Merge pull request #10533 from pwntester/main

Java: Add support for java.util.StringJoiner
2026-04-24 08:15:14 +02:00 · 2023-04-26 16:18:35 +02:00
parent 3c1456bd02 5d80f0818c
commit 12d181143f
5 changed files with 116 additions and 3 deletions
--- a/java/ql/lib/change-notes/2022-09-22-stringjoiner-summaries.md
+++ b/java/ql/lib/change-notes/2022-09-22-stringjoiner-summaries.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added new flow steps for `java.util.StringJoiner`.
--- a/java/ql/lib/ext/java.util.model.yml
+++ b/java/ql/lib/ext/java.util.model.yml
@@ -338,8 +338,14 @@ extensions:
      - ["java.util", "Stack", True, "peek", "()", "", "Argument[this].Element", "ReturnValue", "value", "manual"]
      - ["java.util", "Stack", True, "pop", "()", "", "Argument[this].Element", "ReturnValue", "value", "manual"]
      - ["java.util", "Stack", True, "push", "(Object)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
-      - ["java.util", "StringJoiner", False, "add", "(CharSequence)", "", "Argument[this]", "ReturnValue", "taint", "manual"]
-      - ["java.util", "StringJoiner", False, "add", "(CharSequence)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["java.util", "StringJoiner", False, "StringJoiner", "", "", "Argument[0..2]", "Argument[this]", "taint", "manual"]
+      - ["java.util", "StringJoiner", False, "add", "(CharSequence)", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["java.util", "StringJoiner", False, "add", "(CharSequence)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["java.util", "StringJoiner", False, "merge", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["java.util", "StringJoiner", False, "merge", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["java.util", "StringJoiner", False, "setEmptyValue", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
+      - ["java.util", "StringJoiner", False, "setEmptyValue", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
+      - ["java.util", "StringJoiner", False, "toString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
      - ["java.util", "StringTokenizer", False, "StringTokenizer", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
      - ["java.util", "StringTokenizer", False, "nextElement", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
      - ["java.util", "StringTokenizer", False, "nextToken", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
--- a/java/ql/test/ext/TestModels/Test.java
+++ b/java/ql/test/ext/TestModels/Test.java
@@ -93,7 +93,7 @@ public class Test {
            sink(sj1.add((CharSequence)source())); // $hasTaintFlow

            StringJoiner sj2 = (StringJoiner)source();
-            sink(sj2.add("test")); // $hasTaintFlow
+            sink(sj2.add("test")); // $hasValueFlow
        }

