Java: Sync files and model generator and tests.

2026-04-29 18:55:14 +02:00 · 2022-08-03 16:13:34 +02:00
parent 5255e16816
commit 120fb25702
7 changed files with 177 additions and 78 deletions
--- a/java/ql/src/utils/model-generator/CaptureNegativeSummaryModels.ql
+++ b/java/ql/src/utils/model-generator/CaptureNegativeSummaryModels.ql
@@ -0,0 +1,14 @@
+/**
+ * @name Capture negative summary models.
+ * @description Finds negative summary models to be used by other queries.
+ * @kind diagnostic
+ * @id java/utils/model-generator/negative-summary-models
+ * @tags model-generator
+ */
+
+private import internal.CaptureModels
+private import internal.CaptureSummaryFlow
+
+from TargetApi api, string noflow
+where noflow = captureNoFlow(api)
+select noflow order by noflow
--- a/java/ql/src/utils/model-generator/CaptureSummaryModels.ql
+++ b/java/ql/src/utils/model-generator/CaptureSummaryModels.ql
@@ -7,78 +7,7 @@
 */

 private import internal.CaptureModels
-
-/**
- * Capture fluent APIs that return `this`.
- * Example of a fluent API:
- * ```java
- * public class Foo {
- *   public Foo someAPI() {
- *    // some side-effect
- *    return this;
- *  }
- * }
- * ```
- *
- * Capture APIs that transfer taint from an input parameter to an output return
- * value or parameter.
- * Allows a sequence of read steps followed by a sequence of store steps.
- *
- * Examples:
- *
- * ```java
- * public class Foo {
- *   private String tainted;
- *
- *   public String returnsTainted() {
- *     return tainted;
- *   }
- *
- *   public void putsTaintIntoParameter(List<String> foo) {
- *     foo.add(tainted);
- *   }
- * }
- * ```
- * Captured Models:
- * ```
- * p;Foo;true;returnsTainted;;Argument[-1];ReturnValue;taint
- * p;Foo;true;putsTaintIntoParameter;(List);Argument[-1];Argument[0];taint
- * ```
- *
- * ```java
- * public class Foo {
- *  private String tainted;
- *  public void doSomething(String input) {
- *    tainted = input;
- *  }
- * ```
- * Captured Model:
- * ```p;Foo;true;doSomething;(String);Argument[0];Argument[-1];taint```
- *
- * ```java
- * public class Foo {
- *   public String returnData(String tainted) {
- *     return tainted.substring(0,10)
- *   }
- * }
- * ```
- * Captured Model:
- * ```p;Foo;true;returnData;;Argument[0];ReturnValue;taint```
- *
- * ```java
- * public class Foo {
- *   public void addToList(String tainted, List<String> foo) {
- *     foo.add(tainted);
- *   }
- * }
- * ```
- * Captured Model:
- * ```p;Foo;true;addToList;;Argument[0];Argument[1];taint```
- */
-string captureFlow(TargetApi api) {
-  result = captureQualifierFlow(api) or
-  result = captureThroughFlow(api)
-}
+private import internal.CaptureSummaryFlow

 from TargetApi api, string flow
 where flow = captureFlow(api)
--- a/java/ql/src/utils/model-generator/internal/CaptureModels.qll
+++ b/java/ql/src/utils/model-generator/internal/CaptureModels.qll
@@ -48,6 +48,10 @@ private string asSummaryModel(TargetApi api, string input, string output, string
      + "generated"
 }

+string asNegativeSummaryModel(TargetApi api) { result = asPartialNegativeModel(api) + "generated" }
+
+predicate partialNegativeModel = asPartialNegativeModel/1;
+
 /**
 * Gets the value summary model for `api` with `input` and `output`.
 */
--- a/java/ql/src/utils/model-generator/internal/CaptureModelsSpecific.qll
+++ b/java/ql/src/utils/model-generator/internal/CaptureModelsSpecific.qll
@@ -98,16 +98,38 @@ private string typeAsSummaryModel(TargetApiSpecific api) {
  result = typeAsModel(bestTypeForModel(api))
 }

