Merge pull request #19962 from kaspersv/kaspersv/overlay-java-local-TC-fixes

kaspersv · web-flow · commit de717582361e · 2025-07-03T15:03:02.000+02:00
Overlay: Fix Java overlay compilation regressions
diff --git a/java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll b/java/ql/lib/semmle/code/java/security/TempDirLocalInformationDisclosureQuery.qll
@@ -203,6 +203,7 @@ module TempDirSystemGetPropertyDirectlyToMkdir =
 /**
  * A `MethodCall` against a method that creates a temporary file or directory in a shared temporary directory.
  */
+overlay[local?]
 abstract class MethodCallInsecureFileCreation extends MethodCall {
   /**
    * Gets the type of entity created (e.g. `file`, `directory`, ...).
@@ -218,6 +219,7 @@ abstract class MethodCallInsecureFileCreation extends MethodCall {
 /**
  * An insecure call to `java.io.File.createTempFile`.
  */
+overlay[local?]
 class MethodCallInsecureFileCreateTempFile extends MethodCallInsecureFileCreation {
   MethodCallInsecureFileCreateTempFile() {
     this.getMethod() instanceof MethodFileCreateTempFile and
@@ -246,6 +248,7 @@ class MethodGuavaFilesCreateTempFile extends Method {
 /**
  * A call to the `com.google.common.io.Files.createTempDir` method.
  */
+overlay[local?]
 class MethodCallInsecureGuavaFilesCreateTempFile extends MethodCallInsecureFileCreation {
   MethodCallInsecureGuavaFilesCreateTempFile() {
     this.getMethod() instanceof MethodGuavaFilesCreateTempFile
diff --git a/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql b/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql
@@ -16,6 +16,7 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 
+overlay[local?]
 abstract private class InsecureNettyObjectCreation extends ClassInstanceExpr {
   int vulnerableArgumentIndex;
 
@@ -27,6 +28,7 @@ abstract private class InsecureNettyObjectCreation extends ClassInstanceExpr {
   abstract string splittingType();
 }
 
+overlay[local?]
 abstract private class RequestOrResponseSplittingInsecureNettyObjectCreation extends InsecureNettyObjectCreation
 {
   override string splittingType() { result = "Request splitting or response splitting" }
@@ -35,6 +37,7 @@ abstract private class RequestOrResponseSplittingInsecureNettyObjectCreation ext
 /**
  * Request splitting can allowing an attacker to inject/smuggle an additional HTTP request into the socket connection.
  */
+overlay[local?]
 abstract private class RequestSplittingInsecureNettyObjectCreation extends InsecureNettyObjectCreation
 {
   override string splittingType() { result = "Request splitting" }
@@ -43,11 +46,13 @@ abstract private class RequestSplittingInsecureNettyObjectCreation extends Insec
 /**
  * Response splitting can lead to HTTP vulnerabilities like XSS and cache poisoning.
  */
+overlay[local?]
 abstract private class ResponseSplittingInsecureNettyObjectCreation extends InsecureNettyObjectCreation
 {
   override string splittingType() { result = "Response splitting" }
 }
 
+overlay[local?]
 private class InsecureDefaultHttpHeadersClassInstantiation extends RequestOrResponseSplittingInsecureNettyObjectCreation
 {
   InsecureDefaultHttpHeadersClassInstantiation() {
@@ -58,6 +63,7 @@ private class InsecureDefaultHttpHeadersClassInstantiation extends RequestOrResp
   }
 }
 
+overlay[local?]
 private class InsecureDefaultHttpResponseClassInstantiation extends ResponseSplittingInsecureNettyObjectCreation
 {
   InsecureDefaultHttpResponseClassInstantiation() {
@@ -66,6 +72,7 @@ private class InsecureDefaultHttpResponseClassInstantiation extends ResponseSpli
   }
 }
 
+overlay[local?]
 private class InsecureDefaultHttpRequestClassInstantiation extends RequestSplittingInsecureNettyObjectCreation
 {
   InsecureDefaultHttpRequestClassInstantiation() {
@@ -74,6 +81,7 @@ private class InsecureDefaultHttpRequestClassInstantiation extends RequestSplitt
   }
 }
 
+overlay[local?]
 private class InsecureDefaultFullHttpResponseClassInstantiation extends ResponseSplittingInsecureNettyObjectCreation
 {
   InsecureDefaultFullHttpResponseClassInstantiation() {
@@ -83,6 +91,7 @@ private class InsecureDefaultFullHttpResponseClassInstantiation extends Response
   }
 }
 
