Java: Implement code review changes

2026-04-30 11:15:13 +02:00 · 2020-10-08 16:34:04 +01:00
parent 91ce02aad4
commit a510f58865
2 changed files with 12 additions and 11 deletions
--- a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -265,7 +265,7 @@ private int argToParam(MethodAccess ma, int arg) {
  exists(ma.getArgument(arg)) and
  exists(Method m | m = ma.getMethod() |
    if m.isVarargs() and arg >= m.getNumberOfParameters()
-    then result = m.getNumberOfParameters() - 2
+    then result = m.getNumberOfParameters() - 1
    else result = arg
  )
 }
--- a/java/ql/src/semmle/code/java/frameworks/android/SQLite.qll
+++ b/java/ql/src/semmle/code/java/frameworks/android/SQLite.qll
@@ -229,30 +229,31 @@ private class ContentProviderUpdateMethod extends SQLiteRunner {
 }

 private class QueryBuilderBuildMethod extends TaintPreservingMethod {
+  int argument;
+
  QueryBuilderBuildMethod() {
-    this.getDeclaringType().getASourceSupertype*() instanceof TypeSQLiteQueryBuilder and
+    this.getDeclaringType().getASourceSupertype*() instanceof Class and
    // buildQuery(String[] projectionIn, String selection, String groupBy, String having, String sortOrder, String limit)
    // buildQuery(String[] projectionIn, String selection, String[] selectionArgs, String groupBy, String having, String sortOrder, String limit)
    // buildUnionQuery(String[] subQueries, String sortOrder, String limit)
    // buildUnionSubQuery(String typeDiscriminatorColumn, String[] unionColumns, Set<String> columnsPresentInTable, int computedColumnsOffset, String typeDiscriminatorValue, String selection, String[] selectionArgs, String groupBy, String having)
    // buildUnionSubQuery(String typeDiscriminatorColumn, String[] unionColumns, Set<String> columnsPresentInTable, int computedColumnsOffset, String typeDiscriminatorValue, String selection, String groupBy, String having)
    // static buildQueryString(boolean distinct, String tables, String[] columns, String where, String groupBy, String having, String orderBy, String limit)
-    this.hasName(["buildQuery", "buildUnionQuery", "buildUnionSubQuery", "buildQueryString"])
-  }
-
-  override predicate returnsTaint(int arg) {
-    arg = -1
+    this.hasName(["buildQuery", "buildUnionQuery", "buildUnionSubQuery"]) and
+    argument = -1
    or
    hasName(["buildQuery", "buildUnionQuery"]) and
-    arg = [0 .. getNumberOfParameters()]
+    argument = [0 .. getNumberOfParameters()]
    or
    hasName("buildQueryString") and
-    arg = [1 .. getNumberOfParameters()]
+    argument = [1 .. getNumberOfParameters()]
    or
    hasName("buildUnionSubQuery") and
-    arg = [0 .. getNumberOfParameters()] and
-    arg != 3
+    argument = [0 .. getNumberOfParameters()] and
+    argument != 3
  }
+
+  override predicate returnsTaint(int arg) { argument = arg }
 }

 private class QueryBuilderAppendMethod extends TaintTransferringMethod {