Merge pull request #20589 from aschackmull/java/array-entrypoint-read-taint

Java: Allow taint-read-steps for array sources.

java/ql/lib/change-notes/2025-10-07-array-entrypointtype.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fields of certain objects are considered tainted if the object is tainted. This holds, for example, for objects that occur directly as sources in the active threat model (for instance, a remote flow source). This has now been amended to also include array types, such that if an array like `MyPojo[]` is a source, then fields of a tainted `MyPojo` are now also considered tainted.

java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll

@@ -655,6 +655,8 @@ private SrcRefType entrypointType() {
   )
   or
   result = entrypointType().getAField().getType().(RefType).getSourceDeclaration()
+  or
+  result = entrypointType().(Array).getElementType().(RefType).getSourceDeclaration()
 }
 
 private predicate entrypointFieldStep(DataFlow::Node src, DataFlow::Node sink) {

java/ql/test/library-tests/dataflow/entrypoint-types/EntryPointTypesTest.java

@@ -41,6 +41,10 @@ public class EntryPointTypesTest {
         public String safeField;
     }
 
+    static class ArrayElemObject {
+        public String field;
+    }
+
     private static void sink(String sink) {}
 
     public static void test(TestObject source) {
@@ -70,4 +74,8 @@ public class EntryPointTypesTest {
         UnrelatedObject unrelated = (UnrelatedObject) subtypeSource.getField8();
         sink(unrelated.safeField); // Safe
     }
+
+    public static void testArray(ArrayElemObject[] source) {
+        sink(source[0].field); // $hasTaintFlow
+    }
 }