Merge pull request #3948 from aibaars/java-3941

Java: stack trace exposure: address false positives
2025-12-24 04:36:35 +01:00 · 2020-08-05 09:31:01 +02:00
parent ea0896c78b c585b2e483
commit 32d9d270fc
1 changed files with 6 additions and 2 deletions
--- a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
+++ b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
@@ -22,7 +22,10 @@ import semmle.code.java.security.XSS
 */
 class PrintStackTraceMethod extends Method {
  PrintStackTraceMethod() {
-    getDeclaringType().hasQualifiedName("java.lang", "Throwable") and
+    getDeclaringType()
+        .getSourceDeclaration()
+        .getASourceSupertype*()
+        .hasQualifiedName("java.lang", "Throwable") and
    getName() = "printStackTrace"
  }
 }
@@ -96,7 +99,8 @@ class StackTraceStringToXssSinkFlowConfig extends TaintTracking2::Configuration
 */
 predicate printsStackExternally(MethodAccess call, Expr stackTrace) {
  printsStackToWriter(call) and
-  call.getQualifier() = stackTrace
+  call.getQualifier() = stackTrace and
+  not call.getQualifier() instanceof SuperAccess
 }

 /**