Track taint for String.valueOf(..)

2025-12-21 11:16:30 +01:00 · 2021-07-29 09:10:38 +02:00
parent d900fcaf42
commit b7b74b51a3
3 changed files with 30 additions and 26 deletions
--- a/java/ql/src/semmle/code/java/dataflow/FlowSteps.qll
+++ b/java/ql/src/semmle/code/java/dataflow/FlowSteps.qll
@@ -111,14 +111,14 @@ private class StringTaintPreservingMethod extends TaintPreservingCallable {
    this.hasName([
        "concat", "copyValueOf", "endsWith", "format", "formatted", "getBytes", "indent", "intern",
        "join", "repeat", "split", "strip", "stripIndent", "stripLeading", "stripTrailing",
-        "substring", "toCharArray", "toLowerCase", "toString", "toUpperCase", "trim"
+        "substring", "toCharArray", "toLowerCase", "toString", "toUpperCase", "trim", "valueOf"
      ])
  }

  override predicate returnsTaintFrom(int arg) {
    arg = -1 and not this.isStatic()
    or
-    this.hasName(["concat", "copyValueOf"]) and arg = 0
+    this.hasName(["concat", "copyValueOf", "valueOf"]) and arg = 0
    or
    this.hasName(["format", "formatted", "join"]) and arg = [0 .. getNumberOfParameters()]
  }