hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fixed sensitive logging barriers for substring to allow single-arg use

Browse Source
This commit is contained in:
aegilops
2025-11-14 18:12:05 +00:00
parent fa703e3e60
commit 0c0fbc1457
1 changed files with 8 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll
View File

@@ -61,13 +61,19 @@ private class SensitiveLoggerSanitizerCalled extends SensitiveLoggerBarrier {
m.hasQualifiedName("java.lang", "StringBuffer", "substring") or m.hasQualifiedName("java.lang", "StringBuffer", "substring") or
m.hasQualifiedName("java.lang", "StringBuilder", "substring") m.hasQualifiedName("java.lang", "StringBuilder", "substring")
) and ) and
twoArgLimit(mc, limit, false) and (
twoArgLimit(mc, limit, false) or
singleArgLimit(mc, limit, false)
) and
this.asExpr() = mc.getQualifier() this.asExpr() = mc.getQualifier()
or or
// Kotlin string operations, which use extension methods (so the string is the first argument) // Kotlin string operations, which use extension methods (so the string is the first argument)
( (
m.hasQualifiedName("kotlin.text", "StringsKt", "substring") and m.hasQualifiedName("kotlin.text", "StringsKt", "substring") and
twoArgLimit(mc, limit, true) (
twoArgLimit(mc, limit, true) or
singleArgLimit(mc, limit, true)
)
or or
m.hasQualifiedName("kotlin.text", "StringsKt", ["take", "takeLast"]) and m.hasQualifiedName("kotlin.text", "StringsKt", ["take", "takeLast"]) and
singleArgLimit(mc, limit, true) singleArgLimit(mc, limit, true)