From 33f5620782479ea2f449e44faa8857e6eaa59bc5 Mon Sep 17 00:00:00 2001
From: Tony Torralba
Date: Tue, 26 Jul 2022 11:06:11 +0200
Subject: [PATCH] Add more models
---
 .../java/dataflow/internal/ContainerFlow.qll | 16 +-
 java/ql/test/library-tests/scanner/Test.java | 229 ++++++++++++++----
 2 files changed, 201 insertions(+), 44 deletions(-)
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/ContainerFlow.qll b/java/ql/lib/semmle/code/java/dataflow/internal/ContainerFlow.qll
index 3acb3291911..6c4a369527c 100644
--- a/java/ql/lib/semmle/code/java/dataflow/internal/ContainerFlow.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/ContainerFlow.qll
@@ -245,8 +245,20 @@ private class ContainerFlowSummaries extends SummaryModelCsv {
 "java.util;Properties;true;getProperty;(String,String);;Argument[-1].MapValue;ReturnValue;value;manual",
 "java.util;Properties;true;getProperty;(String,String);;Argument[1];ReturnValue;value;manual",
 "java.util;Scanner;true;Scanner;;;Argument[0];Argument[-1];taint;manual",
- "java.util;Scanner;true;next;(Pattern);;Argument[-1];ReturnValue;taint;manual",
- "java.util;Scanner;true;next;(String);;Argument[-1];ReturnValue;taint;manual",
+ "java.util;Scanner;true;findInLine;;;Argument[-1];ReturnValue;taint;manual",
+ "java.util;Scanner;true;findWithinHorizon;;;Argument[-1];ReturnValue;taint;manual",
+ "java.util;Scanner;true;findWithinHorizon;;;Argument[-1];ReturnValue;taint;manual",
+ "java.util;Scanner;true;next;;;Argument[-1];ReturnValue;taint;manual",
+ "java.util;Scanner;true;nextBigDecimal;;;Argument[-1];ReturnValue;taint;manual",
+ "java.util;Scanner;true;nextBigInteger;;;Argument[-1];ReturnValue;taint;manual",
+ "java.util;Scanner;true;nextBoolean;;;Argument[-1];ReturnValue;taint;manual",
+ "java.util;Scanner;true;nextByte;;;Argument[-1];ReturnValue;taint;manual",
+ "java.util;Scanner;true;nextDouble;;;Argument[-1];ReturnValue;taint;manual",
+ "java.util;Scanner;true;nextFloat;;;Argument[-1];ReturnValue;taint;manual",
+ "java.util;Scanner;true;nextInt;;;Argument[-1];ReturnValue;taint;manual",
+ "java.util;Scanner;true;nextLine;;;Argument[-1];ReturnValue;taint;manual",
+ "java.util;Scanner;true;nextLong;;;Argument[-1];ReturnValue;taint;manual",
+ "java.util;Scanner;true;nextShort;;;Argument[-1];ReturnValue;taint;manual",
 "java.util;Scanner;true;reset;;;Argument[-1];ReturnValue;value;manual",
 "java.util;Scanner;true;skip;;;Argument[-1];ReturnValue;value;manual",
 "java.util;Scanner;true;useDelimiter;;;Argument[-1];ReturnValue;value;manual",
diff --git a/java/ql/test/library-tests/scanner/Test.java b/java/ql/test/library-tests/scanner/Test.java
index d5bd778fe1b..05f5b497215 100644
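Review bot: The row `"java.util;Scanner;true;findWithinHorizon;;;Argument[-1];ReturnValue;taint;manual"` is added twice in a row. Because its signature column is empty, one copy already matches both the `(Pattern,int)` and `(String,int)` overloads, so the second copy can be deleted. Separately, the new `nextBoolean`, `nextByte`, `nextInt`, `nextLong`, `nextShort`, `nextFloat` and `nextDouble` rows propagate taint into primitive return values. Presumably the injection queries that consume these summaries sanitize on primitive and boxed types, but it is worth confirming against their expected results so scanner-parsed numbers do not surface as new alerts. The list of summary rows begins and ends outside this hunk.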
--- a/java/ql/test/library-tests/scanner/Test.java +++ b/java/ql/test/library-tests/scanner/Test.java @@ -2,6 +2,8 @@ package generatedtest; import java.io.File; import java.io.InputStream; +import java.math.BigDecimal; +import java.math.BigInteger; import java.nio.channels.ReadableByteChannel; import java.nio.charset.Charset; import java.nio.file.Path; 
@@ -11,173 +13,316 @@ import java.util.regex.Pattern; // Test case generated by GenerateFlowTestCase.ql public class Test { - Object source() { return null; } - void sink(Object o) { } + Object source() { + return null; + } + + void sink(Object o) {} public void test() throws Exception { { // "java.util;Scanner;true;Scanner;;;Argument[0];Argument[-1];taint;manual" Scanner out = null; - File in = (File)source(); + File in = (File) source(); out = new Scanner(in); sink(out); // $ hasTaintFlow } { // "java.util;Scanner;true;Scanner;;;Argument[0];Argument[-1];taint;manual" Scanner out = null; - File in = (File)source(); - out = new Scanner(in, (Charset)null); + File in = (File) source(); + out = new Scanner(in, (Charset) null); sink(out); // $ hasTaintFlow } { // "java.util;Scanner;true;Scanner;;;Argument[0];Argument[-1];taint;manual" Scanner out = null; - File in = (File)source(); - out = new Scanner(in, (String)null); + File in = (File) source(); + out = new Scanner(in, (String) null); sink(out); // $ hasTaintFlow } { // "java.util;Scanner;true;Scanner;;;Argument[0];Argument[-1];taint;manual" Scanner out = null; - InputStream in = (InputStream)source(); + InputStream in = (InputStream) source(); out = new Scanner(in); sink(out); // $ hasTaintFlow } { // "java.util;Scanner;true;Scanner;;;Argument[0];Argument[-1];taint;manual" Scanner out = null; - InputStream in = (InputStream)source(); - out = new Scanner(in, (Charset)null); + InputStream in = (InputStream) source(); + out = new Scanner(in, (Charset) null); sink(out); // $ hasTaintFlow } { // "java.util;Scanner;true;Scanner;;;Argument[0];Argument[-1];taint;manual" Scanner out = null; - InputStream in = (InputStream)source(); - out = new Scanner(in, (String)null); + InputStream in = (InputStream) source(); + out = new Scanner(in, (String) null); sink(out); // $ hasTaintFlow } { // "java.util;Scanner;true;Scanner;;;Argument[0];Argument[-1];taint;manual" Scanner out = null; - Path in = (Path)source(); + Path in = (Path) 
source(); out = new Scanner(in); sink(out); // $ hasTaintFlow } { // "java.util;Scanner;true;Scanner;;;Argument[0];Argument[-1];taint;manual" Scanner out = null; - Path in = (Path)source(); - out = new Scanner(in, (Charset)null); + Path in = (Path) source(); + out = new Scanner(in, (Charset) null); sink(out); // $ hasTaintFlow } { // "java.util;Scanner;true;Scanner;;;Argument[0];Argument[-1];taint;manual" Scanner out = null; - Path in = (Path)source(); - out = new Scanner(in, (String)null); + Path in = (Path) source(); + out = new Scanner(in, (String) null); sink(out); // $ hasTaintFlow } { // "java.util;Scanner;true;Scanner;;;Argument[0];Argument[-1];taint;manual" Scanner out = null; - Readable in = (Readable)source(); + Readable in = (Readable) source(); out = new Scanner(in); sink(out); // $ hasTaintFlow } { // "java.util;Scanner;true;Scanner;;;Argument[0];Argument[-1];taint;manual" Scanner out = null; - ReadableByteChannel in = (ReadableByteChannel)source(); + ReadableByteChannel in = (ReadableByteChannel) source(); out = new Scanner(in); sink(out); // $ hasTaintFlow } { // "java.util;Scanner;true;Scanner;;;Argument[0];Argument[-1];taint;manual" Scanner out = null; - ReadableByteChannel in = (ReadableByteChannel)source(); - out = new Scanner(in, (Charset)null); + ReadableByteChannel in = (ReadableByteChannel) source(); + out = new Scanner(in, (Charset) null); sink(out); // $ hasTaintFlow } { // "java.util;Scanner;true;Scanner;;;Argument[0];Argument[-1];taint;manual" Scanner out = null; - ReadableByteChannel in = (ReadableByteChannel)source(); - out = new Scanner(in, (String)null); + ReadableByteChannel in = (ReadableByteChannel) source(); + out = new Scanner(in, (String) null); sink(out); // $ hasTaintFlow } { // "java.util;Scanner;true;Scanner;;;Argument[0];Argument[-1];taint;manual" Scanner out = null; - String in = (String)source(); + String in = (String) source(); out = new Scanner(in); sink(out); // $ hasTaintFlow } { - // 
"java.util;Scanner;true;next;(Pattern);;Argument[-1];ReturnValue;taint;manual" + // "java.util;Scanner;true;findInLine;;;Argument[-1];ReturnValue;taint;manual" String out = null; - Scanner in = (Scanner)source(); - out = in.next((Pattern)null); + Scanner in = (Scanner) source(); + out = in.findInLine((Pattern) null); sink(out); // $ hasTaintFlow } { - // "java.util;Scanner;true;next;(String);;Argument[-1];ReturnValue;taint;manual" + // "java.util;Scanner;true;findInLine;;;Argument[-1];ReturnValue;taint;manual" String out = null; - Scanner in = (Scanner)source(); - out = in.next((String)null); + Scanner in = (Scanner) source(); + out = in.findInLine((String) null); + sink(out); // $ hasTaintFlow + } + { + // "java.util;Scanner;true;findWithinHorizon;;;Argument[-1];ReturnValue;taint;manual" + String out = null; + Scanner in = (Scanner) source(); + out = in.findWithinHorizon((Pattern) null, 0); + sink(out); // $ hasTaintFlow + } + { + // "java.util;Scanner;true;findWithinHorizon;;;Argument[-1];ReturnValue;taint;manual" + String out = null; + Scanner in = (Scanner) source(); + out = in.findWithinHorizon((String) null, 0); + sink(out); // $ hasTaintFlow + } + { + // "java.util;Scanner;true;next;;;Argument[-1];ReturnValue;taint;manual" + String out = null; + Scanner in = (Scanner) source(); + out = in.next((Pattern) null); + sink(out); // $ hasTaintFlow + } + { + // "java.util;Scanner;true;next;;;Argument[-1];ReturnValue;taint;manual" + String out = null; + Scanner in = (Scanner) source(); + out = in.next((String) null); + sink(out); // $ hasTaintFlow + } + { + // "java.util;Scanner;true;next;;;Argument[-1];ReturnValue;taint;manual" + String out = null; + Scanner in = (Scanner) source(); + out = in.next(); + sink(out); // $ hasTaintFlow + } + { + // "java.util;Scanner;true;nextBigDecimal;;;Argument[-1];ReturnValue;taint;manual" + BigDecimal out = null; + Scanner in = (Scanner) source(); + out = in.nextBigDecimal(); + sink(out); // $ hasTaintFlow + } + { + // 
"java.util;Scanner;true;nextBigInteger;;;Argument[-1];ReturnValue;taint;manual" + BigInteger out = null; + Scanner in = (Scanner) source(); + out = in.nextBigInteger(); + sink(out); // $ hasTaintFlow + } + { + // "java.util;Scanner;true;nextBigInteger;;;Argument[-1];ReturnValue;taint;manual" + BigInteger out = null; + Scanner in = (Scanner) source(); + out = in.nextBigInteger(0); + sink(out); // $ hasTaintFlow + } + { + // "java.util;Scanner;true;nextBoolean;;;Argument[-1];ReturnValue;taint;manual" + boolean out = false; + Scanner in = (Scanner) source(); + out = in.nextBoolean(); + sink(out); // $ hasTaintFlow + } + { + // "java.util;Scanner;true;nextByte;;;Argument[-1];ReturnValue;taint;manual" + byte out = 0; + Scanner in = (Scanner) source(); + out = in.nextByte(); + sink(out); // $ hasTaintFlow + } + { + // "java.util;Scanner;true;nextByte;;;Argument[-1];ReturnValue;taint;manual" + byte out = 0; + Scanner in = (Scanner) source(); + out = in.nextByte(0); + sink(out); // $ hasTaintFlow + } + { + // "java.util;Scanner;true;nextDouble;;;Argument[-1];ReturnValue;taint;manual" + double out = 0; + Scanner in = (Scanner) source(); + out = in.nextDouble(); + sink(out); // $ hasTaintFlow + } + { + // "java.util;Scanner;true;nextFloat;;;Argument[-1];ReturnValue;taint;manual" + float out = 0; + Scanner in = (Scanner) source(); + out = in.nextFloat(); + sink(out); // $ hasTaintFlow + } + { + // "java.util;Scanner;true;nextInt;;;Argument[-1];ReturnValue;taint;manual" + int out = 0; + Scanner in = (Scanner) source(); + out = in.nextInt(); + sink(out); // $ hasTaintFlow + } + { + // "java.util;Scanner;true;nextInt;;;Argument[-1];ReturnValue;taint;manual" + int out = 0; + Scanner in = (Scanner) source(); + out = in.nextInt(0); + sink(out); // $ hasTaintFlow + } + { + // "java.util;Scanner;true;nextLine;;;Argument[-1];ReturnValue;taint;manual" + String out = null; + Scanner in = (Scanner) source(); + out = in.nextLine(); + sink(out); // $ hasTaintFlow + } + { + // 
"java.util;Scanner;true;nextLong;;;Argument[-1];ReturnValue;taint;manual" + long out = 0; + Scanner in = (Scanner) source(); + out = in.nextLong(); + sink(out); // $ hasTaintFlow + } + { + // "java.util;Scanner;true;nextLong;;;Argument[-1];ReturnValue;taint;manual" + long out = 0; + Scanner in = (Scanner) source(); + out = in.nextLong(0); + sink(out); // $ hasTaintFlow + } + { + // "java.util;Scanner;true;nextShort;;;Argument[-1];ReturnValue;taint;manual" + short out = 0; + Scanner in = (Scanner) source(); + out = in.nextShort(); + sink(out); // $ hasTaintFlow + } + { + // "java.util;Scanner;true;nextShort;;;Argument[-1];ReturnValue;taint;manual" + short out = 0; + Scanner in = (Scanner) source(); + out = in.nextShort(0); sink(out); // $ hasTaintFlow } { // "java.util;Scanner;true;reset;;;Argument[-1];ReturnValue;value;manual" Scanner out = null; - Scanner in = (Scanner)source(); + Scanner in = (Scanner) source(); out = in.reset(); sink(out); // $ hasValueFlow } { // "java.util;Scanner;true;skip;;;Argument[-1];ReturnValue;value;manual" Scanner out = null; - Scanner in = (Scanner)source(); - out = in.skip((Pattern)null); + Scanner in = (Scanner) source(); + out = in.skip((Pattern) null); sink(out); // $ hasValueFlow } { // "java.util;Scanner;true;skip;;;Argument[-1];ReturnValue;value;manual" Scanner out = null; - Scanner in = (Scanner)source(); - out = in.skip((String)null); + Scanner in = (Scanner) source(); + out = in.skip((String) null); sink(out); // $ hasValueFlow } { // "java.util;Scanner;true;useDelimiter;;;Argument[-1];ReturnValue;value;manual" Scanner out = null; - Scanner in = (Scanner)source(); - out = in.useDelimiter((Pattern)null); + Scanner in = (Scanner) source(); + out = in.useDelimiter((Pattern) null); sink(out); // $ hasValueFlow } { // "java.util;Scanner;true;useDelimiter;;;Argument[-1];ReturnValue;value;manual" Scanner out = null; - Scanner in = (Scanner)source(); - out = in.useDelimiter((String)null); + Scanner in = (Scanner) source(); + out = 
in.useDelimiter((String) null); sink(out); // $ hasValueFlow } { // "java.util;Scanner;true;useLocale;;;Argument[-1];ReturnValue;value;manual" Scanner out = null; - Scanner in = (Scanner)source(); + Scanner in = (Scanner) source(); out = in.useLocale(null); sink(out); // $ hasValueFlow } { // "java.util;Scanner;true;useRadix;;;Argument[-1];ReturnValue;value;manual" Scanner out = null; - Scanner in = (Scanner)source(); + Scanner in = (Scanner) source(); out = in.useRadix(0); sink(out); // $ hasValueFlow } } -} \ No newline at end of file +}