update more queries

Author: erik-krogh

java/ql/src/Security/CWE/CWE-023/PartialPathTraversalFromRemote.ql

@@ -16,4 +16,5 @@ import DataFlow::PathGraph
 from DataFlow::PathNode source, DataFlow::PathNode sink
 where any(PartialPathTraversalFromRemoteConfig config).hasFlowPath(source, sink)
 select sink.getNode(), source, sink,
-  "Partial Path Traversal Vulnerability due to insufficient guard against path traversal from user-supplied data."
+  "Partial Path Traversal Vulnerability due to insufficient guard against path traversal from $@.",
+  source, "user-supplied data"

java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql

@@ -36,5 +36,5 @@ class LocalUserInputToQueryInjectionFlowConfig extends TaintTracking::Configurat
 from
   DataFlow::PathNode source, DataFlow::PathNode sink, LocalUserInputToQueryInjectionFlowConfig conf
 where conf.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Query might include code from $@.", source.getNode(),
-  "this user input"
+select sink.getNode(), source, sink, "This query depends on a $@.", source.getNode(),
+  "user-provided value"

java/ql/src/Security/CWE/CWE-094/GroovyInjection.ql

@@ -17,5 +17,5 @@ import DataFlow::PathGraph
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, GroovyInjectionConfig conf
 where conf.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Groovy Injection from $@.", source.getNode(),
-  "this user input"
+select sink.getNode(), source, sink, "Groovy script depends on a $@.", source.getNode(),
+  "user-provided value"

java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql

@@ -80,5 +80,5 @@ where
     exists(SetMessageInterpolatorCall c | not c.isSafe())
   ) and
   cfg.hasFlowPath(source, sink)
-select sink.getNode(), source, sink,
-  "Custom constraint error message contains unsanitized user data."
+select sink.getNode(), source, sink, "Custom constraint error message contains an unsanitized $@.",
+  source, "user-provided value"

java/ql/src/Security/CWE/CWE-094/JexlInjection.ql

@@ -17,4 +17,5 @@ import DataFlow::PathGraph
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, JexlInjectionConfig conf
 where conf.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "JEXL injection from $@.", source.getNode(), "this user input"
+select sink.getNode(), source, sink, "JEXL expression depends on a $@.", source.getNode(),
+  "user-provided value"

java/ql/src/Security/CWE/CWE-094/MvelInjection.ql

@@ -17,4 +17,5 @@ import DataFlow::PathGraph
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, MvelInjectionFlowConfig conf
 where conf.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "MVEL injection from $@.", source.getNode(), "this user input"
+select sink.getNode(), source, sink, "MVEL expression depends on a $@.", source.getNode(),
+  "user-provided value"

java/ql/src/Security/CWE/CWE-094/SpelInjection.ql

@@ -18,4 +18,5 @@ import DataFlow::PathGraph
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, SpelInjectionConfig conf
 where conf.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "SpEL injection from $@.", source.getNode(), "this user input"
+select sink.getNode(), source, sink, "SpEL expression depends on a $@.", source.getNode(),
+  "user-provided value"

java/ql/src/Security/CWE/CWE-094/TemplateInjection.ql

@@ -17,5 +17,5 @@ import DataFlow::PathGraph
 
 from TemplateInjectionFlowConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Potential arbitrary code execution due to $@.",
-  source.getNode(), "a template value loaded from a remote source."
+select sink.getNode(), source, sink, "Template, which may contain code, depends on a $@.",
+  source.getNode(), "user-provided value"

java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql

@@ -47,5 +47,6 @@ class ResponseSplittingConfig extends TaintTracking::Configuration {
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, ResponseSplittingConfig conf
 where conf.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Response-splitting vulnerability due to this $@.",
+select sink.getNode(), source, sink,
+  "This header depends on a $@, which may cause a response-splitting vulnerability.",
   source.getNode(), "user-provided value"

java/ql/src/Security/CWE/CWE-113/ResponseSplittingLocal.ql

@@ -31,5 +31,6 @@ class ResponseSplittingLocalConfig extends TaintTracking::Configuration {
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, ResponseSplittingLocalConfig conf
 where conf.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Response-splitting vulnerability due to this $@.",
+select sink.getNode(), source, sink,
+  "This header depends on a $@, which may cause a response-splitting vulnerability.",
   source.getNode(), "user-provided value"

