Java: Add String.join as default taint step.

2026-04-30 11:15:13 +02:00 · 2020-02-07 14:43:31 +01:00
parent ee3af0a247
commit 85adc3be10
1 changed files with 11 additions and 4 deletions
--- a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -381,15 +381,22 @@ private predicate argToMethodStep(Expr tracked, MethodAccess sink) {
    tracked = sink.(MethodAccess).getArgument(i)
  )
  or
-  exists(Method m, MethodAccess ma |
-    ma.getMethod() = m and
-    m.getDeclaringType() instanceof TypeString and
-    m.hasName("format") and
+  exists(MethodAccess ma |
+    taintPreservingArgumentToMethod(ma.getMethod()) and
    tracked = ma.getAnArgument() and
    sink = ma
  )
 }

+/**
+ * Holds if `method` is a library method that return tainted data if any
+ * of its arguments are tainted.
+ */
+private predicate taintPreservingArgumentToMethod(Method method) {
+  method.getDeclaringType() instanceof TypeString and
+  (method.hasName("format") or method.hasName("join"))
+}
+
 /**
 * Holds if `method` is a library method that return tainted data if its
 * `arg`th argument is tainted.