fix: reject concrete type args against wildcard pattern

misonijnik · misonijnik · commit bf8e6e4838d4 · 2026-05-01T00:27:09.000+02:00
A pattern like `ResponseEntity&lt;?&gt;` previously matched concrete
parameterizations such as `ResponseEntity&lt;String&gt;` because wildcards
were lowered to an unconstrained "any class" matcher at the
type-argument slot. Introduce a dedicated wildcard representation —
`TypeNamePattern.WildcardType` in the query language and
`SerializedTypeNameMatcher.Wildcard` in the serialized matcher — so a
wildcard slot in the pattern matches only a `JIRUnboundWildcard` at the
same slot in code.
diff --git a/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/SerializedTypeMatching.kt b/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/SerializedTypeMatching.kt
@@ -30,6 +30,8 @@ fun SerializedTypeNameMatcher.matchType(
     type: JIRType,
     erasedMatch: SerializedTypeNameMatcher.(String) -> Boolean,
 ): Boolean = when {
+    this is SerializedTypeNameMatcher.Wildcard -> type is JIRUnboundWildcard
+
     this is SerializedTypeNameMatcher.ClassPattern && typeArgs.isEmpty() && type is JIRClassType ->
         erasedMatch(type.erasedName()) && type.isRawLike()
 
diff --git a/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/serialized/SerializedNameMatcher.kt b/core/opentaint-configuration-rules/configuration-rules-jvm/src/main/kotlin/org/opentaint/dataflow/configuration/jvm/serialized/SerializedNameMatcher.kt
@@ -24,6 +24,14 @@ sealed interface SerializedTypeNameMatcher {
 
     @Serializable
     data class Array(val element: SerializedTypeNameMatcher) : SerializedTypeNameMatcher
+
+    /**
+     * Matches only an unbounded Java wildcard (`?`) at a type-argument slot.
+     * Distinct from an "any" [ClassPattern] so a pattern like `Foo<?>` does not
+     * match a concrete parameterization like `Foo<String>`.
+     */
+    @Serializable
+    data object Wildcard : SerializedTypeNameMatcher
 }
 
 @Serializable(with = SimpleNameMatcherSerializer::class)
diff --git a/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/taint/JIRBasicAtomEvaluator.kt b/core/opentaint-dataflow-core/opentaint-jvm-dataflow/src/main/kotlin/org/opentaint/dataflow/jvm/ap/ifds/taint/JIRBasicAtomEvaluator.kt
@@ -400,6 +400,9 @@ class JIRBasicAtomEvaluator(
             val nameWithout = name.removeSuffix("[]")
             name != nameWithout && element.matchErasedName(nameWithout)
         }
+        // A wildcard matcher is only meaningful at a type-argument slot; it has
+        // no erased-name projection to compare against a string.
+        is SerializedTypeNameMatcher.Wildcard -> false
     }
 
     private fun ConditionNameMatcher.match(name: String): Boolean = when (this) {
diff --git a/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithWildcardGeneric.java b/core/opentaint-java-querylang/samples/src/main/java/example/RuleWithWildcardGeneric.java
@@ -32,11 +32,10 @@ public void entrypoint() {
     }
 
     /**
-     * ResponseEntity&lt;String&gt; is a concrete parameterized form. In many
-     * semgrep engines a wildcard <?> is considered to match any concrete
-     * type; keeping this as a Positive documents current engine behavior.
+     * ResponseEntity&lt;String&gt; is a concrete parameterized form and must not
+     * match a wildcard &lt;?&gt; type argument in the rule pattern.
      */
-    final static class PositiveConcreteAlsoMatches extends RuleWithWildcardGeneric {
+    final static class NegativeConcreteDoesNotMatch extends RuleWithWildcardGeneric {
         @Override
         public void entrypoint() {
             String data = "tainted";
diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/ParamCondition.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/ParamCondition.kt
@@ -30,6 +30,16 @@ sealed interface TypeNamePattern {
         override fun toString(): String = "*"
     }
 
+    /**
+     * Java unbounded wildcard `?` as a type argument. Unlike [AnyType], which
+     * is an unconstrained matcher that subsumes any type, [WildcardType] only
+     * matches an unbounded wildcard at the corresponding type-argument slot.
+     */
+    @Serializable
+    data object WildcardType : TypeNamePattern {
+        override fun toString(): String = "?"
+    }
+
     @Serializable
     data class ArrayType(val element: TypeNamePattern) : TypeNamePattern {
         override fun toString(): String = "${element}[]"
diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/PatternToActionListConverter.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/PatternToActionListConverter.kt
@@ -219,7 +219,7 @@ class PatternToActionListConverter: ActionListBuilder {
             val elementTypePattern = transformTypeName(typeName.elementType)
             TypeNamePattern.ArrayType(elementTypePattern)
         }
-        is TypeName.WildcardTypeName -> TypeNamePattern.AnyType
+        is TypeName.WildcardTypeName -> TypeNamePattern.WildcardType
     }
 
