@@ -229,11 +229,37 @@ private MethodAccess getNextAppend(MethodAccess append) {
229229 result = any ( StringBuilderVar sbv ) .getNextAppend ( append )
230230}
231231
232+ private Expr getQualifier ( MethodAccess e ) { result = e .getQualifier ( ) }
233+
234+ private MethodAccess getAChainedAppend ( Expr e ) {
235+ (
236+ result .getQualifier ( ) = e
237+ or
238+ result .getQualifier ( ) = getAChainedAppend ( e )
239+ ) and
240+ result .getCallee ( ) .getDeclaringType ( ) instanceof StringBuildingType and
241+ result .getCallee ( ) .getName ( ) = "append"
242+ }
243+
232244class HostnameSanitizedExpr extends Expr {
233245 HostnameSanitizedExpr ( ) {
234246 // Sanitize expressions that come after a sanitizing prefix in a tree of string additions:
235247 this = getASanitizedAddOperand ( )
236248 or
249+ // Sanitize all appends to a StringBuilder that is initialized with a sanitizing prefix:
250+ // (note imprecision: if the same StringBuilder/StringBuffer has more than one constructor call,
251+ // this sanitizes all of its append calls, not just those that may follow the constructor).
252+ exists ( StringBuilderVar sbv , ConstructorCall constructor , Expr initializer |
253+ initializer = sbv .getAnAssignedValue ( ) and
254+ constructor = getQualifier * ( initializer ) and
255+ constructor .getArgument ( 0 ) instanceof HostnameSanitzingPrefix and
256+ (
257+ this = sbv .getAnAppend ( ) .getArgument ( 0 )
258+ or
259+ this = getAChainedAppend ( constructor ) .getArgument ( 0 )
260+ )
261+ )
262+ or
237263 // Sanitize expressions that come after a sanitizing prefix in a sequence of StringBuilder operations:
238264 exists ( MethodAccess appendSanitizingConstant , MethodAccess subsequentAppend |
239265 appendSanitizingConstant .getArgument ( 0 ) instanceof HostnameSanitzingPrefix and
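Review bot: In the new StringBuilder-initializer branch (new lines 252–261), `constructor` is only constrained by `getQualifier*(initializer)` and by its first argument being a HostnameSanitzingPrefix; nothing ties it to a StringBuilder/StringBuffer constructor, so any ConstructorCall reached through a qualifier chain of the initializer (e.g. a builder or wrapper type whose constructor takes a prefix-like string) would mark every append to `sbv` as sanitized. Because this class is a sanitizer, over-approximating here turns into missed results rather than noise, so it is worth pinning the constructed type the same way `getAChainedAppend` pins the declaring type: add `constructor.getCallee().getDeclaringType() instanceof StringBuildingType and` next to the `getArgument(0)` check on new line 255. The "note imprecision" comment on lines 250–251 could also mention this second approximation if it is left as is. The HostnameSanitizedExpr characteristic predicate continues past the end of this hunk.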