Exclude bounds-check arithmetic from tainted-arithmetic sinks

The java/tainted-arithmetic query now recognizes when an arithmetic expression appears directly as an operand of a comparison (e.g., `if (off + len > array.length)`). Such expressions are bounds checks, not vulnerable computations, and are excluded via the existing overflowIrrelevant predicate. Add test cases for bounds-checking patterns that should not be flagged.
2026-04-26 17:25:19 +02:00 · 2026-03-28 17:39:40 +08:00
parent a8b52acaa9
commit 0c5e89a68e
3 changed files with 33 additions and 1 deletions
--- a/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTainted.java
+++ b/java/ql/test/query-tests/security/CWE-190/semmle/tests/ArithmeticTainted.java
@@ -138,4 +138,18 @@ public class ArithmeticTainted {
 		// BAD: may underflow if input data is very small
 		--data;
 	}
+
+	public static void boundsCheckGood(byte[] bs, int off, int len) {
+		// GOOD: arithmetic used directly in a bounds check, not as a computation
+		if (off + len > bs.length) {
+			throw new IndexOutOfBoundsException();
+		}
+	}
+
+	public static void boundsCheckGood2(int[] arr, int offset, int count) {
+		// GOOD: subtraction used directly in a bounds check
+		if (offset - count < 0) {
+			throw new IndexOutOfBoundsException();
+		}
+	}
 }