Merge pull request #19260 from smowton/smowton/feature/sanitize-enum-types

smowton · web-flow · commit cc379b543cb6 · 2025-04-09T16:05:13.000+01:00
Java: Add EnumType to SimpleTypeSanitizer
diff --git a/java/ql/lib/change-notes/2025-04-09-enum-type-exclusion.md b/java/ql/lib/change-notes/2025-04-09-enum-type-exclusion.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Enum-typed values are now assumed to be safe by most queries. This means that queries may return fewer results where an enum value is used in a sensitive context, e.g. pasted into a query string.
diff --git a/java/ql/lib/semmle/code/java/security/Sanitizers.qll b/java/ql/lib/semmle/code/java/security/Sanitizers.qll
@@ -23,6 +23,7 @@ class SimpleTypeSanitizer extends DataFlow::Node {
     this.getType()
         .(RefType)
         .getASourceSupertype*()
-        .hasQualifiedName("java.time.temporal", "TemporalAccessor")
+        .hasQualifiedName("java.time.temporal", "TemporalAccessor") or
+    this.getType() instanceof EnumType
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,7 @@ class SimpleTypeSanitizer extends DataFlow::Node {`
`23`	`23`	`this.getType()`
`24`	`24`	`.(RefType)`
`25`	`25`	`.getASourceSupertype*()`
`26`		`- .hasQualifiedName("java.time.temporal", "TemporalAccessor")`
	`26`	`+ .hasQualifiedName("java.time.temporal", "TemporalAccessor") or`
	`27`	`+ this.getType() instanceof EnumType`
`27`	`28`	`}`
`28`	`29`	`}`