From aaecb9bb7a15ddb8a490439ca7c4fc99397ced69 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen
Date: Wed, 25 Sep 2024 10:03:55 +0200
Subject: [PATCH] Java: Add more type-based sanitizers.
---
 java/ql/lib/semmle/code/java/security/Sanitizers.qll | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/java/ql/lib/semmle/code/java/security/Sanitizers.qll b/java/ql/lib/semmle/code/java/security/Sanitizers.qll
index 8d399b8feea2..6035b068bd04 100644
--- a/java/ql/lib/semmle/code/java/security/Sanitizers.qll
+++ b/java/ql/lib/semmle/code/java/security/Sanitizers.qll
@@ -13,6 +13,16 @@ class SimpleTypeSanitizer extends DataFlow::Node {
 this.getType() instanceof BoxedType or
 this.getType() instanceof NumberType or
 this.getType().(RefType).hasQualifiedName("java.util", "UUID") or
- this.getType().(RefType).hasQualifiedName("java.util", "Date")
+ this.getType().(RefType).getASourceSupertype*().hasQualifiedName("java.util", "Date") or
+ this.getType().(RefType).hasQualifiedName("java.util", "Calendar") or
+ this.getType().(RefType).hasQualifiedName("java.util", "BitSet") or
+ this.getType()
+ .(RefType)
+ .getASourceSupertype*()
+ .hasQualifiedName("java.time.temporal", "TemporalAmount") or
+ this.getType()
+ .(RefType)
+ .getASourceSupertype*()
+ .hasQualifiedName("java.time.temporal", "TemporalAccessor")
 }
 }
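Review bot: The `getASourceSupertype*()` closure on `Date`, `TemporalAmount` and `TemporalAccessor` also matches application-defined subtypes, so a project class that implements one of these and carries a `String` field would be treated as sanitized, and flows through it would be dropped from every query that uses `SimpleTypeSanitizer`. If that trade-off is intended, state it next to the new disjuncts, e.g. `// Includes user-defined subtypes; assumes they carry no attacker-controlled text.`; otherwise the closure could be limited to types that are not declared in source. `Calendar` and `BitSet` are matched by exact name only, so a node whose static type is `GregorianCalendar` is presumably not covered, which looks inconsistent with the `Date` change in the same hunk. The class's QLDoc starts outside the hunk and may need the new types listed.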