Closed
Labels
question (Further information is requested)
Description
Hi,
I found a false negative caused by missing taint flow through String.format(). The following taint step made the issue get reported, but it should probably be improved (maybe check that n1's reaching type is a string?):
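```ql
import java
import semmle.code.java.dataflow.TaintTracking

/** Propagates taint from any argument of `String.format` to the result of the call. */
class StringFormaTaintStep extends TaintTracking::AdditionalTaintStep {
  override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
    exists(MethodAccess ma, Method m |
      ma.getMethod() = m and
      m.getDeclaringType().hasQualifiedName("java.lang", "String") and
      m.getName() = "format" and
      // n1: any argument of the call, with no restriction on its type
      n1.asExpr() = ma.getAnArgument() and
      // n2: the formatted string returned by the call
      n2.asExpr() = ma
    )
  }
}
```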