Fix up query tests.

2026-06-18 19:31:11 +02:00 · 2022-08-18 18:15:43 +07:00
parent 354a7fd252
commit 11f527ea5b
4 changed files with 22 additions and 2 deletions
--- a/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
+++ b/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
@@ -27,8 +27,15 @@ class ResponseSplittingConfig extends TaintTracking::Configuration {
  override predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink }

  override predicate isSanitizer(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or
+    node.getType() instanceof PrimitiveType
+    or
    node.getType() instanceof BoxedType
+    or
+    exists(MethodAccess ma |
+      ma.getMethod().hasQualifiedName("java.lang", "String", "replaceAll") and
+      ma.getArgument(0).(StringLiteral).getValue().matches("%[^%") and
+      node.asExpr() = ma
+    )
  }
 }