java/ql/src/Security/CWE/CWE-266/IntentUriPermissionManipulation.ql

@@ -20,5 +20,6 @@ import DataFlow::PathGraph
 from DataFlow::PathNode source, DataFlow::PathNode sink
 where any(IntentUriPermissionManipulationConf c).hasFlowPath(source, sink)
 select sink.getNode(), source, sink,
-  "This Intent can be set with arbitrary flags from $@, " +
-    "and used to give access to internal content providers.", source.getNode(), "this user input"
+  "This Intent can be set with arbitrary flags from a $@, " +
+    "and used to give access to internal content providers.", source.getNode(),
+  "user-provided value"

java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql

@@ -121,5 +121,5 @@ where
   not isNodeGuardedByFlag(sink.getNode()) and
   verifier = source.getNode().asExpr().(ClassInstanceExpr).getConstructedType()
 select sink, source, sink,
-  "This uses a $@ that is defined $@ and accepts any certificate as valid.", source,
-  "hostname verifier", verifier, "here"
+  "The $@ defined by $@ always accepts any certificate, even if the hostname does not match.",
+  source, "hostname verifier", verifier, "this type"

java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql

@@ -17,4 +17,4 @@ import DataFlow::PathGraph
 from DataFlow::PathNode source, DataFlow::PathNode sink
 where any(HttpStringToUrlOpenMethodFlowConfig c).hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "URL may have been constructed with HTTP protocol, using $@.",
-  source.getNode(), "this source"
+  source.getNode(), "this HTTP URL"

java/ql/src/Security/CWE/CWE-470/FragmentInjection.ql

@@ -17,5 +17,6 @@ import DataFlow::PathGraph
 
 from DataFlow::PathNode source, DataFlow::PathNode sink
 where any(FragmentInjectionTaintConf conf).hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Fragment injection from $@.", source.getNode(),
-  "this user input"
+select sink.getNode(), source, sink,
+  "Fragment depends on a $@, which may allow a malicious application to bypass access controls.",
+  source.getNode(), "user-provided value"

java/ql/src/Security/CWE/CWE-522/InsecureBasicAuth.ql

@@ -20,5 +20,5 @@ import DataFlow::PathGraph
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, BasicAuthFlowConfig config
 where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Insecure basic authentication from $@.", source.getNode(),
+select sink.getNode(), source, sink, "Insecure basic authentication from a $@.", source.getNode(),
   "HTTP URL"

java/ql/src/Security/CWE/CWE-601/UrlRedirectLocal.ql

@@ -26,5 +26,5 @@ class UrlRedirectLocalConfig extends TaintTracking::Configuration {
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, UrlRedirectLocalConfig conf
 where conf.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Potentially untrusted URL redirection due to $@.",
-  source.getNode(), "user-provided value"
+select sink.getNode(), source, sink, "Untrusted URL redirection depends on a $@.", source.getNode(),
+  "user-provided value"

java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql

@@ -45,4 +45,4 @@ where
   conf.hasFlowPath(source, sink)
 select exp, source, sink,
   "This cast to a narrower type depends on a $@, potentially causing truncation.", source.getNode(),
-  "User-provided value"
+  "user-provided value"

java/ql/src/Security/CWE/CWE-681/NumericCastTaintedLocal.ql

@@ -47,4 +47,4 @@ where
   not exists(RightShiftOp e | e.getShiftedVariable() = tainted.getVariable())
 select exp, source, sink,
   "This cast to a narrower type depends on a $@, potentially causing truncation.", source.getNode(),
-  "User-provided value"
+  "user-provided value"

java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql

@@ -25,5 +25,5 @@ where
   sink.getNode().asExpr() = e and
   conf.hasFlowPath(source, sink)
 select m, source, sink,
-  "Sensitive method may not be executed depending on $@, which flows from $@.", e, "this condition",
-  source.getNode(), "user input"
+  "Sensitive method may not be executed depending on a $@, which flows from $@.", e,
+  "this condition", source.getNode(), "user-controlled value"

java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql

@@ -66,4 +66,5 @@ from
   DataFlow::PathNode source, DataFlow::PathNode sink, PermissionsConstruction p,
   TaintedPermissionsCheckFlowConfig conf
 where sink.getNode().asExpr() = p.getInput() and conf.hasFlowPath(source, sink)
-select p, source, sink, "Permissions check uses user-controlled $@.", source.getNode(), "data"
+select p, source, sink, "Permissions check depends on a $@.", source.getNode(),
+  "user-controlled value"

