Kotlin: Track Kotlin's Array.set when tracking taint

igfoo · igfoo · commit babf1d66488d · 2023-12-05T14:42:45.000Z
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/ContainerFlow.qll b/java/ql/lib/semmle/code/java/dataflow/internal/ContainerFlow.qll
@@ -450,6 +450,14 @@ predicate arrayStoreStep(Node node1, Node node2) {
   exists(Assignment assign | assign.getSource() = node1.asExpr() |
     node2.(PostUpdateNode).getPreUpdateNode().asExpr() = assign.getDest().(ArrayAccess).getArray()
   )
+  or
+  exists(Expr arr, Call call |
+    arr = node2.asExpr() and
+    call.getArgument(1) = node1.asExpr() and
+    call.getQualifier() = arr and
+    arr.getType() instanceof ArrayType and
+    call.getCallee().getName() = "set"
+  )
 }
 
 private predicate enhancedForStmtStep(Node node1, Node node2, Type containerType) {

Original file line number	Diff line number	Diff line change
`@@ -450,6 +450,14 @@ predicate arrayStoreStep(Node node1, Node node2) {`
`450`	`450`	`exists(Assignment assign \| assign.getSource() = node1.asExpr() \|`
`451`	`451`	`node2.(PostUpdateNode).getPreUpdateNode().asExpr() = assign.getDest().(ArrayAccess).getArray()`
`452`	`452`	`)`
	`453`	`+ or`
	`454`	`+ exists(Expr arr, Call call \|`
	`455`	`+ arr = node2.asExpr() and`
	`456`	`+ call.getArgument(1) = node1.asExpr() and`
	`457`	`+ call.getQualifier() = arr and`
	`458`	`+ arr.getType() instanceof ArrayType and`
	`459`	`+ call.getCallee().getName() = "set"`
	`460`	`+ )`
`453`	`461`	`}`
`454`	`462`
`455`	`463`	`private predicate enhancedForStmtStep(Node node1, Node node2, Type containerType) {`