@@ -38,7 +38,7 @@ private MethodAccess getSystemPropertyFromSystemGetProperties(string propertyNam
3838 result .getMethod ( ) = getMethod
3939 ) and
4040 result .getArgument ( 0 ) .( CompileTimeConstantExpr ) .getStringValue ( ) = propertyName and
41- DataFlow :: localExprFlow ( any ( MethodAccess m |
41+ localExprFlowPlusInitializers ( any ( MethodAccess m |
4242 m .getMethod ( ) .getDeclaringType ( ) instanceof TypeSystem and
4343 m .getMethod ( ) .hasName ( "getProperties" )
4444 ) , result .getQualifier ( ) )
@@ -248,3 +248,25 @@ private MethodAccess getSystemPropertyFromSpringProperties(string propertyName)
248248 ) and
249249 result .getArgument ( 0 ) .( CompileTimeConstantExpr ) .getStringValue ( ) = propertyName
250250}
251+
252+ /**
253+ * Holds if data can flow from `e1` to `e2` in zero or more
254+ * local (intra-procedural) steps or via local variable intializers
255+ * for final variables.
256+ */
257+ private predicate localExprFlowPlusInitializers ( Expr e1 , Expr e2 ) {
258+ localFlowPlusInitializers ( DataFlow:: exprNode ( e1 ) , DataFlow:: exprNode ( e2 ) )
259+ }
260+
261+ /**
262+ * Holds if data can flow from `node1` to `node2` in zero or more
263+ * local (intra-procedural) steps or via local variable intializers
264+ * for final variables.
265+ */
266+ private predicate localFlowPlusInitializers ( DataFlow:: Node pred , DataFlow:: Node succ ) {
267+ exists ( Variable v | v .isFinal ( ) and pred .asExpr ( ) = v .getInitializer ( ) |
268+ DataFlow:: localFlow ( DataFlow:: exprNode ( v .getAnAccess ( ) ) , succ )
269+ )
270+ or
271+ DataFlow:: localFlow ( pred , succ )
272+ }
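Review bot: The QLDoc on `localFlowPlusInitializers` refers to `node1` and `node2`, but the parameters are named `pred` and `succ`, and both new comments misspell "initializers" as "intializers". The comments also describe "local variable" initializers, while the predicate quantifies over `Variable`, which in the Java library also covers fields. If final fields holding `System.getProperties()` are the intended case, the step is no longer purely intra-procedural and the text should say so, e.g. `* local steps, or from the initializer of a final variable or field to any access of it.` The initializer step also matches only when `pred` is exactly `v.getInitializer()`, so an initializer that casts or otherwise wraps the `getProperties()` call looks like it would be missed; `DataFlow::localFlow(pred, DataFlow::exprNode(v.getInitializer()))` in place of the `pred.asExpr() = v.getInitializer()` equality would likely cover it. Final fields assigned in a constructor or static initializer block rather than at the declaration are not matched either, which is worth stating in the comment as a known gap.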