java/ql/src/Security/CWE/CWE-917/OgnlInjection.ql

@@ -17,5 +17,5 @@ import DataFlow::PathGraph
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, OgnlInjectionFlowConfig conf
 where conf.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "OGNL expression might include data from $@.",
-  source.getNode(), "this user input"
+select sink.getNode(), source, sink, "OGNL Expression Language statement depends on a $@.",
+  source.getNode(), "user-provided value"

java/ql/src/Security/CWE/CWE-940/AndroidIntentRedirection.ql

@@ -21,4 +21,4 @@ from DataFlow::PathNode source, DataFlow::PathNode sink, IntentRedirectionConfig
 where conf.hasFlowPath(source, sink)
 select sink.getNode(), source, sink,
   "Arbitrary Android activities or services can be started from $@.", source.getNode(),
-  "this user input"
+  "user-provided value"

java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTaintedLocal.expected

@@ -38,12 +38,12 @@ nodes
 | Test.java:218:14:218:17 | args : String[] | semmle.label | args : String[] |
 subpaths
 #select
-| Mongo.java:17:45:17:67 | parse(...) | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:17:45:17:67 | parse(...) | Query might include code from $@. | Mongo.java:10:29:10:41 | args | this user input |
-| Mongo.java:21:49:21:52 | json | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:21:49:21:52 | json | Query might include code from $@. | Mongo.java:10:29:10:41 | args | this user input |
-| Test.java:36:47:36:52 | query1 | Test.java:213:26:213:38 | args : String[] | Test.java:36:47:36:52 | query1 | Query might include code from $@. | Test.java:213:26:213:38 | args | this user input |
-| Test.java:42:57:42:62 | query2 | Test.java:213:26:213:38 | args : String[] | Test.java:42:57:42:62 | query2 | Query might include code from $@. | Test.java:213:26:213:38 | args | this user input |
-| Test.java:50:62:50:67 | query3 | Test.java:213:26:213:38 | args : String[] | Test.java:50:62:50:67 | query3 | Query might include code from $@. | Test.java:213:26:213:38 | args | this user input |
-| Test.java:62:47:62:61 | querySbToString | Test.java:213:26:213:38 | args : String[] | Test.java:62:47:62:61 | querySbToString | Query might include code from $@. | Test.java:213:26:213:38 | args | this user input |
-| Test.java:70:40:70:44 | query | Test.java:213:26:213:38 | args : String[] | Test.java:70:40:70:44 | query | Query might include code from $@. | Test.java:213:26:213:38 | args | this user input |
-| Test.java:78:46:78:50 | query | Test.java:213:26:213:38 | args : String[] | Test.java:78:46:78:50 | query | Query might include code from $@. | Test.java:213:26:213:38 | args | this user input |
-| Test.java:209:47:209:68 | queryWithUserTableName | Test.java:213:26:213:38 | args : String[] | Test.java:209:47:209:68 | queryWithUserTableName | Query might include code from $@. | Test.java:213:26:213:38 | args | this user input |
+| Mongo.java:17:45:17:67 | parse(...) | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:17:45:17:67 | parse(...) | This query depends on a $@. | Mongo.java:10:29:10:41 | args | user-provided value |
+| Mongo.java:21:49:21:52 | json | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:21:49:21:52 | json | This query depends on a $@. | Mongo.java:10:29:10:41 | args | user-provided value |
+| Test.java:36:47:36:52 | query1 | Test.java:213:26:213:38 | args : String[] | Test.java:36:47:36:52 | query1 | This query depends on a $@. | Test.java:213:26:213:38 | args | user-provided value |
+| Test.java:42:57:42:62 | query2 | Test.java:213:26:213:38 | args : String[] | Test.java:42:57:42:62 | query2 | This query depends on a $@. | Test.java:213:26:213:38 | args | user-provided value |
+| Test.java:50:62:50:67 | query3 | Test.java:213:26:213:38 | args : String[] | Test.java:50:62:50:67 | query3 | This query depends on a $@. | Test.java:213:26:213:38 | args | user-provided value |
+| Test.java:62:47:62:61 | querySbToString | Test.java:213:26:213:38 | args : String[] | Test.java:62:47:62:61 | querySbToString | This query depends on a $@. | Test.java:213:26:213:38 | args | user-provided value |
+| Test.java:70:40:70:44 | query | Test.java:213:26:213:38 | args : String[] | Test.java:70:40:70:44 | query | This query depends on a $@. | Test.java:213:26:213:38 | args | user-provided value |
+| Test.java:78:46:78:50 | query | Test.java:213:26:213:38 | args : String[] | Test.java:78:46:78:50 | query | This query depends on a $@. | Test.java:213:26:213:38 | args | user-provided value |
+| Test.java:209:47:209:68 | queryWithUserTableName | Test.java:213:26:213:38 | args : String[] | Test.java:209:47:209:68 | queryWithUserTableName | This query depends on a $@. | Test.java:213:26:213:38 | args | user-provided value |

