Java: treat Stack.push as data flow instead of taint flow

2026-04-25 08:45:14 +02:00 · 2020-07-13 11:36:34 +02:00
parent a484aff76d
commit b1e604b490
2 changed files with 12 additions and 3 deletions
--- a/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll
@@ -270,9 +270,6 @@ private predicate taintPreservingArgumentToQualifier(Method method, int arg) {
 * `arg`th argument is tainted.
 */
 private predicate taintPreservingArgumentToMethod(Method method, int arg) {
-  // java.util.Stack
-  method.(CollectionMethod).hasName("push") and arg = 0
-  or
  method.getDeclaringType().hasQualifiedName("java.util", "Collections") and
  (
    method
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
@@ -413,6 +413,18 @@ predicate simpleLocalFlowStep(Node node1, Node node2) {
      m.hasName("toString") and node1.asExpr() = ma.getArgument(1)
    )
  )
+  or
+  exists(MethodAccess ma, Method m |
+    ma = node2.asExpr() and
+    m = ma.getMethod() and
+    m
+        .getDeclaringType()
+        .getSourceDeclaration()
+        .getASourceSupertype*()
+        .hasQualifiedName("java.util", "Stack") and
+    m.hasName("push") and
+    node1.asExpr() = ma.getArgument(0)
+  )
 }

 /**