Merge pull request #5637 from Marcono1234/marcono1234/toString-method

Java: Add ToStringMethod
2026-02-27 04:13:51 +01:00 · 2021-04-12 11:43:55 +02:00
parent 63f087a8e9 9349e6922d
commit e003b04061
9 changed files with 24 additions and 27 deletions
--- a/java/ql/src/semmle/code/java/JDK.qll
+++ b/java/ql/src/semmle/code/java/JDK.qll
@@ -353,7 +353,7 @@ class EqualsMethod extends Method {
 class HashCodeMethod extends Method {
  HashCodeMethod() {
    this.hasName("hashCode") and
-    this.getNumberOfParameters() = 0
+    this.hasNoParameters()
  }
 }

@@ -365,6 +365,14 @@ class CloneMethod extends Method {
  }
 }

+/** A method with the same signature as `java.lang.Object.toString`. */
+class ToStringMethod extends Method {
+  ToStringMethod() {
+    this.hasName("toString") and
+    this.hasNoParameters()
+  }
+}
+
 /**
 * The public static `main` method, with a single formal parameter
 * of type `String[]` and return type `void`.
--- a/java/ql/src/semmle/code/java/dispatch/ObjFlow.qll
+++ b/java/ql/src/semmle/code/java/dispatch/ObjFlow.qll
@@ -194,7 +194,7 @@ private predicate source(RefType t, ObjNode n) {
 private predicate sink(ObjNode n) {
  exists(MethodAccess toString |
    toString.getQualifier() = n.asExpr() and
-    toString.getMethod().hasName("toString")
+    toString.getMethod() instanceof ToStringMethod
  ) and
  n.getTypeBound().getErasure() instanceof TypeObject
 }
--- a/java/ql/src/semmle/code/java/security/ControlledString.qll
+++ b/java/ql/src/semmle/code/java/security/ControlledString.qll
@@ -8,7 +8,8 @@ import semmle.code.java.Expr
 import semmle.code.java.security.Validation

 /**
- * Holds if `method` is a `toString()` method on a boxed type. These never return special characters.
+ * Holds if `method` is a `toString()` method on a boxed type, with or without parameters.
+ * These never return special characters.
 */
 private predicate boxedToString(Method method) {
  method.getDeclaringType() instanceof BoxedType and
@@ -44,11 +45,9 @@ private predicate controlledStringProp(Expr src, Expr dest) {
  exists(AddExpr concatOp | concatOp = dest | src = concatOp.getAnOperand())
  or
  // `toString()` on a safe string is safe.
-  exists(MethodAccess toStringCall, Method toString |
+  exists(MethodAccess toStringCall |
    src = toStringCall.getQualifier() and
-    toString = toStringCall.getMethod() and
-    toString.hasName("toString") and
-    toString.getNumberOfParameters() = 0 and
+    toStringCall.getMethod() instanceof ToStringMethod and
    dest = toStringCall
  )
 }