Merge pull request #15008 from igfoo/igfoo/kot-arr-taint
Kotlin: Track taint through Array.get/set
@@ -4,6 +4,10 @@ import semmle.code.java.Maps
|
||||
private import semmle.code.java.dataflow.SSA
|
||||
private import DataFlowUtil
|
||||
|
||||
private class ArrayType extends RefType {
|
||||
ArrayType() { this.getSourceDeclaration().getASourceSupertype*() instanceof Array }
|
||||
}
|
||||
|
||||
private class EntryType extends RefType {
|
||||
EntryType() {
|
||||
this.getSourceDeclaration().getASourceSupertype*().hasQualifiedName("java.util", "Map$Entry")
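Review bot: The new `ArrayType` class on the first added lines of this hunk has no QLDoc, while neighbouring classes such as `EntryType` document what they characterise. I would add, immediately above `private class ArrayType extends RefType {`, the comment `/** A reference type whose source declaration is an `Array` or has an `Array` among its transitive source supertypes. */`. It would also help a later reader to note in that comment that this is what the `Array.get`/`Array.set` steps added elsewhere in this commit rely on, since the class name alone does not say why array types need a separate characteristic predicate here.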
|
||||
@@ -446,6 +450,14 @@ predicate arrayStoreStep(Node node1, Node node2) {
|
||||
exists(Assignment assign | assign.getSource() = node1.asExpr() |
|
||||
node2.(PostUpdateNode).getPreUpdateNode().asExpr() = assign.getDest().(ArrayAccess).getArray()
|
||||
)
|
||||
or
|
||||
exists(Expr arr, Call call |
|
||||
arr = node2.asExpr() and
|
||||
call.getArgument(1) = node1.asExpr() and
|
||||
call.getQualifier() = arr and
|
||||
arr.getType() instanceof ArrayType and
|
||||
call.getCallee().getName() = "set"
|
||||
)
|
||||
}
|
||||
|
||||
private predicate enhancedForStmtStep(Node node1, Node node2, Type containerType) {
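Review bot: The added `set` disjunct binds `arr = node2.asExpr()`, so the store step targets the ordinary expression node of the qualifier, whereas the existing disjunct directly above it targets `node2.(PostUpdateNode).getPreUpdateNode().asExpr()`. Unless the Kotlin `Array.set` call is modelled differently somewhere outside this hunk, the two disjuncts should agree, and the post-update form is the one a store step normally needs so that the tainted element is visible after the call rather than before it; I would change the line to `arr = node2.(PostUpdateNode).getPreUpdateNode().asExpr() and`. The same qualifier/callee-name pattern is used by the `get` disjunct in the next hunk, where the read direction makes the plain expression node the right choice. Matching on `getCallee().getName() = "set"` with `getArgument(1)` also assumes the two-argument `(index, value)` signature; if overloads exist for this type, a `call.getNumArgument() = 2` conjunct would make that explicit. `arrayStoreStep` begins before this hunk.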
|
||||
@@ -470,6 +482,14 @@ predicate arrayReadStep(Node node1, Node node2, Type elemType) {
|
||||
node2.asExpr() = aa
|
||||
)
|
||||
or
|
||||
exists(Expr arr, Call call |
|
||||
arr = node1.asExpr() and
|
||||
call = node2.asExpr() and
|
||||
arr.getType() instanceof ArrayType and
|
||||
call.getCallee().getName() = "get" and
|
||||
call.getQualifier() = arr
|
||||
)
|
||||
or
|
||||
exists(Array arr |
|
||||
enhancedForStmtStep(node1, node2, arr) and
|
||||
arr.getComponentType() = elemType
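Review bot: The added `get` disjunct does not mention the `elemType` parameter at all, while the enhanced-for disjunct that follows binds it with `arr.getComponentType() = elemType` and the first disjunct presumably binds it above the hunk. As rendered here this leaves `elemType` unconstrained in one branch of the predicate, which QL normally rejects as an unbound variable unless something outside the hunk binds it; either way callers that use `elemType` to pick the element's taint type get no value from this branch. I would add a conjunct relating it to the array's component type, for example `elemType = arr.getType().(Array).getComponentType() and`, adjusting the cast if `ArrayType` instances are not themselves `Array`s. `arrayReadStep` begins before this hunk and its closing lines lie beyond the last line shown.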
|
||||
|
||||