Fix Gson's JsonArray.add models

When the argument's type isn't JsonElement, the summary must be taint flow rather than value flow.
Tony Torralba
2023-06-07 14:12:20 +02:00
parent 6ba7f9a238
commit 35b4c438ff
2 changed files with 18 additions and 13 deletions


@@ -26,7 +26,12 @@ extensions:
- ["com.google.gson", "JsonElement", True, "getAsJsonPrimitive", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["com.google.gson", "JsonElement", True, "getAsString", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["com.google.gson", "JsonElement", True, "toString", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
- ["com.google.gson", "JsonArray", True, "add", "", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
- ["com.google.gson", "JsonArray", True, "add", "(Boolean)", "", "Argument[0]", "Argument[this].Element", "taint", "manual"]
- ["com.google.gson", "JsonArray", True, "add", "(Character)", "", "Argument[0]", "Argument[this].Element", "taint", "manual"]
- ["com.google.gson", "JsonArray", True, "add", "(JsonElement)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
- ["com.google.gson", "JsonArray", True, "add", "(Number)", "", "Argument[0]", "Argument[this].Element", "taint", "manual"]
- ["com.google.gson", "JsonArray", True, "add", "(String)", "", "Argument[0]", "Argument[this].Element", "taint", "manual"]
- ["com.google.gson", "JsonArray", True, "add", "(JsonArray)", "", "Argument[0].Element", "Argument[this].Element", "value", "manual"]
- ["com.google.gson", "JsonArray", True, "asList", "", "", "Argument[this].Element", "ReturnValue.Element", "value", "manual"]
- ["com.google.gson", "JsonArray", True, "get", "", "", "Argument[this].Element", "ReturnValue", "value", "manual"]
- ["com.google.gson", "JsonArray", True, "set", "", "", "Argument[1]", "Argument[this].Element", "value", "manual"]
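Review bot: The last added row, `add` with signature `(JsonArray)` and input `Argument[0].Element`, looks like it names the wrong method. As far as I know Gson's JsonArray has no `add(JsonArray)` overload and the element-copying method is `addAll(JsonArray)`, so a call `add(someArray)` would bind to `add(JsonElement)` and this row would never match. If that is right, flow through `addAll` stays unmodelled and taint-tracking queries would silently miss it; I would change the row to `["com.google.gson", "JsonArray", True, "addAll", "(JsonArray)", "", "Argument[0].Element", "Argument[this].Element", "value", "manual"]`. A one-line YAML comment above the five `add` rows explaining why only `(JsonElement)` keeps `value` (the other overloads presumably wrap the argument in a new primitive element) would also help the next person editing these models.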


@@ -25,7 +25,7 @@ public class Test {
<K> K getMapKeyDefault(Map.Entry<K,?> container) { return container.getKey(); }
JsonElement getMapValueDefault(JsonObject container) { return container.get(null); }
<V> V getMapValueDefault(Map.Entry<?,V> container) { return container.getValue(); }
JsonArray newWithElementDefault(String element) { JsonArray a = new JsonArray(); a.add(element); return a; }
JsonArray newWithElementDefault(JsonElement element) { JsonArray a = new JsonArray(); a.add(element); return a; }
JsonObject newWithMapKeyDefault(String key) { JsonObject o = new JsonObject(); o.add(key, (JsonElement) null); return o; }
JsonObject newWithMapValueDefault(JsonElement element) { JsonObject o = new JsonObject(); o.add(null, element); return o; }
Object source() { return null; }
@@ -232,51 +232,51 @@ public class Test {
sink(out); // $ hasTaintFlow
}
{
// "com.google.gson;JsonArray;true;add;;;Argument[0];Argument[this].Element;value;manual"
// "com.google.gson;JsonArray;true;add;(Boolean);;Argument[0];Argument[this].Element;taint;manual"
JsonArray out = null;
Boolean in = (Boolean)source();
out.add(in);
sink(getElement(out)); // $ hasValueFlow
sink(getElement(out)); // $ hasTaintFlow
}
{
// "com.google.gson;JsonArray;true;add;;;Argument[0];Argument[this].Element;value;manual"
// "com.google.gson;JsonArray;true;add;(Character);;Argument[0];Argument[this].Element;taint;manual"
JsonArray out = null;
Character in = (Character)source();
out.add(in);
sink(getElement(out)); // $ hasValueFlow
sink(getElement(out)); // $ hasTaintFlow
}
{
// "com.google.gson;JsonArray;true;add;;;Argument[0];Argument[this].Element;value;manual"
// "com.google.gson;JsonArray;true;add;(JsonElement);;Argument[0];Argument[this].Element;value;manual"
JsonArray out = null;
JsonElement in = (JsonElement)source();
out.add(in);
sink(getElement(out)); // $ hasValueFlow
}
{
// "com.google.gson;JsonArray;true;add;;;Argument[0];Argument[this].Element;value;manual"
// "com.google.gson;JsonArray;true;add;(Number);;Argument[0];Argument[this].Element;taint;manual"
JsonArray out = null;
Number in = (Number)source();
out.add(in);
sink(getElement(out)); // $ hasValueFlow
sink(getElement(out)); // $ hasTaintFlow
}
{
// "com.google.gson;JsonArray;true;add;;;Argument[0];Argument[this].Element;value;manual"
// "com.google.gson;JsonArray;true;add;(JsonArray);;Argument[0].Element;Argument[this].Element;value;manual"
JsonArray out = null;
String in = (String)source();
JsonElement in = (JsonElement)source();
out.add(in);
sink(getElement(out)); // $ hasValueFlow
}
{
// "com.google.gson;JsonArray;true;asList;;;Argument[this].Element;ReturnValue.Element;value;manual"
List out = null;
JsonArray in = (JsonArray)newWithElementDefault((String) source());
JsonArray in = (JsonArray)newWithElementDefault((JsonElement) source());
out = in.asList();
sink(getElement(out)); // $ hasValueFlow
}
{
// "com.google.gson;JsonArray;true;get;;;Argument[this].Element;ReturnValue;value;manual"
JsonElement out = null;
JsonArray in = (JsonArray)newWithElementDefault((String) source());
JsonArray in = (JsonArray)newWithElementDefault((JsonElement) source());
out = in.get(0);
sink(out); // $ hasValueFlow
}
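Review bot: The block that replaces the old `String in` case is labelled with the `add;(JsonArray)` row but declares `JsonElement in` and calls `out.add(in)`, which exercises `add(JsonElement)` again and duplicates the block two above it. As a result nothing visible in this hunk checks the new `(String)` taint row, nor the `Argument[0].Element` input of the row named in the comment. I would keep a String case with the new expectation: the comment `// "com.google.gson;JsonArray;true;add;(String);;Argument[0];Argument[this].Element;taint;manual"`, then `String in = (String)source();` and `sink(getElement(out)); // $ hasTaintFlow`. The enclosing test method starts and ends outside the hunk, so a String case may exist elsewhere in the file.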