Merge pull request #13899 from egregius313/egregius313/random-nextbytes-typo-fix

Java: Fix typo in `StdlibRandomSource::getOutput`
2026-04-25 16:55:19 +02:00 · 2023-08-07 07:36:44 -04:00
parent 2126ab0dde 23e2eb11dd
commit 58d8a2d77f
2 changed files with 5 additions and 1 deletions
--- a/java/ql/lib/change-notes/2023-08-07-randomdatasource-typo-fix.md
+++ b/java/ql/lib/change-notes/2023-08-07-randomdatasource-typo-fix.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed a typo in the `StdlibRandomSource` class in `RandomDataSource.qll`, which caused the class to improperly model calls to the `nextBytes` method. Queries relying on `StdlibRandomSource` may see an increase in results.
--- a/java/ql/lib/semmle/code/java/security/RandomDataSource.qll
+++ b/java/ql/lib/semmle/code/java/security/RandomDataSource.qll
@@ -103,7 +103,7 @@ class StdlibRandomSource extends RandomDataSource {
  }

  override Expr getOutput() {
-    if m.hasName("getBytes") then result = this.getArgument(0) else result = this
+    if m.hasName("nextBytes") then result = this.getArgument(0) else result = this
  }
 }