Java: make inputStreamWrapper only act on constructors from outside of source

2026-03-05 07:06:47 +01:00 · 2023-05-12 15:43:27 +02:00
parent aa14105e1c
commit 549fa7e288
1 changed files with 1 additions and 0 deletions
--- a/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -255,6 +255,7 @@ private class BulkData extends RefType {
 * status of its argument.
 */
 private predicate inputStreamWrapper(Constructor c, int argi) {
+  not c.fromSource() and
  c.getParameterType(argi) instanceof BulkData and
  c.getDeclaringType().getASourceSupertype+().hasQualifiedName("java.io", "InputStream")
 }