From c42d86d68f60cef3e0f8f68baf6d7b91fe18c7ab Mon Sep 17 00:00:00 2001
From: Kiro Agent <244629292+kiro-agent@users.noreply.github.com>
Date: Wed, 10 Jun 2026 09:00:35 +0000
Subject: [PATCH] feat: use controlledString predicate in ExecUnescaped.ql to reduce false positives

Replace the weak local saneString predicate with the comprehensive controlledString predicate from ControlledString.qll. This reduces false positives for expressions involving numeric types, enum constants, class names, and other programmer-controlled values.
---
 java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql | 9 ++-------
 .../2026-06-10-exec-unescaped-controlled-string.md | 4 ++++
 2 files changed, 6 insertions(+), 7 deletions(-)
 create mode 100644 java/ql/src/change-notes/2026-06-10-exec-unescaped-controlled-string.md

diff --git a/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql b/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
index afa675c7f7b2..5150ede6f9d6 100644
--- a/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
+++ b/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
@@ -14,6 +14,7 @@
 import java
 import semmle.code.java.security.CommandLineQuery
+import semmle.code.java.security.ControlledString
 import semmle.code.java.security.ExternalProcess
 /**
@@ -22,13 +23,7 @@ import semmle.code.java.security.ExternalProcess
 * has in it.
 */
 predicate saneString(Expr expr) {
- expr instanceof StringLiteral
- or
- expr instanceof NullLiteral
- or
- exists(Variable var | var.getAnAccess() = expr and exists(var.getAnAssignedValue()) |
- forall(Expr other | var.getAnAssignedValue() = other | saneString(other))
- )
+ controlledString(expr)
 }
 predicate builtFromUncontrolledConcat(Expr expr) {
diff --git a/java/ql/src/change-notes/2026-06-10-exec-unescaped-controlled-string.md b/java/ql/src/change-notes/2026-06-10-exec-unescaped-controlled-string.md
new file mode 100644
index 000000000000..d22a0b9c3889
--- /dev/null
+++ b/java/ql/src/change-notes/2026-06-10-exec-unescaped-controlled-string.md
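Review bot: The doc comment that introduces `saneString` (only its tail, `* has in it.`, is visible at the top of the second hunk) still describes the predicate's own former logic, while the body is now a one-line alias for `controlledString`; the comment should say so, e.g. `/** Holds if `expr` is programmer-controlled; delegates to `controlledString` from ControlledString.qll. */`. The removed body explicitly accepted `NullLiteral`, and whether `controlledString` does is not visible in this diff — if it does not, concatenations with a `null` operand will newly be reported, which deserves a test case either way. Since the predicate is now a pure alias, `builtFromUncontrolledConcat` (which begins on the hunk's last line and continues outside it) could call `controlledString` directly and the alias be dropped. The diffstat lists no test files, so the query's `.expected` output for a change tagged `majorAnalysis` presumably needs regenerating and reviewing for new false negatives — confirm.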
@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* The `java/concatenated-command-line` query now uses the shared `controlledString` predicate to identify safe expressions in command-line concatenations, reducing false positives for expressions involving numeric types, enum constants, class names, and other programmer-controlled values.