        // top 300-500 JDK APIs tests
--- a/java/ql/test/library-tests/dataflow/taint/StringJoinerTests.java
+++ b/java/ql/test/library-tests/dataflow/taint/StringJoinerTests.java
@@ -0,0 +1,92 @@
+import java.util.StringJoiner;
+
+public class StringJoinerTests {
+
+	Object taint() {
+		return null;
+	}
+
+	void sink(Object o) {}
+
+	public void test() throws Exception {
+		{
+			// "java.util;StringJoiner;false;StringJoiner;(CharSequence);;Argument[0];Argument[-1];taint;manual"
+			StringJoiner out = null;
+			CharSequence in = (CharSequence) taint();
+			out = new StringJoiner(in);
+			sink(out);
+		}
+		{
+			// "java.util;StringJoiner;false;StringJoiner;(CharSequence,CharSequence,CharSequence);;Argument[0];Argument[-1];taint;manual"
+			StringJoiner out = null;
+			CharSequence in = (CharSequence) taint();
+			out = new StringJoiner(in, null, null);
+			sink(out);
+		}
+		{
+			// "java.util;StringJoiner;false;StringJoiner;(CharSequence,CharSequence,CharSequence);;Argument[1];Argument[-1];taint;manual"
+			StringJoiner out = null;
+			CharSequence in = (CharSequence) taint();
+			out = new StringJoiner(null, in, null);
+			sink(out);
+		}
+		{
+			// "java.util;StringJoiner;false;StringJoiner;(CharSequence,CharSequence,CharSequence);;Argument[2];Argument[-1];taint;manual"
+			StringJoiner out = null;
+			CharSequence in = (CharSequence) taint();
+			out = new StringJoiner(null, null, in);
+			sink(out);
+		}
+		{
+			// "java.util;StringJoiner;false;add;;;Argument[-1];ReturnValue;value;manual"
+			StringJoiner out = null;
+			StringJoiner in = (StringJoiner) taint();
+			out = in.add(null);
+			sink(out);
+		}
+		{
+			// "java.util;StringJoiner;false;add;;;Argument[0];Argument[-1];taint;manual"
+			StringJoiner out = null;
+			CharSequence in = (CharSequence) taint();
+			out.add(in);
+			sink(out);
+		}
+		{
+			// "java.util;StringJoiner;false;merge;;;Argument[-1];ReturnValue;value;manual"
+			StringJoiner out = null;
+			StringJoiner in = (StringJoiner) taint();
+			out = in.merge(null);
+			sink(out);
+		}
+		{
+			// "java.util;StringJoiner;false;merge;;;Argument[0];Argument[-1];taint;manual"
+			StringJoiner out = null;
+			StringJoiner in = (StringJoiner) taint();
+			out.merge(in);
+			sink(out);
+		}
+		{
+			// "java.util;StringJoiner;false;setEmptyValue;;;Argument[-1];ReturnValue;taint;manual"
+			StringJoiner out = null;
+			StringJoiner in = (StringJoiner) taint();
+			out = in.setEmptyValue(null);
+			sink(out);
+		}
+		{
+			// "java.util;StringJoiner;false;setEmptyValue;;;Argument[0];Argument[-1];taint;manual"
+			StringJoiner out = null;
+			CharSequence in = (CharSequence) taint();
+			out.setEmptyValue(in);
+			sink(out);
+		}
+		{
+			// "java.util;StringJoiner;false;toString;;;Argument[-1];ReturnValue;taint;manual"
+			String out = null;
+			StringJoiner in = (StringJoiner) taint();
+			out = in.toString();
+			sink(out);
+		}
+
+	}
+
+}
--- a/java/ql/test/library-tests/dataflow/taint/test.expected
+++ b/java/ql/test/library-tests/dataflow/taint/test.expected
@@ -71,6 +71,17 @@
 | StringBuilderTests.java:70:15:70:21 | taint(...) | StringBuilderTests.java:73:10:73:26 | new String(...) |
 | StringBuilderTests.java:79:15:79:21 | taint(...) | StringBuilderTests.java:80:10:80:40 | toString(...) |
 | StringBuilderTests.java:86:15:86:21 | taint(...) | StringBuilderTests.java:87:10:87:27 | substring(...) |
+| StringJoinerTests.java:15:37:15:43 | taint(...) | StringJoinerTests.java:17:9:17:11 | out |
+| StringJoinerTests.java:22:37:22:43 | taint(...) | StringJoinerTests.java:24:9:24:11 | out |
+| StringJoinerTests.java:29:37:29:43 | taint(...) | StringJoinerTests.java:31:9:31:11 | out |
+| StringJoinerTests.java:36:37:36:43 | taint(...) | StringJoinerTests.java:38:9:38:11 | out |
+| StringJoinerTests.java:43:37:43:43 | taint(...) | StringJoinerTests.java:45:9:45:11 | out |
+| StringJoinerTests.java:50:37:50:43 | taint(...) | StringJoinerTests.java:52:9:52:11 | out |
+| StringJoinerTests.java:57:37:57:43 | taint(...) | StringJoinerTests.java:59:9:59:11 | out |
+| StringJoinerTests.java:64:37:64:43 | taint(...) | StringJoinerTests.java:66:9:66:11 | out |
+| StringJoinerTests.java:71:37:71:43 | taint(...) | StringJoinerTests.java:73:9:73:11 | out |
+| StringJoinerTests.java:78:37:78:43 | taint(...) | StringJoinerTests.java:80:9:80:11 | out |
+| StringJoinerTests.java:85:37:85:43 | taint(...) | StringJoinerTests.java:87:9:87:11 | out |
 | Varargs.java:7:8:7:14 | taint(...) | Varargs.java:14:10:14:10 | s |
 | Varargs.java:8:8:8:14 | taint(...) | Varargs.java:19:10:19:10 | s |
 | Varargs.java:8:17:8:23 | taint(...) | Varargs.java:19:10:19:10 | s |