Java: Taint tracking through String.replace(all)?

lcartey · lcartey · commit c59042f9c392 · 2020-06-16T09:50:34.000+01:00
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -387,6 +387,8 @@ private predicate taintPreservingQualifierToMethod(Method m) {
     m.getName().regexpMatch("get|toArray|subList|spliterator|set|iterator|listIterator") or
     (m.getName().regexpMatch("remove") and not m.getReturnType() instanceof BooleanType)
   )
+  or
+  m instanceof StringReplaceMethod
 }
 
 private class StringReplaceMethod extends Method {

Original file line number	Diff line number	Diff line change
`@@ -387,6 +387,8 @@ private predicate taintPreservingQualifierToMethod(Method m) {`
`387`	`387`	`m.getName().regexpMatch("get\|toArray\|subList\|spliterator\|set\|iterator\|listIterator") or`
`388`	`388`	`(m.getName().regexpMatch("remove") and not m.getReturnType() instanceof BooleanType)`
`389`	`389`	`)`
	`390`	`+ or`
	`391`	`+ m instanceof StringReplaceMethod`
`390`	`392`	`}`
`391`	`393`
`392`	`394`	`private class StringReplaceMethod extends Method {`