Open Marcono1234 opened 3 years ago
TaintTrackingUtil.qll currently models that all ObjectInputStream read% methods preserve tainted data: https://github.com/github/codeql/blob/cb527cae738e59d8b601c0f51302cd6247ff31ca/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll#L323-L324
As pointed out in https://github.com/github/codeql/pull/4582#discussion_r515676147, this logic is likely faulty because read(byte[], int, int) returns the number of read bytes which therefore should not represent tainted data.
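To make the distinction in the report concrete, here is an added Java example (not code from the issue or from the CodeQL repository): for `read(byte[], int, int)` the stream contents land in the caller's buffer and the return value is only a byte count, whereas `readObject()` hands the deserialized data back as its return value. The stream contents are constructed inline as sample input.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.nio.charset.StandardCharsets;

public class ObjectInputStreamReadReturnValues {

    // Constructed sample input: a raw byte block followed by one serialized String,
    // standing in for data that arrived from an untrusted source.
    static byte[] buildStream() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.write("untrusted-bytes".getBytes(StandardCharsets.US_ASCII)); // block data
            oos.writeObject("untrusted-object");                              // TC_STRING
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        try (ObjectInputStream ois =
                     new ObjectInputStream(new ByteArrayInputStream(buildStream()))) {

            byte[] buf = new byte[64];
            int n = ois.read(buf, 0, buf.length);
            // The return value is the number of bytes copied (15 here), not the data.
            // A taint model that marks this int as tainted produces false positives;
            // the tainted value is what was written into 'buf'.
            System.out.println("read(byte[],int,int) returned: " + n);
            System.out.println("buffer now holds: "
                    + new String(buf, 0, n, StandardCharsets.US_ASCII));

            // readObject() returns the deserialized value itself, so here the
            // return value really is the tainted data.
            Object o = ois.readObject();
            System.out.println("readObject() returned: " + o);
        }
    }
}
```

The same split applies to the other `read%` overloads: `readInt()`, `readUTF()` and friends return data, while `read(byte[])` and `readFully(byte[], int, int)` deliver data through their array argument.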
This issue is stale because it has been open 14 days with no activity. Comment or remove the stale label in order to avoid having this issue closed in 7 days.