github · aschackmull · Oct 7, 2025 · Oct 7, 2025 · Oct 7, 2025 · Oct 7, 2025
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fields of certain objects are considered tainted if the object is tainted. This holds, for example, for objects that occur directly as sources in the active threat model (for instance, a remote flow source). This has now been amended to also include array types, such that if an array like `MyPojo[]` is a source, then fields of a tainted `MyPojo` are now also considered tainted.
@@ -655,6 +655,8 @@ private SrcRefType entrypointType() {
   )
   or
   result = entrypointType().getAField().getType().(RefType).getSourceDeclaration()
+  or
+  result = entrypointType().(Array).getElementType().(RefType).getSourceDeclaration()
 }
 
 private predicate entrypointFieldStep(DataFlow::Node src, DataFlow::Node sink) {

@@ -41,6 +41,10 @@ class UnrelatedObject {
         public String safeField;
     }
 
+    static class ArrayElemObject {
+        public String field;
+    }
+
     private static void sink(String sink) {}
 
     public static void test(TestObject source) {
@@ -70,4 +74,8 @@ public static void testSubtype(ParameterizedTestObject<?, ?> source) {
         UnrelatedObject unrelated = (UnrelatedObject) subtypeSource.getField8();
         sink(unrelated.safeField); // Safe
     }
+
+    public static void testArray(ArrayElemObject[] source) {
+        sink(source[0].field); // $hasTaintFlow
+    }
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -655,6 +655,8 @@ private SrcRefType entrypointType() { @@
       )
       or
       result = entrypointType().getAField().getType().(RefType).getSourceDeclaration()
+      or
+      result = entrypointType().(Array).getElementType().(RefType).getSourceDeclaration()
     }
     private predicate entrypointFieldStep(DataFlow::Node src, DataFlow::Node sink) {
@@ Expand Down @@