Merge pull request github#6029 from atorralba/atorralba/tainted-key-read-steps

aschackmull · web-flow · commit f24565738b6f · 2021-06-11T13:14:18.000+02:00
Java: Add Map key-read-steps as local additional taint steps
diff --git a/java/change-notes/2021-06-11-tainted-key-read-steps.md b/java/change-notes/2021-06-11-tainted-key-read-steps.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Data flow now propagates taint from tainted Maps to read steps of their keys (e.g. `tainted.keySet()`).
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -69,6 +69,7 @@ private module Cached {
     |
       f instanceof ArrayContent or
       f instanceof CollectionContent or
+      f instanceof MapKeyContent or
       f instanceof MapValueContent
     )
     or

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+lgtm,codescanning`
	`2`	+* Data flow now propagates taint from tainted Maps to read steps of their keys (e.g. `tainted.keySet()`).
Original file line number	Diff line number	Diff line change
`@@ -69,6 +69,7 @@ private module Cached {`
`69`	`69`	`\|`
`70`	`70`	`f instanceof ArrayContent or`
`71`	`71`	`f instanceof CollectionContent or`
	`72`	`+ f instanceof MapKeyContent or`
`72`	`73`	`f instanceof MapValueContent`
`73`	`74`	`)`
`74`	`75`	`or`