Add org.apache.commons.lang.RandomStringUtils as a source

2026-04-23 07:45:17 +02:00 · 2023-07-11 17:18:31 -04:00
parent 1daa83bf46
commit bf0123d6ae
1 changed files with 15 additions and 0 deletions
--- a/java/ql/lib/semmle/code/java/security/WeakRandomnessQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/WeakRandomnessQuery.qll
@@ -29,6 +29,21 @@ private class JavaRandomSource extends WeakRandomnessSource {
  }
 }

+private class ApacheRandomStringUtilsMethodAccessSource extends WeakRandomnessSource {
+  ApacheRandomStringUtilsMethodAccessSource() {
+    exists(MethodAccess ma | this.asExpr() = ma |
+      ma.getMethod()
+          .hasName([
+              "random", "randomAlphabetic", "randomAlphanumeric", "randomAscii", "randomGraph",
+              "randomNumeric", "randomPrint"
+            ]) and
+      ma.getMethod()
+          .getDeclaringType()
+          .hasQualifiedName("org.apache.commons.lang", "RandomStringUtils")
+    )
+  }
+}
+
 /**
 * The `random` method of `java.lang.Math`.
 */