Use MapMutation instead of MethodCall

egregius313 · egregius313 · commit a528db89588a · 2024-01-08T09:39:05.000-05:00
diff --git a/java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll b/java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll
@@ -5,23 +5,14 @@ private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.Maps
 private import semmle.code.java.JDK
 
-private class MapUpdateWithKeyOrValue extends MethodCall {
-  MapUpdateWithKeyOrValue() {
-    this.getMethod() instanceof MapMethod and
-    this.getMethod().getName().matches(["put%", "remove", "replace"])
-  }
-}
-
 private module ProcessBuilderEnvironmentConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
     exists(MethodCall mc | mc = source.asExpr() |
       mc.getMethod().hasQualifiedName("java.lang", "ProcessBuilder", "environment")
     )
   }
 
-  predicate isSink(DataFlow::Node sink) {
-    sink.asExpr() = any(MapUpdateWithKeyOrValue mm).getQualifier()
-  }
+  predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(MapMutation mm).getQualifier() }
 }
 
 private module ProcessBuilderEnvironmentFlow = DataFlow::Global<ProcessBuilderEnvironmentConfig>;
@@ -43,7 +34,7 @@ module ExecTaintedEnvironmentConfig implements DataFlow::ConfigSig {
     sinkNode(sink, "environment-injection")
     or
     // sink is a key or value added to a `ProcessBuilder::environment` map.
-    exists(MapUpdateWithKeyOrValue mm | mm.getAnArgument() = sink.asExpr() |
+    exists(MapMutation mm | mm.getAnArgument() = sink.asExpr() |
       ProcessBuilderEnvironmentFlow::flowToExpr(mm.getQualifier())
     )
   }
