github / codeql

CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security
https://codeql.github.com
MIT License

Java: TaintTrackingUtil.qll ObjectInputStream.read% taint is faulty #4591

Open Marcono1234 opened 3 years ago

Marcono1234 commented 3 years ago

TaintTrackingUtil.qll currently models that all ObjectInputStream read% methods preserve tainted data: https://github.com/github/codeql/blob/cb527cae738e59d8b601c0f51302cd6247ff31ca/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll#L323-L324

As pointed out in https://github.com/github/codeql/pull/4582#discussion_r515676147, this logic is likely faulty because read(byte[], int, int) returns the number of read bytes which therefore should not represent tainted data.
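The distinction the issue is about, shown in runnable Java. This is an added illustration, not code from the codeql repository or from the issue author: it builds a small serialized stream in memory (constructed sample input standing in for untrusted network data) and then reads it back with three different ObjectInputStream methods. `readObject()` returns the deserialized data itself and `read()` returns the next byte value, so both return values carry stream content; `read(byte[], int, int)` returns only a byte count, and the stream content lands in the buffer argument instead.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.nio.charset.StandardCharsets;

/**
 * Which ObjectInputStream read* return values carry the stream's bytes?
 * Added example for illustration; not part of the codeql repository.
 */
public class ObjectInputStreamReadDemo {

    /**
     * Constructed sample input: one serialized String object followed by
     * raw block data. In a real application these bytes would come from an
     * untrusted source (socket, upload, message queue).
     */
    static byte[] buildStream() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject("untrusted-string");                                   // consumed by readObject()
            oos.write("untrusted-bytes".getBytes(StandardCharsets.US_ASCII));      // consumed by read(byte[],int,int)
            oos.write(0x41);                                                       // consumed by read()
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] stream = buildStream();
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(stream))) {

            // readObject(): the return value IS the deserialized content.
            // A taint step from the stream to this return value is correct.
            Object obj = ois.readObject();

            // read(byte[], int, int): the return value is the NUMBER of bytes
            // copied (or -1 at EOF). The untrusted bytes are written into
            // `buf`, the argument; `n` itself carries no stream content, so
            // modelling the return value as tainted is the point the issue raises.
            byte[] buf = new byte[15];
            int n = ois.read(buf, 0, buf.length);
            String fromBuffer = n > 0 ? new String(buf, 0, n, StandardCharsets.US_ASCII) : "";

            // read(): the return value is the next byte's value (0..255) or -1
            // at EOF, i.e. it does carry stream content.
            int b = ois.read();

            System.out.println("readObject()       returns data:  " + obj);
            System.out.println("read(buf, 0, len)  returns count: " + n + "; data is in buf: " + fromBuffer);
            System.out.println("read()             returns data:  " + b);
        }
    }
}
```

When adjusting a taint model for these methods, the buffer-filling overloads (`read(byte[], int, int)`, `read(byte[])`, `readFully(...)`) are best modelled as a step from the stream to the array argument, while the value-returning overloads (`readObject()`, `read()`, `readInt()`, `readUTF()`, and so on) are steps from the stream to the return value.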

github-actions[bot] commented 3 years ago

This issue is stale because it has been open 14 days with no activity. Comment or remove the stale label in order to avoid having this issue closed in 7 days.