Java: ArithmeticTainted

d10c · d10c · commit 21e04a342170 · 2025-07-07T17:51:33.000+02:00
diff --git a/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll b/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll
@@ -15,15 +15,11 @@ module ArithmeticOverflowConfig implements DataFlow::ConfigSig {
   predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 
   predicate observeDiffInformedIncrementalMode() {
-    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 28 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@35:8:35:10), Column 5 does not select a source or sink originating from the flow call on line 28 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@37:3:37:18)
-  }
-
-  Location getASelectedSourceLocation(DataFlow::Node source) {
-    none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 28 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@35:8:35:10), Column 5 does not select a source or sink originating from the flow call on line 28 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@37:3:37:18)
+    any() // merged with ArithmeticUnderflow in ArithmeticTainted.ql
   }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 28 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@35:8:35:10), Column 5 does not select a source or sink originating from the flow call on line 28 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@37:3:37:18)
+    exists(ArithExpr exp | result = exp.getLocation() | overflowSink(exp, sink.asExpr()))
   }
 }
 
@@ -43,15 +39,11 @@ module ArithmeticUnderflowConfig implements DataFlow::ConfigSig {
   predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 
   predicate observeDiffInformedIncrementalMode() {
-    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 32 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@35:8:35:10), Column 5 does not select a source or sink originating from the flow call on line 32 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@37:3:37:18)
-  }
-
-  Location getASelectedSourceLocation(DataFlow::Node source) {
-    none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 32 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@35:8:35:10), Column 5 does not select a source or sink originating from the flow call on line 32 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@37:3:37:18)
+    any() // merged with ArithmeticOverflow in ArithmeticTainted.ql
   }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 32 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@35:8:35:10), Column 5 does not select a source or sink originating from the flow call on line 32 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@37:3:37:18)
+    exists(ArithExpr exp | result = exp.getLocation() | underflowSink(exp, sink.asExpr()))
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -15,15 +15,11 @@ module ArithmeticOverflowConfig implements DataFlow::ConfigSig {`
`15`	`15`	`predicate isBarrierIn(DataFlow::Node node) { isSource(node) }`
`16`	`16`
`17`	`17`	`predicate observeDiffInformedIncrementalMode() {`
`18`		`- any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 28 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@35:8:35:10), Column 5 does not select a source or sink originating from the flow call on line 28 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@37:3:37:18)`
`19`		`- }`
`20`		`-`
`21`		`- Location getASelectedSourceLocation(DataFlow::Node source) {`
`22`		`- none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 28 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@35:8:35:10), Column 5 does not select a source or sink originating from the flow call on line 28 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@37:3:37:18)`
	`18`	`+ any() // merged with ArithmeticUnderflow in ArithmeticTainted.ql`
`23`	`19`	`}`
`24`	`20`
`25`	`21`	`Location getASelectedSinkLocation(DataFlow::Node sink) {`
`26`		`- none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 28 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@35:8:35:10), Column 5 does not select a source or sink originating from the flow call on line 28 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@37:3:37:18)`
	`22`	`+ exists(ArithExpr exp \| result = exp.getLocation() \| overflowSink(exp, sink.asExpr()))`
`27`	`23`	`}`
`28`	`24`	`}`
`29`	`25`
`@@ -43,15 +39,11 @@ module ArithmeticUnderflowConfig implements DataFlow::ConfigSig {`
`43`	`39`	`predicate isBarrierIn(DataFlow::Node node) { isSource(node) }`
`44`	`40`
`45`	`41`	`predicate observeDiffInformedIncrementalMode() {`
`46`		`- any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 32 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@35:8:35:10), Column 5 does not select a source or sink originating from the flow call on line 32 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@37:3:37:18)`
`47`		`- }`
`48`		`-`
`49`		`- Location getASelectedSourceLocation(DataFlow::Node source) {`
`50`		`- none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 32 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@35:8:35:10), Column 5 does not select a source or sink originating from the flow call on line 32 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@37:3:37:18)`
	`42`	`+ any() // merged with ArithmeticOverflow in ArithmeticTainted.ql`
`51`	`43`	`}`
`52`	`44`
`53`	`45`	`Location getASelectedSinkLocation(DataFlow::Node sink) {`
`54`		`- none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 32 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@35:8:35:10), Column 5 does not select a source or sink originating from the flow call on line 32 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql@37:3:37:18)`
	`46`	`+ exists(ArithExpr exp \| result = exp.getLocation() \| underflowSink(exp, sink.asExpr()))`
`55`	`47`	`}`
`56`	`48`	`}`
`57`	`49`