Merge pull request #3547 from pwntester/issue_3139

add support for java.io.StringWriter
2026-04-25 16:55:19 +02:00 · 2020-06-08 10:02:23 +02:00
parent 7c0b8f5587 be862280b2
commit ad8647f345
1 changed files with 24 additions and 4 deletions
--- a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -322,7 +322,11 @@ private predicate taintPreservingQualifierToMethod(Method m) {
  )
  or
  m.getDeclaringType().getQualifiedName().matches("%StringWriter") and
-  m.getName() = "toString"
+  (
+    m.getName() = "getBuffer"
+    or
+    m.getName() = "toString"
+  )
  or
  m.getDeclaringType().hasQualifiedName("java.util", "StringTokenizer") and
  m.getName().matches("next%")
@@ -335,7 +339,8 @@ private predicate taintPreservingQualifierToMethod(Method m) {
  or
  (
    m.getDeclaringType().hasQualifiedName("java.lang", "StringBuilder") or
-    m.getDeclaringType().hasQualifiedName("java.lang", "StringBuffer")
+    m.getDeclaringType().hasQualifiedName("java.lang", "StringBuffer") or
+    m.getDeclaringType().hasQualifiedName("java.io", "StringWriter")
  ) and
  (m.getName() = "toString" or m.getName() = "append")
  or
@@ -506,6 +511,10 @@ private predicate taintPreservingArgumentToMethod(Method method, int arg) {
  method instanceof JacksonWriteValueMethod and
  method.getNumberOfParameters() = 1 and
  arg = 0
+  or
+  method.getDeclaringType().hasQualifiedName("java.io", "StringWriter") and
+  method.hasName("append") and
+  arg = 0
 }

 /**
@@ -580,9 +589,20 @@ private predicate argToQualifierStep(Expr tracked, Expr sink) {
 private predicate taintPreservingArgumentToQualifier(Method method, int arg) {
  exists(Method write |
    method.overrides*(write) and
-    write.getDeclaringType().hasQualifiedName("java.io", "OutputStream") and
    write.hasName("write") and
-    arg = 0
+    arg = 0 and
+    (
+      write.getDeclaringType().hasQualifiedName("java.io", "OutputStream")
+      or
+      write.getDeclaringType().hasQualifiedName("java.io", "StringWriter")
+    )
+  )
+  or
+  exists(Method append |
+    method.overrides*(append) and
+    append.hasName("append") and
+    arg = 0 and
+    append.getDeclaringType().hasQualifiedName("java.io", "StringWriter")
  )
 }