+private predicate partialModel(TargetApiSpecific api, string type, string name, string parameters) {
+  type = typeAsSummaryModel(api) and
+  name = api.getName() and
+  parameters = ExternalFlow::paramsString(api)
+}
+
 /**
 * Computes the first 6 columns for CSV rows.
 */
 string asPartialModel(TargetApiSpecific api) {
-  result =
-    typeAsSummaryModel(api) + ";" //
-      + isExtensible(bestTypeForModel(api)) + ";" //
-      + api.getName() + ";" //
-      + ExternalFlow::paramsString(api) + ";" //
-      + /* ext + */ ";" //
+  exists(string type, string name, string parameters |
+    partialModel(api, type, name, parameters) and
+    result =
+      type + ";" //
+        + isExtensible(bestTypeForModel(api)) + ";" //
+        + name + ";" //
+        + parameters + ";" //
+        + /* ext + */ ";" //
+  )
+}
+
+/**
+ * Computes the first 4 columns for negative CSV rows.
+ */
+string asPartialNegativeModel(TargetApiSpecific api) {
+  exists(string type, string name, string parameters |
+    partialModel(api, type, name, parameters) and
+    result =
+      type + ";" //
+        + name + ";" //
+        + parameters + ";" //
+  )
 }

 private predicate isPrimitiveTypeUsedForBulkData(J::Type t) {
--- a/java/ql/src/utils/model-generator/internal/CaptureSummaryFlow.qll
+++ b/java/ql/src/utils/model-generator/internal/CaptureSummaryFlow.qll
@@ -0,0 +1,86 @@
+private import CaptureModels
+
+/**
+ * Capture fluent APIs that return `this`.
+ * Example of a fluent API:
+ * ```java
+ * public class Foo {
+ *   public Foo someAPI() {
+ *    // some side-effect
+ *    return this;
+ *  }
+ * }
+ * ```
+ *
+ * Capture APIs that transfer taint from an input parameter to an output return
+ * value or parameter.
+ * Allows a sequence of read steps followed by a sequence of store steps.
+ *
+ * Examples:
+ *
+ * ```java
+ * public class Foo {
+ *   private String tainted;
+ *
+ *   public String returnsTainted() {
+ *     return tainted;
+ *   }
+ *
+ *   public void putsTaintIntoParameter(List<String> foo) {
+ *     foo.add(tainted);
+ *   }
+ * }
+ * ```
+ * Captured Models:
+ * ```
+ * p;Foo;true;returnsTainted;;Argument[-1];ReturnValue;taint
+ * p;Foo;true;putsTaintIntoParameter;(List);Argument[-1];Argument[0];taint
+ * ```
+ *
+ * ```java
+ * public class Foo {
+ *  private String tainted;
+ *  public void doSomething(String input) {
+ *    tainted = input;
+ *  }
+ * ```
+ * Captured Model:
+ * ```p;Foo;true;doSomething;(String);Argument[0];Argument[-1];taint```
+ *
+ * ```java
+ * public class Foo {
+ *   public String returnData(String tainted) {
+ *     return tainted.substring(0,10)
+ *   }
+ * }
+ * ```
+ * Captured Model:
+ * ```p;Foo;true;returnData;;Argument[0];ReturnValue;taint```
+ *
+ * ```java
+ * public class Foo {
+ *   public void addToList(String tainted, List<String> foo) {
+ *     foo.add(tainted);
+ *   }
+ * }
+ * ```
+ * Captured Model:
+ * ```p;Foo;true;addToList;;Argument[0];Argument[1];taint```
+ */
+string captureFlow(TargetApi api) {
+  result = captureQualifierFlow(api) or
