Propagate taint through AbstractStringBuilder.reverse() and its overrides.

2026-05-02 12:15:17 +02:00 · 2022-01-03 10:38:27 +07:00
parent 882caf4011
commit 421bd1b970
1 changed files with 2 additions and 0 deletions
--- a/java/ql/lib/semmle/code/java/frameworks/Strings.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/Strings.qll
@@ -50,6 +50,8 @@ private class StringSummaryCsv extends SummaryModelCsv {
        "java.lang;AbstractStringBuilder;true;insert;;;Argument[-1];ReturnValue;value",
        "java.lang;AbstractStringBuilder;true;replace;;;Argument[-1];ReturnValue;value",
        "java.lang;AbstractStringBuilder;true;replace;;;Argument[2];Argument[-1];taint",
+        "java.lang;AbstractStringBuilder;true;reverse;;;Argument[-1];ReturnValue;value",
+        "java.lang;AbstractStringBuilder;true;reverse;;;Argument[-1];ReturnValue;taint",
        "java.lang;AbstractStringBuilder;true;toString;;;Argument[-1];ReturnValue;taint",
        "java.lang;StringBuffer;true;StringBuffer;(CharSequence);;Argument[0];Argument[-1];taint",
        "java.lang;StringBuffer;true;StringBuffer;(String);;Argument[0];Argument[-1];taint",