Java: Explicitly list custom flow steps.

intrigus · intrigus · commit 6d09db6fd696 · 2021-06-25T16:47:23.000+02:00
diff --git a/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql b/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
@@ -123,7 +123,12 @@ private predicate isFlag(DataFlow::Node source) {
   )
 }
 
-/** Holds if there is flow from `node1` to `node2` either due to local flow or due to custom flow steps. */
+/**
+ * Holds if there is flow from `node1` to `node2` either due to local flow or due to custom flow steps:
+ * 1. `Boolean.parseBoolean(taintedValue)` taints the return value of `parseBoolean`.
+ * 2. A call to an `EnvReadMethod` such as `System.getProperty` where a tainted value is used as an argument.
+ *    The return value of such a method is then tainted.
+ */
 private predicate flagFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
   DataFlow::localFlowStep(node1, node2)
   or

Original file line number	Diff line number	Diff line change
`@@ -123,7 +123,12 @@ private predicate isFlag(DataFlow::Node source) {`
`123`	`123`	`)`
`124`	`124`	`}`
`125`	`125`
`126`		-/** Holds if there is flow from `node1` to `node2` either due to local flow or due to custom flow steps. */
	`126`	`+/**`
	`127`	+ * Holds if there is flow from `node1` to `node2` either due to local flow or due to custom flow steps:
	`128`	+ * 1. `Boolean.parseBoolean(taintedValue)` taints the return value of `parseBoolean`.
	`129`	+ * 2. A call to an `EnvReadMethod` such as `System.getProperty` where a tainted value is used as an argument.
	`130`	`+ * The return value of such a method is then tainted.`
	`131`	`+ */`
`127`	`132`	`private predicate flagFlowStep(DataFlow::Node node1, DataFlow::Node node2) {`
`128`	`133`	`DataFlow::localFlowStep(node1, node2)`
`129`	`134`	`or`