From 11665bea0abe8ec1bc08b0fbbea0396f5f68e212 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen
Date: Tue, 7 Oct 2025 10:10:02 +0200
Subject: [PATCH 1/3] Java: Allow taint-read-steps for array sources.

---
 .../semmle/code/java/dataflow/internal/TaintTrackingUtil.qll | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
index b5e7fd53c9fd..5f1d6b66af56 100644
--- a/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -655,6 +655,8 @@ private SrcRefType entrypointType() {
   )
   or
   result = entrypointType().getAField().getType().(RefType).getSourceDeclaration()
+  or
+  result = entrypointType().(Array).getElementType().(RefType).getSourceDeclaration()
 }
 
 private predicate entrypointFieldStep(DataFlow::Node src, DataFlow::Node sink) {

From f0bfd7053e1d4a67c6c31514e6f62a8dbbfde7b4 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen
Date: Tue, 7 Oct 2025 13:40:44 +0200
Subject: [PATCH 2/3] Java: Add test case.

---
 .../dataflow/entrypoint-types/EntryPointTypesTest.java | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/java/ql/test/library-tests/dataflow/entrypoint-types/EntryPointTypesTest.java b/java/ql/test/library-tests/dataflow/entrypoint-types/EntryPointTypesTest.java
index 983cb72ffb26..52d26974373d 100644
--- a/java/ql/test/library-tests/dataflow/entrypoint-types/EntryPointTypesTest.java
+++ b/java/ql/test/library-tests/dataflow/entrypoint-types/EntryPointTypesTest.java
@@ -41,6 +41,10 @@ class UnrelatedObject {
     public String safeField;
   }
 
+  static class ArrayElemObject {
+    public String field;
+  }
+
   private static void sink(String sink) {}
 
   public static void test(TestObject source) {
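Review bot: The new array disjunct in `entrypointType()` carries no comment on why it qualifies element types, and since this predicate decides which types get a taint-read step on every field access, the reader needs that rationale; a line such as `// A source of type T[] makes T an entry point type, so reads of T's fields become taint steps` above the added `or` would do. Only one array dimension is unwrapped per disjunct; the predicate is recursive through `result`, so `MyPojo[][]` presumably resolves in two steps, but that depends on `getSourceDeclaration()` being meaningful on an `Array`, which a nested-array test case would confirm. This also widens the set of types whose field reads are treated as tainted, so precision on unrelated field types is worth a negative test alongside the positive one. The head of `entrypointType()` lies outside the hunk.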
@@ -70,4 +74,8 @@ public static void testSubtype(ParameterizedTestObject source) {
     UnrelatedObject unrelated = (UnrelatedObject) subtypeSource.getField8();
     sink(unrelated.safeField); // Safe
   }
+
+  public static void testArray(ArrayElemObject[] source) {
+    sink(source[0].field); // $hasTaintFlow
+  }
 }

From 7dadbc43fba32819a61684acae02dcb74b7e63e4 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen
Date: Tue, 7 Oct 2025 13:51:49 +0200
Subject: [PATCH 3/3] Java: Add change note.

---
 java/ql/lib/change-notes/2025-10-07-array-entrypointtype.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 java/ql/lib/change-notes/2025-10-07-array-entrypointtype.md

diff --git a/java/ql/lib/change-notes/2025-10-07-array-entrypointtype.md b/java/ql/lib/change-notes/2025-10-07-array-entrypointtype.md
new file mode 100644
index 000000000000..45b898b6b2a6
--- /dev/null
+++ b/java/ql/lib/change-notes/2025-10-07-array-entrypointtype.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fields of certain objects are considered tainted if the object is tainted. This holds, for example, for objects that occur directly as sources in the active threat model (for instance, a remote flow source). This has now been amended to also include array types, such that if an array like `MyPojo[]` is a source, then fields of a tainted `MyPojo` are now also considered tainted.
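Review bot: `testArray` pins only the positive single-dimension case, so neither the recursion of the new `entrypointType()` disjunct nor its precision is covered. If nested arrays are meant to flow, a case like `public static void testNestedArray(ArrayElemObject[][] source) { sink(source[0][0].field); // $hasTaintFlow }` would pin that, and a `// Safe` sink on a field of a type that is not the array's element type (in the style of the `unrelated.safeField` line above) would guard against the widened type set over-approximating. The first hunk of this file, which adds `ArrayElemObject`, needs no change on its own.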