Java: Adjust taint steps for Reader::read.

2026-02-28 21:03:50 +01:00 · 2019-08-02 14:21:06 +02:00
parent 0e64c84f7e
commit 4ffc41277a
1 changed files with 10 additions and 2 deletions
--- a/java/ql/src/semmle/code/java/dataflow/TaintTracking.qll
+++ b/java/ql/src/semmle/code/java/dataflow/TaintTracking.qll
@@ -363,6 +363,10 @@ module TaintTracking {
    m.getDeclaringType().hasQualifiedName("java.io", "InputStream") and
    m.hasName("read") and
    arg = 0
+    or
+    m.getDeclaringType().getASupertype*().hasQualifiedName("java.io", "Reader") and
+    m.hasName("read") and
+    arg = 0
  }

  /** Access to a method that passes taint from the qualifier. */
@@ -398,8 +402,12 @@ module TaintTracking {
      m.getName().matches("%Value")
    )
    or
-    m.getDeclaringType().getQualifiedName().matches("%Reader") and
-    m.getName().matches("read%")
+    m.getDeclaringType().getASupertype*().hasQualifiedName("java.io", "Reader") and
+    (
+      m.getName() = "read" and m.getNumberOfParameters() = 0
+      or
+      m.getName() = "readLine"
+    )
    or
    m.getDeclaringType().getQualifiedName().matches("%StringWriter") and
    m.getName() = "toString"