCall pma | pma.getMethod() instanceof PatternMatcherMethod and sink.asExpr() = pma.getArgument(0) and 
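Review bot: In the `CompileRegexSink` hunk (`@@ -81,11 +81,11 @@`) the three rewritten disjuncts now test `ma` directly, so the `Method m` bound in the enclosing `exists` (above the hunk, presumably `exists(MethodCall ma, Method m | m = ma.getMethod() | ...)`) appears to have no remaining use; if so, drop `m` from the `exists`, as the `-176` hunk in this file does with `any(StringMatchesCall mc)`. The enclosing `exists` starts outside the hunk, so confirm `m` is not referenced elsewhere in it before removing it.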
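Review bot: The `-107` hunk still writes `ma.getMethod() instanceof PatternCompileMethod and` and the `-147` hunk `pma.getMethod() instanceof PatternMatcherMethod and`, while the `-81` hunk of the same file switches to the new call classes; for consistency these can become `ma instanceof PatternCompileCall and` and `pma instanceof PatternMatcherCall and`. `PatternMatcherCall` is introduced by patch 02 of this series and is not used anywhere in this query yet. Both enclosing predicates begin and end outside their hunks.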
@@ -159,7 +159,7 @@ module MatchRegexConfig implements DataFlow::ConfigSig { ) or // p = Pattern.matches(regexPattern, input) - ma.getMethod() instanceof PatternMatchMethod and + ma instanceof PatternMatchesCall and sink.asExpr() = ma.getArgument(1) ) } @@ -176,28 +176,14 @@ abstract class MatchRegexSink extends DataFlow::ExprNode { } * A string being matched against a regular expression. */ private class StringMatchRegexSink extends MatchRegexSink { - StringMatchRegexSink() { - exists(MethodCall ma, Method m | m = ma.getMethod() | - ( - m instanceof StringMatchMethod and - ma.getQualifier() = this.asExpr() - ) - ) - } + StringMatchRegexSink() { any(StringMatchesCall mc).getQualifier() = this.asExpr() } } /** * A string being matched against a regular expression using a pattern. */ private class PatternMatchRegexSink extends MatchRegexSink { - PatternMatchRegexSink() { - exists(MethodCall ma, Method m | m = ma.getMethod() | - ( - m instanceof PatternMatchMethod and - ma.getArgument(1) = this.asExpr() - ) - ) - } + PatternMatchRegexSink() { any(PatternMatchesCall mc).getArgument(1) = this.asExpr() } } /** diff --git a/java/ql/src/experimental/Security/CWE/CWE-625/Regex.qll b/java/ql/src/experimental/Security/CWE/CWE-625/Regex.qll deleted file mode 100644 index e605f31a0b35..000000000000 --- a/java/ql/src/experimental/Security/CWE/CWE-625/Regex.qll +++ /dev/null 
@@ -1,51 +0,0 @@
-/** Provides methods related to regular expression matching. */
-deprecated module;
-
-import java
-
-/**
- * The class `java.util.regex.Pattern`.
- */
-class Pattern extends RefType {
- Pattern() { this.hasQualifiedName("java.util.regex", "Pattern") }
-}
-
-/**
- * The method `compile` of `java.util.regex.Pattern`.
- */
-class PatternCompileMethod extends Method {
- PatternCompileMethod() {
- this.getDeclaringType().getASupertype*() instanceof Pattern and
- this.hasName("compile")
- }
-}
-
-/**
- * The method `matches` of `java.util.regex.Pattern`.
- */
-class PatternMatchMethod extends Method {
- PatternMatchMethod() {
- this.getDeclaringType().getASupertype*() instanceof Pattern and
- this.hasName("matches")
- }
-}
-
-/**
- * The method `matcher` of `java.util.regex.Pattern`.
- */
-class PatternMatcherMethod extends Method {
- PatternMatcherMethod() {
- this.getDeclaringType().getASupertype*() instanceof Pattern and
- this.hasName("matcher")
- }
-}
-
-/**
- * The method `matches` of `java.lang.String`.
- */
-class StringMatchMethod extends Method {
- StringMatchMethod() {
- this.getDeclaringType().getASupertype*() instanceof TypeString and
- this.hasName("matches")
- }
-}
From a22fd39230ddd590a01d5a505fd194ce1c87033e Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Tue, 10 Feb 2026 14:54:54 +0000
Subject: [PATCH 04/10] Use RegexExecution in sanitizer definitions (expands scope)
---
 .../semmle/code/java/security/PathSanitizer.qll | 13 +++++--------
 .../lib/semmle/code/java/security/Sanitizers.qll | 14 +++-----------
 2 files changed, 8 insertions(+), 19 deletions(-)
diff --git a/java/ql/lib/semmle/code/java/security/PathSanitizer.qll b/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
index 4685f5e48f71..ffd506550016 100644
--- a/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
+++ b/java/ql/lib/semmle/code/java/security/PathSanitizer.qll
@@ -427,20 +427,17 @@ private class ReplaceDirectoryCharactersSanitizer extends StringReplaceOrReplace } } -/** Holds if `target` is the first argument of `matchesCall`. */ -private predicate isMatchesTarget(StringMatchesCall matchesCall, CompileTimeConstantExpr target) { - target = matchesCall.getArgument(0) -} - /** * Holds if `matchesCall` confirms that `checkedExpr` does not contain any directory characters * on the given `branch`. */ -private predicate isMatchesCall(StringMatchesCall matchesCall, Expr checkedExpr, boolean branch) { +private predicate isMatchesCall( + RegexExecutionExpr::Range regexMatch, Expr checkedExpr, boolean branch +) { exists(CompileTimeConstantExpr target, string targetValue | - isMatchesTarget(matchesCall, target) and + target = regexMatch.getRegex() and target.getStringValue() = targetValue and - checkedExpr = matchesCall.getQualifier() + checkedExpr = regexMatch.getString() | ( // Allow anything except `.`, '/', '\' diff --git a/java/ql/lib/semmle/code/java/security/Sanitizers.qll b/java/ql/lib/semmle/code/java/security/Sanitizers.qll index 3f909864d2cd..ddac010391e9 100644 --- a/java/ql/lib/semmle/code/java/security/Sanitizers.qll +++ b/java/ql/lib/semmle/code/java/security/Sanitizers.qll @@ -46,19 +46,11 @@ predicate regexpMatchGuardChecks(Guard guard, Expr e, boolean branch) { guard = mc and branch = true | - // `String.matches` and other `matches` methods. + e = mc.(RegexExecutionExpr::Range).getString() + or + // Other `matches` methods. method.getName() = "matches" and e = mc.getQualifier() - or - method instanceof PatternMatchesMethod and - e = mc.getArgument(1) - or - method instanceof MatcherMatchesMethod and - exists(MethodCall matcherCall | - matcherCall.getMethod() instanceof PatternMatcherMethod and - e = matcherCall.getArgument(0) and - DataFlow::localExprFlow(matcherCall, mc.getQualifier()) - ) ) } From 1ee57283113b29ba569ada3167fe7cbf7b40589f Mon Sep 17 00:00:00 2001 
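Review bot: The QLDoc above `isMatchesCall` still says `Holds if \`matchesCall\` confirms that \`checkedExpr\` ...`, but the parameter was renamed to `regexMatch`; update it to `Holds if \`regexMatch\` confirms that \`checkedExpr\` does not contain any directory characters on the given \`branch\`.` Widening the parameter from `StringMatchesCall` to any `RegexExecutionExpr::Range` makes this sanitizer depend on every current and future `Range` subclass being a whole-input match: the allow-list regexes checked below (the `// Allow anything except` cases) are only a valid guarantee under `matches` semantics, so a later model of `Matcher.find`, `String.replaceAll` or `split` as a `RegexExecutionExpr::Range` would turn those calls into path sanitizers. Either state on `RegexExecutionExpr::Range` that it is reserved for whole-input matching, or guard here, e.g. `regexMatch.getName().matches("%.matches") and` next to the `target = regexMatch.getRegex() and` line. The predicate body continues below the hunk.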
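Review bot: In `regexpMatchGuardChecks` the new first disjunct `e = mc.(RegexExecutionExpr::Range).getString()` is not exclusive with the retained fallback `method.getName() = "matches" and e = mc.getQualifier()`, so for a modelled `Matcher.matches()` call the guard now yields both the matched string and the `Matcher` qualifier as `e` (and the type-access qualifier for a static `Pattern.matches`). If the comment `Other \`matches\` methods.` means unmodelled ones, add `not mc instanceof RegexExecutionExpr::Range and` to that branch; if the extra qualifier result is kept deliberately (the old code produced it too), say so in the comment. `method` and `mc` are bound above the hunk.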
From: Owen Mansel-Chan Date: Wed, 11 Feb 2026 13:40:20 +0000 Subject: [PATCH 05/10] Add missing QLDoc --- java/ql/lib/semmle/code/java/frameworks/Regex.qll | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/java/ql/lib/semmle/code/java/frameworks/Regex.qll b/java/ql/lib/semmle/code/java/frameworks/Regex.qll index e1a89e3239dc..28b7dd6a31a6 100644 --- a/java/ql/lib/semmle/code/java/frameworks/Regex.qll +++ b/java/ql/lib/semmle/code/java/frameworks/Regex.qll @@ -96,10 +96,20 @@ class PatternMatchesCall extends MethodCall, RegexExecutionExpr::Range { class MatcherMatchesCall extends MethodCall, RegexExecutionExpr::Range { MatcherMatchesCall() { this.getMethod() instanceof MatcherMatchesMethod } + /** + * Get the call to `java.util.regex.Pattern.matcher` which returned the + * qualifier of this call. This is needed to determine the string being + * matched. + */ PatternMatcherCall getPatternMatcherCall() { DataFlow::localExprFlow(result, this.getQualifier()) } + /** + * Get the call to `java.util.regex.Pattern.compile` which returned the + * `Pattern` used by this matcher. This is needed to determine the regular + * expression being used. + */ PatternCompileCall getPatternCompileCall() { DataFlow::localExprFlow(result, this.getPatternMatcherCall()) } From 6a8204d28c6199135753bac75d397eba88822841 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Wed, 11 Feb 2026 13:41:14 +0000 Subject: [PATCH 06/10] "dataflow" -> "data flow" in QLDoc --- java/ql/lib/semmle/code/java/Concepts.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/java/ql/lib/semmle/code/java/Concepts.qll b/java/ql/lib/semmle/code/java/Concepts.qll index 3024455792c8..ebe37bc2bc4d 100644 --- a/java/ql/lib/semmle/code/java/Concepts.qll +++ b/java/ql/lib/semmle/code/java/Concepts.qll 
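Review bot: Both new QLDoc comments open with `Get the call to ...`, while the convention in the rest of this series (and this file) is third person `Gets ...`; change them to `Gets the call to \`java.util.regex.Pattern.matcher\` ...` and `Gets the call to \`java.util.regex.Pattern.compile\` ...`. Since both predicates rely on `DataFlow::localExprFlow` (visible in the context lines), this is also the place to note that a `Pattern` or `Matcher` obtained from a field or parameter is not found, so `getRegex()`/`getString()` may have no result for such calls.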
@@ -19,7 +19,7 @@ class RegexExecution extends DataFlow::Node instanceof RegexExecution::Range { /** Gets the data flow node for the regex being executed by this node. */ DataFlow::Node getRegex() { result = super.getRegex() } - /** Gets a dataflow node for the string to be searched or matched against. */ + /** Gets a data flow node for the string to be searched or matched against. */ DataFlow::Node getString() { result = super.getString() } /** From d0999e3abdbe162c2bbd4b46f5aa21712772cf2c Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 12 Feb 2026 16:57:04 +0000 Subject: [PATCH 07/10] Add failing test for @Pattern validation --- .../security/CWE-918/RequestForgery.expected | 747 +++++++++++------- .../security/CWE-918/SanitizationTests.java | 69 +- .../test/query-tests/security/CWE-918/options | 2 +- .../javax/validation/Constraint.java | 88 +++ .../javax/validation/Payload.java | 23 + .../javax/validation/constraints/Pattern.java | 148 ++++ 6 files changed, 802 insertions(+), 275 deletions(-) create mode 100644 java/ql/test/stubs/javax-validation-constraints/javax/validation/Constraint.java create mode 100644 java/ql/test/stubs/javax-validation-constraints/javax/validation/Payload.java create mode 100644 java/ql/test/stubs/javax-validation-constraints/javax/validation/constraints/Pattern.java diff --git a/java/ql/test/query-tests/security/CWE-918/RequestForgery.expected b/java/ql/test/query-tests/security/CWE-918/RequestForgery.expected index 3fdd2395fcb7..f1e7c9e2b86d 100644 --- a/java/ql/test/query-tests/security/CWE-918/RequestForgery.expected +++ b/java/ql/test/query-tests/security/CWE-918/RequestForgery.expected 
@@ -228,30 +228,44 @@ | JdbcUrlSSRF.java:88:19:88:25 | jdbcUrl | JdbcUrlSSRF.java:80:26:80:56 | getParameter(...) : String | JdbcUrlSSRF.java:88:19:88:25 | jdbcUrl | Potential server-side request forgery due to a $@. | JdbcUrlSSRF.java:80:26:80:56 | getParameter(...) | user-provided value | | ReactiveWebClientSSRF.java:16:52:16:54 | url | ReactiveWebClientSSRF.java:15:26:15:52 | getParameter(...) : String | ReactiveWebClientSSRF.java:16:52:16:54 | url | Potential server-side request forgery due to a $@. | ReactiveWebClientSSRF.java:15:26:15:52 | getParameter(...) | user-provided value | | ReactiveWebClientSSRF.java:35:30:35:32 | url | ReactiveWebClientSSRF.java:32:26:32:52 | getParameter(...) : String | ReactiveWebClientSSRF.java:35:30:35:32 | url | Potential server-side request forgery due to a $@. | ReactiveWebClientSSRF.java:32:26:32:52 | getParameter(...) | user-provided value | -| SanitizationTests.java:24:52:24:54 | uri | SanitizationTests.java:21:31:21:57 | getParameter(...) : String | SanitizationTests.java:24:52:24:54 | uri | Potential server-side request forgery due to a $@. | SanitizationTests.java:21:31:21:57 | getParameter(...) | user-provided value | -| SanitizationTests.java:25:25:25:25 | r | SanitizationTests.java:21:31:21:57 | getParameter(...) : String | SanitizationTests.java:25:25:25:25 | r | Potential server-side request forgery due to a $@. | SanitizationTests.java:21:31:21:57 | getParameter(...) | user-provided value | -| SanitizationTests.java:78:59:78:77 | new URI(...) | SanitizationTests.java:77:33:77:63 | getParameter(...) : String | SanitizationTests.java:78:59:78:77 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:77:33:77:63 | getParameter(...) | user-provided value | -| SanitizationTests.java:79:25:79:32 | unsafer3 | SanitizationTests.java:77:33:77:63 | getParameter(...) : String | SanitizationTests.java:79:25:79:32 | unsafer3 | Potential server-side request forgery due to a $@. 
| SanitizationTests.java:77:33:77:63 | getParameter(...) | user-provided value | -| SanitizationTests.java:82:59:82:77 | new URI(...) | SanitizationTests.java:81:49:81:79 | getParameter(...) : String | SanitizationTests.java:82:59:82:77 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:81:49:81:79 | getParameter(...) | user-provided value | -| SanitizationTests.java:83:25:83:32 | unsafer4 | SanitizationTests.java:81:49:81:79 | getParameter(...) : String | SanitizationTests.java:83:25:83:32 | unsafer4 | Potential server-side request forgery due to a $@. | SanitizationTests.java:81:49:81:79 | getParameter(...) | user-provided value | -| SanitizationTests.java:87:59:87:88 | new URI(...) | SanitizationTests.java:86:31:86:61 | getParameter(...) : String | SanitizationTests.java:87:59:87:88 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:86:31:86:61 | getParameter(...) | user-provided value | -| SanitizationTests.java:88:25:88:32 | unsafer5 | SanitizationTests.java:86:31:86:61 | getParameter(...) : String | SanitizationTests.java:88:25:88:32 | unsafer5 | Potential server-side request forgery due to a $@. | SanitizationTests.java:86:31:86:61 | getParameter(...) | user-provided value | -| SanitizationTests.java:92:60:92:89 | new URI(...) | SanitizationTests.java:90:58:90:86 | getParameter(...) : String | SanitizationTests.java:92:60:92:89 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:90:58:90:86 | getParameter(...) | user-provided value | -| SanitizationTests.java:93:25:93:33 | unsafer5a | SanitizationTests.java:90:58:90:86 | getParameter(...) : String | SanitizationTests.java:93:25:93:33 | unsafer5a | Potential server-side request forgery due to a $@. | SanitizationTests.java:90:58:90:86 | getParameter(...) | user-provided value | -| SanitizationTests.java:97:60:97:90 | new URI(...) | SanitizationTests.java:95:60:95:88 | getParameter(...) 
: String | SanitizationTests.java:97:60:97:90 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:95:60:95:88 | getParameter(...) | user-provided value | -| SanitizationTests.java:98:25:98:33 | unsafer5b | SanitizationTests.java:95:60:95:88 | getParameter(...) : String | SanitizationTests.java:98:25:98:33 | unsafer5b | Potential server-side request forgery due to a $@. | SanitizationTests.java:95:60:95:88 | getParameter(...) | user-provided value | -| SanitizationTests.java:102:60:102:90 | new URI(...) | SanitizationTests.java:100:77:100:105 | getParameter(...) : String | SanitizationTests.java:102:60:102:90 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:100:77:100:105 | getParameter(...) | user-provided value | -| SanitizationTests.java:103:25:103:33 | unsafer5c | SanitizationTests.java:100:77:100:105 | getParameter(...) : String | SanitizationTests.java:103:25:103:33 | unsafer5c | Potential server-side request forgery due to a $@. | SanitizationTests.java:100:77:100:105 | getParameter(...) | user-provided value | -| SanitizationTests.java:106:59:106:77 | new URI(...) | SanitizationTests.java:105:73:105:103 | getParameter(...) : String | SanitizationTests.java:106:59:106:77 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:105:73:105:103 | getParameter(...) | user-provided value | -| SanitizationTests.java:107:25:107:32 | unsafer6 | SanitizationTests.java:105:73:105:103 | getParameter(...) : String | SanitizationTests.java:107:25:107:32 | unsafer6 | Potential server-side request forgery due to a $@. | SanitizationTests.java:105:73:105:103 | getParameter(...) | user-provided value | -| SanitizationTests.java:110:59:110:77 | new URI(...) | SanitizationTests.java:109:56:109:86 | getParameter(...) : String | SanitizationTests.java:110:59:110:77 | new URI(...) | Potential server-side request forgery due to a $@. 
| SanitizationTests.java:109:56:109:86 | getParameter(...) | user-provided value | -| SanitizationTests.java:111:25:111:32 | unsafer7 | SanitizationTests.java:109:56:109:86 | getParameter(...) : String | SanitizationTests.java:111:25:111:32 | unsafer7 | Potential server-side request forgery due to a $@. | SanitizationTests.java:109:56:109:86 | getParameter(...) | user-provided value | -| SanitizationTests.java:114:59:114:77 | new URI(...) | SanitizationTests.java:113:55:113:85 | getParameter(...) : String | SanitizationTests.java:114:59:114:77 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:113:55:113:85 | getParameter(...) | user-provided value | -| SanitizationTests.java:115:25:115:32 | unsafer8 | SanitizationTests.java:113:55:113:85 | getParameter(...) : String | SanitizationTests.java:115:25:115:32 | unsafer8 | Potential server-side request forgery due to a $@. | SanitizationTests.java:113:55:113:85 | getParameter(...) | user-provided value | -| SanitizationTests.java:118:59:118:77 | new URI(...) | SanitizationTests.java:117:33:117:63 | getParameter(...) : String | SanitizationTests.java:118:59:118:77 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:117:33:117:63 | getParameter(...) | user-provided value | -| SanitizationTests.java:119:25:119:32 | unsafer9 | SanitizationTests.java:117:33:117:63 | getParameter(...) : String | SanitizationTests.java:119:25:119:32 | unsafer9 | Potential server-side request forgery due to a $@. | SanitizationTests.java:117:33:117:63 | getParameter(...) | user-provided value | -| SanitizationTests.java:122:60:122:79 | new URI(...) | SanitizationTests.java:121:94:121:125 | getParameter(...) : String | SanitizationTests.java:122:60:122:79 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:121:94:121:125 | getParameter(...) 
| user-provided value | -| SanitizationTests.java:123:25:123:33 | unsafer10 | SanitizationTests.java:121:94:121:125 | getParameter(...) : String | SanitizationTests.java:123:25:123:33 | unsafer10 | Potential server-side request forgery due to a $@. | SanitizationTests.java:121:94:121:125 | getParameter(...) | user-provided value | +| SanitizationTests.java:25:52:25:54 | uri | SanitizationTests.java:22:31:22:57 | getParameter(...) : String | SanitizationTests.java:25:52:25:54 | uri | Potential server-side request forgery due to a $@. | SanitizationTests.java:22:31:22:57 | getParameter(...) | user-provided value | +| SanitizationTests.java:26:25:26:25 | r | SanitizationTests.java:22:31:22:57 | getParameter(...) : String | SanitizationTests.java:26:25:26:25 | r | Potential server-side request forgery due to a $@. | SanitizationTests.java:22:31:22:57 | getParameter(...) | user-provided value | +| SanitizationTests.java:79:59:79:77 | new URI(...) | SanitizationTests.java:78:33:78:63 | getParameter(...) : String | SanitizationTests.java:79:59:79:77 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:78:33:78:63 | getParameter(...) | user-provided value | +| SanitizationTests.java:80:25:80:32 | unsafer3 | SanitizationTests.java:78:33:78:63 | getParameter(...) : String | SanitizationTests.java:80:25:80:32 | unsafer3 | Potential server-side request forgery due to a $@. | SanitizationTests.java:78:33:78:63 | getParameter(...) | user-provided value | +| SanitizationTests.java:83:59:83:77 | new URI(...) | SanitizationTests.java:82:49:82:79 | getParameter(...) : String | SanitizationTests.java:83:59:83:77 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:82:49:82:79 | getParameter(...) | user-provided value | +| SanitizationTests.java:84:25:84:32 | unsafer4 | SanitizationTests.java:82:49:82:79 | getParameter(...) 
: String | SanitizationTests.java:84:25:84:32 | unsafer4 | Potential server-side request forgery due to a $@. | SanitizationTests.java:82:49:82:79 | getParameter(...) | user-provided value | +| SanitizationTests.java:88:59:88:88 | new URI(...) | SanitizationTests.java:87:31:87:61 | getParameter(...) : String | SanitizationTests.java:88:59:88:88 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:87:31:87:61 | getParameter(...) | user-provided value | +| SanitizationTests.java:89:25:89:32 | unsafer5 | SanitizationTests.java:87:31:87:61 | getParameter(...) : String | SanitizationTests.java:89:25:89:32 | unsafer5 | Potential server-side request forgery due to a $@. | SanitizationTests.java:87:31:87:61 | getParameter(...) | user-provided value | +| SanitizationTests.java:93:60:93:89 | new URI(...) | SanitizationTests.java:91:58:91:86 | getParameter(...) : String | SanitizationTests.java:93:60:93:89 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:91:58:91:86 | getParameter(...) | user-provided value | +| SanitizationTests.java:94:25:94:33 | unsafer5a | SanitizationTests.java:91:58:91:86 | getParameter(...) : String | SanitizationTests.java:94:25:94:33 | unsafer5a | Potential server-side request forgery due to a $@. | SanitizationTests.java:91:58:91:86 | getParameter(...) | user-provided value | +| SanitizationTests.java:98:60:98:90 | new URI(...) | SanitizationTests.java:96:60:96:88 | getParameter(...) : String | SanitizationTests.java:98:60:98:90 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:96:60:96:88 | getParameter(...) | user-provided value | +| SanitizationTests.java:99:25:99:33 | unsafer5b | SanitizationTests.java:96:60:96:88 | getParameter(...) : String | SanitizationTests.java:99:25:99:33 | unsafer5b | Potential server-side request forgery due to a $@. | SanitizationTests.java:96:60:96:88 | getParameter(...) 
| user-provided value | +| SanitizationTests.java:103:60:103:90 | new URI(...) | SanitizationTests.java:101:77:101:105 | getParameter(...) : String | SanitizationTests.java:103:60:103:90 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:101:77:101:105 | getParameter(...) | user-provided value | +| SanitizationTests.java:104:25:104:33 | unsafer5c | SanitizationTests.java:101:77:101:105 | getParameter(...) : String | SanitizationTests.java:104:25:104:33 | unsafer5c | Potential server-side request forgery due to a $@. | SanitizationTests.java:101:77:101:105 | getParameter(...) | user-provided value | +| SanitizationTests.java:107:59:107:77 | new URI(...) | SanitizationTests.java:106:73:106:103 | getParameter(...) : String | SanitizationTests.java:107:59:107:77 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:106:73:106:103 | getParameter(...) | user-provided value | +| SanitizationTests.java:108:25:108:32 | unsafer6 | SanitizationTests.java:106:73:106:103 | getParameter(...) : String | SanitizationTests.java:108:25:108:32 | unsafer6 | Potential server-side request forgery due to a $@. | SanitizationTests.java:106:73:106:103 | getParameter(...) | user-provided value | +| SanitizationTests.java:111:59:111:77 | new URI(...) | SanitizationTests.java:110:56:110:86 | getParameter(...) : String | SanitizationTests.java:111:59:111:77 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:110:56:110:86 | getParameter(...) | user-provided value | +| SanitizationTests.java:112:25:112:32 | unsafer7 | SanitizationTests.java:110:56:110:86 | getParameter(...) : String | SanitizationTests.java:112:25:112:32 | unsafer7 | Potential server-side request forgery due to a $@. | SanitizationTests.java:110:56:110:86 | getParameter(...) | user-provided value | +| SanitizationTests.java:115:59:115:77 | new URI(...) 
| SanitizationTests.java:114:55:114:85 | getParameter(...) : String | SanitizationTests.java:115:59:115:77 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:114:55:114:85 | getParameter(...) | user-provided value | +| SanitizationTests.java:116:25:116:32 | unsafer8 | SanitizationTests.java:114:55:114:85 | getParameter(...) : String | SanitizationTests.java:116:25:116:32 | unsafer8 | Potential server-side request forgery due to a $@. | SanitizationTests.java:114:55:114:85 | getParameter(...) | user-provided value | +| SanitizationTests.java:119:59:119:77 | new URI(...) | SanitizationTests.java:118:33:118:63 | getParameter(...) : String | SanitizationTests.java:119:59:119:77 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:118:33:118:63 | getParameter(...) | user-provided value | +| SanitizationTests.java:120:25:120:32 | unsafer9 | SanitizationTests.java:118:33:118:63 | getParameter(...) : String | SanitizationTests.java:120:25:120:32 | unsafer9 | Potential server-side request forgery due to a $@. | SanitizationTests.java:118:33:118:63 | getParameter(...) | user-provided value | +| SanitizationTests.java:123:60:123:79 | new URI(...) | SanitizationTests.java:122:94:122:125 | getParameter(...) : String | SanitizationTests.java:123:60:123:79 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:122:94:122:125 | getParameter(...) | user-provided value | +| SanitizationTests.java:124:25:124:33 | unsafer10 | SanitizationTests.java:122:94:122:125 | getParameter(...) : String | SanitizationTests.java:124:25:124:33 | unsafer10 | Potential server-side request forgery due to a $@. | SanitizationTests.java:122:94:122:125 | getParameter(...) | user-provided value | +| SanitizationTests.java:154:55:154:72 | new URI(...) | SanitizationTests.java:153:67:153:95 | getParameter(...) : String | SanitizationTests.java:154:55:154:72 | new URI(...) 
| Potential server-side request forgery due to a $@. | SanitizationTests.java:153:67:153:95 | getParameter(...) | user-provided value | +| SanitizationTests.java:155:25:155:28 | r14a | SanitizationTests.java:153:67:153:95 | getParameter(...) : String | SanitizationTests.java:155:25:155:28 | r14a | Potential server-side request forgery due to a $@. | SanitizationTests.java:153:67:153:95 | getParameter(...) | user-provided value | +| SanitizationTests.java:156:55:156:77 | new URI(...) | SanitizationTests.java:153:67:153:95 | getParameter(...) : String | SanitizationTests.java:156:55:156:77 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:153:67:153:95 | getParameter(...) | user-provided value | +| SanitizationTests.java:157:25:157:28 | r14b | SanitizationTests.java:153:67:153:95 | getParameter(...) : String | SanitizationTests.java:157:25:157:28 | r14b | Potential server-side request forgery due to a $@. | SanitizationTests.java:153:67:153:95 | getParameter(...) | user-provided value | +| SanitizationTests.java:161:55:161:72 | new URI(...) | SanitizationTests.java:160:75:160:103 | getParameter(...) : String | SanitizationTests.java:161:55:161:72 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:160:75:160:103 | getParameter(...) | user-provided value | +| SanitizationTests.java:162:25:162:28 | r15a | SanitizationTests.java:160:75:160:103 | getParameter(...) : String | SanitizationTests.java:162:25:162:28 | r15a | Potential server-side request forgery due to a $@. | SanitizationTests.java:160:75:160:103 | getParameter(...) | user-provided value | +| SanitizationTests.java:163:55:163:77 | new URI(...) | SanitizationTests.java:160:75:160:103 | getParameter(...) : String | SanitizationTests.java:163:55:163:77 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:160:75:160:103 | getParameter(...) 
| user-provided value | +| SanitizationTests.java:164:25:164:28 | r15b | SanitizationTests.java:160:75:160:103 | getParameter(...) : String | SanitizationTests.java:164:25:164:28 | r15b | Potential server-side request forgery due to a $@. | SanitizationTests.java:160:75:160:103 | getParameter(...) | user-provided value | +| SanitizationTests.java:167:54:167:102 | new URI(...) | SanitizationTests.java:167:72:167:100 | getParameter(...) : String | SanitizationTests.java:167:54:167:102 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:167:72:167:100 | getParameter(...) | user-provided value | +| SanitizationTests.java:168:25:168:27 | r16 | SanitizationTests.java:167:72:167:100 | getParameter(...) : String | SanitizationTests.java:168:25:168:27 | r16 | Potential server-side request forgery due to a $@. | SanitizationTests.java:167:72:167:100 | getParameter(...) | user-provided value | +| SanitizationTests.java:171:54:171:102 | new URI(...) | SanitizationTests.java:171:72:171:100 | getParameter(...) : String | SanitizationTests.java:171:54:171:102 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:171:72:171:100 | getParameter(...) | user-provided value | +| SanitizationTests.java:172:25:172:27 | r17 | SanitizationTests.java:171:72:171:100 | getParameter(...) : String | SanitizationTests.java:172:25:172:27 | r17 | Potential server-side request forgery due to a $@. | SanitizationTests.java:171:72:171:100 | getParameter(...) | user-provided value | +| SanitizationTests.java:175:54:175:113 | new URI(...) | SanitizationTests.java:175:82:175:110 | getParameter(...) : String | SanitizationTests.java:175:54:175:113 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:175:82:175:110 | getParameter(...) | user-provided value | +| SanitizationTests.java:176:25:176:27 | r18 | SanitizationTests.java:175:82:175:110 | getParameter(...) 
: String | SanitizationTests.java:176:25:176:27 | r18 | Potential server-side request forgery due to a $@. | SanitizationTests.java:175:82:175:110 | getParameter(...) | user-provided value | | SpringSSRF.java:32:39:32:59 | ... + ... | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:32:39:32:59 | ... + ... | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value | | SpringSSRF.java:33:69:33:82 | fooResourceUrl | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:33:69:33:82 | fooResourceUrl | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value | | SpringSSRF.java:34:73:34:86 | fooResourceUrl | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:34:73:34:86 | fooResourceUrl | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value | 
@@ -403,11 +417,11 @@ edges | ApacheHttpSSRF.java:28:31:28:34 | sink : String | ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | provenance | Config | | ApacheHttpSSRF.java:28:31:28:34 | sink : String | ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | provenance | MaD:285 | | ApacheHttpSSRF.java:42:62:42:64 | uri : URI | ApacheHttpSSRF.java:42:62:42:75 | toString(...) : String | provenance | MaD:286 | -| ApacheHttpSSRF.java:42:62:42:75 | toString(...) : String | ApacheHttpSSRF.java:42:34:42:82 | new BasicRequestLine(...) | provenance | MaD:293 Sink:MaD:231 | +| ApacheHttpSSRF.java:42:62:42:75 | toString(...) : String | ApacheHttpSSRF.java:42:34:42:82 | new BasicRequestLine(...) | provenance | MaD:295 Sink:MaD:231 | | ApacheHttpSSRF.java:43:41:43:43 | uri : URI | ApacheHttpSSRF.java:43:41:43:54 | toString(...) | provenance | MaD:286 Sink:MaD:232 | | ApacheHttpSSRF.java:44:41:44:43 | uri : URI | ApacheHttpSSRF.java:44:41:44:54 | toString(...) | provenance | MaD:286 Sink:MaD:233 | | ApacheHttpSSRF.java:46:77:46:79 | uri : URI | ApacheHttpSSRF.java:46:77:46:90 | toString(...) : String | provenance | MaD:286 | -| ApacheHttpSSRF.java:46:77:46:90 | toString(...) : String | ApacheHttpSSRF.java:46:49:46:97 | new BasicRequestLine(...) | provenance | MaD:293 Sink:MaD:228 | +| ApacheHttpSSRF.java:46:77:46:90 | toString(...) : String | ApacheHttpSSRF.java:46:49:46:97 | new BasicRequestLine(...) | provenance | MaD:295 Sink:MaD:228 | | ApacheHttpSSRF.java:47:56:47:58 | uri : URI | ApacheHttpSSRF.java:47:56:47:69 | toString(...) | provenance | MaD:286 Sink:MaD:229 | | ApacheHttpSSRF.java:48:56:48:58 | uri : URI | ApacheHttpSSRF.java:48:56:48:69 | toString(...) | provenance | MaD:286 Sink:MaD:230 | | ApacheHttpSSRFVersion5.java:41:30:41:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:42:31:42:37 | uriSink : String | provenance | Src:MaD:277 | 
@@ -501,7 +515,7 @@ edges | ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:132:36:132:39 | host | provenance | Sink:MaD:100 | | ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:136:38:136:41 | host | provenance | Sink:MaD:103 | | ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:162:52:162:55 | host | provenance | Sink:MaD:204 | -| ApacheHttpSSRFVersion5.java:45:42:45:49 | hostSink : String | ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | provenance | MaD:292 | +| ApacheHttpSSRFVersion5.java:45:42:45:49 | hostSink : String | ApacheHttpSSRFVersion5.java:45:29:45:50 | new HttpHost(...) : HttpHost | provenance | MaD:294 | | ApacheHttpSSRFVersion5.java:49:54:49:56 | uri : URI | ApacheHttpSSRFVersion5.java:49:54:49:67 | toString(...) | provenance | MaD:286 Sink:MaD:39 | | ApacheHttpSSRFVersion5.java:51:48:51:50 | uri : URI | ApacheHttpSSRFVersion5.java:51:48:51:61 | toString(...) | provenance | MaD:286 Sink:MaD:41 | | ApacheHttpSSRFVersion5.java:55:38:55:40 | uri : URI | ApacheHttpSSRFVersion5.java:55:38:55:51 | toString(...) | provenance | MaD:286 Sink:MaD:44 | 
@@ -631,7 +645,7 @@ edges | ApacheHttpSSRFVersion5.java:298:31:298:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:299:42:299:49 | hostSink : String | provenance | Src:MaD:277 | | ApacheHttpSSRFVersion5.java:299:29:299:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:303:34:303:37 | host | provenance | Sink:MaD:178 | | ApacheHttpSSRFVersion5.java:299:29:299:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:304:34:304:37 | host | provenance | Sink:MaD:179 | -| ApacheHttpSSRFVersion5.java:299:42:299:49 | hostSink : String | ApacheHttpSSRFVersion5.java:299:29:299:50 | new HttpHost(...) : HttpHost | provenance | MaD:292 | +| ApacheHttpSSRFVersion5.java:299:42:299:49 | hostSink : String | ApacheHttpSSRFVersion5.java:299:29:299:50 | new HttpHost(...) : HttpHost | provenance | MaD:294 | | ApacheHttpSSRFVersion5.java:308:60:308:62 | uri : URI | ApacheHttpSSRFVersion5.java:308:60:308:73 | toString(...) | provenance | MaD:286 Sink:MaD:208 | | ApacheHttpSSRFVersion5.java:313:53:313:55 | uri : URI | ApacheHttpSSRFVersion5.java:313:53:313:66 | toString(...) | provenance | MaD:286 Sink:MaD:208 | | ApacheHttpSSRFVersion5.java:326:30:326:56 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:327:31:327:37 | uriSink : String | provenance | Src:MaD:277 | 
@@ -657,7 +671,7 @@ edges | ApacheHttpSSRFVersion5.java:327:31:327:37 | uriSink : String | ApacheHttpSSRFVersion5.java:327:23:327:38 | new URI(...) : URI | provenance | MaD:285 | | ApacheHttpSSRFVersion5.java:329:31:329:58 | getParameter(...) : String | ApacheHttpSSRFVersion5.java:330:42:330:49 | hostSink : String | provenance | Src:MaD:277 | | ApacheHttpSSRFVersion5.java:330:29:330:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:354:53:354:56 | host | provenance | Sink:MaD:204 | -| ApacheHttpSSRFVersion5.java:330:42:330:49 | hostSink : String | ApacheHttpSSRFVersion5.java:330:29:330:50 | new HttpHost(...) : HttpHost | provenance | MaD:292 | +| ApacheHttpSSRFVersion5.java:330:42:330:49 | hostSink : String | ApacheHttpSSRFVersion5.java:330:29:330:50 | new HttpHost(...) : HttpHost | provenance | MaD:294 | | ApacheHttpSSRFVersion5.java:333:42:333:44 | uri : URI | ApacheHttpSSRFVersion5.java:333:42:333:55 | toString(...) | provenance | MaD:286 Sink:MaD:180 | | ApacheHttpSSRFVersion5.java:336:39:336:41 | uri : URI | ApacheHttpSSRFVersion5.java:336:39:336:52 | toString(...) | provenance | MaD:286 Sink:MaD:182 | | ApacheHttpSSRFVersion5.java:339:40:339:42 | uri : URI | ApacheHttpSSRFVersion5.java:339:40:339:53 | toString(...) | provenance | MaD:286 Sink:MaD:184 | 
@@ -681,7 +695,7 @@ edges | ApacheHttpSSRFVersion5.java:376:29:376:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:381:51:381:54 | host | provenance | Sink:MaD:198 | | ApacheHttpSSRFVersion5.java:376:29:376:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:385:50:385:53 | host | provenance | Sink:MaD:200 | | ApacheHttpSSRFVersion5.java:376:29:376:50 | new HttpHost(...) : HttpHost | ApacheHttpSSRFVersion5.java:387:44:387:47 | host | provenance | Sink:MaD:202 | -| ApacheHttpSSRFVersion5.java:376:42:376:49 | hostSink : String | ApacheHttpSSRFVersion5.java:376:29:376:50 | new HttpHost(...) : HttpHost | provenance | MaD:292 | +| ApacheHttpSSRFVersion5.java:376:42:376:49 | hostSink : String | ApacheHttpSSRFVersion5.java:376:29:376:50 | new HttpHost(...) : HttpHost | provenance | MaD:294 | | JakartaWsSSRF.java:14:22:14:48 | getParameter(...) : String | JakartaWsSSRF.java:15:23:15:25 | url | provenance | Src:MaD:277 Sink:MaD:3 | | JavaNetHttpSSRF.java:25:27:25:53 | getParameter(...) : String | JavaNetHttpSSRF.java:26:31:26:34 | sink : String | provenance | Src:MaD:277 | | JavaNetHttpSSRF.java:26:23:26:35 | new URI(...) : URI | JavaNetHttpSSRF.java:39:59:39:61 | uri | provenance | Sink:MaD:6 | 
@@ -708,7 +722,7 @@ edges | JdbcUrlSSRF.java:52:9:52:13 | props : Properties | JdbcUrlSSRF.java:54:49:54:53 | props | provenance | Sink:MaD:1 | | JdbcUrlSSRF.java:52:9:52:13 | props [post update] : Properties [] : String | JdbcUrlSSRF.java:54:49:54:53 | props | provenance | Sink:MaD:1 | | JdbcUrlSSRF.java:52:38:52:44 | jdbcUrl : String | JdbcUrlSSRF.java:52:9:52:13 | props : Properties | provenance | Config | -| JdbcUrlSSRF.java:52:38:52:44 | jdbcUrl : String | JdbcUrlSSRF.java:52:9:52:13 | props [post update] : Properties [] : String | provenance | MaD:291 | +| JdbcUrlSSRF.java:52:38:52:44 | jdbcUrl : String | JdbcUrlSSRF.java:52:9:52:13 | props [post update] : Properties [] : String | provenance | MaD:293 | | JdbcUrlSSRF.java:60:26:60:56 | getParameter(...) : String | JdbcUrlSSRF.java:65:27:65:33 | jdbcUrl | provenance | Src:MaD:277 Sink:MaD:257 | | JdbcUrlSSRF.java:60:26:60:56 | getParameter(...) : String | JdbcUrlSSRF.java:67:75:67:81 | jdbcUrl | provenance | Src:MaD:277 Sink:MaD:258 | | JdbcUrlSSRF.java:60:26:60:56 | getParameter(...) : String | JdbcUrlSSRF.java:70:75:70:81 | jdbcUrl | provenance | Src:MaD:277 Sink:MaD:260 | 
@@ -721,118 +735,202 @@ edges | JdbcUrlSSRF.java:80:26:80:56 | getParameter(...) : String | JdbcUrlSSRF.java:88:19:88:25 | jdbcUrl | provenance | Src:MaD:277 Sink:MaD:240 | | ReactiveWebClientSSRF.java:15:26:15:52 | getParameter(...) : String | ReactiveWebClientSSRF.java:16:52:16:54 | url | provenance | Src:MaD:277 Sink:MaD:274 | | ReactiveWebClientSSRF.java:32:26:32:52 | getParameter(...) : String | ReactiveWebClientSSRF.java:35:30:35:32 | url | provenance | Src:MaD:277 Sink:MaD:273 | -| SanitizationTests.java:21:23:21:58 | new URI(...) : URI | SanitizationTests.java:24:52:24:54 | uri | provenance | Sink:MaD:6 | -| SanitizationTests.java:21:23:21:58 | new URI(...) : URI | SanitizationTests.java:24:52:24:54 | uri : URI | provenance | | -| SanitizationTests.java:21:31:21:57 | getParameter(...) : String | SanitizationTests.java:21:23:21:58 | new URI(...) : URI | provenance | Src:MaD:277 Config | -| SanitizationTests.java:21:31:21:57 | getParameter(...) : String | SanitizationTests.java:21:23:21:58 | new URI(...) : URI | provenance | Src:MaD:277 MaD:285 | -| SanitizationTests.java:24:29:24:55 | newBuilder(...) : Builder | SanitizationTests.java:24:29:24:63 | build(...) : HttpRequest | provenance | MaD:283 | -| SanitizationTests.java:24:29:24:63 | build(...) : HttpRequest | SanitizationTests.java:25:25:25:25 | r | provenance | Sink:MaD:4 | -| SanitizationTests.java:24:52:24:54 | uri : URI | SanitizationTests.java:24:29:24:55 | newBuilder(...) : Builder | provenance | MaD:284 | -| SanitizationTests.java:77:33:77:63 | getParameter(...) : String | SanitizationTests.java:78:67:78:76 | unsafeUri3 : String | provenance | Src:MaD:277 | -| SanitizationTests.java:78:36:78:78 | newBuilder(...) : Builder | SanitizationTests.java:78:36:78:86 | build(...) : HttpRequest | provenance | MaD:283 | -| SanitizationTests.java:78:36:78:86 | build(...) 
: HttpRequest | SanitizationTests.java:79:25:79:32 | unsafer3 | provenance | Sink:MaD:4 | -| SanitizationTests.java:78:59:78:77 | new URI(...) : URI | SanitizationTests.java:78:36:78:78 | newBuilder(...) : Builder | provenance | MaD:284 | -| SanitizationTests.java:78:67:78:76 | unsafeUri3 : String | SanitizationTests.java:78:59:78:77 | new URI(...) | provenance | Config Sink:MaD:6 | -| SanitizationTests.java:78:67:78:76 | unsafeUri3 : String | SanitizationTests.java:78:59:78:77 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | -| SanitizationTests.java:78:67:78:76 | unsafeUri3 : String | SanitizationTests.java:78:59:78:77 | new URI(...) : URI | provenance | Config | -| SanitizationTests.java:78:67:78:76 | unsafeUri3 : String | SanitizationTests.java:78:59:78:77 | new URI(...) : URI | provenance | MaD:285 | -| SanitizationTests.java:81:49:81:79 | getParameter(...) : String | SanitizationTests.java:82:67:82:76 | unsafeUri4 : String | provenance | Src:MaD:277 | -| SanitizationTests.java:82:36:82:78 | newBuilder(...) : Builder | SanitizationTests.java:82:36:82:86 | build(...) : HttpRequest | provenance | MaD:283 | -| SanitizationTests.java:82:36:82:86 | build(...) : HttpRequest | SanitizationTests.java:83:25:83:32 | unsafer4 | provenance | Sink:MaD:4 | -| SanitizationTests.java:82:59:82:77 | new URI(...) : URI | SanitizationTests.java:82:36:82:78 | newBuilder(...) : Builder | provenance | MaD:284 | -| SanitizationTests.java:82:67:82:76 | unsafeUri4 : String | SanitizationTests.java:82:59:82:77 | new URI(...) | provenance | Config Sink:MaD:6 | -| SanitizationTests.java:82:67:82:76 | unsafeUri4 : String | SanitizationTests.java:82:59:82:77 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | -| SanitizationTests.java:82:67:82:76 | unsafeUri4 : String | SanitizationTests.java:82:59:82:77 | new URI(...) : URI | provenance | Config | -| SanitizationTests.java:82:67:82:76 | unsafeUri4 : String | SanitizationTests.java:82:59:82:77 | new URI(...) 
: URI | provenance | MaD:285 | -| SanitizationTests.java:86:13:86:22 | unsafeUri5 [post update] : StringBuilder | SanitizationTests.java:87:67:87:76 | unsafeUri5 : StringBuilder | provenance | | -| SanitizationTests.java:86:31:86:61 | getParameter(...) : String | SanitizationTests.java:86:13:86:22 | unsafeUri5 [post update] : StringBuilder | provenance | Src:MaD:277 MaD:278 | -| SanitizationTests.java:87:36:87:89 | newBuilder(...) : Builder | SanitizationTests.java:87:36:87:97 | build(...) : HttpRequest | provenance | MaD:283 | -| SanitizationTests.java:87:36:87:97 | build(...) : HttpRequest | SanitizationTests.java:88:25:88:32 | unsafer5 | provenance | Sink:MaD:4 | -| SanitizationTests.java:87:59:87:88 | new URI(...) : URI | SanitizationTests.java:87:36:87:89 | newBuilder(...) : Builder | provenance | MaD:284 | -| SanitizationTests.java:87:67:87:76 | unsafeUri5 : StringBuilder | SanitizationTests.java:87:67:87:87 | toString(...) : String | provenance | MaD:280 | -| SanitizationTests.java:87:67:87:87 | toString(...) : String | SanitizationTests.java:87:59:87:88 | new URI(...) | provenance | Config Sink:MaD:6 | -| SanitizationTests.java:87:67:87:87 | toString(...) : String | SanitizationTests.java:87:59:87:88 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | -| SanitizationTests.java:87:67:87:87 | toString(...) : String | SanitizationTests.java:87:59:87:88 | new URI(...) : URI | provenance | Config | -| SanitizationTests.java:87:67:87:87 | toString(...) : String | SanitizationTests.java:87:59:87:88 | new URI(...) : URI | provenance | MaD:285 | -| SanitizationTests.java:90:40:90:87 | new StringBuilder(...) : StringBuilder | SanitizationTests.java:92:68:92:77 | unafeUri5a : StringBuilder | provenance | | -| SanitizationTests.java:90:58:90:86 | getParameter(...) : String | SanitizationTests.java:90:40:90:87 | new StringBuilder(...) : StringBuilder | provenance | Src:MaD:277 MaD:282 | -| SanitizationTests.java:92:37:92:90 | newBuilder(...) 
: Builder | SanitizationTests.java:92:37:92:98 | build(...) : HttpRequest | provenance | MaD:283 | -| SanitizationTests.java:92:37:92:98 | build(...) : HttpRequest | SanitizationTests.java:93:25:93:33 | unsafer5a | provenance | Sink:MaD:4 | -| SanitizationTests.java:92:60:92:89 | new URI(...) : URI | SanitizationTests.java:92:37:92:90 | newBuilder(...) : Builder | provenance | MaD:284 | -| SanitizationTests.java:92:68:92:77 | unafeUri5a : StringBuilder | SanitizationTests.java:92:68:92:88 | toString(...) : String | provenance | MaD:280 | -| SanitizationTests.java:92:68:92:88 | toString(...) : String | SanitizationTests.java:92:60:92:89 | new URI(...) | provenance | Config Sink:MaD:6 | -| SanitizationTests.java:92:68:92:88 | toString(...) : String | SanitizationTests.java:92:60:92:89 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | -| SanitizationTests.java:92:68:92:88 | toString(...) : String | SanitizationTests.java:92:60:92:89 | new URI(...) : URI | provenance | Config | -| SanitizationTests.java:92:68:92:88 | toString(...) : String | SanitizationTests.java:92:60:92:89 | new URI(...) : URI | provenance | MaD:285 | -| SanitizationTests.java:95:41:95:105 | append(...) : StringBuilder | SanitizationTests.java:97:68:97:78 | unsafeUri5b : StringBuilder | provenance | | -| SanitizationTests.java:95:42:95:89 | new StringBuilder(...) : StringBuilder | SanitizationTests.java:95:41:95:105 | append(...) : StringBuilder | provenance | MaD:279 | -| SanitizationTests.java:95:60:95:88 | getParameter(...) : String | SanitizationTests.java:95:42:95:89 | new StringBuilder(...) : StringBuilder | provenance | Src:MaD:277 MaD:282 | -| SanitizationTests.java:97:37:97:91 | newBuilder(...) : Builder | SanitizationTests.java:97:37:97:99 | build(...) : HttpRequest | provenance | MaD:283 | -| SanitizationTests.java:97:37:97:99 | build(...) : HttpRequest | SanitizationTests.java:98:25:98:33 | unsafer5b | provenance | Sink:MaD:4 | -| SanitizationTests.java:97:60:97:90 | new URI(...) 
: URI | SanitizationTests.java:97:37:97:91 | newBuilder(...) : Builder | provenance | MaD:284 | -| SanitizationTests.java:97:68:97:78 | unsafeUri5b : StringBuilder | SanitizationTests.java:97:68:97:89 | toString(...) : String | provenance | MaD:280 | -| SanitizationTests.java:97:68:97:89 | toString(...) : String | SanitizationTests.java:97:60:97:90 | new URI(...) | provenance | Config Sink:MaD:6 | -| SanitizationTests.java:97:68:97:89 | toString(...) : String | SanitizationTests.java:97:60:97:90 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | -| SanitizationTests.java:97:68:97:89 | toString(...) : String | SanitizationTests.java:97:60:97:90 | new URI(...) : URI | provenance | Config | -| SanitizationTests.java:97:68:97:89 | toString(...) : String | SanitizationTests.java:97:60:97:90 | new URI(...) : URI | provenance | MaD:285 | -| SanitizationTests.java:100:41:100:106 | append(...) : StringBuilder | SanitizationTests.java:102:68:102:78 | unsafeUri5c : StringBuilder | provenance | | -| SanitizationTests.java:100:77:100:105 | getParameter(...) : String | SanitizationTests.java:100:41:100:106 | append(...) : StringBuilder | provenance | Src:MaD:277 MaD:278+MaD:279 | -| SanitizationTests.java:102:37:102:91 | newBuilder(...) : Builder | SanitizationTests.java:102:37:102:99 | build(...) : HttpRequest | provenance | MaD:283 | -| SanitizationTests.java:102:37:102:99 | build(...) : HttpRequest | SanitizationTests.java:103:25:103:33 | unsafer5c | provenance | Sink:MaD:4 | -| SanitizationTests.java:102:60:102:90 | new URI(...) : URI | SanitizationTests.java:102:37:102:91 | newBuilder(...) : Builder | provenance | MaD:284 | -| SanitizationTests.java:102:68:102:78 | unsafeUri5c : StringBuilder | SanitizationTests.java:102:68:102:89 | toString(...) : String | provenance | MaD:280 | -| SanitizationTests.java:102:68:102:89 | toString(...) : String | SanitizationTests.java:102:60:102:90 | new URI(...) 
| provenance | Config Sink:MaD:6 | -| SanitizationTests.java:102:68:102:89 | toString(...) : String | SanitizationTests.java:102:60:102:90 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | -| SanitizationTests.java:102:68:102:89 | toString(...) : String | SanitizationTests.java:102:60:102:90 | new URI(...) : URI | provenance | Config | -| SanitizationTests.java:102:68:102:89 | toString(...) : String | SanitizationTests.java:102:60:102:90 | new URI(...) : URI | provenance | MaD:285 | -| SanitizationTests.java:105:33:105:104 | format(...) : String | SanitizationTests.java:106:67:106:76 | unsafeUri6 : String | provenance | | -| SanitizationTests.java:105:33:105:104 | new ..[] { .. } : Object[] [[]] : String | SanitizationTests.java:105:33:105:104 | format(...) : String | provenance | MaD:281 | -| SanitizationTests.java:105:73:105:103 | getParameter(...) : String | SanitizationTests.java:105:33:105:104 | new ..[] { .. } : Object[] [[]] : String | provenance | Src:MaD:277 | -| SanitizationTests.java:106:36:106:78 | newBuilder(...) : Builder | SanitizationTests.java:106:36:106:86 | build(...) : HttpRequest | provenance | MaD:283 | -| SanitizationTests.java:106:36:106:86 | build(...) : HttpRequest | SanitizationTests.java:107:25:107:32 | unsafer6 | provenance | Sink:MaD:4 | -| SanitizationTests.java:106:59:106:77 | new URI(...) : URI | SanitizationTests.java:106:36:106:78 | newBuilder(...) : Builder | provenance | MaD:284 | -| SanitizationTests.java:106:67:106:76 | unsafeUri6 : String | SanitizationTests.java:106:59:106:77 | new URI(...) | provenance | Config Sink:MaD:6 | -| SanitizationTests.java:106:67:106:76 | unsafeUri6 : String | SanitizationTests.java:106:59:106:77 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | -| SanitizationTests.java:106:67:106:76 | unsafeUri6 : String | SanitizationTests.java:106:59:106:77 | new URI(...) 
: URI | provenance | Config | -| SanitizationTests.java:106:67:106:76 | unsafeUri6 : String | SanitizationTests.java:106:59:106:77 | new URI(...) : URI | provenance | MaD:285 | -| SanitizationTests.java:109:33:109:110 | format(...) : String | SanitizationTests.java:110:67:110:76 | unsafeUri7 : String | provenance | | -| SanitizationTests.java:109:33:109:110 | new ..[] { .. } : Object[] [[]] : String | SanitizationTests.java:109:33:109:110 | format(...) : String | provenance | MaD:281 | -| SanitizationTests.java:109:56:109:86 | getParameter(...) : String | SanitizationTests.java:109:33:109:110 | new ..[] { .. } : Object[] [[]] : String | provenance | Src:MaD:277 | -| SanitizationTests.java:110:36:110:78 | newBuilder(...) : Builder | SanitizationTests.java:110:36:110:86 | build(...) : HttpRequest | provenance | MaD:283 | -| SanitizationTests.java:110:36:110:86 | build(...) : HttpRequest | SanitizationTests.java:111:25:111:32 | unsafer7 | provenance | Sink:MaD:4 | -| SanitizationTests.java:110:59:110:77 | new URI(...) : URI | SanitizationTests.java:110:36:110:78 | newBuilder(...) : Builder | provenance | MaD:284 | -| SanitizationTests.java:110:67:110:76 | unsafeUri7 : String | SanitizationTests.java:110:59:110:77 | new URI(...) | provenance | Config Sink:MaD:6 | -| SanitizationTests.java:110:67:110:76 | unsafeUri7 : String | SanitizationTests.java:110:59:110:77 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | -| SanitizationTests.java:110:67:110:76 | unsafeUri7 : String | SanitizationTests.java:110:59:110:77 | new URI(...) : URI | provenance | Config | -| SanitizationTests.java:110:67:110:76 | unsafeUri7 : String | SanitizationTests.java:110:59:110:77 | new URI(...) : URI | provenance | MaD:285 | -| SanitizationTests.java:113:33:113:110 | format(...) : String | SanitizationTests.java:114:67:114:76 | unsafeUri8 : String | provenance | | -| SanitizationTests.java:113:33:113:110 | new ..[] { .. 
} : Object[] [[]] : String | SanitizationTests.java:113:33:113:110 | format(...) : String | provenance | MaD:281 | -| SanitizationTests.java:113:55:113:85 | getParameter(...) : String | SanitizationTests.java:113:33:113:110 | new ..[] { .. } : Object[] [[]] : String | provenance | Src:MaD:277 | -| SanitizationTests.java:114:36:114:78 | newBuilder(...) : Builder | SanitizationTests.java:114:36:114:86 | build(...) : HttpRequest | provenance | MaD:283 | -| SanitizationTests.java:114:36:114:86 | build(...) : HttpRequest | SanitizationTests.java:115:25:115:32 | unsafer8 | provenance | Sink:MaD:4 | -| SanitizationTests.java:114:59:114:77 | new URI(...) : URI | SanitizationTests.java:114:36:114:78 | newBuilder(...) : Builder | provenance | MaD:284 | -| SanitizationTests.java:114:67:114:76 | unsafeUri8 : String | SanitizationTests.java:114:59:114:77 | new URI(...) | provenance | Config Sink:MaD:6 | -| SanitizationTests.java:114:67:114:76 | unsafeUri8 : String | SanitizationTests.java:114:59:114:77 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | -| SanitizationTests.java:114:67:114:76 | unsafeUri8 : String | SanitizationTests.java:114:59:114:77 | new URI(...) : URI | provenance | Config | -| SanitizationTests.java:114:67:114:76 | unsafeUri8 : String | SanitizationTests.java:114:59:114:77 | new URI(...) : URI | provenance | MaD:285 | -| SanitizationTests.java:117:33:117:63 | getParameter(...) : String | SanitizationTests.java:118:67:118:76 | unsafeUri9 : String | provenance | Src:MaD:277 | -| SanitizationTests.java:118:36:118:78 | newBuilder(...) : Builder | SanitizationTests.java:118:36:118:86 | build(...) : HttpRequest | provenance | MaD:283 | -| SanitizationTests.java:118:36:118:86 | build(...) : HttpRequest | SanitizationTests.java:119:25:119:32 | unsafer9 | provenance | Sink:MaD:4 | -| SanitizationTests.java:118:59:118:77 | new URI(...) : URI | SanitizationTests.java:118:36:118:78 | newBuilder(...) 
: Builder | provenance | MaD:284 | -| SanitizationTests.java:118:67:118:76 | unsafeUri9 : String | SanitizationTests.java:118:59:118:77 | new URI(...) | provenance | Config Sink:MaD:6 | -| SanitizationTests.java:118:67:118:76 | unsafeUri9 : String | SanitizationTests.java:118:59:118:77 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | -| SanitizationTests.java:118:67:118:76 | unsafeUri9 : String | SanitizationTests.java:118:59:118:77 | new URI(...) : URI | provenance | Config | -| SanitizationTests.java:118:67:118:76 | unsafeUri9 : String | SanitizationTests.java:118:59:118:77 | new URI(...) : URI | provenance | MaD:285 | -| SanitizationTests.java:121:34:121:126 | format(...) : String | SanitizationTests.java:122:68:122:78 | unsafeUri10 : String | provenance | | -| SanitizationTests.java:121:34:121:126 | new ..[] { .. } : Object[] [[]] : String | SanitizationTests.java:121:34:121:126 | format(...) : String | provenance | MaD:281 | -| SanitizationTests.java:121:94:121:125 | getParameter(...) : String | SanitizationTests.java:121:34:121:126 | new ..[] { .. } : Object[] [[]] : String | provenance | Src:MaD:277 | -| SanitizationTests.java:122:37:122:80 | newBuilder(...) : Builder | SanitizationTests.java:122:37:122:88 | build(...) : HttpRequest | provenance | MaD:283 | -| SanitizationTests.java:122:37:122:88 | build(...) : HttpRequest | SanitizationTests.java:123:25:123:33 | unsafer10 | provenance | Sink:MaD:4 | -| SanitizationTests.java:122:60:122:79 | new URI(...) : URI | SanitizationTests.java:122:37:122:80 | newBuilder(...) : Builder | provenance | MaD:284 | -| SanitizationTests.java:122:68:122:78 | unsafeUri10 : String | SanitizationTests.java:122:60:122:79 | new URI(...) | provenance | Config Sink:MaD:6 | -| SanitizationTests.java:122:68:122:78 | unsafeUri10 : String | SanitizationTests.java:122:60:122:79 | new URI(...) 
| provenance | MaD:285 Sink:MaD:6 | -| SanitizationTests.java:122:68:122:78 | unsafeUri10 : String | SanitizationTests.java:122:60:122:79 | new URI(...) : URI | provenance | Config | -| SanitizationTests.java:122:68:122:78 | unsafeUri10 : String | SanitizationTests.java:122:60:122:79 | new URI(...) : URI | provenance | MaD:285 | +| SanitizationTests.java:22:23:22:58 | new URI(...) : URI | SanitizationTests.java:25:52:25:54 | uri | provenance | Sink:MaD:6 | +| SanitizationTests.java:22:23:22:58 | new URI(...) : URI | SanitizationTests.java:25:52:25:54 | uri : URI | provenance | | +| SanitizationTests.java:22:31:22:57 | getParameter(...) : String | SanitizationTests.java:22:23:22:58 | new URI(...) : URI | provenance | Src:MaD:277 Config | +| SanitizationTests.java:22:31:22:57 | getParameter(...) : String | SanitizationTests.java:22:23:22:58 | new URI(...) : URI | provenance | Src:MaD:277 MaD:285 | +| SanitizationTests.java:25:29:25:55 | newBuilder(...) : Builder | SanitizationTests.java:25:29:25:63 | build(...) : HttpRequest | provenance | MaD:283 | +| SanitizationTests.java:25:29:25:63 | build(...) : HttpRequest | SanitizationTests.java:26:25:26:25 | r | provenance | Sink:MaD:4 | +| SanitizationTests.java:25:52:25:54 | uri : URI | SanitizationTests.java:25:29:25:55 | newBuilder(...) : Builder | provenance | MaD:284 | +| SanitizationTests.java:78:33:78:63 | getParameter(...) : String | SanitizationTests.java:79:67:79:76 | unsafeUri3 : String | provenance | Src:MaD:277 | +| SanitizationTests.java:79:36:79:78 | newBuilder(...) : Builder | SanitizationTests.java:79:36:79:86 | build(...) : HttpRequest | provenance | MaD:283 | +| SanitizationTests.java:79:36:79:86 | build(...) : HttpRequest | SanitizationTests.java:80:25:80:32 | unsafer3 | provenance | Sink:MaD:4 | +| SanitizationTests.java:79:59:79:77 | new URI(...) : URI | SanitizationTests.java:79:36:79:78 | newBuilder(...) 
: Builder | provenance | MaD:284 | +| SanitizationTests.java:79:67:79:76 | unsafeUri3 : String | SanitizationTests.java:79:59:79:77 | new URI(...) | provenance | Config Sink:MaD:6 | +| SanitizationTests.java:79:67:79:76 | unsafeUri3 : String | SanitizationTests.java:79:59:79:77 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | +| SanitizationTests.java:79:67:79:76 | unsafeUri3 : String | SanitizationTests.java:79:59:79:77 | new URI(...) : URI | provenance | Config | +| SanitizationTests.java:79:67:79:76 | unsafeUri3 : String | SanitizationTests.java:79:59:79:77 | new URI(...) : URI | provenance | MaD:285 | +| SanitizationTests.java:82:49:82:79 | getParameter(...) : String | SanitizationTests.java:83:67:83:76 | unsafeUri4 : String | provenance | Src:MaD:277 | +| SanitizationTests.java:83:36:83:78 | newBuilder(...) : Builder | SanitizationTests.java:83:36:83:86 | build(...) : HttpRequest | provenance | MaD:283 | +| SanitizationTests.java:83:36:83:86 | build(...) : HttpRequest | SanitizationTests.java:84:25:84:32 | unsafer4 | provenance | Sink:MaD:4 | +| SanitizationTests.java:83:59:83:77 | new URI(...) : URI | SanitizationTests.java:83:36:83:78 | newBuilder(...) : Builder | provenance | MaD:284 | +| SanitizationTests.java:83:67:83:76 | unsafeUri4 : String | SanitizationTests.java:83:59:83:77 | new URI(...) | provenance | Config Sink:MaD:6 | +| SanitizationTests.java:83:67:83:76 | unsafeUri4 : String | SanitizationTests.java:83:59:83:77 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | +| SanitizationTests.java:83:67:83:76 | unsafeUri4 : String | SanitizationTests.java:83:59:83:77 | new URI(...) : URI | provenance | Config | +| SanitizationTests.java:83:67:83:76 | unsafeUri4 : String | SanitizationTests.java:83:59:83:77 | new URI(...) 
: URI | provenance | MaD:285 | +| SanitizationTests.java:87:13:87:22 | unsafeUri5 [post update] : StringBuilder | SanitizationTests.java:88:67:88:76 | unsafeUri5 : StringBuilder | provenance | | +| SanitizationTests.java:87:31:87:61 | getParameter(...) : String | SanitizationTests.java:87:13:87:22 | unsafeUri5 [post update] : StringBuilder | provenance | Src:MaD:277 MaD:278 | +| SanitizationTests.java:88:36:88:89 | newBuilder(...) : Builder | SanitizationTests.java:88:36:88:97 | build(...) : HttpRequest | provenance | MaD:283 | +| SanitizationTests.java:88:36:88:97 | build(...) : HttpRequest | SanitizationTests.java:89:25:89:32 | unsafer5 | provenance | Sink:MaD:4 | +| SanitizationTests.java:88:59:88:88 | new URI(...) : URI | SanitizationTests.java:88:36:88:89 | newBuilder(...) : Builder | provenance | MaD:284 | +| SanitizationTests.java:88:67:88:76 | unsafeUri5 : StringBuilder | SanitizationTests.java:88:67:88:87 | toString(...) : String | provenance | MaD:280 | +| SanitizationTests.java:88:67:88:87 | toString(...) : String | SanitizationTests.java:88:59:88:88 | new URI(...) | provenance | Config Sink:MaD:6 | +| SanitizationTests.java:88:67:88:87 | toString(...) : String | SanitizationTests.java:88:59:88:88 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | +| SanitizationTests.java:88:67:88:87 | toString(...) : String | SanitizationTests.java:88:59:88:88 | new URI(...) : URI | provenance | Config | +| SanitizationTests.java:88:67:88:87 | toString(...) : String | SanitizationTests.java:88:59:88:88 | new URI(...) : URI | provenance | MaD:285 | +| SanitizationTests.java:91:40:91:87 | new StringBuilder(...) : StringBuilder | SanitizationTests.java:93:68:93:77 | unafeUri5a : StringBuilder | provenance | | +| SanitizationTests.java:91:58:91:86 | getParameter(...) : String | SanitizationTests.java:91:40:91:87 | new StringBuilder(...) : StringBuilder | provenance | Src:MaD:277 MaD:282 | +| SanitizationTests.java:93:37:93:90 | newBuilder(...) 
: Builder | SanitizationTests.java:93:37:93:98 | build(...) : HttpRequest | provenance | MaD:283 | +| SanitizationTests.java:93:37:93:98 | build(...) : HttpRequest | SanitizationTests.java:94:25:94:33 | unsafer5a | provenance | Sink:MaD:4 | +| SanitizationTests.java:93:60:93:89 | new URI(...) : URI | SanitizationTests.java:93:37:93:90 | newBuilder(...) : Builder | provenance | MaD:284 | +| SanitizationTests.java:93:68:93:77 | unafeUri5a : StringBuilder | SanitizationTests.java:93:68:93:88 | toString(...) : String | provenance | MaD:280 | +| SanitizationTests.java:93:68:93:88 | toString(...) : String | SanitizationTests.java:93:60:93:89 | new URI(...) | provenance | Config Sink:MaD:6 | +| SanitizationTests.java:93:68:93:88 | toString(...) : String | SanitizationTests.java:93:60:93:89 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | +| SanitizationTests.java:93:68:93:88 | toString(...) : String | SanitizationTests.java:93:60:93:89 | new URI(...) : URI | provenance | Config | +| SanitizationTests.java:93:68:93:88 | toString(...) : String | SanitizationTests.java:93:60:93:89 | new URI(...) : URI | provenance | MaD:285 | +| SanitizationTests.java:96:41:96:105 | append(...) : StringBuilder | SanitizationTests.java:98:68:98:78 | unsafeUri5b : StringBuilder | provenance | | +| SanitizationTests.java:96:42:96:89 | new StringBuilder(...) : StringBuilder | SanitizationTests.java:96:41:96:105 | append(...) : StringBuilder | provenance | MaD:279 | +| SanitizationTests.java:96:60:96:88 | getParameter(...) : String | SanitizationTests.java:96:42:96:89 | new StringBuilder(...) : StringBuilder | provenance | Src:MaD:277 MaD:282 | +| SanitizationTests.java:98:37:98:91 | newBuilder(...) : Builder | SanitizationTests.java:98:37:98:99 | build(...) : HttpRequest | provenance | MaD:283 | +| SanitizationTests.java:98:37:98:99 | build(...) : HttpRequest | SanitizationTests.java:99:25:99:33 | unsafer5b | provenance | Sink:MaD:4 | +| SanitizationTests.java:98:60:98:90 | new URI(...) 
: URI | SanitizationTests.java:98:37:98:91 | newBuilder(...) : Builder | provenance | MaD:284 | +| SanitizationTests.java:98:68:98:78 | unsafeUri5b : StringBuilder | SanitizationTests.java:98:68:98:89 | toString(...) : String | provenance | MaD:280 | +| SanitizationTests.java:98:68:98:89 | toString(...) : String | SanitizationTests.java:98:60:98:90 | new URI(...) | provenance | Config Sink:MaD:6 | +| SanitizationTests.java:98:68:98:89 | toString(...) : String | SanitizationTests.java:98:60:98:90 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | +| SanitizationTests.java:98:68:98:89 | toString(...) : String | SanitizationTests.java:98:60:98:90 | new URI(...) : URI | provenance | Config | +| SanitizationTests.java:98:68:98:89 | toString(...) : String | SanitizationTests.java:98:60:98:90 | new URI(...) : URI | provenance | MaD:285 | +| SanitizationTests.java:101:41:101:106 | append(...) : StringBuilder | SanitizationTests.java:103:68:103:78 | unsafeUri5c : StringBuilder | provenance | | +| SanitizationTests.java:101:77:101:105 | getParameter(...) : String | SanitizationTests.java:101:41:101:106 | append(...) : StringBuilder | provenance | Src:MaD:277 MaD:278+MaD:279 | +| SanitizationTests.java:103:37:103:91 | newBuilder(...) : Builder | SanitizationTests.java:103:37:103:99 | build(...) : HttpRequest | provenance | MaD:283 | +| SanitizationTests.java:103:37:103:99 | build(...) : HttpRequest | SanitizationTests.java:104:25:104:33 | unsafer5c | provenance | Sink:MaD:4 | +| SanitizationTests.java:103:60:103:90 | new URI(...) : URI | SanitizationTests.java:103:37:103:91 | newBuilder(...) : Builder | provenance | MaD:284 | +| SanitizationTests.java:103:68:103:78 | unsafeUri5c : StringBuilder | SanitizationTests.java:103:68:103:89 | toString(...) : String | provenance | MaD:280 | +| SanitizationTests.java:103:68:103:89 | toString(...) : String | SanitizationTests.java:103:60:103:90 | new URI(...) 
| provenance | Config Sink:MaD:6 | +| SanitizationTests.java:103:68:103:89 | toString(...) : String | SanitizationTests.java:103:60:103:90 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | +| SanitizationTests.java:103:68:103:89 | toString(...) : String | SanitizationTests.java:103:60:103:90 | new URI(...) : URI | provenance | Config | +| SanitizationTests.java:103:68:103:89 | toString(...) : String | SanitizationTests.java:103:60:103:90 | new URI(...) : URI | provenance | MaD:285 | +| SanitizationTests.java:106:33:106:104 | format(...) : String | SanitizationTests.java:107:67:107:76 | unsafeUri6 : String | provenance | | +| SanitizationTests.java:106:33:106:104 | new ..[] { .. } : Object[] [[]] : String | SanitizationTests.java:106:33:106:104 | format(...) : String | provenance | MaD:281 | +| SanitizationTests.java:106:73:106:103 | getParameter(...) : String | SanitizationTests.java:106:33:106:104 | new ..[] { .. } : Object[] [[]] : String | provenance | Src:MaD:277 | +| SanitizationTests.java:107:36:107:78 | newBuilder(...) : Builder | SanitizationTests.java:107:36:107:86 | build(...) : HttpRequest | provenance | MaD:283 | +| SanitizationTests.java:107:36:107:86 | build(...) : HttpRequest | SanitizationTests.java:108:25:108:32 | unsafer6 | provenance | Sink:MaD:4 | +| SanitizationTests.java:107:59:107:77 | new URI(...) : URI | SanitizationTests.java:107:36:107:78 | newBuilder(...) : Builder | provenance | MaD:284 | +| SanitizationTests.java:107:67:107:76 | unsafeUri6 : String | SanitizationTests.java:107:59:107:77 | new URI(...) | provenance | Config Sink:MaD:6 | +| SanitizationTests.java:107:67:107:76 | unsafeUri6 : String | SanitizationTests.java:107:59:107:77 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | +| SanitizationTests.java:107:67:107:76 | unsafeUri6 : String | SanitizationTests.java:107:59:107:77 | new URI(...) 
: URI | provenance | Config | +| SanitizationTests.java:107:67:107:76 | unsafeUri6 : String | SanitizationTests.java:107:59:107:77 | new URI(...) : URI | provenance | MaD:285 | +| SanitizationTests.java:110:33:110:110 | format(...) : String | SanitizationTests.java:111:67:111:76 | unsafeUri7 : String | provenance | | +| SanitizationTests.java:110:33:110:110 | new ..[] { .. } : Object[] [[]] : String | SanitizationTests.java:110:33:110:110 | format(...) : String | provenance | MaD:281 | +| SanitizationTests.java:110:56:110:86 | getParameter(...) : String | SanitizationTests.java:110:33:110:110 | new ..[] { .. } : Object[] [[]] : String | provenance | Src:MaD:277 | +| SanitizationTests.java:111:36:111:78 | newBuilder(...) : Builder | SanitizationTests.java:111:36:111:86 | build(...) : HttpRequest | provenance | MaD:283 | +| SanitizationTests.java:111:36:111:86 | build(...) : HttpRequest | SanitizationTests.java:112:25:112:32 | unsafer7 | provenance | Sink:MaD:4 | +| SanitizationTests.java:111:59:111:77 | new URI(...) : URI | SanitizationTests.java:111:36:111:78 | newBuilder(...) : Builder | provenance | MaD:284 | +| SanitizationTests.java:111:67:111:76 | unsafeUri7 : String | SanitizationTests.java:111:59:111:77 | new URI(...) | provenance | Config Sink:MaD:6 | +| SanitizationTests.java:111:67:111:76 | unsafeUri7 : String | SanitizationTests.java:111:59:111:77 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | +| SanitizationTests.java:111:67:111:76 | unsafeUri7 : String | SanitizationTests.java:111:59:111:77 | new URI(...) : URI | provenance | Config | +| SanitizationTests.java:111:67:111:76 | unsafeUri7 : String | SanitizationTests.java:111:59:111:77 | new URI(...) : URI | provenance | MaD:285 | +| SanitizationTests.java:114:33:114:110 | format(...) : String | SanitizationTests.java:115:67:115:76 | unsafeUri8 : String | provenance | | +| SanitizationTests.java:114:33:114:110 | new ..[] { .. 
} : Object[] [[]] : String | SanitizationTests.java:114:33:114:110 | format(...) : String | provenance | MaD:281 | +| SanitizationTests.java:114:55:114:85 | getParameter(...) : String | SanitizationTests.java:114:33:114:110 | new ..[] { .. } : Object[] [[]] : String | provenance | Src:MaD:277 | +| SanitizationTests.java:115:36:115:78 | newBuilder(...) : Builder | SanitizationTests.java:115:36:115:86 | build(...) : HttpRequest | provenance | MaD:283 | +| SanitizationTests.java:115:36:115:86 | build(...) : HttpRequest | SanitizationTests.java:116:25:116:32 | unsafer8 | provenance | Sink:MaD:4 | +| SanitizationTests.java:115:59:115:77 | new URI(...) : URI | SanitizationTests.java:115:36:115:78 | newBuilder(...) : Builder | provenance | MaD:284 | +| SanitizationTests.java:115:67:115:76 | unsafeUri8 : String | SanitizationTests.java:115:59:115:77 | new URI(...) | provenance | Config Sink:MaD:6 | +| SanitizationTests.java:115:67:115:76 | unsafeUri8 : String | SanitizationTests.java:115:59:115:77 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | +| SanitizationTests.java:115:67:115:76 | unsafeUri8 : String | SanitizationTests.java:115:59:115:77 | new URI(...) : URI | provenance | Config | +| SanitizationTests.java:115:67:115:76 | unsafeUri8 : String | SanitizationTests.java:115:59:115:77 | new URI(...) : URI | provenance | MaD:285 | +| SanitizationTests.java:118:33:118:63 | getParameter(...) : String | SanitizationTests.java:119:67:119:76 | unsafeUri9 : String | provenance | Src:MaD:277 | +| SanitizationTests.java:119:36:119:78 | newBuilder(...) : Builder | SanitizationTests.java:119:36:119:86 | build(...) : HttpRequest | provenance | MaD:283 | +| SanitizationTests.java:119:36:119:86 | build(...) : HttpRequest | SanitizationTests.java:120:25:120:32 | unsafer9 | provenance | Sink:MaD:4 | +| SanitizationTests.java:119:59:119:77 | new URI(...) : URI | SanitizationTests.java:119:36:119:78 | newBuilder(...) 
: Builder | provenance | MaD:284 | +| SanitizationTests.java:119:67:119:76 | unsafeUri9 : String | SanitizationTests.java:119:59:119:77 | new URI(...) | provenance | Config Sink:MaD:6 | +| SanitizationTests.java:119:67:119:76 | unsafeUri9 : String | SanitizationTests.java:119:59:119:77 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | +| SanitizationTests.java:119:67:119:76 | unsafeUri9 : String | SanitizationTests.java:119:59:119:77 | new URI(...) : URI | provenance | Config | +| SanitizationTests.java:119:67:119:76 | unsafeUri9 : String | SanitizationTests.java:119:59:119:77 | new URI(...) : URI | provenance | MaD:285 | +| SanitizationTests.java:122:34:122:126 | format(...) : String | SanitizationTests.java:123:68:123:78 | unsafeUri10 : String | provenance | | +| SanitizationTests.java:122:34:122:126 | new ..[] { .. } : Object[] [[]] : String | SanitizationTests.java:122:34:122:126 | format(...) : String | provenance | MaD:281 | +| SanitizationTests.java:122:94:122:125 | getParameter(...) : String | SanitizationTests.java:122:34:122:126 | new ..[] { .. } : Object[] [[]] : String | provenance | Src:MaD:277 | +| SanitizationTests.java:123:37:123:80 | newBuilder(...) : Builder | SanitizationTests.java:123:37:123:88 | build(...) : HttpRequest | provenance | MaD:283 | +| SanitizationTests.java:123:37:123:88 | build(...) : HttpRequest | SanitizationTests.java:124:25:124:33 | unsafer10 | provenance | Sink:MaD:4 | +| SanitizationTests.java:123:60:123:79 | new URI(...) : URI | SanitizationTests.java:123:37:123:80 | newBuilder(...) : Builder | provenance | MaD:284 | +| SanitizationTests.java:123:68:123:78 | unsafeUri10 : String | SanitizationTests.java:123:60:123:79 | new URI(...) | provenance | Config Sink:MaD:6 | +| SanitizationTests.java:123:68:123:78 | unsafeUri10 : String | SanitizationTests.java:123:60:123:79 | new URI(...) 
| provenance | MaD:285 Sink:MaD:6 | +| SanitizationTests.java:123:68:123:78 | unsafeUri10 : String | SanitizationTests.java:123:60:123:79 | new URI(...) : URI | provenance | Config | +| SanitizationTests.java:123:68:123:78 | unsafeUri10 : String | SanitizationTests.java:123:60:123:79 | new URI(...) : URI | provenance | MaD:285 | +| SanitizationTests.java:153:42:153:96 | new AnnotatedFieldObject(...) : AnnotatedFieldObject [uri] : String | SanitizationTests.java:154:63:154:67 | obj14 : AnnotatedFieldObject [uri] : String | provenance | | +| SanitizationTests.java:153:42:153:96 | new AnnotatedFieldObject(...) : AnnotatedFieldObject [uri] : String | SanitizationTests.java:156:63:156:67 | obj14 : AnnotatedFieldObject [uri] : String | provenance | | +| SanitizationTests.java:153:67:153:95 | getParameter(...) : String | SanitizationTests.java:153:42:153:96 | new AnnotatedFieldObject(...) : AnnotatedFieldObject [uri] : String | provenance | Src:MaD:277 | +| SanitizationTests.java:153:67:153:95 | getParameter(...) : String | SanitizationTests.java:207:37:207:46 | uri : String | provenance | Src:MaD:277 | +| SanitizationTests.java:154:32:154:73 | newBuilder(...) : Builder | SanitizationTests.java:154:32:154:81 | build(...) : HttpRequest | provenance | MaD:283 | +| SanitizationTests.java:154:32:154:81 | build(...) : HttpRequest | SanitizationTests.java:155:25:155:28 | r14a | provenance | Sink:MaD:4 | +| SanitizationTests.java:154:55:154:72 | new URI(...) : URI | SanitizationTests.java:154:32:154:73 | newBuilder(...) : Builder | provenance | MaD:284 | +| SanitizationTests.java:154:63:154:67 | obj14 : AnnotatedFieldObject [uri] : String | SanitizationTests.java:154:63:154:71 | obj14.uri : String | provenance | | +| SanitizationTests.java:154:63:154:71 | obj14.uri : String | SanitizationTests.java:154:55:154:72 | new URI(...) | provenance | Config Sink:MaD:6 | +| SanitizationTests.java:154:63:154:71 | obj14.uri : String | SanitizationTests.java:154:55:154:72 | new URI(...) 
| provenance | MaD:285 Sink:MaD:6 | +| SanitizationTests.java:154:63:154:71 | obj14.uri : String | SanitizationTests.java:154:55:154:72 | new URI(...) : URI | provenance | Config | +| SanitizationTests.java:154:63:154:71 | obj14.uri : String | SanitizationTests.java:154:55:154:72 | new URI(...) : URI | provenance | MaD:285 | +| SanitizationTests.java:156:32:156:78 | newBuilder(...) : Builder | SanitizationTests.java:156:32:156:86 | build(...) : HttpRequest | provenance | MaD:283 | +| SanitizationTests.java:156:32:156:86 | build(...) : HttpRequest | SanitizationTests.java:157:25:157:28 | r14b | provenance | Sink:MaD:4 | +| SanitizationTests.java:156:55:156:77 | new URI(...) : URI | SanitizationTests.java:156:32:156:78 | newBuilder(...) : Builder | provenance | MaD:284 | +| SanitizationTests.java:156:63:156:67 | obj14 : AnnotatedFieldObject [uri] : String | SanitizationTests.java:156:63:156:76 | getUri(...) : String | provenance | | +| SanitizationTests.java:156:63:156:67 | obj14 : AnnotatedFieldObject [uri] : String | SanitizationTests.java:211:23:211:28 | parameter this : AnnotatedFieldObject [uri] : String | provenance | | +| SanitizationTests.java:156:63:156:76 | getUri(...) : String | SanitizationTests.java:156:55:156:77 | new URI(...) | provenance | Config Sink:MaD:6 | +| SanitizationTests.java:156:63:156:76 | getUri(...) : String | SanitizationTests.java:156:55:156:77 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | +| SanitizationTests.java:156:63:156:76 | getUri(...) : String | SanitizationTests.java:156:55:156:77 | new URI(...) : URI | provenance | Config | +| SanitizationTests.java:156:63:156:76 | getUri(...) : String | SanitizationTests.java:156:55:156:77 | new URI(...) : URI | provenance | MaD:285 | +| SanitizationTests.java:160:46:160:104 | new AnnotatedParameterObject(...) 
: AnnotatedParameterObject [uri] : String | SanitizationTests.java:161:63:161:67 | obj15 : AnnotatedParameterObject [uri] : String | provenance | | +| SanitizationTests.java:160:46:160:104 | new AnnotatedParameterObject(...) : AnnotatedParameterObject [uri] : String | SanitizationTests.java:163:63:163:67 | obj15 : AnnotatedParameterObject [uri] : String | provenance | | +| SanitizationTests.java:160:75:160:103 | getParameter(...) : String | SanitizationTests.java:160:46:160:104 | new AnnotatedParameterObject(...) : AnnotatedParameterObject [uri] : String | provenance | Src:MaD:277 | +| SanitizationTests.java:160:75:160:103 | getParameter(...) : String | SanitizationTests.java:219:41:219:115 | uri : String | provenance | Src:MaD:277 | +| SanitizationTests.java:161:32:161:73 | newBuilder(...) : Builder | SanitizationTests.java:161:32:161:81 | build(...) : HttpRequest | provenance | MaD:283 | +| SanitizationTests.java:161:32:161:81 | build(...) : HttpRequest | SanitizationTests.java:162:25:162:28 | r15a | provenance | Sink:MaD:4 | +| SanitizationTests.java:161:55:161:72 | new URI(...) : URI | SanitizationTests.java:161:32:161:73 | newBuilder(...) : Builder | provenance | MaD:284 | +| SanitizationTests.java:161:63:161:67 | obj15 : AnnotatedParameterObject [uri] : String | SanitizationTests.java:161:63:161:71 | obj15.uri : String | provenance | | +| SanitizationTests.java:161:63:161:71 | obj15.uri : String | SanitizationTests.java:161:55:161:72 | new URI(...) | provenance | Config Sink:MaD:6 | +| SanitizationTests.java:161:63:161:71 | obj15.uri : String | SanitizationTests.java:161:55:161:72 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | +| SanitizationTests.java:161:63:161:71 | obj15.uri : String | SanitizationTests.java:161:55:161:72 | new URI(...) : URI | provenance | Config | +| SanitizationTests.java:161:63:161:71 | obj15.uri : String | SanitizationTests.java:161:55:161:72 | new URI(...) 
: URI | provenance | MaD:285 | +| SanitizationTests.java:163:32:163:78 | newBuilder(...) : Builder | SanitizationTests.java:163:32:163:86 | build(...) : HttpRequest | provenance | MaD:283 | +| SanitizationTests.java:163:32:163:86 | build(...) : HttpRequest | SanitizationTests.java:164:25:164:28 | r15b | provenance | Sink:MaD:4 | +| SanitizationTests.java:163:55:163:77 | new URI(...) : URI | SanitizationTests.java:163:32:163:78 | newBuilder(...) : Builder | provenance | MaD:284 | +| SanitizationTests.java:163:63:163:67 | obj15 : AnnotatedParameterObject [uri] : String | SanitizationTests.java:163:63:163:76 | getUri(...) : String | provenance | | +| SanitizationTests.java:163:63:163:67 | obj15 : AnnotatedParameterObject [uri] : String | SanitizationTests.java:223:23:223:28 | parameter this : AnnotatedParameterObject [uri] : String | provenance | | +| SanitizationTests.java:163:63:163:76 | getUri(...) : String | SanitizationTests.java:163:55:163:77 | new URI(...) | provenance | Config Sink:MaD:6 | +| SanitizationTests.java:163:63:163:76 | getUri(...) : String | SanitizationTests.java:163:55:163:77 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | +| SanitizationTests.java:163:63:163:76 | getUri(...) : String | SanitizationTests.java:163:55:163:77 | new URI(...) : URI | provenance | Config | +| SanitizationTests.java:163:63:163:76 | getUri(...) : String | SanitizationTests.java:163:55:163:77 | new URI(...) : URI | provenance | MaD:285 | +| SanitizationTests.java:167:31:167:103 | newBuilder(...) : Builder | SanitizationTests.java:167:31:167:111 | build(...) : HttpRequest | provenance | MaD:283 | +| SanitizationTests.java:167:31:167:111 | build(...) : HttpRequest | SanitizationTests.java:168:25:168:27 | r16 | provenance | Sink:MaD:4 | +| SanitizationTests.java:167:54:167:102 | new URI(...) : URI | SanitizationTests.java:167:31:167:103 | newBuilder(...) : Builder | provenance | MaD:284 | +| SanitizationTests.java:167:62:167:101 | identity1(...) 
: String | SanitizationTests.java:167:54:167:102 | new URI(...) | provenance | Config Sink:MaD:6 | +| SanitizationTests.java:167:62:167:101 | identity1(...) : String | SanitizationTests.java:167:54:167:102 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | +| SanitizationTests.java:167:62:167:101 | identity1(...) : String | SanitizationTests.java:167:54:167:102 | new URI(...) : URI | provenance | Config | +| SanitizationTests.java:167:62:167:101 | identity1(...) : String | SanitizationTests.java:167:54:167:102 | new URI(...) : URI | provenance | MaD:285 | +| SanitizationTests.java:167:72:167:100 | getParameter(...) : String | SanitizationTests.java:167:62:167:101 | identity1(...) : String | provenance | Src:MaD:277 | +| SanitizationTests.java:167:72:167:100 | getParameter(...) : String | SanitizationTests.java:188:29:188:103 | uri : String | provenance | Src:MaD:277 | +| SanitizationTests.java:171:31:171:103 | newBuilder(...) : Builder | SanitizationTests.java:171:31:171:111 | build(...) : HttpRequest | provenance | MaD:283 | +| SanitizationTests.java:171:31:171:111 | build(...) : HttpRequest | SanitizationTests.java:172:25:172:27 | r17 | provenance | Sink:MaD:4 | +| SanitizationTests.java:171:54:171:102 | new URI(...) : URI | SanitizationTests.java:171:31:171:103 | newBuilder(...) : Builder | provenance | MaD:284 | +| SanitizationTests.java:171:62:171:101 | identity2(...) : String | SanitizationTests.java:171:54:171:102 | new URI(...) | provenance | Config Sink:MaD:6 | +| SanitizationTests.java:171:62:171:101 | identity2(...) : String | SanitizationTests.java:171:54:171:102 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | +| SanitizationTests.java:171:62:171:101 | identity2(...) : String | SanitizationTests.java:171:54:171:102 | new URI(...) : URI | provenance | Config | +| SanitizationTests.java:171:62:171:101 | identity2(...) : String | SanitizationTests.java:171:54:171:102 | new URI(...) 
: URI | provenance | MaD:285 | +| SanitizationTests.java:171:72:171:100 | getParameter(...) : String | SanitizationTests.java:171:62:171:101 | identity2(...) : String | provenance | Src:MaD:277 | +| SanitizationTests.java:171:72:171:100 | getParameter(...) : String | SanitizationTests.java:193:29:193:38 | uri : String | provenance | Src:MaD:277 | +| SanitizationTests.java:175:31:175:114 | newBuilder(...) : Builder | SanitizationTests.java:175:31:175:122 | build(...) : HttpRequest | provenance | MaD:283 | +| SanitizationTests.java:175:31:175:122 | build(...) : HttpRequest | SanitizationTests.java:176:25:176:27 | r18 | provenance | Sink:MaD:4 | +| SanitizationTests.java:175:54:175:113 | new URI(...) : URI | SanitizationTests.java:175:31:175:114 | newBuilder(...) : Builder | provenance | MaD:284 | +| SanitizationTests.java:175:62:175:112 | getFromList(...) : String | SanitizationTests.java:175:54:175:113 | new URI(...) | provenance | Config Sink:MaD:6 | +| SanitizationTests.java:175:62:175:112 | getFromList(...) : String | SanitizationTests.java:175:54:175:113 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | +| SanitizationTests.java:175:62:175:112 | getFromList(...) : String | SanitizationTests.java:175:54:175:113 | new URI(...) : URI | provenance | Config | +| SanitizationTests.java:175:62:175:112 | getFromList(...) : String | SanitizationTests.java:175:54:175:113 | new URI(...) : URI | provenance | MaD:285 | +| SanitizationTests.java:175:74:175:111 | of(...) : List [] : String | SanitizationTests.java:175:62:175:112 | getFromList(...) : String | provenance | MaD:290 | +| SanitizationTests.java:175:74:175:111 | of(...) : List [] : String | SanitizationTests.java:197:31:197:112 | list : List [] : String | provenance | | +| SanitizationTests.java:175:82:175:110 | getParameter(...) : String | SanitizationTests.java:175:74:175:111 | of(...) 
: List [] : String | provenance | Src:MaD:277 MaD:289 | +| SanitizationTests.java:188:29:188:103 | uri : String | SanitizationTests.java:189:16:189:18 | uri : String | provenance | | +| SanitizationTests.java:193:29:193:38 | uri : String | SanitizationTests.java:194:16:194:18 | uri : String | provenance | | +| SanitizationTests.java:197:31:197:112 | list : List [] : String | SanitizationTests.java:198:16:198:19 | list : List [] : String | provenance | | +| SanitizationTests.java:198:16:198:19 | list : List [] : String | SanitizationTests.java:198:16:198:26 | get(...) : String | provenance | MaD:290 | +| SanitizationTests.java:207:37:207:46 | uri : String | SanitizationTests.java:208:24:208:26 | uri : String | provenance | | +| SanitizationTests.java:208:13:208:16 | this [post update] : AnnotatedFieldObject [uri] : String | SanitizationTests.java:207:16:207:35 | parameter this [Return] : AnnotatedFieldObject [uri] : String | provenance | | +| SanitizationTests.java:208:24:208:26 | uri : String | SanitizationTests.java:208:13:208:16 | this [post update] : AnnotatedFieldObject [uri] : String | provenance | | +| SanitizationTests.java:211:23:211:28 | parameter this : AnnotatedFieldObject [uri] : String | SanitizationTests.java:212:20:212:22 | this <.field> : AnnotatedFieldObject [uri] : String | provenance | | +| SanitizationTests.java:212:20:212:22 | this <.field> : AnnotatedFieldObject [uri] : String | SanitizationTests.java:212:20:212:22 | uri : String | provenance | | +| SanitizationTests.java:219:41:219:115 | uri : String | SanitizationTests.java:220:24:220:26 | uri : String | provenance | | +| SanitizationTests.java:220:13:220:16 | this [post update] : AnnotatedParameterObject [uri] : String | SanitizationTests.java:219:16:219:39 | parameter this [Return] : AnnotatedParameterObject [uri] : String | provenance | | +| SanitizationTests.java:220:24:220:26 | uri : String | SanitizationTests.java:220:13:220:16 | this [post update] : AnnotatedParameterObject [uri] : 
String | provenance | | +| SanitizationTests.java:223:23:223:28 | parameter this : AnnotatedParameterObject [uri] : String | SanitizationTests.java:224:20:224:22 | this <.field> : AnnotatedParameterObject [uri] : String | provenance | | +| SanitizationTests.java:224:20:224:22 | this <.field> : AnnotatedParameterObject [uri] : String | SanitizationTests.java:224:20:224:22 | uri : String | provenance | | | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:32:39:32:59 | ... + ... | provenance | Src:MaD:277 Sink:MaD:264 | | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:33:69:33:82 | fooResourceUrl | provenance | Src:MaD:277 | | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:34:73:34:86 | fooResourceUrl | provenance | Src:MaD:277 | 
@@ -864,16 +962,16 @@ edges | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:82:107:82:120 | fooResourceUrl : String | provenance | Src:MaD:277 | | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:84:129:84:142 | fooResourceUrl : String | provenance | Src:MaD:277 | | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:87:48:87:61 | fooResourceUrl : String | provenance | Src:MaD:277 | -| SpringSSRF.java:38:83:38:96 | fooResourceUrl : String | SpringSSRF.java:38:69:38:97 | of(...) | provenance | MaD:289 | -| SpringSSRF.java:40:105:40:118 | fooResourceUrl : String | SpringSSRF.java:40:69:40:119 | of(...) | provenance | MaD:290 | -| SpringSSRF.java:49:105:49:118 | fooResourceUrl : String | SpringSSRF.java:49:91:49:119 | of(...) | provenance | MaD:289 | -| SpringSSRF.java:51:127:51:140 | fooResourceUrl : String | SpringSSRF.java:51:91:51:141 | of(...) | provenance | MaD:290 | -| SpringSSRF.java:60:93:60:106 | fooResourceUrl : String | SpringSSRF.java:60:79:60:107 | of(...) | provenance | MaD:289 | -| SpringSSRF.java:62:115:62:128 | fooResourceUrl : String | SpringSSRF.java:62:79:62:129 | of(...) | provenance | MaD:290 | -| SpringSSRF.java:71:83:71:96 | fooResourceUrl : String | SpringSSRF.java:71:69:71:97 | of(...) | provenance | MaD:289 | -| SpringSSRF.java:73:105:73:118 | fooResourceUrl : String | SpringSSRF.java:73:69:73:119 | of(...) | provenance | MaD:290 | -| SpringSSRF.java:82:107:82:120 | fooResourceUrl : String | SpringSSRF.java:82:93:82:121 | of(...) | provenance | MaD:289 | -| SpringSSRF.java:84:129:84:142 | fooResourceUrl : String | SpringSSRF.java:84:93:84:143 | of(...) | provenance | MaD:290 | +| SpringSSRF.java:38:83:38:96 | fooResourceUrl : String | SpringSSRF.java:38:69:38:97 | of(...) | provenance | MaD:291 | +| SpringSSRF.java:40:105:40:118 | fooResourceUrl : String | SpringSSRF.java:40:69:40:119 | of(...) 
| provenance | MaD:292 | +| SpringSSRF.java:49:105:49:118 | fooResourceUrl : String | SpringSSRF.java:49:91:49:119 | of(...) | provenance | MaD:291 | +| SpringSSRF.java:51:127:51:140 | fooResourceUrl : String | SpringSSRF.java:51:91:51:141 | of(...) | provenance | MaD:292 | +| SpringSSRF.java:60:93:60:106 | fooResourceUrl : String | SpringSSRF.java:60:79:60:107 | of(...) | provenance | MaD:291 | +| SpringSSRF.java:62:115:62:128 | fooResourceUrl : String | SpringSSRF.java:62:79:62:129 | of(...) | provenance | MaD:292 | +| SpringSSRF.java:71:83:71:96 | fooResourceUrl : String | SpringSSRF.java:71:69:71:97 | of(...) | provenance | MaD:291 | +| SpringSSRF.java:73:105:73:118 | fooResourceUrl : String | SpringSSRF.java:73:69:73:119 | of(...) | provenance | MaD:292 | +| SpringSSRF.java:82:107:82:120 | fooResourceUrl : String | SpringSSRF.java:82:93:82:121 | of(...) | provenance | MaD:291 | +| SpringSSRF.java:84:129:84:142 | fooResourceUrl : String | SpringSSRF.java:84:93:84:143 | of(...) | provenance | MaD:292 | | SpringSSRF.java:87:48:87:61 | fooResourceUrl : String | SpringSSRF.java:87:40:87:62 | new URI(...) | provenance | Config Sink:MaD:269 | | SpringSSRF.java:87:48:87:61 | fooResourceUrl : String | SpringSSRF.java:87:40:87:62 | new URI(...) | provenance | MaD:285 Sink:MaD:269 | | SpringSSRF.java:87:48:87:61 | fooResourceUrl : String | SpringSSRF.java:88:92:88:105 | fooResourceUrl | provenance | | 
@@ -918,20 +1016,20 @@ edges | SpringSSRF.java:87:48:87:61 | fooResourceUrl : String | SpringSSRF.java:159:72:159:85 | fooResourceUrl : String | provenance | | | SpringSSRF.java:87:48:87:61 | fooResourceUrl : String | SpringSSRF.java:161:94:161:107 | fooResourceUrl : String | provenance | | | SpringSSRF.java:87:48:87:61 | fooResourceUrl : String | SpringSSRF.java:166:35:166:48 | fooResourceUrl : String | provenance | | -| SpringSSRF.java:93:106:93:119 | fooResourceUrl : String | SpringSSRF.java:93:92:93:120 | of(...) | provenance | MaD:289 | -| SpringSSRF.java:95:128:95:141 | fooResourceUrl : String | SpringSSRF.java:95:92:95:142 | of(...) | provenance | MaD:290 | -| SpringSSRF.java:104:94:104:107 | fooResourceUrl : String | SpringSSRF.java:104:80:104:108 | of(...) | provenance | MaD:289 | -| SpringSSRF.java:106:116:106:129 | fooResourceUrl : String | SpringSSRF.java:106:80:106:130 | of(...) | provenance | MaD:290 | -| SpringSSRF.java:115:106:115:119 | fooResourceUrl : String | SpringSSRF.java:115:92:115:120 | of(...) | provenance | MaD:289 | -| SpringSSRF.java:117:128:117:141 | fooResourceUrl : String | SpringSSRF.java:117:92:117:142 | of(...) | provenance | MaD:290 | -| SpringSSRF.java:126:82:126:95 | fooResourceUrl : String | SpringSSRF.java:126:68:126:96 | of(...) | provenance | MaD:289 | -| SpringSSRF.java:128:104:128:117 | fooResourceUrl : String | SpringSSRF.java:128:68:128:118 | of(...) | provenance | MaD:290 | -| SpringSSRF.java:137:63:137:76 | fooResourceUrl : String | SpringSSRF.java:137:49:137:77 | of(...) | provenance | MaD:289 | -| SpringSSRF.java:139:85:139:98 | fooResourceUrl : String | SpringSSRF.java:139:49:139:99 | of(...) | provenance | MaD:290 | -| SpringSSRF.java:148:71:148:84 | fooResourceUrl : String | SpringSSRF.java:148:57:148:85 | of(...) | provenance | MaD:289 | -| SpringSSRF.java:150:93:150:106 | fooResourceUrl : String | SpringSSRF.java:150:57:150:107 | of(...) 
| provenance | MaD:290 | -| SpringSSRF.java:159:72:159:85 | fooResourceUrl : String | SpringSSRF.java:159:58:159:86 | of(...) | provenance | MaD:289 | -| SpringSSRF.java:161:94:161:107 | fooResourceUrl : String | SpringSSRF.java:161:58:161:108 | of(...) | provenance | MaD:290 | +| SpringSSRF.java:93:106:93:119 | fooResourceUrl : String | SpringSSRF.java:93:92:93:120 | of(...) | provenance | MaD:291 | +| SpringSSRF.java:95:128:95:141 | fooResourceUrl : String | SpringSSRF.java:95:92:95:142 | of(...) | provenance | MaD:292 | +| SpringSSRF.java:104:94:104:107 | fooResourceUrl : String | SpringSSRF.java:104:80:104:108 | of(...) | provenance | MaD:291 | +| SpringSSRF.java:106:116:106:129 | fooResourceUrl : String | SpringSSRF.java:106:80:106:130 | of(...) | provenance | MaD:292 | +| SpringSSRF.java:115:106:115:119 | fooResourceUrl : String | SpringSSRF.java:115:92:115:120 | of(...) | provenance | MaD:291 | +| SpringSSRF.java:117:128:117:141 | fooResourceUrl : String | SpringSSRF.java:117:92:117:142 | of(...) | provenance | MaD:292 | +| SpringSSRF.java:126:82:126:95 | fooResourceUrl : String | SpringSSRF.java:126:68:126:96 | of(...) | provenance | MaD:291 | +| SpringSSRF.java:128:104:128:117 | fooResourceUrl : String | SpringSSRF.java:128:68:128:118 | of(...) | provenance | MaD:292 | +| SpringSSRF.java:137:63:137:76 | fooResourceUrl : String | SpringSSRF.java:137:49:137:77 | of(...) | provenance | MaD:291 | +| SpringSSRF.java:139:85:139:98 | fooResourceUrl : String | SpringSSRF.java:139:49:139:99 | of(...) | provenance | MaD:292 | +| SpringSSRF.java:148:71:148:84 | fooResourceUrl : String | SpringSSRF.java:148:57:148:85 | of(...) | provenance | MaD:291 | +| SpringSSRF.java:150:93:150:106 | fooResourceUrl : String | SpringSSRF.java:150:57:150:107 | of(...) | provenance | MaD:292 | +| SpringSSRF.java:159:72:159:85 | fooResourceUrl : String | SpringSSRF.java:159:58:159:86 | of(...) 
| provenance | MaD:291 | +| SpringSSRF.java:161:94:161:107 | fooResourceUrl : String | SpringSSRF.java:161:58:161:108 | of(...) | provenance | MaD:292 | | SpringSSRF.java:166:27:166:49 | new URI(...) : URI | SpringSSRF.java:168:44:168:46 | uri | provenance | Sink:MaD:255 | | SpringSSRF.java:166:27:166:49 | new URI(...) : URI | SpringSSRF.java:170:35:170:37 | uri | provenance | Sink:MaD:250 | | SpringSSRF.java:166:27:166:49 | new URI(...) : URI | SpringSSRF.java:171:35:171:37 | uri | provenance | Sink:MaD:256 | 
@@ -1352,11 +1450,13 @@ models | 286 | Summary: java.net; URI; false; toString; ; ; Argument[this]; ReturnValue; taint; manual | | 287 | Summary: java.net; URI; false; toURL; ; ; Argument[this]; ReturnValue; taint; manual | | 288 | Summary: java.net; URL; false; URL; (String); ; Argument[0]; Argument[this]; taint; manual | -| 289 | Summary: java.util; Map; false; of; ; ; Argument[1]; ReturnValue.MapValue; value; manual | -| 290 | Summary: java.util; Map; false; of; ; ; Argument[3]; ReturnValue.MapValue; value; manual | -| 291 | Summary: java.util; Properties; true; setProperty; (String,String); ; Argument[1]; Argument[this].MapValue; value; manual | -| 292 | Summary: org.apache.hc.core5.http; HttpHost; true; HttpHost; (String); ; Argument[0]; Argument[this]; taint; hq-manual | -| 293 | Summary: org.apache.http.message; BasicRequestLine; false; BasicRequestLine; ; ; Argument[1]; Argument[this]; taint; manual | +| 289 | Summary: java.util; List; false; of; (Object); ; Argument[0]; ReturnValue.Element; value; manual | +| 290 | Summary: java.util; List; true; get; (int); ; Argument[this].Element; ReturnValue; value; manual | +| 291 | Summary: java.util; Map; false; of; ; ; Argument[1]; ReturnValue.MapValue; value; manual | +| 292 | Summary: java.util; Map; false; of; ; ; Argument[3]; ReturnValue.MapValue; value; manual | +| 293 | Summary: java.util; Properties; true; setProperty; (String,String); ; Argument[1]; Argument[this].MapValue; value; manual | +| 294 | Summary: org.apache.hc.core5.http; HttpHost; true; HttpHost; (String); ; Argument[0]; Argument[this]; taint; hq-manual | +| 295 | Summary: org.apache.http.message; BasicRequestLine; false; BasicRequestLine; ; ; Argument[1]; Argument[this]; taint; manual | nodes | ApacheHttpSSRF.java:27:27:27:53 | getParameter(...) : String | semmle.label | getParameter(...) : String | | ApacheHttpSSRF.java:28:23:28:35 | new URI(...) : URI | semmle.label | new URI(...) : URI | 
@@ -1714,107 +1814,182 @@ nodes | ReactiveWebClientSSRF.java:16:52:16:54 | url | semmle.label | url | | ReactiveWebClientSSRF.java:32:26:32:52 | getParameter(...) : String | semmle.label | getParameter(...) : String | | ReactiveWebClientSSRF.java:35:30:35:32 | url | semmle.label | url | -| SanitizationTests.java:21:23:21:58 | new URI(...) : URI | semmle.label | new URI(...) : URI | -| SanitizationTests.java:21:31:21:57 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| SanitizationTests.java:24:29:24:55 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | -| SanitizationTests.java:24:29:24:63 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | -| SanitizationTests.java:24:52:24:54 | uri | semmle.label | uri | -| SanitizationTests.java:24:52:24:54 | uri : URI | semmle.label | uri : URI | -| SanitizationTests.java:25:25:25:25 | r | semmle.label | r | -| SanitizationTests.java:77:33:77:63 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| SanitizationTests.java:78:36:78:78 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | -| SanitizationTests.java:78:36:78:86 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | -| SanitizationTests.java:78:59:78:77 | new URI(...) | semmle.label | new URI(...) | -| SanitizationTests.java:78:59:78:77 | new URI(...) : URI | semmle.label | new URI(...) : URI | -| SanitizationTests.java:78:67:78:76 | unsafeUri3 : String | semmle.label | unsafeUri3 : String | -| SanitizationTests.java:79:25:79:32 | unsafer3 | semmle.label | unsafer3 | -| SanitizationTests.java:81:49:81:79 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| SanitizationTests.java:82:36:82:78 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | -| SanitizationTests.java:82:36:82:86 | build(...) : HttpRequest | semmle.label | build(...) 
: HttpRequest | -| SanitizationTests.java:82:59:82:77 | new URI(...) | semmle.label | new URI(...) | -| SanitizationTests.java:82:59:82:77 | new URI(...) : URI | semmle.label | new URI(...) : URI | -| SanitizationTests.java:82:67:82:76 | unsafeUri4 : String | semmle.label | unsafeUri4 : String | -| SanitizationTests.java:83:25:83:32 | unsafer4 | semmle.label | unsafer4 | -| SanitizationTests.java:86:13:86:22 | unsafeUri5 [post update] : StringBuilder | semmle.label | unsafeUri5 [post update] : StringBuilder | -| SanitizationTests.java:86:31:86:61 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| SanitizationTests.java:87:36:87:89 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | -| SanitizationTests.java:87:36:87:97 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | -| SanitizationTests.java:87:59:87:88 | new URI(...) | semmle.label | new URI(...) | -| SanitizationTests.java:87:59:87:88 | new URI(...) : URI | semmle.label | new URI(...) : URI | -| SanitizationTests.java:87:67:87:76 | unsafeUri5 : StringBuilder | semmle.label | unsafeUri5 : StringBuilder | -| SanitizationTests.java:87:67:87:87 | toString(...) : String | semmle.label | toString(...) : String | -| SanitizationTests.java:88:25:88:32 | unsafer5 | semmle.label | unsafer5 | -| SanitizationTests.java:90:40:90:87 | new StringBuilder(...) : StringBuilder | semmle.label | new StringBuilder(...) : StringBuilder | -| SanitizationTests.java:90:58:90:86 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| SanitizationTests.java:92:37:92:90 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | -| SanitizationTests.java:92:37:92:98 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | -| SanitizationTests.java:92:60:92:89 | new URI(...) | semmle.label | new URI(...) | -| SanitizationTests.java:92:60:92:89 | new URI(...) : URI | semmle.label | new URI(...) 
: URI | -| SanitizationTests.java:92:68:92:77 | unafeUri5a : StringBuilder | semmle.label | unafeUri5a : StringBuilder | -| SanitizationTests.java:92:68:92:88 | toString(...) : String | semmle.label | toString(...) : String | -| SanitizationTests.java:93:25:93:33 | unsafer5a | semmle.label | unsafer5a | -| SanitizationTests.java:95:41:95:105 | append(...) : StringBuilder | semmle.label | append(...) : StringBuilder | -| SanitizationTests.java:95:42:95:89 | new StringBuilder(...) : StringBuilder | semmle.label | new StringBuilder(...) : StringBuilder | -| SanitizationTests.java:95:60:95:88 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| SanitizationTests.java:97:37:97:91 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | -| SanitizationTests.java:97:37:97:99 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | -| SanitizationTests.java:97:60:97:90 | new URI(...) | semmle.label | new URI(...) | -| SanitizationTests.java:97:60:97:90 | new URI(...) : URI | semmle.label | new URI(...) : URI | -| SanitizationTests.java:97:68:97:78 | unsafeUri5b : StringBuilder | semmle.label | unsafeUri5b : StringBuilder | -| SanitizationTests.java:97:68:97:89 | toString(...) : String | semmle.label | toString(...) : String | -| SanitizationTests.java:98:25:98:33 | unsafer5b | semmle.label | unsafer5b | -| SanitizationTests.java:100:41:100:106 | append(...) : StringBuilder | semmle.label | append(...) : StringBuilder | -| SanitizationTests.java:100:77:100:105 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| SanitizationTests.java:102:37:102:91 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | -| SanitizationTests.java:102:37:102:99 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | -| SanitizationTests.java:102:60:102:90 | new URI(...) | semmle.label | new URI(...) | -| SanitizationTests.java:102:60:102:90 | new URI(...) 
: URI | semmle.label | new URI(...) : URI | -| SanitizationTests.java:102:68:102:78 | unsafeUri5c : StringBuilder | semmle.label | unsafeUri5c : StringBuilder | -| SanitizationTests.java:102:68:102:89 | toString(...) : String | semmle.label | toString(...) : String | -| SanitizationTests.java:103:25:103:33 | unsafer5c | semmle.label | unsafer5c | -| SanitizationTests.java:105:33:105:104 | format(...) : String | semmle.label | format(...) : String | -| SanitizationTests.java:105:33:105:104 | new ..[] { .. } : Object[] [[]] : String | semmle.label | new ..[] { .. } : Object[] [[]] : String | -| SanitizationTests.java:105:73:105:103 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| SanitizationTests.java:106:36:106:78 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | -| SanitizationTests.java:106:36:106:86 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | -| SanitizationTests.java:106:59:106:77 | new URI(...) | semmle.label | new URI(...) | -| SanitizationTests.java:106:59:106:77 | new URI(...) : URI | semmle.label | new URI(...) : URI | -| SanitizationTests.java:106:67:106:76 | unsafeUri6 : String | semmle.label | unsafeUri6 : String | -| SanitizationTests.java:107:25:107:32 | unsafer6 | semmle.label | unsafer6 | -| SanitizationTests.java:109:33:109:110 | format(...) : String | semmle.label | format(...) : String | -| SanitizationTests.java:109:33:109:110 | new ..[] { .. } : Object[] [[]] : String | semmle.label | new ..[] { .. } : Object[] [[]] : String | -| SanitizationTests.java:109:56:109:86 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| SanitizationTests.java:110:36:110:78 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | -| SanitizationTests.java:110:36:110:86 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | -| SanitizationTests.java:110:59:110:77 | new URI(...) | semmle.label | new URI(...) 
| -| SanitizationTests.java:110:59:110:77 | new URI(...) : URI | semmle.label | new URI(...) : URI | -| SanitizationTests.java:110:67:110:76 | unsafeUri7 : String | semmle.label | unsafeUri7 : String | -| SanitizationTests.java:111:25:111:32 | unsafer7 | semmle.label | unsafer7 | -| SanitizationTests.java:113:33:113:110 | format(...) : String | semmle.label | format(...) : String | -| SanitizationTests.java:113:33:113:110 | new ..[] { .. } : Object[] [[]] : String | semmle.label | new ..[] { .. } : Object[] [[]] : String | -| SanitizationTests.java:113:55:113:85 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| SanitizationTests.java:114:36:114:78 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | -| SanitizationTests.java:114:36:114:86 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | -| SanitizationTests.java:114:59:114:77 | new URI(...) | semmle.label | new URI(...) | -| SanitizationTests.java:114:59:114:77 | new URI(...) : URI | semmle.label | new URI(...) : URI | -| SanitizationTests.java:114:67:114:76 | unsafeUri8 : String | semmle.label | unsafeUri8 : String | -| SanitizationTests.java:115:25:115:32 | unsafer8 | semmle.label | unsafer8 | -| SanitizationTests.java:117:33:117:63 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| SanitizationTests.java:118:36:118:78 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | -| SanitizationTests.java:118:36:118:86 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | -| SanitizationTests.java:118:59:118:77 | new URI(...) | semmle.label | new URI(...) | -| SanitizationTests.java:118:59:118:77 | new URI(...) : URI | semmle.label | new URI(...) : URI | -| SanitizationTests.java:118:67:118:76 | unsafeUri9 : String | semmle.label | unsafeUri9 : String | -| SanitizationTests.java:119:25:119:32 | unsafer9 | semmle.label | unsafer9 | -| SanitizationTests.java:121:34:121:126 | format(...) 
: String | semmle.label | format(...) : String | -| SanitizationTests.java:121:34:121:126 | new ..[] { .. } : Object[] [[]] : String | semmle.label | new ..[] { .. } : Object[] [[]] : String | -| SanitizationTests.java:121:94:121:125 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| SanitizationTests.java:122:37:122:80 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | -| SanitizationTests.java:122:37:122:88 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | -| SanitizationTests.java:122:60:122:79 | new URI(...) | semmle.label | new URI(...) | -| SanitizationTests.java:122:60:122:79 | new URI(...) : URI | semmle.label | new URI(...) : URI | -| SanitizationTests.java:122:68:122:78 | unsafeUri10 : String | semmle.label | unsafeUri10 : String | -| SanitizationTests.java:123:25:123:33 | unsafer10 | semmle.label | unsafer10 | +| SanitizationTests.java:22:23:22:58 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| SanitizationTests.java:22:31:22:57 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| SanitizationTests.java:25:29:25:55 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | +| SanitizationTests.java:25:29:25:63 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | +| SanitizationTests.java:25:52:25:54 | uri | semmle.label | uri | +| SanitizationTests.java:25:52:25:54 | uri : URI | semmle.label | uri : URI | +| SanitizationTests.java:26:25:26:25 | r | semmle.label | r | +| SanitizationTests.java:78:33:78:63 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| SanitizationTests.java:79:36:79:78 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | +| SanitizationTests.java:79:36:79:86 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | +| SanitizationTests.java:79:59:79:77 | new URI(...) | semmle.label | new URI(...) 
| +| SanitizationTests.java:79:59:79:77 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| SanitizationTests.java:79:67:79:76 | unsafeUri3 : String | semmle.label | unsafeUri3 : String | +| SanitizationTests.java:80:25:80:32 | unsafer3 | semmle.label | unsafer3 | +| SanitizationTests.java:82:49:82:79 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| SanitizationTests.java:83:36:83:78 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | +| SanitizationTests.java:83:36:83:86 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | +| SanitizationTests.java:83:59:83:77 | new URI(...) | semmle.label | new URI(...) | +| SanitizationTests.java:83:59:83:77 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| SanitizationTests.java:83:67:83:76 | unsafeUri4 : String | semmle.label | unsafeUri4 : String | +| SanitizationTests.java:84:25:84:32 | unsafer4 | semmle.label | unsafer4 | +| SanitizationTests.java:87:13:87:22 | unsafeUri5 [post update] : StringBuilder | semmle.label | unsafeUri5 [post update] : StringBuilder | +| SanitizationTests.java:87:31:87:61 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| SanitizationTests.java:88:36:88:89 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | +| SanitizationTests.java:88:36:88:97 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | +| SanitizationTests.java:88:59:88:88 | new URI(...) | semmle.label | new URI(...) | +| SanitizationTests.java:88:59:88:88 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| SanitizationTests.java:88:67:88:76 | unsafeUri5 : StringBuilder | semmle.label | unsafeUri5 : StringBuilder | +| SanitizationTests.java:88:67:88:87 | toString(...) : String | semmle.label | toString(...) : String | +| SanitizationTests.java:89:25:89:32 | unsafer5 | semmle.label | unsafer5 | +| SanitizationTests.java:91:40:91:87 | new StringBuilder(...) 
: StringBuilder | semmle.label | new StringBuilder(...) : StringBuilder | +| SanitizationTests.java:91:58:91:86 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| SanitizationTests.java:93:37:93:90 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | +| SanitizationTests.java:93:37:93:98 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | +| SanitizationTests.java:93:60:93:89 | new URI(...) | semmle.label | new URI(...) | +| SanitizationTests.java:93:60:93:89 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| SanitizationTests.java:93:68:93:77 | unafeUri5a : StringBuilder | semmle.label | unafeUri5a : StringBuilder | +| SanitizationTests.java:93:68:93:88 | toString(...) : String | semmle.label | toString(...) : String | +| SanitizationTests.java:94:25:94:33 | unsafer5a | semmle.label | unsafer5a | +| SanitizationTests.java:96:41:96:105 | append(...) : StringBuilder | semmle.label | append(...) : StringBuilder | +| SanitizationTests.java:96:42:96:89 | new StringBuilder(...) : StringBuilder | semmle.label | new StringBuilder(...) : StringBuilder | +| SanitizationTests.java:96:60:96:88 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| SanitizationTests.java:98:37:98:91 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | +| SanitizationTests.java:98:37:98:99 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | +| SanitizationTests.java:98:60:98:90 | new URI(...) | semmle.label | new URI(...) | +| SanitizationTests.java:98:60:98:90 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| SanitizationTests.java:98:68:98:78 | unsafeUri5b : StringBuilder | semmle.label | unsafeUri5b : StringBuilder | +| SanitizationTests.java:98:68:98:89 | toString(...) : String | semmle.label | toString(...) 
: String | +| SanitizationTests.java:99:25:99:33 | unsafer5b | semmle.label | unsafer5b | +| SanitizationTests.java:101:41:101:106 | append(...) : StringBuilder | semmle.label | append(...) : StringBuilder | +| SanitizationTests.java:101:77:101:105 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| SanitizationTests.java:103:37:103:91 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | +| SanitizationTests.java:103:37:103:99 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | +| SanitizationTests.java:103:60:103:90 | new URI(...) | semmle.label | new URI(...) | +| SanitizationTests.java:103:60:103:90 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| SanitizationTests.java:103:68:103:78 | unsafeUri5c : StringBuilder | semmle.label | unsafeUri5c : StringBuilder | +| SanitizationTests.java:103:68:103:89 | toString(...) : String | semmle.label | toString(...) : String | +| SanitizationTests.java:104:25:104:33 | unsafer5c | semmle.label | unsafer5c | +| SanitizationTests.java:106:33:106:104 | format(...) : String | semmle.label | format(...) : String | +| SanitizationTests.java:106:33:106:104 | new ..[] { .. } : Object[] [[]] : String | semmle.label | new ..[] { .. } : Object[] [[]] : String | +| SanitizationTests.java:106:73:106:103 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| SanitizationTests.java:107:36:107:78 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | +| SanitizationTests.java:107:36:107:86 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | +| SanitizationTests.java:107:59:107:77 | new URI(...) | semmle.label | new URI(...) | +| SanitizationTests.java:107:59:107:77 | new URI(...) : URI | semmle.label | new URI(...) 
: URI | +| SanitizationTests.java:107:67:107:76 | unsafeUri6 : String | semmle.label | unsafeUri6 : String | +| SanitizationTests.java:108:25:108:32 | unsafer6 | semmle.label | unsafer6 | +| SanitizationTests.java:110:33:110:110 | format(...) : String | semmle.label | format(...) : String | +| SanitizationTests.java:110:33:110:110 | new ..[] { .. } : Object[] [[]] : String | semmle.label | new ..[] { .. } : Object[] [[]] : String | +| SanitizationTests.java:110:56:110:86 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| SanitizationTests.java:111:36:111:78 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | +| SanitizationTests.java:111:36:111:86 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | +| SanitizationTests.java:111:59:111:77 | new URI(...) | semmle.label | new URI(...) | +| SanitizationTests.java:111:59:111:77 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| SanitizationTests.java:111:67:111:76 | unsafeUri7 : String | semmle.label | unsafeUri7 : String | +| SanitizationTests.java:112:25:112:32 | unsafer7 | semmle.label | unsafer7 | +| SanitizationTests.java:114:33:114:110 | format(...) : String | semmle.label | format(...) : String | +| SanitizationTests.java:114:33:114:110 | new ..[] { .. } : Object[] [[]] : String | semmle.label | new ..[] { .. } : Object[] [[]] : String | +| SanitizationTests.java:114:55:114:85 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| SanitizationTests.java:115:36:115:78 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | +| SanitizationTests.java:115:36:115:86 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | +| SanitizationTests.java:115:59:115:77 | new URI(...) | semmle.label | new URI(...) | +| SanitizationTests.java:115:59:115:77 | new URI(...) : URI | semmle.label | new URI(...) 
: URI | +| SanitizationTests.java:115:67:115:76 | unsafeUri8 : String | semmle.label | unsafeUri8 : String | +| SanitizationTests.java:116:25:116:32 | unsafer8 | semmle.label | unsafer8 | +| SanitizationTests.java:118:33:118:63 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| SanitizationTests.java:119:36:119:78 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | +| SanitizationTests.java:119:36:119:86 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | +| SanitizationTests.java:119:59:119:77 | new URI(...) | semmle.label | new URI(...) | +| SanitizationTests.java:119:59:119:77 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| SanitizationTests.java:119:67:119:76 | unsafeUri9 : String | semmle.label | unsafeUri9 : String | +| SanitizationTests.java:120:25:120:32 | unsafer9 | semmle.label | unsafer9 | +| SanitizationTests.java:122:34:122:126 | format(...) : String | semmle.label | format(...) : String | +| SanitizationTests.java:122:34:122:126 | new ..[] { .. } : Object[] [[]] : String | semmle.label | new ..[] { .. } : Object[] [[]] : String | +| SanitizationTests.java:122:94:122:125 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| SanitizationTests.java:123:37:123:80 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | +| SanitizationTests.java:123:37:123:88 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | +| SanitizationTests.java:123:60:123:79 | new URI(...) | semmle.label | new URI(...) | +| SanitizationTests.java:123:60:123:79 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| SanitizationTests.java:123:68:123:78 | unsafeUri10 : String | semmle.label | unsafeUri10 : String | +| SanitizationTests.java:124:25:124:33 | unsafer10 | semmle.label | unsafer10 | +| SanitizationTests.java:153:42:153:96 | new AnnotatedFieldObject(...) 
: AnnotatedFieldObject [uri] : String | semmle.label | new AnnotatedFieldObject(...) : AnnotatedFieldObject [uri] : String | +| SanitizationTests.java:153:67:153:95 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| SanitizationTests.java:154:32:154:73 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | +| SanitizationTests.java:154:32:154:81 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | +| SanitizationTests.java:154:55:154:72 | new URI(...) | semmle.label | new URI(...) | +| SanitizationTests.java:154:55:154:72 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| SanitizationTests.java:154:63:154:67 | obj14 : AnnotatedFieldObject [uri] : String | semmle.label | obj14 : AnnotatedFieldObject [uri] : String | +| SanitizationTests.java:154:63:154:71 | obj14.uri : String | semmle.label | obj14.uri : String | +| SanitizationTests.java:155:25:155:28 | r14a | semmle.label | r14a | +| SanitizationTests.java:156:32:156:78 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | +| SanitizationTests.java:156:32:156:86 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | +| SanitizationTests.java:156:55:156:77 | new URI(...) | semmle.label | new URI(...) | +| SanitizationTests.java:156:55:156:77 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| SanitizationTests.java:156:63:156:67 | obj14 : AnnotatedFieldObject [uri] : String | semmle.label | obj14 : AnnotatedFieldObject [uri] : String | +| SanitizationTests.java:156:63:156:76 | getUri(...) : String | semmle.label | getUri(...) : String | +| SanitizationTests.java:157:25:157:28 | r14b | semmle.label | r14b | +| SanitizationTests.java:160:46:160:104 | new AnnotatedParameterObject(...) : AnnotatedParameterObject [uri] : String | semmle.label | new AnnotatedParameterObject(...) : AnnotatedParameterObject [uri] : String | +| SanitizationTests.java:160:75:160:103 | getParameter(...) 
: String | semmle.label | getParameter(...) : String | +| SanitizationTests.java:161:32:161:73 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | +| SanitizationTests.java:161:32:161:81 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | +| SanitizationTests.java:161:55:161:72 | new URI(...) | semmle.label | new URI(...) | +| SanitizationTests.java:161:55:161:72 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| SanitizationTests.java:161:63:161:67 | obj15 : AnnotatedParameterObject [uri] : String | semmle.label | obj15 : AnnotatedParameterObject [uri] : String | +| SanitizationTests.java:161:63:161:71 | obj15.uri : String | semmle.label | obj15.uri : String | +| SanitizationTests.java:162:25:162:28 | r15a | semmle.label | r15a | +| SanitizationTests.java:163:32:163:78 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | +| SanitizationTests.java:163:32:163:86 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | +| SanitizationTests.java:163:55:163:77 | new URI(...) | semmle.label | new URI(...) | +| SanitizationTests.java:163:55:163:77 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| SanitizationTests.java:163:63:163:67 | obj15 : AnnotatedParameterObject [uri] : String | semmle.label | obj15 : AnnotatedParameterObject [uri] : String | +| SanitizationTests.java:163:63:163:76 | getUri(...) : String | semmle.label | getUri(...) : String | +| SanitizationTests.java:164:25:164:28 | r15b | semmle.label | r15b | +| SanitizationTests.java:167:31:167:103 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | +| SanitizationTests.java:167:31:167:111 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | +| SanitizationTests.java:167:54:167:102 | new URI(...) | semmle.label | new URI(...) | +| SanitizationTests.java:167:54:167:102 | new URI(...) : URI | semmle.label | new URI(...) 
: URI | +| SanitizationTests.java:167:62:167:101 | identity1(...) : String | semmle.label | identity1(...) : String | +| SanitizationTests.java:167:72:167:100 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| SanitizationTests.java:168:25:168:27 | r16 | semmle.label | r16 | +| SanitizationTests.java:171:31:171:103 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | +| SanitizationTests.java:171:31:171:111 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | +| SanitizationTests.java:171:54:171:102 | new URI(...) | semmle.label | new URI(...) | +| SanitizationTests.java:171:54:171:102 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| SanitizationTests.java:171:62:171:101 | identity2(...) : String | semmle.label | identity2(...) : String | +| SanitizationTests.java:171:72:171:100 | getParameter(...) : String | semmle.label | getParameter(...) : String | +| SanitizationTests.java:172:25:172:27 | r17 | semmle.label | r17 | +| SanitizationTests.java:175:31:175:114 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | +| SanitizationTests.java:175:31:175:122 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | +| SanitizationTests.java:175:54:175:113 | new URI(...) | semmle.label | new URI(...) | +| SanitizationTests.java:175:54:175:113 | new URI(...) : URI | semmle.label | new URI(...) : URI | +| SanitizationTests.java:175:62:175:112 | getFromList(...) : String | semmle.label | getFromList(...) : String | +| SanitizationTests.java:175:74:175:111 | of(...) : List [] : String | semmle.label | of(...) : List [] : String | +| SanitizationTests.java:175:82:175:110 | getParameter(...) : String | semmle.label | getParameter(...) 
: String | +| SanitizationTests.java:176:25:176:27 | r18 | semmle.label | r18 | +| SanitizationTests.java:188:29:188:103 | uri : String | semmle.label | uri : String | +| SanitizationTests.java:189:16:189:18 | uri : String | semmle.label | uri : String | +| SanitizationTests.java:193:29:193:38 | uri : String | semmle.label | uri : String | +| SanitizationTests.java:194:16:194:18 | uri : String | semmle.label | uri : String | +| SanitizationTests.java:197:31:197:112 | list : List [] : String | semmle.label | list : List [] : String | +| SanitizationTests.java:198:16:198:19 | list : List [] : String | semmle.label | list : List [] : String | +| SanitizationTests.java:198:16:198:26 | get(...) : String | semmle.label | get(...) : String | +| SanitizationTests.java:207:16:207:35 | parameter this [Return] : AnnotatedFieldObject [uri] : String | semmle.label | parameter this [Return] : AnnotatedFieldObject [uri] : String | +| SanitizationTests.java:207:37:207:46 | uri : String | semmle.label | uri : String | +| SanitizationTests.java:208:13:208:16 | this [post update] : AnnotatedFieldObject [uri] : String | semmle.label | this [post update] : AnnotatedFieldObject [uri] : String | +| SanitizationTests.java:208:24:208:26 | uri : String | semmle.label | uri : String | +| SanitizationTests.java:211:23:211:28 | parameter this : AnnotatedFieldObject [uri] : String | semmle.label | parameter this : AnnotatedFieldObject [uri] : String | +| SanitizationTests.java:212:20:212:22 | this <.field> : AnnotatedFieldObject [uri] : String | semmle.label | this <.field> : AnnotatedFieldObject [uri] : String | +| SanitizationTests.java:212:20:212:22 | uri : String | semmle.label | uri : String | +| SanitizationTests.java:219:16:219:39 | parameter this [Return] : AnnotatedParameterObject [uri] : String | semmle.label | parameter this [Return] : AnnotatedParameterObject [uri] : String | +| SanitizationTests.java:219:41:219:115 | uri : String | semmle.label | uri : String | +| 
SanitizationTests.java:220:13:220:16 | this [post update] : AnnotatedParameterObject [uri] : String | semmle.label | this [post update] : AnnotatedParameterObject [uri] : String | +| SanitizationTests.java:220:24:220:26 | uri : String | semmle.label | uri : String | +| SanitizationTests.java:223:23:223:28 | parameter this : AnnotatedParameterObject [uri] : String | semmle.label | parameter this : AnnotatedParameterObject [uri] : String | +| SanitizationTests.java:224:20:224:22 | this <.field> : AnnotatedParameterObject [uri] : String | semmle.label | this <.field> : AnnotatedParameterObject [uri] : String | +| SanitizationTests.java:224:20:224:22 | uri : String | semmle.label | uri : String | | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | semmle.label | getParameter(...) : String | | SpringSSRF.java:32:39:32:59 | ... + ... | semmle.label | ... + ... | | SpringSSRF.java:33:69:33:82 | fooResourceUrl | semmle.label | fooResourceUrl | 
@@ -2035,3 +2210,29 @@ nodes | mad/Test.java:112:15:112:31 | (...)... | semmle.label | (...)... | | mad/Test.java:112:24:112:31 | source(...) : String | semmle.label | source(...) : String | subpaths +| SanitizationTests.java:153:67:153:95 | getParameter(...) : String | SanitizationTests.java:207:37:207:46 | uri : String | SanitizationTests.java:207:16:207:35 | parameter this [Return] : AnnotatedFieldObject [uri] : String | SanitizationTests.java:153:42:153:96 | new AnnotatedFieldObject(...) : AnnotatedFieldObject [uri] : String | +| SanitizationTests.java:156:63:156:67 | obj14 : AnnotatedFieldObject [uri] : String | SanitizationTests.java:211:23:211:28 | parameter this : AnnotatedFieldObject [uri] : String | SanitizationTests.java:212:20:212:22 | uri : String | SanitizationTests.java:156:63:156:76 | getUri(...) : String | +| SanitizationTests.java:160:75:160:103 | getParameter(...) : String | SanitizationTests.java:219:41:219:115 | uri : String | SanitizationTests.java:219:16:219:39 | parameter this [Return] : AnnotatedParameterObject [uri] : String | SanitizationTests.java:160:46:160:104 | new AnnotatedParameterObject(...) : AnnotatedParameterObject [uri] : String | +| SanitizationTests.java:163:63:163:67 | obj15 : AnnotatedParameterObject [uri] : String | SanitizationTests.java:223:23:223:28 | parameter this : AnnotatedParameterObject [uri] : String | SanitizationTests.java:224:20:224:22 | uri : String | SanitizationTests.java:163:63:163:76 | getUri(...) : String | +| SanitizationTests.java:167:72:167:100 | getParameter(...) : String | SanitizationTests.java:188:29:188:103 | uri : String | SanitizationTests.java:189:16:189:18 | uri : String | SanitizationTests.java:167:62:167:101 | identity1(...) : String | +| SanitizationTests.java:171:72:171:100 | getParameter(...) : String | SanitizationTests.java:193:29:193:38 | uri : String | SanitizationTests.java:194:16:194:18 | uri : String | SanitizationTests.java:171:62:171:101 | identity2(...) 
: String | +| SanitizationTests.java:175:74:175:111 | of(...) : List [] : String | SanitizationTests.java:197:31:197:112 | list : List [] : String | SanitizationTests.java:198:16:198:26 | get(...) : String | SanitizationTests.java:175:62:175:112 | getFromList(...) : String | +testFailures +| SanitizationTests.java:153:67:153:95 | getParameter(...) : String | Unexpected result: Source | +| SanitizationTests.java:154:55:154:72 | new URI(...) | Unexpected result: Alert | +| SanitizationTests.java:155:25:155:28 | r14a | Unexpected result: Alert | +| SanitizationTests.java:156:55:156:77 | new URI(...) | Unexpected result: Alert | +| SanitizationTests.java:157:25:157:28 | r14b | Unexpected result: Alert | +| SanitizationTests.java:160:75:160:103 | getParameter(...) : String | Unexpected result: Source | +| SanitizationTests.java:161:55:161:72 | new URI(...) | Unexpected result: Alert | +| SanitizationTests.java:162:25:162:28 | r15a | Unexpected result: Alert | +| SanitizationTests.java:163:55:163:77 | new URI(...) | Unexpected result: Alert | +| SanitizationTests.java:164:25:164:28 | r15b | Unexpected result: Alert | +| SanitizationTests.java:167:54:167:102 | new URI(...) | Unexpected result: Alert | +| SanitizationTests.java:167:72:167:100 | getParameter(...) : String | Unexpected result: Alert | +| SanitizationTests.java:167:72:167:100 | getParameter(...) : String | Unexpected result: Source | +| SanitizationTests.java:168:25:168:27 | r16 | Unexpected result: Alert | +| SanitizationTests.java:171:54:171:102 | new URI(...) | Unexpected result: Alert | +| SanitizationTests.java:171:72:171:100 | getParameter(...) : String | Unexpected result: Alert | +| SanitizationTests.java:171:72:171:100 | getParameter(...) : String | Unexpected result: Source | +| SanitizationTests.java:172:25:172:27 | r17 | Unexpected result: Alert | 
diff --git a/java/ql/test/query-tests/security/CWE-918/SanitizationTests.java b/java/ql/test/query-tests/security/CWE-918/SanitizationTests.java index 4da70e8dd751..167875086591 100644 --- a/java/ql/test/query-tests/security/CWE-918/SanitizationTests.java +++ b/java/ql/test/query-tests/security/CWE-918/SanitizationTests.java @@ -2,8 +2,9 @@ import java.net.URI; import java.net.http.HttpClient; import java.net.http.HttpRequest; -import java.util.regex.Pattern; import java.util.regex.Matcher; +import java.util.regex.Pattern; +import java.util.List; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; 
@@ -147,6 +148,32 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
 HttpRequest r13 = HttpRequest.newBuilder(new URI(param13)).build();
 client.send(r13, null);
 }
+
+ // GOOD: sanitisation by @Pattern annotation on a field
+ AnnotatedFieldObject obj14 = new AnnotatedFieldObject(request.getParameter("uri14"));
+ HttpRequest r14a = HttpRequest.newBuilder(new URI(obj14.uri)).build();
+ client.send(r14a, null);
+ HttpRequest r14b = HttpRequest.newBuilder(new URI(obj14.getUri())).build();
+ client.send(r14b, null);
+
+ // GOOD: sanitisation by @Pattern annotation on a parameter of a constructor
+ AnnotatedParameterObject obj15 = new AnnotatedParameterObject(request.getParameter("uri15"));
+ HttpRequest r15a = HttpRequest.newBuilder(new URI(obj15.uri)).build();
+ client.send(r15a, null);
+ HttpRequest r15b = HttpRequest.newBuilder(new URI(obj15.getUri())).build();
+ client.send(r15b, null);
+
+ // GOOD: sanitisation by @Pattern annotation on a parameter of a method
+ HttpRequest r16 = HttpRequest.newBuilder(new URI(identity1(request.getParameter("uri16")))).build();
+ client.send(r16, null);
+
+ // GOOD: sanitisation by @Pattern annotation on a method (which constrains the return value)
+ HttpRequest r17 = HttpRequest.newBuilder(new URI(identity2(request.getParameter("uri17")))).build();
+ client.send(r17, null);
+
+ // GOOD: sanitisation by @Pattern annotation on a type (we do not recognise this, so we get an FP)
+ HttpRequest r18 = HttpRequest.newBuilder(new URI(getFromList(List.of(request.getParameter("uri18"))))).build(); // $ SPURIOUS: Source Alert
+ client.send(r18, null); // $ SPURIOUS: Alert
 } catch (Exception e) {
 // TODO: handle exception
 }
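Review bot: The new GOOD cases only exercise annotated members, so nothing checks that the `@Pattern` barrier is scoped to the annotated field rather than to the whole object; `otherField` is declared on `AnnotatedFieldObject` in the next hunk but is never read here. A BAD case that stores user input in the un-annotated field and builds a URI from it, e.g. `obj14.otherField = request.getParameter("uri14b");` followed by `HttpRequest r14c = HttpRequest.newBuilder(new URI(obj14.otherField)).build(); // $ Alert`, would catch a barrier that is too broad, which matters more here than the GOOD cases since an over-broad sanitizer produces silent false negatives. The enclosing `doGet` method starts and ends outside the hunk.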
@@ -157,4 +184,44 @@ private void validate(String s) {
 throw new IllegalArgumentException("Invalid ID");
 }
 }
+
+ public String identity1(@javax.validation.constraints.Pattern(regexp = "[a-zA-Z0-9_-]+") String uri) {
+ return uri;
+ }
+
+ @javax.validation.constraints.Pattern(regexp = "[a-zA-Z0-9_-]+")
+ public String identity2(String uri) {
+ return uri;
+ }
+
+ public String getFromList(List<@javax.validation.constraints.Pattern(regexp = "[a-zA-Z0-9_-]+") String> list) {
+ return list.get(0);
+ }
+
+ public class AnnotatedFieldObject {
+ @javax.validation.constraints.Pattern(regexp = "[a-zA-Z0-9_-]+")
+ String uri;
+
+ String otherField;
+
+ public AnnotatedFieldObject(String uri) {
+ this.uri = uri;
+ }
+
+ public String getUri() {
+ return uri;
+ }
+ }
+
+ public class AnnotatedParameterObject {
+ String uri;
+
+ public AnnotatedParameterObject(@javax.validation.constraints.Pattern(regexp = "[a-zA-Z0-9_-]+") String uri) {
+ this.uri = uri;
+ }
+
+ public String getUri() {
+ return uri;
+ }
+ }
 }
diff --git a/java/ql/test/query-tests/security/CWE-918/options b/java/ql/test/query-tests/security/CWE-918/options
index 78a6c15024ae..6b6efaeca544 100644
--- a/java/ql/test/query-tests/security/CWE-918/options
+++ b/java/ql/test/query-tests/security/CWE-918/options
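Review bot: `AnnotatedFieldObject` and `AnnotatedParameterObject` are declared as non-static inner classes of the servlet, so every instance carries a hidden reference to the enclosing servlet that nothing in the test uses. Declaring them `public static class AnnotatedFieldObject {` and `public static class AnnotatedParameterObject {` keeps the fixtures self-contained and avoids the data-flow library having to reason about the implicit outer-instance parameter of their constructors.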
@@ -1 +1 @@ -//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/springframework-5.8.x:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/projectreactor-3.4.3/:${testdir}/../../../stubs/postgresql-42.3.3/:${testdir}/../../../stubs/HikariCP-3.4.5/:${testdir}/../../../stubs/spring-jdbc-5.3.8/:${testdir}/../../../stubs/jdbi3-core-3.27.2/:${testdir}/../../../stubs/cargo:${testdir}/../../../stubs/javafx-web:${testdir}/../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/stapler-1.263:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../stubs/saxon-xqj-9.x:${testdir}/../../../stubs/apache-commons-beanutils:${testdir}/../../../stubs/apache-commons-lang:${testdir}/../../../stubs/apache-http-5:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jaxws-api-2.0:${testdir}/../../../stubs/apache-cxf +//semmle-extractor-options: --javac-args -source 11 -target 11 -cp 
${testdir}/../../../stubs/javax-validation-constraints:${testdir}/../../../stubs/springframework-5.8.x:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/projectreactor-3.4.3/:${testdir}/../../../stubs/postgresql-42.3.3/:${testdir}/../../../stubs/HikariCP-3.4.5/:${testdir}/../../../stubs/spring-jdbc-5.3.8/:${testdir}/../../../stubs/jdbi3-core-3.27.2/:${testdir}/../../../stubs/cargo:${testdir}/../../../stubs/javafx-web:${testdir}/../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/stapler-1.263:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../stubs/saxon-xqj-9.x:${testdir}/../../../stubs/apache-commons-beanutils:${testdir}/../../../stubs/apache-commons-lang:${testdir}/../../../stubs/apache-http-5:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jaxws-api-2.0:${testdir}/../../../stubs/apache-cxf diff --git a/java/ql/test/stubs/javax-validation-constraints/javax/validation/Constraint.java b/java/ql/test/stubs/javax-validation-constraints/javax/validation/Constraint.java new file mode 100644 index 000000000000..5ad2617b19cd --- /dev/null +++ b/java/ql/test/stubs/javax-validation-constraints/javax/validation/Constraint.java @@ -0,0 +1,88 @@ +/* + * Bean Validation API + * + * License: Apache License, Version 2.0 + * See the license.txt file in the root directory or . + */ +package javax.validation; + +import static java.lang.annotation.ElementType.ANNOTATION_TYPE; +import static java.lang.annotation.RetentionPolicy.RUNTIME; + +import java.lang.annotation.Documented; +import java.lang.annotation.Retention; +import java.lang.annotation.Target; + +/** + * Marks an annotation as being a Bean Validation constraint. + *

+ * A given constraint annotation must be annotated by a {@code @Constraint} + * annotation which refers to its list of constraint validation implementations. + *

+ * Each constraint annotation must host the following attributes: + *

    + *
  • {@code String message() default [...];} which should default to an error + * message key made of the fully-qualified class name of the constraint followed by + * {@code .message}. For example {@code "{com.acme.constraints.NotSafe.message}"}
  • + *
  • {@code Class[] groups() default {};} for user to customize the targeted + * groups
  • + *
  • {@code Class[] payload() default {};} for + * extensibility purposes
  • + *
+ *

+ * When building a constraint that is both generic and cross-parameter, the constraint + * annotation must host the {@code validationAppliesTo()} property. + * A constraint is generic if it targets the annotated element and is cross-parameter if + * it targets the array of parameters of a method or constructor. + *

+ *     ConstraintTarget validationAppliesTo() default ConstraintTarget.IMPLICIT;
+ * 
+ * This property allows the constraint user to choose whether the constraint + * targets the return type of the executable or its array of parameters. + * + * A constraint is both generic and cross-parameter if + *
    + *
  • two kinds of {@code ConstraintValidator}s are attached to the + * constraint, one targeting {@link ValidationTarget#ANNOTATED_ELEMENT} + * and one targeting {@link ValidationTarget#PARAMETERS},
  • + *
  • or if a {@code ConstraintValidator} targets both + * {@code ANNOTATED_ELEMENT} and {@code PARAMETERS}.
  • + *
+ * + * Such dual constraints are rare. See {@link SupportedValidationTarget} for more info. + *

+ * Here is an example of constraint definition: + *

+ * @Documented
+ * @Constraint(validatedBy = OrderNumberValidator.class)
+ * @Target({ METHOD, FIELD, ANNOTATION_TYPE, CONSTRUCTOR, PARAMETER, TYPE_USE })
+ * @Retention(RUNTIME)
+ * public @interface OrderNumber {
+ *     String message() default "{com.acme.constraint.OrderNumber.message}";
+ *     Class<?>[] groups() default {};
+ *     Class<? extends Payload>[] payload() default {};
+ * }
+ * 
+ * + * @author Emmanuel Bernard + * @author Gavin King + * @author Hardy Ferentschik + */ +@Documented +@Target({ ANNOTATION_TYPE }) +@Retention(RUNTIME) +public @interface Constraint { + + /** + * {@link ConstraintValidator} classes implementing the constraint. The given classes + * must reference distinct target types for a given {@link ValidationTarget}. If two + * {@code ConstraintValidator}s refer to the same type, an exception will occur. + *

+ * At most one {@code ConstraintValidator} targeting the array of parameters of + * methods or constructors (aka cross-parameter) is accepted. If two or more + * are present, an exception will occur. + * + * @return array of {@code ConstraintValidator} classes implementing the constraint + */ + Class[] validatedBy(); +} diff --git a/java/ql/test/stubs/javax-validation-constraints/javax/validation/Payload.java b/java/ql/test/stubs/javax-validation-constraints/javax/validation/Payload.java new file mode 100644 index 000000000000..12c2760d34d4 --- /dev/null +++ b/java/ql/test/stubs/javax-validation-constraints/javax/validation/Payload.java @@ -0,0 +1,23 @@ +/* + * Bean Validation API + * + * License: Apache License, Version 2.0 + * See the license.txt file in the root directory or . + */ +package javax.validation; + +/** + * Payload type that can be attached to a given + * constraint declaration. + *

+ * Payloads are typically used to carry on metadata information + * consumed by a validation client. + *

+ * With the exception of the {@link Unwrapping} payload types, the use of payloads is not + * considered portable. + * + * @author Emmanuel Bernard + * @author Gerhard Petracek + */ +public interface Payload { +} diff --git a/java/ql/test/stubs/javax-validation-constraints/javax/validation/constraints/Pattern.java b/java/ql/test/stubs/javax-validation-constraints/javax/validation/constraints/Pattern.java new file mode 100644 index 000000000000..0f3191fe0d95 --- /dev/null +++ b/java/ql/test/stubs/javax-validation-constraints/javax/validation/constraints/Pattern.java @@ -0,0 +1,148 @@ +/* + * Bean Validation API + * + * License: Apache License, Version 2.0 + * See the license.txt file in the root directory or . + */ +package javax.validation.constraints; + +import static java.lang.annotation.ElementType.ANNOTATION_TYPE; +import static java.lang.annotation.ElementType.CONSTRUCTOR; +import static java.lang.annotation.ElementType.FIELD; +import static java.lang.annotation.ElementType.METHOD; +import static java.lang.annotation.ElementType.PARAMETER; +import static java.lang.annotation.ElementType.TYPE_USE; +import static java.lang.annotation.RetentionPolicy.RUNTIME; + +import java.lang.annotation.Documented; +import java.lang.annotation.Repeatable; +import java.lang.annotation.Retention; +import java.lang.annotation.Target; + +import javax.validation.Constraint; +import javax.validation.Payload; +import javax.validation.constraints.Pattern.List; + +/** + * The annotated {@code CharSequence} must match the specified regular expression. + * The regular expression follows the Java regular expression conventions + * see {@link java.util.regex.Pattern}. + *

+ * Accepts {@code CharSequence}. {@code null} elements are considered valid. + * + * @author Emmanuel Bernard + */ +@Target({ METHOD, FIELD, ANNOTATION_TYPE, CONSTRUCTOR, PARAMETER, TYPE_USE }) +@Retention(RUNTIME) +@Repeatable(List.class) +@Documented +@Constraint(validatedBy = { }) +public @interface Pattern { + + /** + * @return the regular expression to match + */ + String regexp(); + + /** + * @return array of {@code Flag}s considered when resolving the regular expression + */ + Flag[] flags() default { }; + + /** + * @return the error message template + */ + String message() default "{javax.validation.constraints.Pattern.message}"; + + /** + * @return the groups the constraint belongs to + */ + Class[] groups() default { }; + + /** + * @return the payload associated to the constraint + */ + Class[] payload() default { }; + + /** + * Possible Regexp flags. + */ + public static enum Flag { + + /** + * Enables Unix lines mode. + * + * @see java.util.regex.Pattern#UNIX_LINES + */ + UNIX_LINES( java.util.regex.Pattern.UNIX_LINES ), + + /** + * Enables case-insensitive matching. + * + * @see java.util.regex.Pattern#CASE_INSENSITIVE + */ + CASE_INSENSITIVE( java.util.regex.Pattern.CASE_INSENSITIVE ), + + /** + * Permits whitespace and comments in pattern. + * + * @see java.util.regex.Pattern#COMMENTS + */ + COMMENTS( java.util.regex.Pattern.COMMENTS ), + + /** + * Enables multiline mode. + * + * @see java.util.regex.Pattern#MULTILINE + */ + MULTILINE( java.util.regex.Pattern.MULTILINE ), + + /** + * Enables dotall mode. + * + * @see java.util.regex.Pattern#DOTALL + */ + DOTALL( java.util.regex.Pattern.DOTALL ), + + /** + * Enables Unicode-aware case folding. + * + * @see java.util.regex.Pattern#UNICODE_CASE + */ + UNICODE_CASE( java.util.regex.Pattern.UNICODE_CASE ), + + /** + * Enables canonical equivalence. 
+ * + * @see java.util.regex.Pattern#CANON_EQ + */ + CANON_EQ( java.util.regex.Pattern.CANON_EQ ); + + //JDK flag value + private final int value; + + private Flag(int value) { + this.value = value; + } + + /** + * @return flag value as defined in {@link java.util.regex.Pattern} + */ + public int getValue() { + return value; + } + } + + /** + * Defines several {@link Pattern} annotations on the same element. + * + * @see Pattern + */ + @Target({ METHOD, FIELD, ANNOTATION_TYPE, CONSTRUCTOR, PARAMETER, TYPE_USE }) + @Retention(RUNTIME) + @Documented + @interface List { + + Pattern[] value(); + } +} From bfe26c198981b1ed7e4007cd06792de090b9af64 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 12 Feb 2026 16:08:29 +0000 Subject: [PATCH 08/10] Add @Pattern as RegexExecution => SSRF sanitizer --- java/ql/lib/semmle/code/java/Concepts.qll | 1 + .../code/java/frameworks/JavaxAnnotations.qll | 35 ++++ .../semmle/code/java/security/Sanitizers.qll | 23 +-- .../security/CWE-918/RequestForgery.expected | 173 ------------------ 4 files changed, 48 insertions(+), 184 deletions(-) diff --git a/java/ql/lib/semmle/code/java/Concepts.qll b/java/ql/lib/semmle/code/java/Concepts.qll index ebe37bc2bc4d..eceb77d62acc 100644 --- a/java/ql/lib/semmle/code/java/Concepts.qll +++ b/java/ql/lib/semmle/code/java/Concepts.qll @@ -8,6 +8,7 @@ module; import java private import semmle.code.java.dataflow.DataFlow +private import semmle.code.java.frameworks.JavaxAnnotations /** * A data-flow node that executes a regular expression. diff --git a/java/ql/lib/semmle/code/java/frameworks/JavaxAnnotations.qll b/java/ql/lib/semmle/code/java/frameworks/JavaxAnnotations.qll index 22f33d346df0..922179384729 100644 --- a/java/ql/lib/semmle/code/java/frameworks/JavaxAnnotations.qll +++ b/java/ql/lib/semmle/code/java/frameworks/JavaxAnnotations.qll 
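Review bot: The new `private import semmle.code.java.frameworks.JavaxAnnotations` in Concepts.qll has no use visible in this hunk; presumably it is there so that `PatternAnnotation` is always loaded alongside the concept classes and their abstract `Range` types are populated, but that intent is not written down. Because it also makes the generic concepts file depend on a framework-specific file (which in turn extends `RegexExecutionExpr::Range`, per the next hunk), a one-line comment such as `// Framework models are imported here so that their \`Range\` subclasses populate the concept classes below.` would stop the next reader from removing it as unused.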
@@ -163,3 +163,38 @@ class WebServiceAnnotation extends Annotation {
 class WebServiceRefAnnotation extends Annotation {
 WebServiceRefAnnotation() { this.getType().hasQualifiedName("javax.xml.ws", "WebServiceRef") }
 }
+
+/*
+ * Annotations in the package `javax.validation.constraints`.
+ */
+
+/**
+ * A `@javax.validation.constraints.Pattern` annotation.
+ */
+class PatternAnnotation extends Annotation, RegexExecutionExpr::Range {
+ PatternAnnotation() {
+ this.getType()
+ .hasQualifiedName(["javax.validation.constraints", "jakarta.validation.constraints"],
+ "Pattern")
+ }
+
+ override Expr getRegex() { result = this.getValue("regexp") }
+
+ override Expr getString() {
+ // Annotation on field accessed by direct read - value of field will match regexp
+ result = this.getAnnotatedElement().(Field).getAnAccess()
+ or
+ // Annotation on field accessed by getter - value of field will match regexp
+ result.(MethodCall).getMethod().(GetterMethod).getField() = this.getAnnotatedElement()
+ or
+ // Annotation on parameter - value of parameter will match regexp
+ result = this.getAnnotatedElement().(Parameter).getAnAccess().(VarRead)
+ or
+ // Annotation on method - return value of method will match regexp
+ result.(Call).getCallee() = this.getAnnotatedElement()
+ // TODO - we could also consider the case where the annotation is on a type
+ // but this harder to model and not very common.
+ }
+
+ override string getName() { result = "@javax.validation.constraints.Pattern annotation" }
+}
diff --git a/java/ql/lib/semmle/code/java/security/Sanitizers.qll b/java/ql/lib/semmle/code/java/security/Sanitizers.qll
index ddac010391e9..b08d2e43c01d 100644
--- a/java/ql/lib/semmle/code/java/security/Sanitizers.qll
+++ b/java/ql/lib/semmle/code/java/security/Sanitizers.qll
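Review bot: The first disjunct of `getString()` uses `Field.getAnAccess()`, which also yields field writes such as the `this.uri = uri` store, although its comment says "direct read" and the parameter disjunct restricts itself to `VarRead`; `result = this.getAnnotatedElement().(Field).getAnAccess().(FieldRead)` makes the two cases consistent and keeps the sanitizer on the value that is actually read out. `getName()` hard-codes `"@javax.validation.constraints.Pattern annotation"` even though the characteristic predicate also matches `jakarta.validation.constraints`, so alert messages for Jakarta code will name the wrong package; `result = "@" + this.getType().getQualifiedName() + " annotation"` avoids that. The class QLDoc should also record the modelling assumption behind this sanitizer: a Bean Validation constraint only constrains a value when a validator is actually invoked on it (for example via `@Valid` or method validation), so treating every annotated field read, getter call, parameter read and method result as matching the regexp trades false negatives in code where validation is not wired up for fewer false positives, and a reader of the model should be told that this is deliberate.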
@@ -41,17 +41,11 @@ class SimpleTypeSanitizer extends DataFlow::Node {
 * make the type recursive. Otherwise use `RegexpCheckBarrier`.
 */
 predicate regexpMatchGuardChecks(Guard guard, Expr e, boolean branch) {
- exists(Method method, MethodCall mc |
- method = mc.getMethod() and
- guard = mc and
- branch = true
- |
- e = mc.(RegexExecutionExpr::Range).getString()
- or
- // Other `matches` methods.
- method.getName() = "matches" and
- e = mc.getQualifier()
- )
+ exists(RegexExecutionExpr::Range ree | not ree instanceof Annotation |
+ guard = ree and
+ e = ree.getString()
+ ) and
+ branch = true
 }
 
 /**
@@ -62,5 +56,12 @@ predicate regexpMatchGuardChecks(Guard guard, Expr e, boolean branch) {
 class RegexpCheckBarrier extends DataFlow::Node {
 RegexpCheckBarrier() {
 this = DataFlow::BarrierGuard::getABarrierNode()
+ or
+ // Annotations don't fit into the model of barrier guards because the
+ // annotation doesn't dominate the sanitized expression, so we instead
+ // treat them as barriers directly.
+ exists(RegexExecutionExpr::Range ree | ree instanceof Annotation |
+ this.asExpr() = ree.getString()
+ )
 }
 }
diff --git a/java/ql/test/query-tests/security/CWE-918/RequestForgery.expected b/java/ql/test/query-tests/security/CWE-918/RequestForgery.expected
index f1e7c9e2b86d..1b1553da7ebe 100644
--- a/java/ql/test/query-tests/security/CWE-918/RequestForgery.expected
+++ b/java/ql/test/query-tests/security/CWE-918/RequestForgery.expected
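Review bot: The rewritten `regexpMatchGuardChecks` drops the fallback that treated a call to any method named `matches` as a guard for its qualifier (`method.getName() = "matches" and e = mc.getQualifier()`), which the commit message does not mention; the predicate is now limited to modelled `RegexExecutionExpr::Range` instances, so `matches` methods on user-defined types that were previously accepted as barriers will start producing alerts again. If that narrowing is intended because the relevant `matches` methods are now covered by `RegexExecutionExpr` models, a sentence in the predicate's QLDoc saying so would spare the next reader the same question; otherwise the fallback should be restored as an extra disjunct. The `not ree instanceof Annotation` filter here and the `ree instanceof Annotation` case added to `RegexpCheckBarrier` in the second hunk are two halves of one rule, so a short cross-reference in the first comment (`// Annotation-based executions are handled directly in RegexpCheckBarrier.`) would keep them from drifting apart.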
@@ -252,18 +252,6 @@ | SanitizationTests.java:120:25:120:32 | unsafer9 | SanitizationTests.java:118:33:118:63 | getParameter(...) : String | SanitizationTests.java:120:25:120:32 | unsafer9 | Potential server-side request forgery due to a $@. | SanitizationTests.java:118:33:118:63 | getParameter(...) | user-provided value | | SanitizationTests.java:123:60:123:79 | new URI(...) | SanitizationTests.java:122:94:122:125 | getParameter(...) : String | SanitizationTests.java:123:60:123:79 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:122:94:122:125 | getParameter(...) | user-provided value | | SanitizationTests.java:124:25:124:33 | unsafer10 | SanitizationTests.java:122:94:122:125 | getParameter(...) : String | SanitizationTests.java:124:25:124:33 | unsafer10 | Potential server-side request forgery due to a $@. | SanitizationTests.java:122:94:122:125 | getParameter(...) | user-provided value | -| SanitizationTests.java:154:55:154:72 | new URI(...) | SanitizationTests.java:153:67:153:95 | getParameter(...) : String | SanitizationTests.java:154:55:154:72 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:153:67:153:95 | getParameter(...) | user-provided value | -| SanitizationTests.java:155:25:155:28 | r14a | SanitizationTests.java:153:67:153:95 | getParameter(...) : String | SanitizationTests.java:155:25:155:28 | r14a | Potential server-side request forgery due to a $@. | SanitizationTests.java:153:67:153:95 | getParameter(...) | user-provided value | -| SanitizationTests.java:156:55:156:77 | new URI(...) | SanitizationTests.java:153:67:153:95 | getParameter(...) : String | SanitizationTests.java:156:55:156:77 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:153:67:153:95 | getParameter(...) | user-provided value | -| SanitizationTests.java:157:25:157:28 | r14b | SanitizationTests.java:153:67:153:95 | getParameter(...) 
: String | SanitizationTests.java:157:25:157:28 | r14b | Potential server-side request forgery due to a $@. | SanitizationTests.java:153:67:153:95 | getParameter(...) | user-provided value | -| SanitizationTests.java:161:55:161:72 | new URI(...) | SanitizationTests.java:160:75:160:103 | getParameter(...) : String | SanitizationTests.java:161:55:161:72 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:160:75:160:103 | getParameter(...) | user-provided value | -| SanitizationTests.java:162:25:162:28 | r15a | SanitizationTests.java:160:75:160:103 | getParameter(...) : String | SanitizationTests.java:162:25:162:28 | r15a | Potential server-side request forgery due to a $@. | SanitizationTests.java:160:75:160:103 | getParameter(...) | user-provided value | -| SanitizationTests.java:163:55:163:77 | new URI(...) | SanitizationTests.java:160:75:160:103 | getParameter(...) : String | SanitizationTests.java:163:55:163:77 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:160:75:160:103 | getParameter(...) | user-provided value | -| SanitizationTests.java:164:25:164:28 | r15b | SanitizationTests.java:160:75:160:103 | getParameter(...) : String | SanitizationTests.java:164:25:164:28 | r15b | Potential server-side request forgery due to a $@. | SanitizationTests.java:160:75:160:103 | getParameter(...) | user-provided value | -| SanitizationTests.java:167:54:167:102 | new URI(...) | SanitizationTests.java:167:72:167:100 | getParameter(...) : String | SanitizationTests.java:167:54:167:102 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:167:72:167:100 | getParameter(...) | user-provided value | -| SanitizationTests.java:168:25:168:27 | r16 | SanitizationTests.java:167:72:167:100 | getParameter(...) : String | SanitizationTests.java:168:25:168:27 | r16 | Potential server-side request forgery due to a $@. 
| SanitizationTests.java:167:72:167:100 | getParameter(...) | user-provided value | -| SanitizationTests.java:171:54:171:102 | new URI(...) | SanitizationTests.java:171:72:171:100 | getParameter(...) : String | SanitizationTests.java:171:54:171:102 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:171:72:171:100 | getParameter(...) | user-provided value | -| SanitizationTests.java:172:25:172:27 | r17 | SanitizationTests.java:171:72:171:100 | getParameter(...) : String | SanitizationTests.java:172:25:172:27 | r17 | Potential server-side request forgery due to a $@. | SanitizationTests.java:171:72:171:100 | getParameter(...) | user-provided value | | SanitizationTests.java:175:54:175:113 | new URI(...) | SanitizationTests.java:175:82:175:110 | getParameter(...) : String | SanitizationTests.java:175:54:175:113 | new URI(...) | Potential server-side request forgery due to a $@. | SanitizationTests.java:175:82:175:110 | getParameter(...) | user-provided value | | SanitizationTests.java:176:25:176:27 | r18 | SanitizationTests.java:175:82:175:110 | getParameter(...) : String | SanitizationTests.java:176:25:176:27 | r18 | Potential server-side request forgery due to a $@. | SanitizationTests.java:175:82:175:110 | getParameter(...) | user-provided value | | SpringSSRF.java:32:39:32:59 | ... + ... | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:32:39:32:59 | ... + ... | Potential server-side request forgery due to a $@. | SpringSSRF.java:28:33:28:60 | getParameter(...) | user-provided value | 
@@ -847,66 +835,6 @@ edges | SanitizationTests.java:123:68:123:78 | unsafeUri10 : String | SanitizationTests.java:123:60:123:79 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | | SanitizationTests.java:123:68:123:78 | unsafeUri10 : String | SanitizationTests.java:123:60:123:79 | new URI(...) : URI | provenance | Config | | SanitizationTests.java:123:68:123:78 | unsafeUri10 : String | SanitizationTests.java:123:60:123:79 | new URI(...) : URI | provenance | MaD:285 | -| SanitizationTests.java:153:42:153:96 | new AnnotatedFieldObject(...) : AnnotatedFieldObject [uri] : String | SanitizationTests.java:154:63:154:67 | obj14 : AnnotatedFieldObject [uri] : String | provenance | | -| SanitizationTests.java:153:42:153:96 | new AnnotatedFieldObject(...) : AnnotatedFieldObject [uri] : String | SanitizationTests.java:156:63:156:67 | obj14 : AnnotatedFieldObject [uri] : String | provenance | | -| SanitizationTests.java:153:67:153:95 | getParameter(...) : String | SanitizationTests.java:153:42:153:96 | new AnnotatedFieldObject(...) : AnnotatedFieldObject [uri] : String | provenance | Src:MaD:277 | -| SanitizationTests.java:153:67:153:95 | getParameter(...) : String | SanitizationTests.java:207:37:207:46 | uri : String | provenance | Src:MaD:277 | -| SanitizationTests.java:154:32:154:73 | newBuilder(...) : Builder | SanitizationTests.java:154:32:154:81 | build(...) : HttpRequest | provenance | MaD:283 | -| SanitizationTests.java:154:32:154:81 | build(...) : HttpRequest | SanitizationTests.java:155:25:155:28 | r14a | provenance | Sink:MaD:4 | -| SanitizationTests.java:154:55:154:72 | new URI(...) : URI | SanitizationTests.java:154:32:154:73 | newBuilder(...) : Builder | provenance | MaD:284 | -| SanitizationTests.java:154:63:154:67 | obj14 : AnnotatedFieldObject [uri] : String | SanitizationTests.java:154:63:154:71 | obj14.uri : String | provenance | | -| SanitizationTests.java:154:63:154:71 | obj14.uri : String | SanitizationTests.java:154:55:154:72 | new URI(...) 
| provenance | Config Sink:MaD:6 | -| SanitizationTests.java:154:63:154:71 | obj14.uri : String | SanitizationTests.java:154:55:154:72 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | -| SanitizationTests.java:154:63:154:71 | obj14.uri : String | SanitizationTests.java:154:55:154:72 | new URI(...) : URI | provenance | Config | -| SanitizationTests.java:154:63:154:71 | obj14.uri : String | SanitizationTests.java:154:55:154:72 | new URI(...) : URI | provenance | MaD:285 | -| SanitizationTests.java:156:32:156:78 | newBuilder(...) : Builder | SanitizationTests.java:156:32:156:86 | build(...) : HttpRequest | provenance | MaD:283 | -| SanitizationTests.java:156:32:156:86 | build(...) : HttpRequest | SanitizationTests.java:157:25:157:28 | r14b | provenance | Sink:MaD:4 | -| SanitizationTests.java:156:55:156:77 | new URI(...) : URI | SanitizationTests.java:156:32:156:78 | newBuilder(...) : Builder | provenance | MaD:284 | -| SanitizationTests.java:156:63:156:67 | obj14 : AnnotatedFieldObject [uri] : String | SanitizationTests.java:156:63:156:76 | getUri(...) : String | provenance | | -| SanitizationTests.java:156:63:156:67 | obj14 : AnnotatedFieldObject [uri] : String | SanitizationTests.java:211:23:211:28 | parameter this : AnnotatedFieldObject [uri] : String | provenance | | -| SanitizationTests.java:156:63:156:76 | getUri(...) : String | SanitizationTests.java:156:55:156:77 | new URI(...) | provenance | Config Sink:MaD:6 | -| SanitizationTests.java:156:63:156:76 | getUri(...) : String | SanitizationTests.java:156:55:156:77 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | -| SanitizationTests.java:156:63:156:76 | getUri(...) : String | SanitizationTests.java:156:55:156:77 | new URI(...) : URI | provenance | Config | -| SanitizationTests.java:156:63:156:76 | getUri(...) : String | SanitizationTests.java:156:55:156:77 | new URI(...) : URI | provenance | MaD:285 | -| SanitizationTests.java:160:46:160:104 | new AnnotatedParameterObject(...) 
: AnnotatedParameterObject [uri] : String | SanitizationTests.java:161:63:161:67 | obj15 : AnnotatedParameterObject [uri] : String | provenance | | -| SanitizationTests.java:160:46:160:104 | new AnnotatedParameterObject(...) : AnnotatedParameterObject [uri] : String | SanitizationTests.java:163:63:163:67 | obj15 : AnnotatedParameterObject [uri] : String | provenance | | -| SanitizationTests.java:160:75:160:103 | getParameter(...) : String | SanitizationTests.java:160:46:160:104 | new AnnotatedParameterObject(...) : AnnotatedParameterObject [uri] : String | provenance | Src:MaD:277 | -| SanitizationTests.java:160:75:160:103 | getParameter(...) : String | SanitizationTests.java:219:41:219:115 | uri : String | provenance | Src:MaD:277 | -| SanitizationTests.java:161:32:161:73 | newBuilder(...) : Builder | SanitizationTests.java:161:32:161:81 | build(...) : HttpRequest | provenance | MaD:283 | -| SanitizationTests.java:161:32:161:81 | build(...) : HttpRequest | SanitizationTests.java:162:25:162:28 | r15a | provenance | Sink:MaD:4 | -| SanitizationTests.java:161:55:161:72 | new URI(...) : URI | SanitizationTests.java:161:32:161:73 | newBuilder(...) : Builder | provenance | MaD:284 | -| SanitizationTests.java:161:63:161:67 | obj15 : AnnotatedParameterObject [uri] : String | SanitizationTests.java:161:63:161:71 | obj15.uri : String | provenance | | -| SanitizationTests.java:161:63:161:71 | obj15.uri : String | SanitizationTests.java:161:55:161:72 | new URI(...) | provenance | Config Sink:MaD:6 | -| SanitizationTests.java:161:63:161:71 | obj15.uri : String | SanitizationTests.java:161:55:161:72 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | -| SanitizationTests.java:161:63:161:71 | obj15.uri : String | SanitizationTests.java:161:55:161:72 | new URI(...) : URI | provenance | Config | -| SanitizationTests.java:161:63:161:71 | obj15.uri : String | SanitizationTests.java:161:55:161:72 | new URI(...) 
: URI | provenance | MaD:285 | -| SanitizationTests.java:163:32:163:78 | newBuilder(...) : Builder | SanitizationTests.java:163:32:163:86 | build(...) : HttpRequest | provenance | MaD:283 | -| SanitizationTests.java:163:32:163:86 | build(...) : HttpRequest | SanitizationTests.java:164:25:164:28 | r15b | provenance | Sink:MaD:4 | -| SanitizationTests.java:163:55:163:77 | new URI(...) : URI | SanitizationTests.java:163:32:163:78 | newBuilder(...) : Builder | provenance | MaD:284 | -| SanitizationTests.java:163:63:163:67 | obj15 : AnnotatedParameterObject [uri] : String | SanitizationTests.java:163:63:163:76 | getUri(...) : String | provenance | | -| SanitizationTests.java:163:63:163:67 | obj15 : AnnotatedParameterObject [uri] : String | SanitizationTests.java:223:23:223:28 | parameter this : AnnotatedParameterObject [uri] : String | provenance | | -| SanitizationTests.java:163:63:163:76 | getUri(...) : String | SanitizationTests.java:163:55:163:77 | new URI(...) | provenance | Config Sink:MaD:6 | -| SanitizationTests.java:163:63:163:76 | getUri(...) : String | SanitizationTests.java:163:55:163:77 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | -| SanitizationTests.java:163:63:163:76 | getUri(...) : String | SanitizationTests.java:163:55:163:77 | new URI(...) : URI | provenance | Config | -| SanitizationTests.java:163:63:163:76 | getUri(...) : String | SanitizationTests.java:163:55:163:77 | new URI(...) : URI | provenance | MaD:285 | -| SanitizationTests.java:167:31:167:103 | newBuilder(...) : Builder | SanitizationTests.java:167:31:167:111 | build(...) : HttpRequest | provenance | MaD:283 | -| SanitizationTests.java:167:31:167:111 | build(...) : HttpRequest | SanitizationTests.java:168:25:168:27 | r16 | provenance | Sink:MaD:4 | -| SanitizationTests.java:167:54:167:102 | new URI(...) : URI | SanitizationTests.java:167:31:167:103 | newBuilder(...) : Builder | provenance | MaD:284 | -| SanitizationTests.java:167:62:167:101 | identity1(...) 
: String | SanitizationTests.java:167:54:167:102 | new URI(...) | provenance | Config Sink:MaD:6 | -| SanitizationTests.java:167:62:167:101 | identity1(...) : String | SanitizationTests.java:167:54:167:102 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | -| SanitizationTests.java:167:62:167:101 | identity1(...) : String | SanitizationTests.java:167:54:167:102 | new URI(...) : URI | provenance | Config | -| SanitizationTests.java:167:62:167:101 | identity1(...) : String | SanitizationTests.java:167:54:167:102 | new URI(...) : URI | provenance | MaD:285 | -| SanitizationTests.java:167:72:167:100 | getParameter(...) : String | SanitizationTests.java:167:62:167:101 | identity1(...) : String | provenance | Src:MaD:277 | -| SanitizationTests.java:167:72:167:100 | getParameter(...) : String | SanitizationTests.java:188:29:188:103 | uri : String | provenance | Src:MaD:277 | -| SanitizationTests.java:171:31:171:103 | newBuilder(...) : Builder | SanitizationTests.java:171:31:171:111 | build(...) : HttpRequest | provenance | MaD:283 | -| SanitizationTests.java:171:31:171:111 | build(...) : HttpRequest | SanitizationTests.java:172:25:172:27 | r17 | provenance | Sink:MaD:4 | -| SanitizationTests.java:171:54:171:102 | new URI(...) : URI | SanitizationTests.java:171:31:171:103 | newBuilder(...) : Builder | provenance | MaD:284 | -| SanitizationTests.java:171:62:171:101 | identity2(...) : String | SanitizationTests.java:171:54:171:102 | new URI(...) | provenance | Config Sink:MaD:6 | -| SanitizationTests.java:171:62:171:101 | identity2(...) : String | SanitizationTests.java:171:54:171:102 | new URI(...) | provenance | MaD:285 Sink:MaD:6 | -| SanitizationTests.java:171:62:171:101 | identity2(...) : String | SanitizationTests.java:171:54:171:102 | new URI(...) : URI | provenance | Config | -| SanitizationTests.java:171:62:171:101 | identity2(...) : String | SanitizationTests.java:171:54:171:102 | new URI(...) 
: URI | provenance | MaD:285 | -| SanitizationTests.java:171:72:171:100 | getParameter(...) : String | SanitizationTests.java:171:62:171:101 | identity2(...) : String | provenance | Src:MaD:277 | -| SanitizationTests.java:171:72:171:100 | getParameter(...) : String | SanitizationTests.java:193:29:193:38 | uri : String | provenance | Src:MaD:277 | | SanitizationTests.java:175:31:175:114 | newBuilder(...) : Builder | SanitizationTests.java:175:31:175:122 | build(...) : HttpRequest | provenance | MaD:283 | | SanitizationTests.java:175:31:175:122 | build(...) : HttpRequest | SanitizationTests.java:176:25:176:27 | r18 | provenance | Sink:MaD:4 | | SanitizationTests.java:175:54:175:113 | new URI(...) : URI | SanitizationTests.java:175:31:175:114 | newBuilder(...) : Builder | provenance | MaD:284 | 
@@ -917,20 +845,8 @@ edges | SanitizationTests.java:175:74:175:111 | of(...) : List [] : String | SanitizationTests.java:175:62:175:112 | getFromList(...) : String | provenance | MaD:290 | | SanitizationTests.java:175:74:175:111 | of(...) : List [] : String | SanitizationTests.java:197:31:197:112 | list : List [] : String | provenance | | | SanitizationTests.java:175:82:175:110 | getParameter(...) : String | SanitizationTests.java:175:74:175:111 | of(...) : List [] : String | provenance | Src:MaD:277 MaD:289 | -| SanitizationTests.java:188:29:188:103 | uri : String | SanitizationTests.java:189:16:189:18 | uri : String | provenance | | -| SanitizationTests.java:193:29:193:38 | uri : String | SanitizationTests.java:194:16:194:18 | uri : String | provenance | | | SanitizationTests.java:197:31:197:112 | list : List [] : String | SanitizationTests.java:198:16:198:19 | list : List [] : String | provenance | | | SanitizationTests.java:198:16:198:19 | list : List [] : String | SanitizationTests.java:198:16:198:26 | get(...) 
: String | provenance | MaD:290 | -| SanitizationTests.java:207:37:207:46 | uri : String | SanitizationTests.java:208:24:208:26 | uri : String | provenance | | -| SanitizationTests.java:208:13:208:16 | this [post update] : AnnotatedFieldObject [uri] : String | SanitizationTests.java:207:16:207:35 | parameter this [Return] : AnnotatedFieldObject [uri] : String | provenance | | -| SanitizationTests.java:208:24:208:26 | uri : String | SanitizationTests.java:208:13:208:16 | this [post update] : AnnotatedFieldObject [uri] : String | provenance | | -| SanitizationTests.java:211:23:211:28 | parameter this : AnnotatedFieldObject [uri] : String | SanitizationTests.java:212:20:212:22 | this <.field> : AnnotatedFieldObject [uri] : String | provenance | | -| SanitizationTests.java:212:20:212:22 | this <.field> : AnnotatedFieldObject [uri] : String | SanitizationTests.java:212:20:212:22 | uri : String | provenance | | -| SanitizationTests.java:219:41:219:115 | uri : String | SanitizationTests.java:220:24:220:26 | uri : String | provenance | | -| SanitizationTests.java:220:13:220:16 | this [post update] : AnnotatedParameterObject [uri] : String | SanitizationTests.java:219:16:219:39 | parameter this [Return] : AnnotatedParameterObject [uri] : String | provenance | | -| SanitizationTests.java:220:24:220:26 | uri : String | SanitizationTests.java:220:13:220:16 | this [post update] : AnnotatedParameterObject [uri] : String | provenance | | -| SanitizationTests.java:223:23:223:28 | parameter this : AnnotatedParameterObject [uri] : String | SanitizationTests.java:224:20:224:22 | this <.field> : AnnotatedParameterObject [uri] : String | provenance | | -| SanitizationTests.java:224:20:224:22 | this <.field> : AnnotatedParameterObject [uri] : String | SanitizationTests.java:224:20:224:22 | uri : String | provenance | | | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:32:39:32:59 | ... + ... 
| provenance | Src:MaD:277 Sink:MaD:264 | | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:33:69:33:82 | fooResourceUrl | provenance | Src:MaD:277 | | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | SpringSSRF.java:34:73:34:86 | fooResourceUrl | provenance | Src:MaD:277 | 
@@ -1915,52 +1831,6 @@ nodes | SanitizationTests.java:123:60:123:79 | new URI(...) : URI | semmle.label | new URI(...) : URI | | SanitizationTests.java:123:68:123:78 | unsafeUri10 : String | semmle.label | unsafeUri10 : String | | SanitizationTests.java:124:25:124:33 | unsafer10 | semmle.label | unsafer10 | -| SanitizationTests.java:153:42:153:96 | new AnnotatedFieldObject(...) : AnnotatedFieldObject [uri] : String | semmle.label | new AnnotatedFieldObject(...) : AnnotatedFieldObject [uri] : String | -| SanitizationTests.java:153:67:153:95 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| SanitizationTests.java:154:32:154:73 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | -| SanitizationTests.java:154:32:154:81 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | -| SanitizationTests.java:154:55:154:72 | new URI(...) | semmle.label | new URI(...) | -| SanitizationTests.java:154:55:154:72 | new URI(...) : URI | semmle.label | new URI(...) : URI | -| SanitizationTests.java:154:63:154:67 | obj14 : AnnotatedFieldObject [uri] : String | semmle.label | obj14 : AnnotatedFieldObject [uri] : String | -| SanitizationTests.java:154:63:154:71 | obj14.uri : String | semmle.label | obj14.uri : String | -| SanitizationTests.java:155:25:155:28 | r14a | semmle.label | r14a | -| SanitizationTests.java:156:32:156:78 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | -| SanitizationTests.java:156:32:156:86 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | -| SanitizationTests.java:156:55:156:77 | new URI(...) | semmle.label | new URI(...) | -| SanitizationTests.java:156:55:156:77 | new URI(...) : URI | semmle.label | new URI(...) : URI | -| SanitizationTests.java:156:63:156:67 | obj14 : AnnotatedFieldObject [uri] : String | semmle.label | obj14 : AnnotatedFieldObject [uri] : String | -| SanitizationTests.java:156:63:156:76 | getUri(...) 
: String | semmle.label | getUri(...) : String | -| SanitizationTests.java:157:25:157:28 | r14b | semmle.label | r14b | -| SanitizationTests.java:160:46:160:104 | new AnnotatedParameterObject(...) : AnnotatedParameterObject [uri] : String | semmle.label | new AnnotatedParameterObject(...) : AnnotatedParameterObject [uri] : String | -| SanitizationTests.java:160:75:160:103 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| SanitizationTests.java:161:32:161:73 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | -| SanitizationTests.java:161:32:161:81 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | -| SanitizationTests.java:161:55:161:72 | new URI(...) | semmle.label | new URI(...) | -| SanitizationTests.java:161:55:161:72 | new URI(...) : URI | semmle.label | new URI(...) : URI | -| SanitizationTests.java:161:63:161:67 | obj15 : AnnotatedParameterObject [uri] : String | semmle.label | obj15 : AnnotatedParameterObject [uri] : String | -| SanitizationTests.java:161:63:161:71 | obj15.uri : String | semmle.label | obj15.uri : String | -| SanitizationTests.java:162:25:162:28 | r15a | semmle.label | r15a | -| SanitizationTests.java:163:32:163:78 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | -| SanitizationTests.java:163:32:163:86 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | -| SanitizationTests.java:163:55:163:77 | new URI(...) | semmle.label | new URI(...) | -| SanitizationTests.java:163:55:163:77 | new URI(...) : URI | semmle.label | new URI(...) : URI | -| SanitizationTests.java:163:63:163:67 | obj15 : AnnotatedParameterObject [uri] : String | semmle.label | obj15 : AnnotatedParameterObject [uri] : String | -| SanitizationTests.java:163:63:163:76 | getUri(...) : String | semmle.label | getUri(...) : String | -| SanitizationTests.java:164:25:164:28 | r15b | semmle.label | r15b | -| SanitizationTests.java:167:31:167:103 | newBuilder(...) 
: Builder | semmle.label | newBuilder(...) : Builder | -| SanitizationTests.java:167:31:167:111 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | -| SanitizationTests.java:167:54:167:102 | new URI(...) | semmle.label | new URI(...) | -| SanitizationTests.java:167:54:167:102 | new URI(...) : URI | semmle.label | new URI(...) : URI | -| SanitizationTests.java:167:62:167:101 | identity1(...) : String | semmle.label | identity1(...) : String | -| SanitizationTests.java:167:72:167:100 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| SanitizationTests.java:168:25:168:27 | r16 | semmle.label | r16 | -| SanitizationTests.java:171:31:171:103 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | -| SanitizationTests.java:171:31:171:111 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | -| SanitizationTests.java:171:54:171:102 | new URI(...) | semmle.label | new URI(...) | -| SanitizationTests.java:171:54:171:102 | new URI(...) : URI | semmle.label | new URI(...) : URI | -| SanitizationTests.java:171:62:171:101 | identity2(...) : String | semmle.label | identity2(...) : String | -| SanitizationTests.java:171:72:171:100 | getParameter(...) : String | semmle.label | getParameter(...) : String | -| SanitizationTests.java:172:25:172:27 | r17 | semmle.label | r17 | | SanitizationTests.java:175:31:175:114 | newBuilder(...) : Builder | semmle.label | newBuilder(...) : Builder | | SanitizationTests.java:175:31:175:122 | build(...) : HttpRequest | semmle.label | build(...) : HttpRequest | | SanitizationTests.java:175:54:175:113 | new URI(...) | semmle.label | new URI(...) | 
@@ -1969,27 +1839,9 @@ nodes | SanitizationTests.java:175:74:175:111 | of(...) : List [] : String | semmle.label | of(...) : List [] : String | | SanitizationTests.java:175:82:175:110 | getParameter(...) : String | semmle.label | getParameter(...) : String | | SanitizationTests.java:176:25:176:27 | r18 | semmle.label | r18 | -| SanitizationTests.java:188:29:188:103 | uri : String | semmle.label | uri : String | -| SanitizationTests.java:189:16:189:18 | uri : String | semmle.label | uri : String | -| SanitizationTests.java:193:29:193:38 | uri : String | semmle.label | uri : String | -| SanitizationTests.java:194:16:194:18 | uri : String | semmle.label | uri : String | | SanitizationTests.java:197:31:197:112 | list : List [] : String | semmle.label | list : List [] : String | | SanitizationTests.java:198:16:198:19 | list : List [] : String | semmle.label | list : List [] : String | | SanitizationTests.java:198:16:198:26 | get(...) : String | semmle.label | get(...) : String | -| SanitizationTests.java:207:16:207:35 | parameter this [Return] : AnnotatedFieldObject [uri] : String | semmle.label | parameter this [Return] : AnnotatedFieldObject [uri] : String | -| SanitizationTests.java:207:37:207:46 | uri : String | semmle.label | uri : String | -| SanitizationTests.java:208:13:208:16 | this [post update] : AnnotatedFieldObject [uri] : String | semmle.label | this [post update] : AnnotatedFieldObject [uri] : String | -| SanitizationTests.java:208:24:208:26 | uri : String | semmle.label | uri : String | -| SanitizationTests.java:211:23:211:28 | parameter this : AnnotatedFieldObject [uri] : String | semmle.label | parameter this : AnnotatedFieldObject [uri] : String | -| SanitizationTests.java:212:20:212:22 | this <.field> : AnnotatedFieldObject [uri] : String | semmle.label | this <.field> : AnnotatedFieldObject [uri] : String | -| SanitizationTests.java:212:20:212:22 | uri : String | semmle.label | uri : String | -| SanitizationTests.java:219:16:219:39 | parameter this 
[Return] : AnnotatedParameterObject [uri] : String | semmle.label | parameter this [Return] : AnnotatedParameterObject [uri] : String | -| SanitizationTests.java:219:41:219:115 | uri : String | semmle.label | uri : String | -| SanitizationTests.java:220:13:220:16 | this [post update] : AnnotatedParameterObject [uri] : String | semmle.label | this [post update] : AnnotatedParameterObject [uri] : String | -| SanitizationTests.java:220:24:220:26 | uri : String | semmle.label | uri : String | -| SanitizationTests.java:223:23:223:28 | parameter this : AnnotatedParameterObject [uri] : String | semmle.label | parameter this : AnnotatedParameterObject [uri] : String | -| SanitizationTests.java:224:20:224:22 | this <.field> : AnnotatedParameterObject [uri] : String | semmle.label | this <.field> : AnnotatedParameterObject [uri] : String | -| SanitizationTests.java:224:20:224:22 | uri : String | semmle.label | uri : String | | SpringSSRF.java:28:33:28:60 | getParameter(...) : String | semmle.label | getParameter(...) : String | | SpringSSRF.java:32:39:32:59 | ... + ... | semmle.label | ... + ... | | SpringSSRF.java:33:69:33:82 | fooResourceUrl | semmle.label | fooResourceUrl | 
@@ -2210,29 +2062,4 @@ nodes | mad/Test.java:112:15:112:31 | (...)... | semmle.label | (...)... | | mad/Test.java:112:24:112:31 | source(...) : String | semmle.label | source(...) : String | subpaths -| SanitizationTests.java:153:67:153:95 | getParameter(...) : String | SanitizationTests.java:207:37:207:46 | uri : String | SanitizationTests.java:207:16:207:35 | parameter this [Return] : AnnotatedFieldObject [uri] : String | SanitizationTests.java:153:42:153:96 | new AnnotatedFieldObject(...) : AnnotatedFieldObject [uri] : String | -| SanitizationTests.java:156:63:156:67 | obj14 : AnnotatedFieldObject [uri] : String | SanitizationTests.java:211:23:211:28 | parameter this : AnnotatedFieldObject [uri] : String | SanitizationTests.java:212:20:212:22 | uri : String | SanitizationTests.java:156:63:156:76 | getUri(...) : String | -| SanitizationTests.java:160:75:160:103 | getParameter(...) : String | SanitizationTests.java:219:41:219:115 | uri : String | SanitizationTests.java:219:16:219:39 | parameter this [Return] : AnnotatedParameterObject [uri] : String | SanitizationTests.java:160:46:160:104 | new AnnotatedParameterObject(...) : AnnotatedParameterObject [uri] : String | -| SanitizationTests.java:163:63:163:67 | obj15 : AnnotatedParameterObject [uri] : String | SanitizationTests.java:223:23:223:28 | parameter this : AnnotatedParameterObject [uri] : String | SanitizationTests.java:224:20:224:22 | uri : String | SanitizationTests.java:163:63:163:76 | getUri(...) : String | -| SanitizationTests.java:167:72:167:100 | getParameter(...) : String | SanitizationTests.java:188:29:188:103 | uri : String | SanitizationTests.java:189:16:189:18 | uri : String | SanitizationTests.java:167:62:167:101 | identity1(...) : String | -| SanitizationTests.java:171:72:171:100 | getParameter(...) : String | SanitizationTests.java:193:29:193:38 | uri : String | SanitizationTests.java:194:16:194:18 | uri : String | SanitizationTests.java:171:62:171:101 | identity2(...) 
: String | | SanitizationTests.java:175:74:175:111 | of(...) : List [] : String | SanitizationTests.java:197:31:197:112 | list : List [] : String | SanitizationTests.java:198:16:198:26 | get(...) : String | SanitizationTests.java:175:62:175:112 | getFromList(...) : String | -testFailures -| SanitizationTests.java:153:67:153:95 | getParameter(...) : String | Unexpected result: Source | -| SanitizationTests.java:154:55:154:72 | new URI(...) | Unexpected result: Alert | -| SanitizationTests.java:155:25:155:28 | r14a | Unexpected result: Alert | -| SanitizationTests.java:156:55:156:77 | new URI(...) | Unexpected result: Alert | -| SanitizationTests.java:157:25:157:28 | r14b | Unexpected result: Alert | -| SanitizationTests.java:160:75:160:103 | getParameter(...) : String | Unexpected result: Source | -| SanitizationTests.java:161:55:161:72 | new URI(...) | Unexpected result: Alert | -| SanitizationTests.java:162:25:162:28 | r15a | Unexpected result: Alert | -| SanitizationTests.java:163:55:163:77 | new URI(...) | Unexpected result: Alert | -| SanitizationTests.java:164:25:164:28 | r15b | Unexpected result: Alert | -| SanitizationTests.java:167:54:167:102 | new URI(...) | Unexpected result: Alert | -| SanitizationTests.java:167:72:167:100 | getParameter(...) : String | Unexpected result: Alert | -| SanitizationTests.java:167:72:167:100 | getParameter(...) : String | Unexpected result: Source | -| SanitizationTests.java:168:25:168:27 | r16 | Unexpected result: Alert | -| SanitizationTests.java:171:54:171:102 | new URI(...) | Unexpected result: Alert | -| SanitizationTests.java:171:72:171:100 | getParameter(...) : String | Unexpected result: Alert | -| SanitizationTests.java:171:72:171:100 | getParameter(...) : String | Unexpected result: Source | -| SanitizationTests.java:172:25:172:27 | r17 | Unexpected result: Alert | From c539c2f4fd1c85ff86053149315e92e7ffafc58d Mon Sep 17 00:00:00 2001 
From: Owen Mansel-Chan Date: Thu, 12 Feb 2026 16:24:30 +0000 Subject: [PATCH 09/10] Add change note --- .../2026-02-12-pattern-annotation-ssrf-sanitizer.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 java/ql/lib/change-notes/2026-02-12-pattern-annotation-ssrf-sanitizer.md diff --git a/java/ql/lib/change-notes/2026-02-12-pattern-annotation-ssrf-sanitizer.md b/java/ql/lib/change-notes/2026-02-12-pattern-annotation-ssrf-sanitizer.md new file mode 100644 index 000000000000..20d3d08b3009 --- /dev/null +++ b/java/ql/lib/change-notes/2026-02-12-pattern-annotation-ssrf-sanitizer.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* More ways of checking that a string matches a regular expression are now considered as sanitizers for various queries, including `java/ssrf` and `java/path-injection`. In particular, being annotated with `@javax.validation.constraints.Pattern` is now recognised as a sanitizer for those queries. From 5bdf550317f72b47e3b754c54297466ce568dda0 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Thu, 12 Feb 2026 16:32:06 +0000 Subject: [PATCH 10/10] Fix QLDocs --- java/ql/lib/semmle/code/java/Concepts.qll | 2 +- java/ql/lib/semmle/code/java/frameworks/Regex.qll | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/java/ql/lib/semmle/code/java/Concepts.qll b/java/ql/lib/semmle/code/java/Concepts.qll index eceb77d62acc..327c9a2c4593 100644 --- a/java/ql/lib/semmle/code/java/Concepts.qll +++ b/java/ql/lib/semmle/code/java/Concepts.qll @@ -77,7 +77,7 @@ module RegexExecutionExpr { /** Gets the expression for the regex being executed by this node. */ abstract Expr getRegex(); - /** Gets a expression for the string to be searched or matched against. */ + /** Gets an expression for the string to be searched or matched against. */ abstract Expr getString(); /** diff --git a/java/ql/lib/semmle/code/java/frameworks/Regex.qll b/java/ql/lib/semmle/code/java/frameworks/Regex.qll index 28b7dd6a31a6..2578b4d24dbf 100644 
--- a/java/ql/lib/semmle/code/java/frameworks/Regex.qll +++ b/java/ql/lib/semmle/code/java/frameworks/Regex.qll @@ -71,17 +71,17 @@ class PatternLiteralField extends Field { } } -/** A call to the `compile` method of `java.util.regex.Pattern` */ +/** A call to the `compile` method of `java.util.regex.Pattern`. */ class PatternCompileCall extends MethodCall { PatternCompileCall() { this.getMethod() instanceof PatternCompileMethod } } -/** A call to the `matcher` method of `java.util.regex.Pattern` */ +/** A call to the `matcher` method of `java.util.regex.Pattern`. */ class PatternMatcherCall extends MethodCall { PatternMatcherCall() { this.getMethod() instanceof PatternMatcherMethod } } -/** A call to the `matches` method of `java.util.regex.Pattern` */ +/** A call to the `matches` method of `java.util.regex.Pattern`. */ class PatternMatchesCall extends MethodCall, RegexExecutionExpr::Range { PatternMatchesCall() { this.getMethod() instanceof PatternMatchesMethod } @@ -92,7 +92,7 @@ class PatternMatchesCall extends MethodCall, RegexExecutionExpr::Range { override string getName() { result = "Pattern.matches" } } -/** A call to the `matches` method of `java.util.regex.Matcher` */ +/** A call to the `matches` method of `java.util.regex.Matcher`. */ class MatcherMatchesCall extends MethodCall, RegexExecutionExpr::Range { MatcherMatchesCall() { this.getMethod() instanceof MatcherMatchesMethod }