hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

Java: use AdditionalTaintStep

Browse Source
This commit is contained in:
Jami Cogswell
2025-02-14 13:52:43 -05:00
parent d21c8d789b
commit c0ebeb9c7b
3 changed files with 21 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
java/ql/lib/ext/java.io.model.yml
View File

@@ -88,7 +88,10 @@ extensions:
- ["java.io", "DataInput", True, "readUTF", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.io", "DataInputStream", False, "DataInputStream", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["java.io", "File", False, "File", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
- ["java.io", "File", False, "File", "", "", "Argument[1]", "Argument[this]", "taint", "manual"]
# We model this taint step in QL as `FileConstructorChildArgumentStep` in the `PathSanitizer` library
# since we need to sanitize the use of this argument but not later uses of the same SSA variable,
# which is not currently possible in Java with a standard sanitizer due to use-use flow.
# - ["java.io", "File", False, "File", "", "", "Argument[1]", "Argument[this]", "taint", "manual"]
- ["java.io", "File", True, "getAbsoluteFile", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.io", "File", True, "getAbsolutePath", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["java.io", "File", True, "getCanonicalFile", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]