Merge pull request #15292 from egregius313/egregius313/java/dataflow/common-sanitizers/uuid-and-date

egregius313 · web-flow · commit 4602f8933de3 · 2024-01-26T13:16:18.000-05:00
Java: Add `java.util.UUID` and `java.util.Date` to the `SimpleTypeSanitizer` class
diff --git a/java/ql/lib/change-notes/2024-01-23-add-uuid-and-date-to-simpletypesanitizer.md b/java/ql/lib/change-notes/2024-01-23-add-uuid-and-date-to-simpletypesanitizer.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added the `java.util.Date` and `java.util.UUID` classes to the list of types in the `SimpleTypeSanitizer` class in `semmle.code.java.security.Sanitizers`.
diff --git a/java/ql/lib/semmle/code/java/security/Sanitizers.qll b/java/ql/lib/semmle/code/java/security/Sanitizers.qll
@@ -4,12 +4,15 @@ import java
 private import semmle.code.java.dataflow.DataFlow
 
 /**
- * A node whose type is a simple type unlikely to carry taint, such as primitives or their boxed counterparts.
+ * A node whose type is a simple type unlikely to carry taint, such as primitives and their boxed counterparts,
+ * `java.util.UUID` and `java.util.Date`.
  */
 class SimpleTypeSanitizer extends DataFlow::Node {
   SimpleTypeSanitizer() {
     this.getType() instanceof PrimitiveType or
     this.getType() instanceof BoxedType or
-    this.getType() instanceof NumberType
+    this.getType() instanceof NumberType or
+    this.getType().(RefType).hasQualifiedName("java.util", "UUID") or
+    this.getType().(RefType).hasQualifiedName("java.util", "Date")
   }
 }

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Added the `java.util.Date` and `java.util.UUID` classes to the list of types in the `SimpleTypeSanitizer` class in `semmle.code.java.security.Sanitizers`.