     private fun transformSimpleTypeName(typeName: TypeName.SimpleTypeName): TypeNamePattern {
diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/AutomataToTaintRuleConversion.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/AutomataToTaintRuleConversion.kt
@@ -628,6 +628,10 @@ private fun TaintRuleGenerationCtx.evaluateFormulaSignature(
             is Pattern -> {
                 TODO("Signature class name pattern")
             }
+
+            is SerializedTypeNameMatcher.Wildcard -> {
+                TODO("Signature class is a wildcard")
+            }
         }
 
         builders.mapTo(buildersWithClass) { builder ->
@@ -899,6 +903,10 @@ private fun TaintRuleGenerationCtx.typeMatcher(
 
         is TypeNamePattern.AnyType -> null
 
+        is TypeNamePattern.WildcardType -> MetaVarConstraintFormula.Constraint(
+            SerializedTypeNameMatcher.Wildcard
+        )
+
         is TypeNamePattern.MetaVar -> {
             val constraints = metaVarInfo.constraints[typeName.metaVar]
             val constraint = when (constraints) {
diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/MethodFormulaSimplifier.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/MethodFormulaSimplifier.kt
@@ -794,13 +794,18 @@ private fun unifyTypeName(
     when (left) {
         TypeNamePattern.AnyType -> return right
 
+        // WildcardType only unifies with itself (already handled by the
+        // `left == right` short-circuit above). Anything else is incompatible.
+        TypeNamePattern.WildcardType -> return null
+
         is TypeNamePattern.PrimitiveName -> return null
 
         is TypeNamePattern.ClassName -> when (right) {
             TypeNamePattern.AnyType -> return left
 
             is TypeNamePattern.ArrayType,
-            is TypeNamePattern.PrimitiveName -> return null
+            is TypeNamePattern.PrimitiveName,
+            TypeNamePattern.WildcardType -> return null
 
             is TypeNamePattern.ClassName -> {
                 if (left.name != right.name) return null
@@ -826,7 +831,8 @@ private fun unifyTypeName(
             TypeNamePattern.AnyType -> return left
 
             is TypeNamePattern.ArrayType,
-            is TypeNamePattern.PrimitiveName -> return null
+            is TypeNamePattern.PrimitiveName,
+            TypeNamePattern.WildcardType -> return null
 
             is TypeNamePattern.ClassName -> {
                 if (left.name.endsWith(right.name)) {
@@ -853,7 +859,8 @@ private fun unifyTypeName(
             TypeNamePattern.AnyType -> return left
 
             is TypeNamePattern.ArrayType,
-            is TypeNamePattern.PrimitiveName -> return null
+            is TypeNamePattern.PrimitiveName,
+            TypeNamePattern.WildcardType -> return null
 
             is TypeNamePattern.ClassName -> {
                 if (!stringMatches(right.name, metaVarInfo.metaVarConstraints[left.metaVar])) return null
@@ -885,7 +892,8 @@ private fun unifyTypeName(
             is TypeNamePattern.ClassName,
             is TypeNamePattern.FullyQualified,
             is TypeNamePattern.MetaVar,
-            is TypeNamePattern.PrimitiveName -> return null
+            is TypeNamePattern.PrimitiveName,
+            TypeNamePattern.WildcardType -> return null
         }
     }
 }
diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/TaintAutomataGeneration.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/TaintAutomataGeneration.kt
@@ -995,7 +995,8 @@ private fun EdgeCondition.isDummyCondition(metaVarInfo: ResolvedMetaVarInfo): Bo
             is TypeNamePattern.ArrayType,
             is TypeNamePattern.ClassName,
             is TypeNamePattern.FullyQualified,
-            is TypeNamePattern.PrimitiveName -> return false
+            is TypeNamePattern.PrimitiveName,
+            TypeNamePattern.WildcardType -> return false
         }
     }
 
diff --git a/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/TaintEdgesGeneration.kt b/core/opentaint-java-querylang/src/main/kotlin/org/opentaint/semgrep/pattern/conversion/taint/TaintEdgesGeneration.kt
@@ -363,6 +363,7 @@ private fun MetaVarCtx.typeNameMetaVars(typeName: TypeNamePattern, metaVars: Bit
         }
 
         TypeNamePattern.AnyType,
+        TypeNamePattern.WildcardType,
         is TypeNamePattern.PrimitiveName -> {
             // no metavars
         }
diff --git a/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt b/core/opentaint-java-querylang/src/test/kotlin/org/opentaint/semgrep/TypeAwarePatternTest.kt
@@ -40,8 +40,8 @@ class TypeAwarePatternTest : SampleBasedTest() {
     @Test
     fun `A4 - two-arg generic Map of K V in parameter`() = runTest<example.RuleWithTwoArgGeneric>()
 