+  result = captureThroughFlow(api)
+}
+
+/**
+ * Gets the negative summary for `api`, if any.
+ * A negative summary is generated, if there does not exist any positive flow that
+ * shares the same summary prefix - otherwise these models will be indistinguishable.
+ */
+string captureNoFlow(TargetApi api) {
+  not exists(TargetApi other, string flow |
+    flow = captureFlow(other) and
+    partialNegativeModel(other) = partialNegativeModel(api)
+  ) and
+  result = asNegativeSummaryModel(api)
+}
--- a/java/ql/test/utils/model-generator/CaptureNegativeSummaryModels.expected
+++ b/java/ql/test/utils/model-generator/CaptureNegativeSummaryModels.expected
@@ -0,0 +1,43 @@
+| p;AbstractImplOfExternalSPI;AbstractImplOfExternalSPI;();generated |
+| p;Factory;getIntValue;();generated |
+| p;FinalClass;FinalClass;();generated |
+| p;FinalClass;returnsConstant;();generated |
+| p;FluentAPI$Inner;Inner;();generated |
+| p;FluentAPI$Inner;notThis;(String);generated |
+| p;FluentAPI;FluentAPI;();generated |
+| p;ImmutablePojo;getX;();generated |
+| p;ImplOfExternalSPI;ImplOfExternalSPI;();generated |
+| p;InnerClasses$CaptureMe;CaptureMe;();generated |
+| p;InnerClasses;InnerClasses;();generated |
+| p;InnerHolder;InnerHolder;();generated |
+| p;Joiner;length;();generated |
+| p;MultipleImpls$Strat1;Strat1;();generated |
+| p;MultipleImpls$Strat2;Strat2;();generated |
+| p;MultipleImpls$Strat3;Strat3;();generated |
+| p;MultipleImpls;MultipleImpls;();generated |
+| p;ParamFlow;ParamFlow;();generated |
+| p;ParamFlow;ignorePrimitiveReturnValue;(String);generated |
+| p;ParamFlow;mapType;(Class);generated |
+| p;Pojo;Pojo;();generated |
+| p;Pojo;doNotSetValue;(String);generated |
+| p;Pojo;getBigDecimal;();generated |
+| p;Pojo;getBigInt;();generated |
+| p;Pojo;getBoxedArray;();generated |
+| p;Pojo;getBoxedCollection;();generated |
+| p;Pojo;getBoxedValue;();generated |
+| p;Pojo;getFloatArray;();generated |
+| p;Pojo;getIntValue;();generated |
+| p;Pojo;getPrimitiveArray;();generated |
+| p;PrivateFlowViaPublicInterface$SPI;openStream;();generated |
+| p;PrivateFlowViaPublicInterface$SPI;openStreamNone;();generated |
+| p;PrivateFlowViaPublicInterface;PrivateFlowViaPublicInterface;();generated |
+| p;PrivateFlowViaPublicInterface;createAnSPIWithoutTrackingFile;(File);generated |
+| p;Sinks;Sinks;();generated |
+| p;Sinks;copyFileToDirectory;(Path,Path,CopyOption[]);generated |
+| p;Sinks;propagate;(String);generated |
+| p;Sinks;readUrl;(URL,Charset);generated |
+| p;Sources;Sources;();generated |
+| p;Sources;readUrl;(URL);generated |
+| p;Sources;socketStream;();generated |
+| p;Sources;sourceToParameter;(InputStream[],List);generated |
+| p;Sources;wrappedSocketStream;();generated |
--- a/java/ql/test/utils/model-generator/CaptureNegativeSummaryModels.qlref
+++ b/java/ql/test/utils/model-generator/CaptureNegativeSummaryModels.qlref
@@ -0,0 +1 @@
+utils/model-generator/CaptureNegativeSummaryModels.ql
				`@@ -0,0 +1 @@`
				`utils/model-generator/CaptureNegativeSummaryModels.ql`