update {java/rb}/xxe to match python/javascript

erik-krogh · erik-krogh · commit 034d197e0103 · 2022-08-22T21:41:46.000+02:00
diff --git a/java/ql/src/Security/CWE/CWE-611/XXE.ql b/java/ql/src/Security/CWE/CWE-611/XXE.ql
@@ -51,5 +51,6 @@ class XxeConfig extends TaintTracking::Configuration {
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, XxeConfig conf
 where conf.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Unsafe parsing of XML file from $@.", source.getNode(),
-  "user input"
+select sink.getNode(), source, sink,
+  "A $@ is parsed as XML without guarding against external entity expansion.", source.getNode(),
+  "user-provided value"
diff --git a/ruby/ql/src/queries/security/cwe-611/Xxe.ql b/ruby/ql/src/queries/security/cwe-611/Xxe.ql
@@ -39,5 +39,6 @@ class XxeConfig extends TaintTracking::Configuration {
 
 from DataFlow::PathNode source, DataFlow::PathNode sink, XxeConfig conf
 where conf.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Unsafe parsing of XML file from $@.", source.getNode(),
-  "user input"
+select sink.getNode(), source, sink,
+  "A $@ is parsed as XML without guarding against external entity expansion.", source.getNode(),
+  "user-provided value"