java/ql/test/query-tests/security/CWE-094/InsecureBeanValidation.expected

@@ -5,4 +5,4 @@ nodes
 | InsecureBeanValidation.java:11:64:11:68 | value | semmle.label | value |
 subpaths
 #select
-| InsecureBeanValidation.java:11:64:11:68 | value | InsecureBeanValidation.java:7:28:7:40 | object : String | InsecureBeanValidation.java:11:64:11:68 | value | Custom constraint error message contains unsanitized user data. |
+| InsecureBeanValidation.java:11:64:11:68 | value | InsecureBeanValidation.java:7:28:7:40 | object : String | InsecureBeanValidation.java:11:64:11:68 | value | Custom constraint error message contains an unsanitized $@. | InsecureBeanValidation.java:7:28:7:40 | object : String | user-provided value |

java/ql/test/query-tests/security/CWE-113/semmle/tests/ResponseSplitting.expected

@@ -14,7 +14,7 @@ nodes
 | ResponseSplitting.java:59:27:59:57 | replaceFirst(...) | semmle.label | replaceFirst(...) |
 subpaths
 #select
-| ResponseSplitting.java:23:23:23:28 | cookie | ResponseSplitting.java:22:39:22:66 | getParameter(...) : String | ResponseSplitting.java:23:23:23:28 | cookie | Response-splitting vulnerability due to this $@. | ResponseSplitting.java:22:39:22:66 | getParameter(...) | user-provided value |
-| ResponseSplitting.java:28:38:28:72 | getParameter(...) | ResponseSplitting.java:28:38:28:72 | getParameter(...) | ResponseSplitting.java:28:38:28:72 | getParameter(...) | Response-splitting vulnerability due to this $@. | ResponseSplitting.java:28:38:28:72 | getParameter(...) | user-provided value |
-| ResponseSplitting.java:29:38:29:72 | getParameter(...) | ResponseSplitting.java:29:38:29:72 | getParameter(...) | ResponseSplitting.java:29:38:29:72 | getParameter(...) | Response-splitting vulnerability due to this $@. | ResponseSplitting.java:29:38:29:72 | getParameter(...) | user-provided value |
-| ResponseSplitting.java:59:27:59:57 | replaceFirst(...) | ResponseSplitting.java:53:14:53:48 | getParameter(...) : String | ResponseSplitting.java:59:27:59:57 | replaceFirst(...) | Response-splitting vulnerability due to this $@. | ResponseSplitting.java:53:14:53:48 | getParameter(...) | user-provided value |
+| ResponseSplitting.java:23:23:23:28 | cookie | ResponseSplitting.java:22:39:22:66 | getParameter(...) : String | ResponseSplitting.java:23:23:23:28 | cookie | This header depends on a $@, which may cause a response-splitting vulnerability. | ResponseSplitting.java:22:39:22:66 | getParameter(...) | user-provided value |
+| ResponseSplitting.java:28:38:28:72 | getParameter(...) | ResponseSplitting.java:28:38:28:72 | getParameter(...) | ResponseSplitting.java:28:38:28:72 | getParameter(...) | This header depends on a $@, which may cause a response-splitting vulnerability. | ResponseSplitting.java:28:38:28:72 | getParameter(...) | user-provided value |
+| ResponseSplitting.java:29:38:29:72 | getParameter(...) | ResponseSplitting.java:29:38:29:72 | getParameter(...) | ResponseSplitting.java:29:38:29:72 | getParameter(...) | This header depends on a $@, which may cause a response-splitting vulnerability. | ResponseSplitting.java:29:38:29:72 | getParameter(...) | user-provided value |
+| ResponseSplitting.java:59:27:59:57 | replaceFirst(...) | ResponseSplitting.java:53:14:53:48 | getParameter(...) : String | ResponseSplitting.java:59:27:59:57 | replaceFirst(...) | This header depends on a $@, which may cause a response-splitting vulnerability. | ResponseSplitting.java:53:14:53:48 | getParameter(...) | user-provided value |