Java: Add taint step to flow through Spring tainted user data class

lcartey · lcartey · commit 93c28d4c03a1 · 2020-06-16T09:50:36.000+01:00
getters.
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -389,6 +389,10 @@ private predicate taintPreservingQualifierToMethod(Method m) {
   )
   or
   m instanceof StringReplaceMethod
+  or
+  exists(SpringUntrustedDataType dt |
+    m.(GetterMethod) = dt.getAMethod()
+  )
 }
 
 private class StringReplaceMethod extends Method {

Original file line number	Diff line number	Diff line change
`@@ -389,6 +389,10 @@ private predicate taintPreservingQualifierToMethod(Method m) {`
`389`	`389`	`)`
`390`	`390`	`or`
`391`	`391`	`m instanceof StringReplaceMethod`
	`392`	`+ or`
	`393`	`+ exists(SpringUntrustedDataType dt \|`
	`394`	`+ m.(GetterMethod) = dt.getAMethod()`
	`395`	`+ )`
`392`	`396`	`}`
`393`	`397`
`394`	`398`	`private class StringReplaceMethod extends Method {`