Java: Introduce index validation.

2026-04-29 10:45:15 +02:00 · 2023-03-17 14:04:57 +01:00
parent 9a3c2d3fbe
commit 0ec56203f9
2 changed files with 19 additions and 3 deletions
--- a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
@@ -233,6 +233,8 @@ module ModelValidation {
        or
        part = input.(AccessPath).getToken(0) and
        parseParam(part, _)
+        or
+        invalidIndexComponent(input, part)
      ) and
      result = "Unrecognized input specification \"" + part + "\" in " + pred + " model."
    )
@@ -244,9 +246,13 @@ module ModelValidation {
      or
      summaryModel(_, _, _, _, _, _, _, output, _, _) and pred = "summary"
    |
-      invalidSpecComponent(output, part) and
-      not part = "" and
-      not (part = ["Argument", "Parameter"] and pred = "source") and
+      (
+        invalidSpecComponent(output, part) and
+        not part = "" and
+        not (part = ["Argument", "Parameter"] and pred = "source")
+        or
+        invalidIndexComponent(output, part)
+      ) and
      result = "Unrecognized output specification \"" + part + "\" in " + pred + " model."
    )
  }
--- a/java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll
@@ -1050,6 +1050,16 @@ module Private {
      not exists(interpretComponent(c))
    }

+    /**
+     * Holds if token `part` of specification `spec` has an invalid index.
+     * E.g., `Argument[-1]`.
+     */
+    predicate invalidIndexComponent(AccessPath spec, AccessPathToken part) {
+      part = spec.getToken(_) and
+      part.getName() = ["Parameter", "Argument"] and
+      AccessPath::parseInt(part.getArgumentList()) < 0
+    }
+
    private predicate inputNeedsReference(AccessPathToken c) {
      c.getName() = "Argument" or
      inputNeedsReferenceSpecific(c)