Merged

83 commits
8bdcb4c
chore(core): Add passThrough rules for Spring DeferredResult
misonijnik May 4, 2026
6346a16
chore(core): Move DeferredResult passThrough rules to spring-web jar-…
misonijnik May 4, 2026
aa1ba47
feat: add new xss sinks rules
misonijnik Apr 13, 2026
022f071
test: add tests for xss sinks
misonijnik Apr 13, 2026
0db53d5
docs: Spring XSS rule dynamic verification design
misonijnik Apr 16, 2026
7e92a2b
docs: plan for Spring XSS rule dynamic verification
misonijnik Apr 16, 2026
475b867
docs: record Appendix A runtime verdict table for Spring XSS matrix
misonijnik Apr 16, 2026
e074e37
docs: record Appendix B raw-vs-generic ResponseEntity probe outcome
misonijnik Apr 16, 2026
6d1dd31
test: cover 21 Spring XSS sink variants verified dynamically
misonijnik Apr 16, 2026
b7b0de5
feat: discriminate non-HTML produces in Spring XSS sink
misonijnik Apr 17, 2026
d00575f
docs: record Appendix D post-rule-update matrix
misonijnik Apr 17, 2026
67a044e
docs: add Appendix A.2 — real-browser re-verification
misonijnik Apr 17, 2026
b8165a7
feat: honest TP/FP labels + extended non-HTML content type coverage
misonijnik Apr 17, 2026
a3f0d07
docs: extend Appendix D/E with honest gap matrix
misonijnik Apr 17, 2026
b40c119
Improve XSS rules: programmatic safe-CT sanitizers, @RestController, …
misonijnik Apr 28, 2026
55d72ce
Fix metavariable binding in XSS pattern-(not)-inside and sanitizer focus
misonijnik Apr 28, 2026
37eb99b
Rewrite XSS sanitizers to assignment-form / multi-statement style
misonijnik Apr 28, 2026
6346b9b
Compact XSS sinks; add engine-limitation regression tests
misonijnik Apr 29, 2026
68bf885
Rewrite XSS html-response sinks to single-pattern shape
misonijnik Apr 29, 2026
2e536f4
Add regression tests for two more engine issues
misonijnik Apr 29, 2026
57cbfed
Add minimal repro for taint-through-concat in `return` sinks
misonijnik Apr 29, 2026
9ea3be9
Refactor Spring XSS html-response sink with typed return types
misonijnik Apr 30, 2026
58c540a
Collapse XSS sink negatives via grouped pattern-not-inside + metavari…
misonijnik May 3, 2026
59b9f92
Collapse Spring XSS Branch 2 (response writer) into pattern-inside + …
misonijnik May 3, 2026
1b8ee8c
Fix Spring XSS FNs: @ExceptionHandler source coverage + simpler sink …
misonijnik May 3, 2026
8f46de1
Re-enable forward-compatible ResponseEntity content-type sanitizers
misonijnik May 3, 2026
dcd191b
Trim verbose comments in XSS sink rules
misonijnik May 3, 2026
587f419
Cover DeferredResult<$T> XSS sink shape
misonijnik May 3, 2026
1cf1922
Cover setHeader/addHeader 2-arg via metavar-inside-quotes form
misonijnik May 3, 2026
cd5f37c
Merge DeferredResult sink branch into Branch 1
misonijnik May 3, 2026
7c6141c
Pair return-type shapes with their dedicated sink statements
misonijnik May 3, 2026
d107b51
Tighten Spring XSS Branch 1 to body-typed return types only
misonijnik May 3, 2026
9cfe65c
Use NOTE severity for XSS sink rules and example
misonijnik May 3, 2026
bdb289c
Remove docs/specs and docs/superpowers
misonijnik May 3, 2026
3938a70
Rename potential-xss rule IDs to response-injection
misonijnik May 3, 2026
6661269
Extend servlet HTML-response XSS sink to broad sink shapes
misonijnik May 3, 2026
65c1dcd
Use metavariable-pattern for setContentType safe-CT exclusion
misonijnik May 3, 2026
c93d354
Drop chained-writer alternatives from Spring XSS HTML-response Branch 2
misonijnik May 3, 2026
3fab961
Reformat sendError sink as block scalar in spring-xss-sinks
misonijnik May 3, 2026
07bd86d
Drop @ExceptionHandler coverage from spring XSS rules and tests
misonijnik May 3, 2026
b6323df
Disable known-engine-FP negative samples in spring/servlet XSS tests
misonijnik May 3, 2026
e774175
Remove issue 98-103 sample tests
misonijnik May 4, 2026
74313b6
XSS rules: tighten Spring sink with type-arg discrimination and @Rest…
misonijnik May 4, 2026
fb83b47
Fix XSS rule parse errors, add builder-chain HTML branch
misonijnik May 4, 2026
3021e3e
clean: Remove unrelated changes
misonijnik May 4, 2026
829fc33
XSS rules: scope @ResponseBody exclusion to String return shape
misonijnik May 4, 2026
f7009f9
ci: Bump OWASP analyzer expected trace count to 3835
misonijnik May 4, 2026
0ae2b1f
XSS rules: cover raw `ResponseEntity` return shape in Spring sink
misonijnik May 5, 2026
9aa0d34
XSS rules: drop @ResponseBody exclusion on Spring String return sink
misonijnik May 5, 2026
f88fa3c
XSS rules: subtract parameterized returns from raw ResponseEntity sink
misonijnik May 5, 2026
1fb1b60
XSS rules: hoist raw ResponseEntity branch to top-level patterns
misonijnik May 6, 2026
d6e0b63
XSS rules: nest raw ResponseEntity branch under shared Branch 1 scope
misonijnik May 6, 2026
6fe2a1c
wip: Test the rule
misonijnik May 6, 2026
b7051cb
wip: extend Spring XSS sink coverage (Resource family, raw, async)
misonijnik May 7, 2026
febe517
XSS rules: drop ResponseEntity<?> / wrapper wildcard branches
misonijnik May 7, 2026
6d131b9
XSS rules: drop dead Branch 1d (raw ResponseEntity)
misonijnik May 7, 2026
ec538e3
XSS rules: trim comments and consolidate Spring XSS tests into the ru…
misonijnik May 8, 2026
d0533b8
XSS rules: restore raw ResponseEntity positive test
misonijnik May 8, 2026
ca4cb03
XSS rules: re-engineering
misonijnik May 8, 2026
df5395c
XSS rules: fix Branch 1c scoping and rule-load typo
misonijnik May 8, 2026
aa42497
XSS rules: restore response-injection-in-servlet-app firing
misonijnik May 8, 2026
24aabe8
XSS rules: subtract non-HTML builder-chain content types
misonijnik May 12, 2026
0e6fe72
XSS rules: catch ResponseEntity.ok(body) convenience overload
misonijnik May 12, 2026
b829b43
engine test: pattern-not-inside ignored for chained constrained-arity…
misonijnik May 12, 2026
29d1e9e
issue 98: tighten engine test to wire metavariables through positive …
misonijnik May 12, 2026
4988735
issue 98: narrow scope to metavariable-pattern-narrowed pattern-not-i…
misonijnik May 12, 2026
019b93a
issue 98: drop the Builder type qualifier from pattern-inside
misonijnik May 12, 2026
f0af1ee
engine test: positive control for "$V" + metavariable-regex subtractor
misonijnik May 12, 2026
5da0cd8
engine test: pattern-not-inside over-subtracts under sibling-at-wrong…
misonijnik May 12, 2026
b3b519d
XSS rules: fix sibling-at-wrong-indent pattern-inside in servlet HTML…
misonijnik May 12, 2026
4cbda33
XSS rules: split servlet setContentType subtractor by arg form
misonijnik May 13, 2026
222e8a3
XSS rules: use local response metavars per servlet setContentType sub…
misonijnik May 13, 2026
e7dc84a
XSS rules: keep `(HttpServletResponse $RESPONSE)` in both setContentT…
misonijnik May 13, 2026
3e951ba
XSS rules: use short-name HttpServletResponse everywhere in servlet H…
misonijnik May 13, 2026
42e2e56
XSS rules: flatten servlet HTML sink to clear 4 servlet FPs
misonijnik May 13, 2026
fb5749f
XSS rules: add class-level produces= subtractor to clear Row 31 FP
misonijnik May 13, 2026
a887bad
XSS rules: drop issue 99 reference from servlet writer comment
misonijnik May 13, 2026
47fa30a
engine test: drop disabled fixtures for issues 98 and 99
misonijnik May 13, 2026
c1fabd2
XSS rules: refactor
misonijnik May 13, 2026
3d94108
XSS rules: align descriptions and rename NOTE-tier sink files
misonijnik May 14, 2026
fafbba1
XSS rules: align messages to the shared `<name>: <detail>` shape
misonijnik May 14, 2026
f892529
XSS rules: drop self-referencing severity rationale, add CTA to NOTE …
misonijnik May 14, 2026
fc10271
XSS rules: strip all source comments from rule and test files
misonijnik May 14, 2026
2 changes: 1 addition & 1 deletion .github/workflows/ci-analyzer-owasp.yaml
@@ -21,7 +21,7 @@ concurrency:
cancel-in-progress: true

env:
EXPECTED_TRACES: 3011
EXPECTED_TRACES: 3835

jobs:
owasp:
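Review bot: the EXPECTED_TRACES bump from 3011 to 3835 (+824 traces) lands with no rationale next to the number, so the next person who sees it cannot tell which of the new `*-response-injection-sink` / `*-xss-html-response-sink` rules accounts for the delta, or how much of it is the FP noise the commit log later trims (`flatten servlet HTML sink to clear 4 servlet FPs`, `add class-level produces= subtractor to clear Row 31 FP`). Add a comment above `EXPECTED_TRACES` naming the rule IDs that moved the count, or split the expectation per rule so a regression in one rule cannot hide behind growth in another.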
4 changes: 2 additions & 2 deletions rules/README.md
@@ -59,11 +59,11 @@ lib/
command-injection-sinks.yaml
servlet-sqli-sinks.yaml
servlet-untrusted-data-source.yaml
servlet-xss-sinks.yaml
servlet-response-injection-sinks.yaml
xxe-sinks.yaml
spring/
jdbc-sqli-sinks.yaml
spring-xss-sinks.yaml
spring-response-injection-sinks.yaml
untrusted-data-source.yaml
```
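Review bot: the `lib/` tree now lists `servlet-response-injection-sinks.yaml` and `spring-response-injection-sinks.yaml`, but this PR also adds a second servlet rule, `java-servlet-xss-html-response-sink` (the 78-line new file further down), and no entry for it appears in this listing. If that rule also lives under `lib/`, add its file here; if it sits elsewhere, say where the NOTE-tier HTML-response variant lives so a reader can tell the two servlet sinks apart.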

@@ -0,0 +1,58 @@
rules:
- id: java-servlet-response-injection-sink
options:
lib: true
severity: NOTE
message: Direct write of unvalidated user input into response
metadata:
provenance: https://github.com/semgrep/semgrep-rules/blob/develop/java/lang/security/audit/xss/no-direct-response-writer.yaml
languages:
- java
mode: taint
pattern-sanitizers:
- patterns:
- pattern-either:
- pattern: Encode.forHtml(..., $UNTRUSTED, ...)
- pattern: (PolicyFactory $POLICY).sanitize(..., $UNTRUSTED, ...)
- pattern: (AntiSamy $AS).scan(..., $UNTRUSTED, ...)
- pattern: JSoup.clean(..., $UNTRUSTED, ...)
- pattern: HtmlUtils.htmlEscape(..., $UNTRUSTED, ...)
- pattern: org.apache.commons.lang.StringEscapeUtils.escapeHtml(..., $UNTRUSTED, ...)
- pattern: org.apache.commons.text.StringEscapeUtils.escapeHtml3(..., $UNTRUSTED, ...)
- pattern: org.apache.commons.text.StringEscapeUtils.escapeHtml4(..., $UNTRUSTED, ...)
- pattern: org.owasp.esapi.ESAPI.encoder().encodeForHTML(..., $UNTRUSTED, ...)
- focus-metavariable: $UNTRUSTED

pattern-sinks:
- patterns:
- pattern-either:
- patterns:
- patterns:
- pattern-inside: |
$RETURNTYPE $ENTRYPOINT(HttpServletRequest $_, HttpServletResponse $RESPONSE) {
...
}
- metavariable-pattern:
metavariable: $ENTRYPOINT
pattern-either:
- pattern: doDelete
- pattern: doGet
- pattern: doPost
- pattern: doPut
- pattern: doTrace
- pattern: _jspService
- patterns:
- pattern-inside: |
$W = (HttpServletResponse $RESPONSE).getWriter(...);
...
- pattern: |
$W.$WRITE(..., $UNTRUSTED, ...);
- patterns:
- pattern-inside: |
$S = (HttpServletResponse $RESPONSE).getOutputStream(...);
...
- pattern: |
$S.$WRITE(..., $UNTRUSTED, ...);
- pattern: (HttpServletResponse $RESPONSE).sendError($CODE, $UNTRUSTED)
- pattern: (JspWriter $W).$WRITE(..., $UNTRUSTED, ...)
- focus-metavariable: $UNTRUSTED
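Review bot: `JSoup.clean(..., $UNTRUSTED, ...)` in the sanitizer list will never match real code. The jsoup entry point is `org.jsoup.Jsoup.clean(...)` (capital J, lower-case "soup") and Semgrep identifier matching is case-sensitive, so every jsoup-cleaned value stays tainted and this rule reports exactly the code that did the right thing; change it to `Jsoup.clean(..., $UNTRUSTED, ...)` (the same list, with the same typo, is in the other new rule file). Two coverage gaps on the sink side: the writer shapes only fire when the writer is first bound (`$W = (HttpServletResponse $RESPONSE).getWriter(...);`), so the very common inline `resp.getWriter().println(taint)` is missed even though the Spring file keeps that chained shape (`(HttpServletResponse $RESPONSE).getWriter(...).$WRITE(..., $UNTRUSTED, ...)`); and the `$ENTRYPOINT` list omits `doHead`, `doOptions` and an overridden `service(...)`, while the entry-point `pattern-inside` means a write performed in a helper method called from `doGet` is not a sink at all. Either add the chained form and the missing method names, or state in the rule description that only direct writes inside the `doXxx` body are in scope.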
@@ -0,0 +1,78 @@
rules:
- id: java-servlet-xss-html-response-sink
options:
lib: true
severity: NOTE
message: Direct write of unvalidated user input into a response without safe content type
metadata:
provenance:
- https://github.com/github/codeql/blob/main/java/ql/lib/semmle/code/java/security/XSS.qll
languages:
- java
mode: taint


pattern-sanitizers:
- patterns:
- pattern-either:
- pattern: Encode.forHtml(..., $UNTRUSTED, ...)
- pattern: (PolicyFactory $POLICY).sanitize(..., $UNTRUSTED, ...)
- pattern: (AntiSamy $AS).scan(..., $UNTRUSTED, ...)
- pattern: JSoup.clean(..., $UNTRUSTED, ...)
- pattern: HtmlUtils.htmlEscape(..., $UNTRUSTED, ...)
- pattern: org.apache.commons.lang.StringEscapeUtils.escapeHtml(..., $UNTRUSTED, ...)
- pattern: org.apache.commons.text.StringEscapeUtils.escapeHtml3(..., $UNTRUSTED, ...)
- pattern: org.apache.commons.text.StringEscapeUtils.escapeHtml4(..., $UNTRUSTED, ...)
- pattern: org.owasp.esapi.ESAPI.encoder().encodeForHTML(..., $UNTRUSTED, ...)
- focus-metavariable: $UNTRUSTED

pattern-sinks:
- patterns:
- pattern-inside: |
$RETURNTYPE $ENTRYPOINT(HttpServletRequest $_, HttpServletResponse $RESPONSE) {
...
}
- metavariable-pattern:
metavariable: $ENTRYPOINT
pattern-either:
- pattern: doDelete
- pattern: doGet
- pattern: doPost
- pattern: doPut
- pattern: doTrace
- pattern: _jspService
- pattern-either:
- pattern: |
$W = (HttpServletResponse $RESPONSE).getWriter(...);
...
$W.$WRITE(..., $UNTRUSTED, ...);
- pattern: |
$S = (HttpServletResponse $RESPONSE).getOutputStream(...);
...
$S.$WRITE(..., $UNTRUSTED, ...);
- pattern: (HttpServletResponse $RESPONSE).sendError($CODE, $UNTRUSTED)
- pattern: (JspWriter $W).$WRITE(..., $UNTRUSTED, ...)

- pattern-not-inside: |
(HttpServletResponse $RESPONSE).setContentType("$CT_SAFE");
...
- metavariable-regex:
metavariable: $CT_SAFE
regex: '^(application/(json|pdf|octet-stream|xml)|text/(plain|xml)|image/(png|jpeg|gif))(\s*;.*)?$'
- pattern-not-inside: |
(HttpServletResponse $RESPONSE).setContentType($CT_CONST);
...
- metavariable-pattern:
metavariable: $CT_CONST
patterns:
- pattern-either:
- pattern: MediaType.APPLICATION_JSON_VALUE
- pattern: MediaType.TEXT_PLAIN_VALUE
- pattern: MediaType.APPLICATION_PDF_VALUE
- pattern: MediaType.APPLICATION_OCTET_STREAM_VALUE
- pattern: MediaType.APPLICATION_XML_VALUE
- pattern: MediaType.TEXT_XML_VALUE
- pattern: MediaType.IMAGE_PNG_VALUE
- pattern: MediaType.IMAGE_JPEG_VALUE
- pattern: MediaType.IMAGE_GIF_VALUE
- focus-metavariable: $UNTRUSTED
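Review bot: the two `pattern-not-inside ... setContentType(...)` subtractors apply to every sink alternative, including `(HttpServletResponse $RESPONSE).sendError($CODE, $UNTRUSTED)`, but an earlier `setContentType("text/plain")` does not make `sendError` safe: per the `HttpServletResponse.sendError(int, String)` Javadoc the container clears the buffer and renders its own error page with content type `text/html`, so the application's content type is discarded (the same Javadoc also makes escaping the message the container's job, which is why this stays a weak, NOTE-tier sink). Move `sendError` out from under the content-type subtraction, or drop it here since `java-servlet-response-injection-sink` already reports it unconditionally and the two rules would otherwise double-report. On the safe-type list itself: `application/xml` and `text/xml` in `$CT_SAFE` are not XSS-safe, because a body the attacker controls can carry an element in the `http://www.w3.org/1999/xhtml` namespace and browsers execute `<script>` in XHTML-namespaced content of an XML response, so either remove the XML types or restrict the subtraction to the JSON/PDF/octet-stream/image families; and the subtractor only recognizes `setContentType`, so a response whose type is set with `setHeader("Content-Type", ...)` / `addHeader(...)` (commit `1cf1922` mentions that 2-arg form, but it does not appear in this file) still fires here. Finally, `JSoup.clean(..., $UNTRUSTED, ...)` should read `Jsoup.clean(...)`; the class is `org.jsoup.Jsoup` and Semgrep matching is case-sensitive.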
43 changes: 0 additions & 43 deletions rules/ruleset/java/lib/generic/servlet-xss-sinks.yaml

This file was deleted.

@@ -1,5 +1,5 @@
rules:
- id: spring-xss-sink
- id: spring-response-injection-sink
options:
lib: true
severity: NOTE
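Review bot: the id rename from `spring-xss-sink` to `spring-response-injection-sink` leaves the two renamed siblings with different prefixes: the servlet rule added in this PR is `java-servlet-response-injection-sink`, while this one carries no `java-` prefix. Pick one convention for both before the ids are published, and list the old id in the changelog, because any `nosemgrep:` suppression, CI expectation or downstream ruleset that references `spring-xss-sink` silently stops matching after this rename.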
@@ -41,7 +41,6 @@ rules:
- pattern: PatchMapping
- pattern: PostMapping
- pattern: PutMapping
- pattern: (HttpServletResponse $RESPONSE).sendError($CODE, $UNTRUSTED)
- pattern: |
(HttpServletResponse $RESPONSE).getWriter(...).$WRITE(..., $UNTRUSTED, ...)
- pattern: |
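Review bot: dropping `(HttpServletResponse $RESPONSE).sendError($CODE, $UNTRUSTED)` from the Spring rule removes coverage the servlet rule does not pick up: `java-servlet-response-injection-sink` keeps `sendError` as a sink, but only inside `doGet`/`doPost`-style methods with a `(HttpServletRequest, HttpServletResponse)` signature, so a `@GetMapping` handler that takes `HttpServletResponse` and calls `response.sendError(400, userInput)` is now reported by neither rule. Nothing in the commit list says why the line went away; either keep it, or record the rationale (for example that the container, not the caller, renders and escapes the message) in the commit message and add a negative test so the change reads as a deliberate decision rather than a silent false negative.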