Java: Fix a couple of flow step issues

Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
2026-02-28 21:03:50 +01:00 · 2020-10-12 14:05:50 +01:00
parent 4a8b7f64e8
commit 7e2c49fadd
2 changed files with 18 additions and 19 deletions
--- a/java/ql/src/semmle/code/java/dataflow/FlowSteps.qll
+++ b/java/ql/src/semmle/code/java/dataflow/FlowSteps.qll
@@ -62,7 +62,7 @@ private class StringTaintPreservingMethod extends TaintPreservingMethod {
  }

  override predicate returnsTaintFrom(int arg) {
-    arg = -1
+    arg = -1 and not this.isStatic()
    or
    this.hasName(["concat", "copyValueOf"]) and arg = 0
    or
--- a/java/ql/src/semmle/code/java/frameworks/android/SQLite.qll
+++ b/java/ql/src/semmle/code/java/frameworks/android/SQLite.qll
@@ -233,24 +233,23 @@ private class QueryBuilderBuildMethod extends TaintPreservingMethod {

  QueryBuilderBuildMethod() {
    this.getDeclaringType().getASourceSupertype*() instanceof TypeSQLiteQueryBuilder and
-    // buildQuery(String[] projectionIn, String selection, String groupBy, String having, String sortOrder, String limit)
-    // buildQuery(String[] projectionIn, String selection, String[] selectionArgs, String groupBy, String having, String sortOrder, String limit)
-    // buildUnionQuery(String[] subQueries, String sortOrder, String limit)
-    // buildUnionSubQuery(String typeDiscriminatorColumn, String[] unionColumns, Set<String> columnsPresentInTable, int computedColumnsOffset, String typeDiscriminatorValue, String selection, String[] selectionArgs, String groupBy, String having)
-    // buildUnionSubQuery(String typeDiscriminatorColumn, String[] unionColumns, Set<String> columnsPresentInTable, int computedColumnsOffset, String typeDiscriminatorValue, String selection, String groupBy, String having)
-    // static buildQueryString(boolean distinct, String tables, String[] columns, String where, String groupBy, String having, String orderBy, String limit)
-    this.hasName(["buildQuery", "buildUnionQuery", "buildUnionSubQuery"]) and
-    argument = -1
-    or
-    hasName(["buildQuery", "buildUnionQuery"]) and
-    argument = [0 .. getNumberOfParameters()]
-    or
-    hasName("buildQueryString") and
-    argument = [1 .. getNumberOfParameters()]
-    or
-    hasName("buildUnionSubQuery") and
-    argument = [0 .. getNumberOfParameters()] and
-    argument != 3
+    (
+      // buildQuery(String[] projectionIn, String selection, String groupBy, String having, String sortOrder, String limit)
+      // buildQuery(String[] projectionIn, String selection, String[] selectionArgs, String groupBy, String having, String sortOrder, String limit)
+      // buildUnionQuery(String[] subQueries, String sortOrder, String limit)
+      this.hasName(["buildQuery", "buildUnionQuery"]) and
+      argument = [-1 .. getNumberOfParameters()]
+      or
+      // buildUnionSubQuery(String typeDiscriminatorColumn, String[] unionColumns, Set<String> columnsPresentInTable, int computedColumnsOffset, String typeDiscriminatorValue, String selection, String[] selectionArgs, String groupBy, String having)
+      // buildUnionSubQuery(String typeDiscriminatorColumn, String[] unionColumns, Set<String> columnsPresentInTable, int computedColumnsOffset, String typeDiscriminatorValue, String selection, String groupBy, String having)
+      this.hasName("buildUnionSubQuery") and
+      argument = [-1 .. getNumberOfParameters()] and
+      argument != 3
+      or
+      // static buildQueryString(boolean distinct, String tables, String[] columns, String where, String groupBy, String having, String orderBy, String limit)
+      hasName("buildQueryString") and
+      argument = [1 .. getNumberOfParameters()]
+    )
  }

  override predicate returnsTaintFrom(int arg) { argument = arg }