Java: update xss sink kind to html-injection and js-injection

Author: Jami Cogswell

java/ql/lib/ext/android.webkit.model.yml

@@ -10,6 +10,6 @@ extensions:
       extensible: sinkModel
     data:
       # Models representing methods susceptible to XSS attacks.
-      - ["android.webkit", "WebView", False, "evaluateJavascript", "", "", "Argument[0]", "xss", "manual"]
-      - ["android.webkit", "WebView", False, "loadData", "", "", "Argument[0]", "xss", "manual"]
-      - ["android.webkit", "WebView", False, "loadDataWithBaseURL", "", "", "Argument[1]", "xss", "manual"]
+      - ["android.webkit", "WebView", False, "evaluateJavascript", "", "", "Argument[0]", "js-injection", "manual"]
+      - ["android.webkit", "WebView", False, "loadData", "", "", "Argument[0]", "html-injection", "manual"]
+      - ["android.webkit", "WebView", False, "loadDataWithBaseURL", "", "", "Argument[1]", "html-injection", "manual"]

java/ql/lib/ext/jakarta.faces.context.model.yml

@@ -14,5 +14,5 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
-      - ["jakarta.faces.context", "ResponseStream", True, "write", "", "", "Argument[0]", "xss", "manual"]
-      - ["jakarta.faces.context", "ResponseWriter", True, "write", "", "", "Argument[0]", "xss", "manual"]
+      - ["jakarta.faces.context", "ResponseStream", True, "write", "", "", "Argument[0]", "html-injection", "manual"]
+      - ["jakarta.faces.context", "ResponseWriter", True, "write", "", "", "Argument[0]", "html-injection", "manual"]

java/ql/lib/ext/javax.faces.context.model.yml

@@ -14,5 +14,5 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
-      - ["javax.faces.context", "ResponseStream", True, "write", "", "", "Argument[0]", "xss", "manual"]
-      - ["javax.faces.context", "ResponseWriter", True, "write", "", "", "Argument[0]", "xss", "manual"]
+      - ["javax.faces.context", "ResponseStream", True, "write", "", "", "Argument[0]", "html-injection", "manual"]
+      - ["javax.faces.context", "ResponseWriter", True, "write", "", "", "Argument[0]", "html-injection", "manual"]

java/ql/lib/ext/org.apache.hc.core5.http.model.yml

@@ -3,7 +3,7 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
-      - ["org.apache.hc.core5.http", "HttpEntityContainer", True, "setEntity", "(HttpEntity)", "", "Argument[0]", "xss", "manual"]
+      - ["org.apache.hc.core5.http", "HttpEntityContainer", True, "setEntity", "(HttpEntity)", "", "Argument[0]", "html-injection", "manual"]
       - ["org.apache.hc.core5.http", "HttpRequest", True, "setUri", "(URI)", "", "Argument[0]", "open-url", "hq-manual"]
       - ["org.apache.hc.core5.http", "HttpRequestFactory", True, "newHttpRequest", "(String,String)", "", "Argument[1]", "open-url", "hq-manual"]
       - ["org.apache.hc.core5.http", "HttpRequestFactory", True, "newHttpRequest", "(String,URI)", "", "Argument[1]", "open-url", "hq-manual"]

java/ql/lib/ext/org.apache.http.model.yml

@@ -10,7 +10,7 @@ extensions:
       extensible: sinkModel
     data:
       - ["org.apache.http", "HttpRequestFactory", True, "newHttpRequest", "(String,String)", "", "Argument[1]", "open-url", "hq-manual"]
-      - ["org.apache.http", "HttpResponse", True, "setEntity", "(HttpEntity)", "", "Argument[0]", "xss", "manual"]
+      - ["org.apache.http", "HttpResponse", True, "setEntity", "(HttpEntity)", "", "Argument[0]", "html-injection", "manual"]
   - addsTo:
       pack: codeql/java-all
       extensible: summaryModel

java/ql/lib/ext/org.apache.http.util.model.yml

@@ -3,7 +3,7 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
-      - ["org.apache.http.util", "EntityUtils", True, "updateEntity", "(HttpResponse,HttpEntity)", "", "Argument[1]", "xss", "manual"]
+      - ["org.apache.http.util", "EntityUtils", True, "updateEntity", "(HttpResponse,HttpEntity)", "", "Argument[1]", "html-injection", "manual"]
   - addsTo:
       pack: codeql/java-all
       extensible: summaryModel

java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll

@@ -275,11 +275,12 @@ module ModelValidation {
       not kind =
         [
           "open-url", "jndi-injection", "ldap-injection", "sql-injection", "jdbc-url",
-          "log-injection", "mvel-injection", "xpath-injection", "groovy-injection", "xss",
-          "ognl-injection", "intent-redirection", "pending-intents", "url-redirection",
-          "create-file", "read-file", "write-file", "hostname-verification", "response-splitting",
-          "information-leak", "xslt-injection", "jexl-injection", "bean-validation",
-          "template-injection", "fragment-injection", "command-injection"
+          "log-injection", "mvel-injection", "xpath-injection", "groovy-injection",
+          "html-injection", "js-injection", "ognl-injection", "intent-redirection",
+          "pending-intents", "url-redirection", "create-file", "read-file", "write-file",
+          "hostname-verification", "response-splitting", "information-leak", "xslt-injection",
+          "jexl-injection", "bean-validation", "template-injection", "fragment-injection",
+          "command-injection"
         ] and
       not kind.matches("regex-use%") and
       not kind.matches("qltest%") and

java/ql/lib/semmle/code/java/security/XSS.qll

@@ -39,7 +39,7 @@ class XssAdditionalTaintStep extends Unit {
 /** A default sink representing methods susceptible to XSS attacks. */
 private class DefaultXssSink extends XssSink {
   DefaultXssSink() {
-    sinkNode(this, "xss")
+    sinkNode(this, ["html-injection", "js-injection"])
     or
     exists(MethodAccess ma |
       ma.getMethod() instanceof WritingMethod and