Java: Add taint step for String::concat.

2026-03-01 13:23:49 +01:00 · 2019-07-25 11:38:34 +02:00
parent a42d9b1f96
commit 046d4a01de
1 changed files with 5 additions and 0 deletions
--- a/java/ql/src/semmle/code/java/dataflow/TaintTracking.qll
+++ b/java/ql/src/semmle/code/java/dataflow/TaintTracking.qll
@@ -377,6 +377,7 @@ module TaintTracking {
  private predicate taintPreservingQualifierToMethod(Method m) {
    m.getDeclaringType() instanceof TypeString and
    (
+      m.getName() = "concat" or
      m.getName() = "endsWith" or
      m.getName() = "getBytes" or
      m.getName() = "split" or
@@ -481,6 +482,10 @@ module TaintTracking {
      method.getName().matches("to%String") and arg = 0
    )
    or
+    method.getDeclaringType() instanceof TypeString and
+    method.getName() = "concat" and
+    arg = 0
+    or
    (
      method.getDeclaringType().hasQualifiedName("java.lang", "StringBuilder") or
      method.getDeclaringType().hasQualifiedName("java.lang", "StringBuffer")