Merge pull request #15292 from egregius313/egregius313/java/dataflow/common-sanitizers/uuid-and-date

Java: Add `java.util.UUID` and `java.util.Date` to the `SimpleTypeSanitizer` class
2026-04-22 23:35:14 +02:00 · 2024-01-26 13:16:18 -05:00
parent 031bd8bd0c ef884fa721
commit 4602f8933d
2 changed files with 9 additions and 2 deletions
--- a/java/ql/lib/change-notes/2024-01-23-add-uuid-and-date-to-simpletypesanitizer.md
+++ b/java/ql/lib/change-notes/2024-01-23-add-uuid-and-date-to-simpletypesanitizer.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added the `java.util.Date` and `java.util.UUID` classes to the list of types in the `SimpleTypeSanitizer` class in `semmle.code.java.security.Sanitizers`.
--- a/java/ql/lib/semmle/code/java/security/Sanitizers.qll
+++ b/java/ql/lib/semmle/code/java/security/Sanitizers.qll
@@ -4,12 +4,15 @@ import java
 private import semmle.code.java.dataflow.DataFlow

 /**
- * A node whose type is a simple type unlikely to carry taint, such as primitives or their boxed counterparts.
+ * A node whose type is a simple type unlikely to carry taint, such as primitives and their boxed counterparts,
+ * `java.util.UUID` and `java.util.Date`.
 */
 class SimpleTypeSanitizer extends DataFlow::Node {
  SimpleTypeSanitizer() {
    this.getType() instanceof PrimitiveType or
    this.getType() instanceof BoxedType or
-    this.getType() instanceof NumberType
+    this.getType() instanceof NumberType or
+    this.getType().(RefType).hasQualifiedName("java.util", "UUID") or
+    this.getType().(RefType).hasQualifiedName("java.util", "Date")
  }
 }