Fix modelling of Stack.push

Stack.push(E) returns its argument, it does not propagate taint from the stack to the return value.
2026-05-01 11:45:14 +02:00 · 2020-07-09 15:00:59 +02:00
parent d3d58795f1
commit 0d33a77ee3
3 changed files with 7 additions and 4 deletions
--- a/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll
@@ -127,7 +127,7 @@ private predicate taintPreservingQualifierToMethod(Method m) {
  m.(CollectionMethod).hasName(["elementAt", "elements", "firstElement", "lastElement"])
  or
  // java.util.Stack
-  m.(CollectionMethod).hasName(["peek", "pop", "push"])
+  m.(CollectionMethod).hasName(["peek", "pop"])
  or
  // java.util.Queue
  m.(CollectionMethod).hasName(["element", "poll"])
@@ -269,6 +269,9 @@ private predicate taintPreservingArgumentToQualifier(Method method, int arg) {
 * `arg`th argument is tainted.
 */
 private predicate taintPreservingArgumentToMethod(Method method, int arg) {
+  // java.util.Stack
+  method.(CollectionMethod).hasName("push") and arg = 0
+  or
  method.getDeclaringType().hasQualifiedName("java.util", "Collections") and
  (
    method
--- a/java/ql/test/library-tests/dataflow/collections/ContainterTest.java
+++ b/java/ql/test/library-tests/dataflow/collections/ContainterTest.java
@@ -88,8 +88,8 @@ class ContainerTest {
 		// java.util.Stack
 		sink(stack.peek());
 		sink(stack.pop());
-		stack.push("value"); // not tainted
-		sink(stack.push(source("value")));
+		sink(stack.push("value")); // not tainted
+		sink(new Stack().push(source("value")));
 		mkSink(Stack.class).push(source("value"));

 		// java.util.Queue
--- a/java/ql/test/library-tests/dataflow/collections/flow.expected
+++ b/java/ql/test/library-tests/dataflow/collections/flow.expected
@@ -21,7 +21,6 @@
 | ContainterTest.java:34:4:34:24 | vector | ContainterTest.java:86:19:86:40 | mkSink(...) [post update] |
 | ContainterTest.java:35:4:35:22 | stack | ContainterTest.java:89:8:89:19 | peek(...) |
 | ContainterTest.java:35:4:35:22 | stack | ContainterTest.java:90:8:90:18 | pop(...) |
-| ContainterTest.java:35:4:35:22 | stack | ContainterTest.java:92:8:92:34 | push(...) |
 | ContainterTest.java:36:4:36:22 | queue | ContainterTest.java:96:8:96:22 | element(...) |
 | ContainterTest.java:36:4:36:22 | queue | ContainterTest.java:97:8:97:19 | peek(...) |
 | ContainterTest.java:36:4:36:22 | queue | ContainterTest.java:98:8:98:19 | poll(...) |
@@ -104,6 +103,7 @@
 | ContainterTest.java:83:42:83:50 | "element" | ContainterTest.java:83:3:83:22 | mkSink(...) [post update] |
 | ContainterTest.java:84:47:84:55 | "element" | ContainterTest.java:84:3:84:22 | mkSink(...) [post update] |
 | ContainterTest.java:85:44:85:52 | "element" | ContainterTest.java:85:3:85:22 | mkSink(...) [post update] |
+| ContainterTest.java:92:32:92:38 | "value" | ContainterTest.java:92:8:92:40 | push(...) |
 | ContainterTest.java:93:35:93:41 | "value" | ContainterTest.java:93:3:93:21 | mkSink(...) [post update] |
 | ContainterTest.java:100:36:100:44 | "element" | ContainterTest.java:100:3:100:21 | mkSink(...) [post update] |
 | ContainterTest.java:111:39:111:45 | "value" | ContainterTest.java:111:3:111:21 | mkSink(...) [post update] |