Merge pull request #3105 from aschackmull/java/postupdate-jump

Java: Fix missing jump step from PostUpdate to capture.
2026-04-30 11:15:13 +02:00 · 2020-03-25 22:05:30 -04:00
parent e6cdbb9bd2 d8edae96df
commit 0f70da2258
4 changed files with 86 additions and 1 deletions
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
@@ -113,7 +113,8 @@ private predicate variableCaptureStep(Node node1, ExprNode node2) {
 */
 predicate jumpStep(Node node1, Node node2) {
  staticFieldStep(node1, node2) or
-  variableCaptureStep(node1, node2)
+  variableCaptureStep(node1, node2) or
+  variableCaptureStep(node1.(PostUpdateNode).getPreUpdateNode(), node2)
 }

 /**
--- a/java/ql/test/library-tests/dataflow/capture/A.java
+++ b/java/ql/test/library-tests/dataflow/capture/A.java
@@ -0,0 +1,41 @@
+public class A {
+  static class Box {
+    String elem;
+    Box(String e) { elem = e; }
+    void setElem(String e) { elem = e; }
+    String getElem() { return elem; }
+  }
+
+  String get() {
+    return null;
+  }
+
+  void f1(int i) {
+    A a = f2("A", i);
+    String x = a.get();
+  }
+
+  A f2(String p, int i) {
+    String s;
+    if (i == 0) {
+      s = "B";
+    } else {
+      s = "C";
+    }
+    Box b1 = new Box("D");
+    Box b2 = new Box(null);
+    b2.setElem("E");
+    A a = new A() {
+      @Override
+      String get() {
+        switch (i) {
+          case 0: return p;
+          case 1: return s;
+          case 2: return b1.getElem();
+          case 3: return b2.getElem();
+        }
+      }
+    };
+    return a;
+  }
+}
--- a/java/ql/test/library-tests/dataflow/capture/test.expected
+++ b/java/ql/test/library-tests/dataflow/capture/test.expected
@@ -0,0 +1,26 @@
+| A.java:14:14:14:16 | "A" | A.java:14:14:14:16 | "A" |
+| A.java:14:14:14:16 | "A" | A.java:15:16:15:22 | get(...) |
+| A.java:14:14:14:16 | "A" | A.java:18:8:18:15 | p |
+| A.java:14:14:14:16 | "A" | A.java:32:26:32:26 | p |
+| A.java:21:11:21:13 | "B" | A.java:15:16:15:22 | get(...) |
+| A.java:21:11:21:13 | "B" | A.java:21:7:21:13 | ...=... |
+| A.java:21:11:21:13 | "B" | A.java:21:11:21:13 | "B" |
+| A.java:21:11:21:13 | "B" | A.java:33:26:33:26 | s |
+| A.java:23:11:23:13 | "C" | A.java:15:16:15:22 | get(...) |
+| A.java:23:11:23:13 | "C" | A.java:23:7:23:13 | ...=... |
+| A.java:23:11:23:13 | "C" | A.java:23:11:23:13 | "C" |
+| A.java:23:11:23:13 | "C" | A.java:33:26:33:26 | s |
+| A.java:25:22:25:24 | "D" | A.java:4:9:4:16 | e |
+| A.java:25:22:25:24 | "D" | A.java:4:21:4:28 | ...=... |
+| A.java:25:22:25:24 | "D" | A.java:4:28:4:28 | e |
+| A.java:25:22:25:24 | "D" | A.java:6:31:6:34 | elem |
+| A.java:25:22:25:24 | "D" | A.java:15:16:15:22 | get(...) |
+| A.java:25:22:25:24 | "D" | A.java:25:22:25:24 | "D" |
+| A.java:25:22:25:24 | "D" | A.java:34:26:34:37 | getElem(...) |
+| A.java:27:16:27:18 | "E" | A.java:5:18:5:25 | e |
+| A.java:27:16:27:18 | "E" | A.java:5:30:5:37 | ...=... |
+| A.java:27:16:27:18 | "E" | A.java:5:37:5:37 | e |
+| A.java:27:16:27:18 | "E" | A.java:6:31:6:34 | elem |
+| A.java:27:16:27:18 | "E" | A.java:15:16:15:22 | get(...) |
+| A.java:27:16:27:18 | "E" | A.java:27:16:27:18 | "E" |
+| A.java:27:16:27:18 | "E" | A.java:35:26:35:37 | getElem(...) |
--- a/java/ql/test/library-tests/dataflow/capture/test.ql
+++ b/java/ql/test/library-tests/dataflow/capture/test.ql
@@ -0,0 +1,17 @@
+import java
+import semmle.code.java.dataflow.DataFlow
+import DataFlow
+
+StringLiteral src() { result.getCompilationUnit().fromSource() }
+
+class Conf extends Configuration {
+  Conf() { this = "qq capture" }
+
+  override predicate isSource(Node n) { n.asExpr() = src() }
+
+  override predicate isSink(Node n) { any() }
+}
+
+from Node src, Node sink, Conf conf
+where conf.hasFlow(src, sink)
+select src, sink