Exclude bounds-check arithmetic from tainted-arithmetic sinks

The java/tainted-arithmetic query now recognizes when an arithmetic expression appears directly as an operand of a comparison (e.g., `if (off + len > array.length)`). Such expressions are bounds checks, not vulnerable computations, and are excluded via the existing overflowIrrelevant predicate. Add test cases for bounds-checking patterns that should not be flagged.
2026-04-14 03:24:06 +02:00 · 2026-03-28 17:39:40 +08:00
parent a8b52acaa9
commit 0c5e89a68e
3 changed files with 33 additions and 1 deletions
--- a/java/ql/lib/semmle/code/java/security/ArithmeticCommon.qll
+++ b/java/ql/lib/semmle/code/java/security/ArithmeticCommon.qll
@@ -132,7 +132,21 @@ private predicate inBitwiseAnd(Expr exp) {
 /** Holds if overflow/underflow is irrelevant for this expression. */
 predicate overflowIrrelevant(Expr exp) {
  inBitwiseAnd(exp) or
-  exp.getEnclosingCallable() instanceof HashCodeMethod
+  exp.getEnclosingCallable() instanceof HashCodeMethod or
+  arithmeticUsedInBoundsCheck(exp)
+}
+
+/**
+ * Holds if `exp` is an arithmetic expression used directly as an operand of a
+ * comparison, indicating it is part of a bounds check rather than a vulnerable
+ * computation. For example, in `if (off + len > array.length)`, the addition
+ * is the bounds check itself.
+ */
+private predicate arithmeticUsedInBoundsCheck(ArithExpr exp) {
+  exists(ComparisonExpr comp |
+    comp.getAnOperand() = exp and
+    comp.getEnclosingStmt() instanceof IfStmt
+  )
 }

 /**