From 2757ea4c7a2611b9c82279bf67ce37bd40b1ba39 Mon Sep 17 00:00:00 2001 From: seqradev Date: Thu, 15 Jan 2026 08:52:58 +0000 Subject: [PATCH] feat: Add JSP source and sink --- CHANGELOG.md | 3 +++ .../generic/servlet-untrusted-data-source.yaml | 1 + rules/java/lib/generic/servlet-xss-sinks.yaml | 15 +++++++++------ 3 files changed, 13 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e2197d8..998da33 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +## v2.1.0 +### feat: Add JSP source and sink +- feat: Add jsp source and sink ## v2.0.0 ### feat!: Overhaul rules and fix sinks - feat!: Complete rules overhaul diff --git a/rules/java/lib/generic/servlet-untrusted-data-source.yaml b/rules/java/lib/generic/servlet-untrusted-data-source.yaml index 50c0774..f841a52 100644 --- a/rules/java/lib/generic/servlet-untrusted-data-source.yaml +++ b/rules/java/lib/generic/servlet-untrusted-data-source.yaml @@ -21,6 +21,7 @@ rules: - pattern: doPost - pattern: doDelete - pattern: doTrace + - pattern: _jspService - pattern: | $UNTRUSTED = (MessageBodyReader $READER).readFrom(...); - pattern: | diff --git a/rules/java/lib/generic/servlet-xss-sinks.yaml b/rules/java/lib/generic/servlet-xss-sinks.yaml index d9eab82..f27ac3b 100644 --- a/rules/java/lib/generic/servlet-xss-sinks.yaml +++ b/rules/java/lib/generic/servlet-xss-sinks.yaml 
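Review bot: The new `- pattern: _jspService` entry in servlet-untrusted-data-source.yaml is listed next to the ordinary HttpServlet overrides (`doGet`, `doPost`, `doDelete`, `doTrace`) with nothing saying why it is different: as far as I can tell `_jspService` is the service method of a JSP that has been translated into a servlet class (the HttpJspPage contract), so this source only matches the generated `.java` of precompiled JSPs that are actually in the scanned tree, while raw `.jsp` files are not Java and will not match at all. A one-line comment above it would keep the next maintainer from dropping or "correcting" it: `# _jspService: service method of a JSP compiled to a servlet (HttpJspPage); only matches precompiled JSP output, not raw .jsp files`. The rule these method names belong to (its id, mode, and how the name is bound to the untrusted request parameter) starts before line 21 and is outside the hunk, so I cannot confirm that binding here.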
@@ -25,16 +25,19 @@ rules: - patterns: - pattern-either: - pattern: | - (HttpServletResponse $RESPONSE).getWriter(...).$WRITE(...) + (HttpServletResponse $RESPONSE).getWriter(...).$WRITE(..., $UNTRUSTED, ...) - pattern: | - (HttpServletResponse $RESPONSE).getOutputStream(...).$WRITE(...) + (HttpServletResponse $RESPONSE).getOutputStream(...).$WRITE(..., $UNTRUSTED, ...) - pattern: | (HttpServletResponse $RESPONSE).sendError($CODE, $UNTRUSTED) - pattern: | - (java.io.PrintWriter $WRITER).$WRITE(...) + (java.io.PrintWriter $WRITER).$WRITE(..., $UNTRUSTED, ...) - pattern: | - (PrintWriter $WRITER).$WRITE(...) + (PrintWriter $WRITER).$WRITE(..., $UNTRUSTED, ...) - pattern: | - (javax.servlet.ServletOutputStream $WRITER).$WRITE(...) + (javax.servlet.ServletOutputStream $WRITER).$WRITE(..., $UNTRUSTED, ...) - pattern: | - (ServletOutputStream $WRITER).$WRITE(...) + (ServletOutputStream $WRITER).$WRITE(..., $UNTRUSTED, ...) + - pattern: | + (jakarta.servlet.jsp.JspWriter $WRITER).$WRITE(..., $UNTRUSTED, ...) + - focus-metavariable: $UNTRUSTED
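Review bot: The added JspWriter sink (the last `- pattern: |` before `focus-metavariable`) names only `jakarta.servlet.jsp.JspWriter`, whereas every sibling in this `pattern-either` carries both the qualified and the unqualified type (`javax.servlet.ServletOutputStream` and `ServletOutputStream`, `java.io.PrintWriter` and `PrintWriter`), and the qualified sibling even uses the `javax` namespace; so JSP output written through a `javax.servlet.jsp.JspWriter` (Java EE / pre-Jakarta containers), or through an `out` variable whose type Semgrep cannot resolve to the fully qualified name, would not be treated as a sink. Adding the `javax` and bare-name companions keeps the file consistent with the other sinks and closes that gap. The tightening from `$WRITE(...)` to `$WRITE(..., $UNTRUSTED, ...)` with `focus-metavariable: $UNTRUSTED` looks right — zero-argument calls such as `flush()` or `close()` no longer match, and only the tainted argument is reported — though `$WRITE` remains unconstrained, so multi-argument overloads like `write(byte[], int, int)` will bind `$UNTRUSTED` to each argument in turn, which is presumably harmless in taint mode. The enclosing rule (id, `mode: taint`, message) begins before line 25 and is outside the hunk.
```yaml
# … unchanged: HttpServletResponse / PrintWriter / ServletOutputStream sinks …
          - pattern: |
              (jakarta.servlet.jsp.JspWriter $WRITER).$WRITE(..., $UNTRUSTED, ...)
          - pattern: |
              (javax.servlet.jsp.JspWriter $WRITER).$WRITE(..., $UNTRUSTED, ...)
          - pattern: |
              (JspWriter $WRITER).$WRITE(..., $UNTRUSTED, ...)
      - focus-metavariable: $UNTRUSTED
```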