- **bean-validation**: A sink that can be used for insecure bean validation, such as in calls to **ConstraintValidatorContext.buildConstraintViolationWithTemplate**.
331
+
- **command-injection**: A sink that can be used to inject shell commands, such as in calls to **Runtime.exec**.
332
+
- **file-content-store**: A sink that can be used to control the contents of a file, such as in a **Files.write** call.
333
+
- **fragment-injection**: A sink that can be used for Android fragment injection, such as in a **FragmentTransaction.replace** call.
334
+
- **groovy-injection**: A sink that can be used for Groovy injection, such as in a **GroovyShell.evaluate** call.
335
+
- **hostname-verification**: A sink that can be used for unsafe hostname verification, such as in calls to **HttpsURLConnection.setHostnameVerifier**.
336
+
- **html-injection**: A sink that can be used for XSS via HTML injection, such as in a **ResponseStream.write** call.
337
+
- **information-leak**: A sink that can be used to leak information to an HTTP response, such as in calls to **HttpServletResponse.sendError**.
338
+
- **intent-redirection**: A sink that can be used for Android intent redirection, such as in a **Context.startActivity** call.
339
+
- **jexl-injection**: A sink that can be used for JEXL expression injection, such as in a **JexlExpression.evaluate** call.
340
+
- **jndi-injection**: A sink that can be used for JNDI injection, such as in a **Context.lookup** call.
341
+
- **js-injection**: A sink that can be used for XSS via JavaScript injection, such as in a **Webview.evaluateJavaScript** call.
342
+
- **ldap-injection**: A sink that can be used for LDAP injection, such as in a **DirContext.search** call.
343
+
- **log-injection**: A sink that can be used for log injection, such as in a **Logger.warn** call.
344
+
- **mvel-injection**: A sink that can be used for MVEL expression injection, such as in a **MVEL.eval** call.
345
+
- **ognl-injection**: A sink that can be used for OGNL injection, such as in an **Ognl.getValue** call.
346
+
- **path-injection**: A sink that can be used for path injection in a file system access, such as in calls to **new FileReader**.
347
+
- **pending-intents**: A sink that can be used to send an implicit and mutable `PendingIntent` to a third party, such as in an **Activity.setResult** call.
348
+
- **request-forgery**: A sink that controls the URL of a request, such as in an **HttpRequest.newBuilder** call.
349
+
- **response-splitting**: A sink that can be used for HTTP response splitting, such as in calls to **HttpServletResponse.setHeader**.
350
+
- **sql-injection**: A sink that can be used for SQL injection, such as in a **Statement.executeQuery** call.
351
+
- **template-injection**: A sink that can be used for server side template injection, such as in a **Velocity.evaluate** call.
352
+
- **url-redirection**: A sink that can be used to redirect the user to a malicious URL, such as in a **Response.temporaryRedirect** call.
353
+
- **xpath-injection**: A sink that can be used for XPath injection, such as in a **XPath.evaluate** call.
354
+
- **xslt-injection**: A sink that can be used for XSLT injection, such as in a **Transformer.transform** call.
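Review bot: the example identifier in the **js-injection** entry does not match the Android API it names: the class is `WebView` and the method is `evaluateJavascript` (lowercase "s"), so `Webview.evaluateJavaScript` should read `WebView.evaluateJavascript`; every other entry in this hunk quotes the exact class and method spelling, so this one stands out. Two smaller wording nits in the same hunk: "in a MVEL.eval call" and "in a XPath.evaluate call" should be "an MVEL.eval call" and "an XPath.evaluate call", matching "an Ognl.getValue call" a few lines earlier.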