-    // A5. Wildcard type argument: ResponseEntity<?>. Documents current engine
-    // behavior; both concrete and wildcard-typed methods match today.
+    // A5. Wildcard type argument: ResponseEntity<?>. A concrete type argument
+    // (ResponseEntity<String>) must not match a wildcard pattern.
     @Test
     fun `A5 - wildcard type argument ResponseEntity of question mark`() =
         runTest<example.RuleWithWildcardGeneric>()
diff --git a/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/ClassNameUtils.kt b/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/ClassNameUtils.kt
@@ -16,6 +16,7 @@ fun SerializedTypeNameMatcher.normalizeAnyName(): SerializedTypeNameMatcher = wh
     is SerializedSimpleNameMatcher -> normalizeAnyName()
     is ClassPattern -> ClassPattern(`package`.normalizeAnyName(), `class`.normalizeAnyName(), typeArgs.map { it.normalizeAnyName() })
     is SerializedTypeNameMatcher.Array -> SerializedTypeNameMatcher.Array(element.normalizeAnyName())
+    is SerializedTypeNameMatcher.Wildcard -> this
 }
 
 fun SerializedSimpleNameMatcher.normalizeAnyName(): SerializedSimpleNameMatcher = when (this) {
diff --git a/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt b/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TaintConfiguration.kt
@@ -258,6 +258,10 @@ class TaintConfiguration(private val cp: JIRClasspath) {
             val nameWithoutArrayModifier = name.removeSuffix("[]")
             name != nameWithoutArrayModifier && element.matchNormalizedTypeName(nameWithoutArrayModifier)
         }
+
+        // A wildcard matcher is only meaningful at a type-argument position
+        // and is never compared against a class-name string.
+        is SerializedTypeNameMatcher.Wildcard -> false
     }
 
     private fun SerializedTypeNameMatcher.matchType(type: JIRType): Boolean =
diff --git a/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TypeMatcherCondition.kt b/core/opentaint-jvm-sast-dataflow/src/main/kotlin/org/opentaint/jvm/sast/dataflow/rules/TypeMatcherCondition.kt
@@ -37,6 +37,10 @@ fun SerializedTypeNameMatcher.toConditionNameMatcher(patternManager: PatternMana
         is SerializedTypeNameMatcher.Array -> {
             element.toConditionNameMatcher(patternManager)?.addSuffix("[]", patternManager)
         }
+
+        // A wildcard matcher has no erased-name projection; there is no
+        // meaningful class-name `ConditionNameMatcher` to produce.
+        is SerializedTypeNameMatcher.Wildcard -> null
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -400,6 +400,9 @@ class JIRBasicAtomEvaluator(`
`400`	`400`	`val nameWithout = name.removeSuffix("[]")`
`401`	`401`	`name != nameWithout && element.matchErasedName(nameWithout)`
`402`	`402`	`}`
	`403`	`+ // A wildcard matcher is only meaningful at a type-argument slot; it has`
	`404`	`+ // no erased-name projection to compare against a string.`
	`405`	`+ is SerializedTypeNameMatcher.Wildcard -> false`
`403`	`406`	`}`
`404`	`407`
`405`	`408`	`private fun ConditionNameMatcher.match(name: String): Boolean = when (this) {`
Original file line number	Diff line number	Diff line change
`@@ -219,7 +219,7 @@ class PatternToActionListConverter: ActionListBuilder {`
`219`	`219`	`val elementTypePattern = transformTypeName(typeName.elementType)`
`220`	`220`	`TypeNamePattern.ArrayType(elementTypePattern)`
`221`	`221`	`}`
`222`		`- is TypeName.WildcardTypeName -> TypeNamePattern.AnyType`
	`222`	`+ is TypeName.WildcardTypeName -> TypeNamePattern.WildcardType`
`223`	`223`	`}`
`224`	`224`
`225`	`225`	`private fun transformSimpleTypeName(typeName: TypeName.SimpleTypeName): TypeNamePattern {`
Original file line number	Diff line number	Diff line change
`@@ -995,7 +995,8 @@ private fun EdgeCondition.isDummyCondition(metaVarInfo: ResolvedMetaVarInfo): Bo`
`995`	`995`	`is TypeNamePattern.ArrayType,`
`996`	`996`	`is TypeNamePattern.ClassName,`
`997`	`997`	`is TypeNamePattern.FullyQualified,`
`998`		`- is TypeNamePattern.PrimitiveName -> return false`
	`998`	`+ is TypeNamePattern.PrimitiveName,`
	`999`	`+ TypeNamePattern.WildcardType -> return false`
`999`	`1000`	`}`
`1000`	`1001`	`}`
`1001`	`1002`
Original file line number	Diff line number	Diff line change
`@@ -363,6 +363,7 @@ private fun MetaVarCtx.typeNameMetaVars(typeName: TypeNamePattern, metaVars: Bit`
`363`	`363`	`}`
`364`	`364`
`365`	`365`	`TypeNamePattern.AnyType,`
	`366`	`+ TypeNamePattern.WildcardType,`
`366`	`367`	`is TypeNamePattern.PrimitiveName -> {`
`367`	`368`	`// no metavars`
`368`	`369`	`}`