hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-01 19:55:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Model Appenable and Writer

Browse Source 
This allows us to track taint carried through all kind of writers.
This commit is contained in:
Benjamin Muskalla
2022-01-13 13:44:11 +01:00
parent 68385dfab5
commit 37ca6a5e41
3 changed files with 17 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
View File

@@ -91,6 +91,7 @@ private module Frameworks {
private import semmle.code.java.frameworks.guava.Guava
private import semmle.code.java.frameworks.jackson.JacksonSerializability
private import semmle.code.java.frameworks.javaee.jsf.JSFRenderer
private import semmle.code.java.frameworks.JavaIo
private import semmle.code.java.frameworks.JavaxJson
private import semmle.code.java.frameworks.JaxWS
private import semmle.code.java.frameworks.JoddJson

16
java/ql/lib/semmle/code/java/frameworks/JavaIo.qll Normal file
View File

@@ -0,0 +1,16 @@
/** Definitions of taint steps in Objects class of the JDK */
import java
private import semmle.code.java.dataflow.ExternalFlow
private class ObjectsSummaryCsv extends SummaryModelCsv {
override predicate row(string row) {
row =
[
//`namespace; type; subtypes; name; signature; ext; input; output; kind`
"java.lang;Appendable;false;append;;;Argument[0];Argument[-1];value",
"java.lang;Appendable;false;append;;;Argument[-1];ReturnValue;value",
"java.io;Writer;false;write;;;Argument[0];Argument[-1];value"
]
}
}

3
java/ql/lib/semmle/code/java/frameworks/Strings.qll
View File

@@ -40,9 +40,6 @@ private class StringSummaryCsv extends SummaryModelCsv {
"java.lang;String;false;valueOf;(char);;Argument[0];ReturnValue;taint",
"java.lang;String;false;valueOf;(char[],int,int);;Argument[0];ReturnValue;taint",
"java.lang;String;false;valueOf;(char[]);;Argument[0];ReturnValue;taint",
"java.io;StringWriter;true;append;;;Argument[0];Argument[-1];taint",
"java.io;StringWriter;true;append;;;Argument[-1];ReturnValue;value",
"java.io;StringWriter;true;write;;;Argument[0];Argument[-1];taint",
"java.lang;AbstractStringBuilder;true;AbstractStringBuilder;(String);;Argument[0];Argument[-1];taint",
"java.lang;AbstractStringBuilder;true;append;;;Argument[0];Argument[-1];taint",
"java.lang;AbstractStringBuilder;true;append;;;Argument[-1];ReturnValue;value",