Skip to content

Java: Improve saneString in java/concatenated-command-line using controlledString + test exclusion#12

Open
mrigankpawagi wants to merge 1 commit into
mainfrom
improve-java-exec-unescaped-consolidated
Open

Java: Improve saneString in java/concatenated-command-line using controlledString + test exclusion#12
mrigankpawagi wants to merge 1 commit into
mainfrom
improve-java-exec-unescaped-consolidated

Conversation

@mrigankpawagi

@mrigankpawagi mrigankpawagi commented Jun 15, 2026

Copy link
Copy Markdown
Owner

Summary

This PR consolidates and supersedes PRs #5 and #10, combining the best of both approaches to improve the java/concatenated-command-line query (ExecUnescaped.ql).

Problem

The existing saneString predicate was overly simplistic — it only recognized StringLiteral, NullLiteral, and variables assigned from those. This caused many false positives for expressions that are clearly programmer-controlled.

Changes (consolidated from #5 and #10)

From PR #5: Use shared controlledString predicate

Replaced the ad-hoc saneString body with controlledString(expr) from semmle.code.java.security.ControlledString. This is the same predicate already used by SqlConcatenated.ql and covers:

  • String/null literals
  • Enum constants
  • Primitive/boxed types
  • Class name methods (.getName(), .getSimpleName())
  • Boxed type .toString()
  • Validated variable accesses
  • Propagation through method parameters and concatenation

From PR #10: CompileTimeConstantExpr + test exclusion

  • Added expr instanceof CompileTimeConstantExpr since this is NOT covered by controlledString but captures static final fields and other compile-time constants
  • Added not isInTestFile(argument.getFile()) to exclude test files where command concatenation is used for test setup

Why this consolidation is better than either PR alone

Feature PR #5 PR #10 This PR
Reuses shared library predicate
Covers CompileTimeConstantExpr
Covers class name methods
Covers validated variables
Propagation through params
Excludes test files

Supersedes: #5, #10

@kiro-agent
feat: consolidate saneString improvements using controlledString + te…
fb40914 
…st exclusion

Replace the saneString predicate body with controlledString (from the
ControlledString library) and CompileTimeConstantExpr to reduce false
positives. Also exclude results in test files using isInTestFile from
ModelExclusions.

This consolidates the approaches from PRs #5 and #10 into a single
coherent change.
@github-actions github-actions Bot added documentation Improvements or additions to documentation Java labels Jun 15, 2026
This was referenced Jun 15, 2026
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

documentation Improvements or additions to documentation Java

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mrigankpawagi @kiro-agent