From 8990ac7cf7f330552872203692d0a3214b681a67 Mon Sep 17 00:00:00 2001
From: Kevin Stubbings
Date: Tue, 19 Aug 2025 01:24:24 -0700
Subject: [PATCH 1/2] Add struts ognl model
---
 java/ql/lib/ext/struts2.model.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/java/ql/lib/ext/struts2.model.yml b/java/ql/lib/ext/struts2.model.yml
index bf49066bd67e..9d7238e658c6 100644
--- a/java/ql/lib/ext/struts2.model.yml
+++ b/java/ql/lib/ext/struts2.model.yml
@@ -37,6 +37,7 @@ extensions:
 - ["com.opensymphony.xwork2.util", "TextParseUtil", true, "translateVariablesCollection", "(char[],String,ValueStack,boolean,TextParseUtil$ParsedValueEvaluator,int)", "", "Argument[1]", "ognl-injection", "manual"]
 - ["com.opensymphony.xwork2", "ActionSupport", true, "getFormatted", "(String,String)", "", "Argument[0]", "ognl-injection", "manual"]
 - ["com.opensymphony.xwork2", "ActionSupport", true, "getFormatted", "(String,String)", "", "Argument[1]", "ognl-injection", "manual"]
+ - ["com.opensymphony.xwork2", "ActionSupport", false, "getText", "(String)", "", "Argument[0]", "ognl-injection", "manual"]
 - ["com.opensymphony.xwork2", "TextProvider", true, "getText", "(String)", "", "Argument[0]", "ognl-injection", "manual"]
 - ["com.opensymphony.xwork2", "TextProvider", true, "getText", "(String,List)", "", "Argument[0]", "ognl-injection", "manual"]
 - ["com.opensymphony.xwork2", "TextProvider", true, "getText", "(String,String)", "", "Argument[0]", "ognl-injection", "manual"]
From cf1b7f8560724779117b9214b5a7f62645577d4c Mon Sep 17 00:00:00 2001
From: Kevin Stubbings
Date: Tue, 26 Aug 2025 00:05:10 -0700
Subject: [PATCH 2/2] Add change note
---
 java/ql/lib/ext/struts2.model.yml | 2 +-
 java/ql/src/change-notes/2025-08-25-ognl-additional-sink.md | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 java/ql/src/change-notes/2025-08-25-ognl-additional-sink.md
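Review bot: In the `struts2.model.yml` hunk of [PATCH 1/2], the added `ActionSupport.getText(String)` sink row sets the subtypes column to `false`, while the `ActionSupport.getFormatted` rows directly above it and the `TextProvider.getText` rows below it all use `true`. Struts action classes normally extend `ActionSupport`, so if one of them overrides `getText`, a call that resolves to the override would presumably not be matched as an `ognl-injection` sink and the query would miss it. Unless the restriction is intentional, I would write the row as `- ["com.opensymphony.xwork2", "ActionSupport", true, "getText", "(String)", "", "Argument[0]", "ognl-injection", "manual"]` and add a one-line `#` comment saying why it is needed alongside the existing `TextProvider.getText(String)` row. Only the `(String)` overload is added; the hunk shows `TextProvider` rows for `(String,List)` and `(String,String)`, so the matching `ActionSupport` overloads may need the same treatment.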
diff --git a/java/ql/lib/ext/struts2.model.yml b/java/ql/lib/ext/struts2.model.yml
index 9d7238e658c6..db05fd9f7451 100644
--- a/java/ql/lib/ext/struts2.model.yml
+++ b/java/ql/lib/ext/struts2.model.yml
@@ -37,7 +37,7 @@ extensions:
 - ["com.opensymphony.xwork2.util", "TextParseUtil", true, "translateVariablesCollection", "(char[],String,ValueStack,boolean,TextParseUtil$ParsedValueEvaluator,int)", "", "Argument[1]", "ognl-injection", "manual"]
 - ["com.opensymphony.xwork2", "ActionSupport", true, "getFormatted", "(String,String)", "", "Argument[0]", "ognl-injection", "manual"]
 - ["com.opensymphony.xwork2", "ActionSupport", true, "getFormatted", "(String,String)", "", "Argument[1]", "ognl-injection", "manual"]
- - ["com.opensymphony.xwork2", "ActionSupport", false, "getText", "(String)", "", "Argument[0]", "ognl-injection", "manual"]
+ - ["com.opensymphony.xwork2", "ActionSupport", False, "getText", "(String)", "", "Argument[0]", "ognl-injection", "manual"]
 - ["com.opensymphony.xwork2", "TextProvider", true, "getText", "(String)", "", "Argument[0]", "ognl-injection", "manual"]
 - ["com.opensymphony.xwork2", "TextProvider", true, "getText", "(String,List)", "", "Argument[0]", "ognl-injection", "manual"]
 - ["com.opensymphony.xwork2", "TextProvider", true, "getText", "(String,String)", "", "Argument[0]", "ognl-injection", "manual"]
diff --git a/java/ql/src/change-notes/2025-08-25-ognl-additional-sink.md b/java/ql/src/change-notes/2025-08-25-ognl-additional-sink.md
new file mode 100644
index 000000000000..8aa3e9f36f2e
--- /dev/null
+++ b/java/ql/src/change-notes/2025-08-25-ognl-additional-sink.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Add sink related to `com.opensymphony.xwork2.TextProvider.getText` from the query `java/ognl-injection`.
\ No newline at end of file
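Review bot: The only change to the `struts2.model.yml` row in [PATCH 2/2] is respelling the subtypes value from `false` to `False`, which leaves it as the one capitalised boolean among the rows visible in this hunk; the others all use lowercase `true`. Both spellings load as a YAML boolean, so this is a consistency point rather than a behaviour change. I would keep `false` to match the neighbouring rows, or state in the commit message why the capitalised form is required, since the subject "Add change note" does not mention this edit.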