From 5e01e1d46425d52d34c3af3f5870f00f7923b381 Mon Sep 17 00:00:00 2001
From: Kristen Newbury <knewbury01@github.com>
Date: Mon, 21 Aug 2023 12:20:04 -0400
Subject: [PATCH] Java: add sanitizer to command injection query

---
 .../2023-08-21-java-command-injection-sanitizer.md            | 4 ++++
 java/ql/lib/semmle/code/java/security/CommandLineQuery.qll    | 2 ++
 2 files changed, 6 insertions(+)
 create mode 100644 java/ql/lib/change-notes/2023-08-21-java-command-injection-sanitizer.md

diff --git a/java/ql/lib/change-notes/2023-08-21-java-command-injection-sanitizer.md b/java/ql/lib/change-notes/2023-08-21-java-command-injection-sanitizer.md
new file mode 100644
index 00000000000..ca183d5d065
--- /dev/null
+++ b/java/ql/lib/change-notes/2023-08-21-java-command-injection-sanitizer.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added new sanitizer to Java command injection model
\ No newline at end of file
diff --git a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
index c0d09a9eeab..30772d9fdf1 100644
--- a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
@@ -42,6 +42,8 @@ private class DefaultCommandInjectionSanitizer extends CommandInjectionSanitizer
     or
     this.getType() instanceof BoxedType
     or
+    this.getType() instanceof NumberType
+    or
     isSafeCommandArgument(this.asExpr())
   }
 }