Merge pull request #13772 from atorralba/atorralba/java/inputstream-wrapper-read-step

Java: Add taint steps for InputStream wrappers
2026-02-23 10:23:41 +01:00 · 2023-07-31 11:12:43 +02:00
parent e534afe634 6c0d47f122
commit 41f1315da9
12 changed files with 249 additions and 7 deletions
--- a/java/ql/lib/semmle/code/java/dataflow/FlowSteps.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/FlowSteps.qll
@@ -20,11 +20,11 @@ private module Frameworks {
  private import semmle.code.java.frameworks.Guice
  private import semmle.code.java.frameworks.IoJsonWebToken
  private import semmle.code.java.frameworks.jackson.JacksonSerializability
+  private import semmle.code.java.frameworks.InputStream
  private import semmle.code.java.frameworks.Properties
  private import semmle.code.java.frameworks.Protobuf
  private import semmle.code.java.frameworks.ratpack.RatpackExec
  private import semmle.code.java.frameworks.stapler.Stapler
-  private import semmle.code.java.JDK
 }

 /**
--- a/java/ql/lib/semmle/code/java/dataflow/RangeAnalysis.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/RangeAnalysis.qll
@@ -757,7 +757,7 @@ private predicate baseBound(Expr e, int b, boolean upper) {
  or
  exists(Method read |
    e.(MethodAccess).getMethod().overrides*(read) and
-    read.getDeclaringType().hasQualifiedName("java.io", "InputStream") and
+    read.getDeclaringType() instanceof TypeInputStream and
    read.hasName("read") and
    read.getNumberOfParameters() = 0
  |
--- a/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -239,7 +239,7 @@ private class BulkData extends RefType {
    this.(Array).getElementType().(PrimitiveType).hasName(["byte", "char"])
    or
    exists(RefType t | this.getASourceSupertype*() = t |
-      t.hasQualifiedName("java.io", "InputStream") or
+      t instanceof TypeInputStream or
      t.hasQualifiedName("java.nio", "ByteBuffer") or
      t.hasQualifiedName("java.lang", "Readable") or
      t.hasQualifiedName("java.io", "DataInput") or
@@ -259,7 +259,7 @@ private class BulkData extends RefType {
 private predicate inputStreamWrapper(Constructor c, int argi) {
  not c.fromSource() and
  c.getParameterType(argi) instanceof BulkData and
-  c.getDeclaringType().getASourceSupertype+().hasQualifiedName("java.io", "InputStream")
+  c.getDeclaringType().getASourceSupertype+() instanceof TypeInputStream
 }

 /** An object construction that preserves the data flow status of any of its arguments. */