Java: Add String.format as default taint step.

aschackmull · aschackmull · commit ee3af0a24792 · 2020-02-07T13:43:35.000+01:00
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -380,6 +380,14 @@ private predicate argToMethodStep(Expr tracked, MethodAccess sink) {
     taintPreservingArgumentToMethod(m, i) and
     tracked = sink.(MethodAccess).getArgument(i)
   )
+  or
+  exists(Method m, MethodAccess ma |
+    ma.getMethod() = m and
+    m.getDeclaringType() instanceof TypeString and
+    m.hasName("format") and
+    tracked = ma.getAnArgument() and
+    sink = ma
+  )
 }
 
 /**

Original file line number	Diff line number	Diff line change
`@@ -380,6 +380,14 @@ private predicate argToMethodStep(Expr tracked, MethodAccess sink) {`
`380`	`380`	`taintPreservingArgumentToMethod(m, i) and`
`381`	`381`	`tracked = sink.(MethodAccess).getArgument(i)`
`382`	`382`	`)`
	`383`	`+ or`
	`384`	`+ exists(Method m, MethodAccess ma \|`
	`385`	`+ ma.getMethod() = m and`
	`386`	`+ m.getDeclaringType() instanceof TypeString and`
	`387`	`+ m.hasName("format") and`
	`388`	`+ tracked = ma.getAnArgument() and`
	`389`	`+ sink = ma`
	`390`	`+ )`
`383`	`391`	`}`
`384`	`392`
`385`	`393`	`/**`