Merge pull request #17579 from aschackmull/java/type-sanitizers

Java: Add more type-based sanitizers.
github · Sep 30, 2024 · a017f92 · a017f92
2 parents 8a1b450 + aaecb9b
commit a017f92
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/java/ql/lib/semmle/code/java/security/Sanitizers.qll b/java/ql/lib/semmle/code/java/security/Sanitizers.qll
@@ -13,6 +13,16 @@ class SimpleTypeSanitizer extends DataFlow::Node {
     this.getType() instanceof BoxedType or
     this.getType() instanceof NumberType or
     this.getType().(RefType).hasQualifiedName("java.util", "UUID") or
-    this.getType().(RefType).hasQualifiedName("java.util", "Date")
+    this.getType().(RefType).getASourceSupertype*().hasQualifiedName("java.util", "Date") or
+    this.getType().(RefType).hasQualifiedName("java.util", "Calendar") or
+    this.getType().(RefType).hasQualifiedName("java.util", "BitSet") or
+    this.getType()
+        .(RefType)
+        .getASourceSupertype*()
+        .hasQualifiedName("java.time.temporal", "TemporalAmount") or
+    this.getType()
+        .(RefType)
+        .getASourceSupertype*()
+        .hasQualifiedName("java.time.temporal", "TemporalAccessor")
   }
 }