Java: Expand ExactPathSanitizer to work on the argument of 'equals' too

2026-04-29 18:55:14 +02:00 · 2024-02-15 09:54:29 +01:00
parent 8aff913c3c
commit 90a9d82b9d
4 changed files with 19 additions and 1 deletions
--- a/java/ql/test/library-tests/pathsanitizer/Test.java
+++ b/java/ql/test/library-tests/pathsanitizer/Test.java
@@ -25,6 +25,13 @@ public class Test {
            else
                sink(source); // $ hasTaintFlow
        }
+        {
+            String source = (String) source();
+            if ("/safe/path".equals(source))
+                sink(source); // Safe
+            else
+                sink(source); // $ hasTaintFlow
+        }
        {
            URI source = (URI) source();
            if (source.equals(new URI("http://safe/uri")))
--- a/java/ql/test/library-tests/pathsanitizer/TestKt.kt
+++ b/java/ql/test/library-tests/pathsanitizer/TestKt.kt
@@ -25,6 +25,13 @@ class TestKt {
            else
                sink(source) // $ hasTaintFlow
        }
+        run {
+            val source = source() as String?
+            if ("/safe/path".equals(source))
+                sink(source) // Safe
+            else
+                sink(source) // $ hasTaintFlow
+        }
        run {
            val source = source() as URI?
            if (source!!.equals(URI("http://safe/uri")))