Merge pull request #20589 from aschackmull/java/array-entrypoint-read-taint

Java: Allow taint-read-steps for array sources.

java/ql/lib/change-notes/2025-10-07-array-entrypointtype.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fields of certain objects are considered tainted if the object is tainted. This holds, for example, for objects that occur directly as sources in the active threat model (for instance, a remote flow source). This has now been amended to also include array types, such that if an array like `MyPojo[]` is a source, then fields of a tainted `MyPojo` are now also considered tainted.

java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll

@@ -655,6 +655,8 @@ private SrcRefType entrypointType() {
   )
   or
   result = entrypointType().getAField().getType().(RefType).getSourceDeclaration()
+  or
+  result = entrypointType().(Array).getElementType().(RefType).getSourceDeclaration()
 }
 
 private predicate entrypointFieldStep(DataFlow::Node src, DataFlow::Node sink) {