Any plans to support JSP?

[slominskir]

It appears codeql doesn't currently detect Java Server Pages (JSP) Reflected Cross Site Scripting vulnerabilities. Any plans to support it? Rule may roughly involve looking for ${param.*} in JSP file and if that value isn't one of the three exemption cases then it's vulnerable. The exemption cases being:

1. isn't located inside a <c:out value="${?}"/>
2. isn't located inside a ${fn:escapeXml(?)}
3. isn't part of an expression with a function call or operand such as eq

[aibaars]

Thanks for your question. There has been some work on JSP support in the past, but I don't think it has become a fully supported feature.

If you're curious you could try running CodeQL with the environment variable CODEQL_EXTRACTOR_JAVA_JSP=true. Note that experimental features should typically be avoided for production use.

codeql/java/ql/integration-tests/java/java-web-jsp/test.py

Line 3 in f7db47b

command="mvn clean package -P tomcat8Jsp", _env={"CODEQL_EXTRACTOR_JAVA_JSP": "true"}