Java: Fix more broken performance.

2026-04-24 16:25:15 +02:00 · 2025-09-08 14:08:00 +02:00
parent 66379deadd
commit 4c1fa58367
6 changed files with 34 additions and 19 deletions
--- a/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -278,21 +278,23 @@ private predicate inputStreamWrapper(Constructor c, int argi) {

 /** An object construction that preserves the data flow status of any of its arguments. */
 private predicate constructorStep(Expr tracked, ConstructorCall sink, string model) {
-  exists(int argi | sink.getArgument(argi) = tracked |
+  exists(int argi | sink.getArgument(pragma[only_bind_into](argi)) = tracked |
    // wrappers constructed by extension
    exists(Constructor c, Parameter p, SuperConstructorInvocationStmt sup |
      c = sink.getConstructor() and
-      p = c.getParameter(argi) and
+      p = c.getParameter(pragma[only_bind_into](argi)) and
      sup.getEnclosingCallable() = c and
      constructorStep(p.getAnAccess(), sup, model)
    )
    or
    // a custom InputStream that wraps a tainted data source is tainted
    model = "inputStreamWrapper" and
-    inputStreamWrapper(sink.getConstructor(), argi)
+    inputStreamWrapper(sink.getConstructor(), pragma[only_bind_into](argi))
    or
    model = "TaintPreservingCallable" and
-    sink.getConstructor().(TaintPreservingCallable).returnsTaintFrom(argToParam(sink, argi))
+    sink.getConstructor()
+        .(TaintPreservingCallable)
+        .returnsTaintFrom(argToParam(sink, pragma[only_bind_into](argi)))
  )
 }

--- a/java/ql/lib/semmle/code/java/frameworks/android/ExternalStorage.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/android/ExternalStorage.qll
@@ -20,8 +20,10 @@ private predicate externalStorageFlowStep(DataFlow::Node node1, DataFlow::Node n
  node2.asExpr().(FieldRead).getField().getInitializer() = node1.asExpr()
 }

-private predicate externalStorageFlow(DataFlow::Node node1, DataFlow::Node node2) {
-  externalStorageFlowStep*(node1, node2)
+private predicate externalStorageDirFlowsTo(DataFlow::Node n) {
+  sourceNode(n, "android-external-storage-dir")
+  or
+  exists(DataFlow::Node mid | externalStorageDirFlowsTo(mid) and externalStorageFlowStep(mid, n))
 }

 /**
@@ -29,9 +31,8 @@ private predicate externalStorageFlow(DataFlow::Node node1, DataFlow::Node node2
 * This is controllable by third-party applications, so is treated as a remote flow source.
 */
 predicate androidExternalStorageSource(DataFlow::Node n) {
-  exists(DataFlow::Node externalDir, DirectFileReadExpr read |
-    sourceNode(externalDir, "android-external-storage-dir") and
+  exists(DirectFileReadExpr read |
    n.asExpr() = read and
-    externalStorageFlow(externalDir, DataFlow::exprNode(read.getFileExpr()))
+    externalStorageDirFlowsTo(DataFlow::exprNode(read.getFileExpr()))
  )
 }