Use TypeString

edvraa · edvraa · commit 9774b24c4e29 · 2021-04-22T09:44:07.000+03:00
diff --git a/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql b/java/ql/src/experimental/Security/CWE/CWE-730/RegexInjection.ql
@@ -24,7 +24,7 @@ class RegexSink extends DataFlow::ExprNode {
   RegexSink() {
     exists(MethodAccess ma, Method m | m = ma.getMethod() |
       (
-        m.getDeclaringType().hasQualifiedName("java.lang", "String") and
+        m.getDeclaringType() instanceof TypeString and
         (
           ma.getArgument(0) = this.asExpr() and
           (
@@ -47,7 +47,7 @@ class RegexSink extends DataFlow::ExprNode {
         m.getDeclaringType().hasQualifiedName("org.apache.commons.lang3", "RegExUtils") and
         (
           ma.getArgument(1) = this.asExpr() and
-          m.getParameterType(1).(Class).hasQualifiedName("java.lang", "String") and
+          m.getParameterType(1).(Class) instanceof TypeString and
           (
             m.hasName("removeAll") or
             m.hasName("removeFirst") or

Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ class RegexSink extends DataFlow::ExprNode {`
`24`	`24`	`RegexSink() {`
`25`	`25`	`exists(MethodAccess ma, Method m \| m = ma.getMethod() \|`
`26`	`26`	`(`
`27`		`- m.getDeclaringType().hasQualifiedName("java.lang", "String") and`
	`27`	`+ m.getDeclaringType() instanceof TypeString and`
`28`	`28`	`(`
`29`	`29`	`ma.getArgument(0) = this.asExpr() and`
`30`	`30`	`(`
`@@ -47,7 +47,7 @@ class RegexSink extends DataFlow::ExprNode {`
`47`	`47`	`m.getDeclaringType().hasQualifiedName("org.apache.commons.lang3", "RegExUtils") and`
`48`	`48`	`(`
`49`	`49`	`ma.getArgument(1) = this.asExpr() and`
`50`		`- m.getParameterType(1).(Class).hasQualifiedName("java.lang", "String") and`
	`50`	`+ m.getParameterType(1).(Class) instanceof TypeString and`
`51`	`51`	`(`
`52`	`52`	`m.hasName("removeAll") or`
`53`	`53`	`m.hasName("removeFirst") or`