+overlay[local?]
 private class InsecureDefaultFullHttpRequestClassInstantiation extends RequestSplittingInsecureNettyObjectCreation
 {
   InsecureDefaultFullHttpRequestClassInstantiation() {

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,7 @@`
`16`	`16`	`import java`
`17`	`17`	`import semmle.code.java.dataflow.FlowSources`
`18`	`18`
	`19`	`+overlay[local?]`
`19`	`20`	`abstract private class InsecureNettyObjectCreation extends ClassInstanceExpr {`
`20`	`21`	`int vulnerableArgumentIndex;`
`21`	`22`
`@@ -27,6 +28,7 @@ abstract private class InsecureNettyObjectCreation extends ClassInstanceExpr {`
`27`	`28`	`abstract string splittingType();`
`28`	`29`	`}`
`29`	`30`
	`31`	`+overlay[local?]`
`30`	`32`	`abstract private class RequestOrResponseSplittingInsecureNettyObjectCreation extends InsecureNettyObjectCreation`
`31`	`33`	`{`
`32`	`34`	`override string splittingType() { result = "Request splitting or response splitting" }`
`@@ -35,6 +37,7 @@ abstract private class RequestOrResponseSplittingInsecureNettyObjectCreation ext`
`35`	`37`	`/**`
`36`	`38`	`* Request splitting can allowing an attacker to inject/smuggle an additional HTTP request into the socket connection.`
`37`	`39`	`*/`
	`40`	`+overlay[local?]`
`38`	`41`	`abstract private class RequestSplittingInsecureNettyObjectCreation extends InsecureNettyObjectCreation`
`39`	`42`	`{`
`40`	`43`	`override string splittingType() { result = "Request splitting" }`
`@@ -43,11 +46,13 @@ abstract private class RequestSplittingInsecureNettyObjectCreation extends Insec`
`43`	`46`	`/**`
`44`	`47`	`* Response splitting can lead to HTTP vulnerabilities like XSS and cache poisoning.`
`45`	`48`	`*/`
	`49`	`+overlay[local?]`
`46`	`50`	`abstract private class ResponseSplittingInsecureNettyObjectCreation extends InsecureNettyObjectCreation`
`47`	`51`	`{`
`48`	`52`	`override string splittingType() { result = "Response splitting" }`
`49`	`53`	`}`
`50`	`54`
	`55`	`+overlay[local?]`
`51`	`56`	`private class InsecureDefaultHttpHeadersClassInstantiation extends RequestOrResponseSplittingInsecureNettyObjectCreation`
`52`	`57`	`{`
`53`	`58`	`InsecureDefaultHttpHeadersClassInstantiation() {`
`@@ -58,6 +63,7 @@ private class InsecureDefaultHttpHeadersClassInstantiation extends RequestOrResp`
`58`	`63`	`}`
`59`	`64`	`}`
`60`	`65`
	`66`	`+overlay[local?]`
`61`	`67`	`private class InsecureDefaultHttpResponseClassInstantiation extends ResponseSplittingInsecureNettyObjectCreation`
`62`	`68`	`{`
`63`	`69`	`InsecureDefaultHttpResponseClassInstantiation() {`
`@@ -66,6 +72,7 @@ private class InsecureDefaultHttpResponseClassInstantiation extends ResponseSpli`
`66`	`72`	`}`
`67`	`73`	`}`
`68`	`74`
	`75`	`+overlay[local?]`
`69`	`76`	`private class InsecureDefaultHttpRequestClassInstantiation extends RequestSplittingInsecureNettyObjectCreation`
`70`	`77`	`{`
`71`	`78`	`InsecureDefaultHttpRequestClassInstantiation() {`
`@@ -74,6 +81,7 @@ private class InsecureDefaultHttpRequestClassInstantiation extends RequestSplitt`
`74`	`81`	`}`
`75`	`82`	`}`
`76`	`83`
	`84`	`+overlay[local?]`
`77`	`85`	`private class InsecureDefaultFullHttpResponseClassInstantiation extends ResponseSplittingInsecureNettyObjectCreation`
`78`	`86`	`{`
`79`	`87`	`InsecureDefaultFullHttpResponseClassInstantiation() {`
`@@ -83,6 +91,7 @@ private class InsecureDefaultFullHttpResponseClassInstantiation extends Response`
`83`	`91`	`}`
`84`	`92`	`}`
`85`	`93`
	`94`	`+overlay[local?]`
`86`	`95`	`private class InsecureDefaultFullHttpRequestClassInstantiation extends RequestSplittingInsecureNettyObjectCreation`
`87`	`96`	`{`
`88`	`97`	`InsecureDefaultFullHttpRequestClassInstantiation() {`