Merge pull request #1633 from aschackmull/java/taint-string-concat

Java: Add taint step for String::concat.
2025-12-17 01:03:14 +01:00 · 2019-07-30 00:21:52 -04:00
parent 6bd22b01b3 046d4a01de
commit 37395877a7
1 changed files with 5 additions and 0 deletions
--- a/java/ql/src/semmle/code/java/dataflow/TaintTracking.qll
+++ b/java/ql/src/semmle/code/java/dataflow/TaintTracking.qll
@@ -377,6 +377,7 @@ module TaintTracking {
  private predicate taintPreservingQualifierToMethod(Method m) {
    m.getDeclaringType() instanceof TypeString and
    (
+      m.getName() = "concat" or
      m.getName() = "endsWith" or
      m.getName() = "getBytes" or
      m.getName() = "split" or
@@ -481,6 +482,10 @@ module TaintTracking {
      method.getName().matches("to%String") and arg = 0
    )
    or
+    method.getDeclaringType() instanceof TypeString and
+    method.getName() = "concat" and
+    arg = 0
+    or
    (
      method.getDeclaringType().hasQualifiedName("java.lang", "StringBuilder") or
      method.getDeclaringType().hasQualifiedName("java.lang", "StringBuffer")