Merge pull request #15008 from igfoo/igfoo/kot-arr-taint

Kotlin: Track taint through Array.get/set
2026-02-23 10:23:41 +01:00 · 2023-12-05 18:30:21 +00:00
parent a09078a5ca 8ea155ef24
commit 2c625e34b5
4 changed files with 43 additions and 2 deletions
--- a/java/ql/lib/semmle/code/java/dataflow/internal/ContainerFlow.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/ContainerFlow.qll
@@ -4,6 +4,10 @@ import semmle.code.java.Maps
 private import semmle.code.java.dataflow.SSA
 private import DataFlowUtil

+private class ArrayType extends RefType {
+  ArrayType() { this.getSourceDeclaration().getASourceSupertype*() instanceof Array }
+}
+
 private class EntryType extends RefType {
  EntryType() {
    this.getSourceDeclaration().getASourceSupertype*().hasQualifiedName("java.util", "Map$Entry")
@@ -446,6 +450,14 @@ predicate arrayStoreStep(Node node1, Node node2) {
  exists(Assignment assign | assign.getSource() = node1.asExpr() |
    node2.(PostUpdateNode).getPreUpdateNode().asExpr() = assign.getDest().(ArrayAccess).getArray()
  )
+  or
+  exists(Expr arr, Call call |
+    arr = node2.asExpr() and
+    call.getArgument(1) = node1.asExpr() and
+    call.getQualifier() = arr and
+    arr.getType() instanceof ArrayType and
+    call.getCallee().getName() = "set"
+  )
 }

 private predicate enhancedForStmtStep(Node node1, Node node2, Type containerType) {
@@ -470,6 +482,14 @@ predicate arrayReadStep(Node node1, Node node2, Type elemType) {
    node2.asExpr() = aa
  )
  or
+  exists(Expr arr, Call call |
+    arr = node1.asExpr() and
+    call = node2.asExpr() and
+    arr.getType() instanceof ArrayType and
+    call.getCallee().getName() = "get" and
+    call.getQualifier() = arr
+  )
+  or
  exists(Array arr |
    enhancedForStmtStep(node1, node2, arr) and
    arr.getComponentType() = elemType