Java: Convert support for fluent interfaces.

Anders Schack-Mulligen
2021-04-15 16:12:40 +02:00
parent 579c955892
commit 39862740e0
2 changed files with 8 additions and 26 deletions


@@ -150,6 +150,14 @@ predicate simpleLocalFlowStep(Node node1, Node node2) {
)
or
FlowSummaryImpl::Private::Steps::summaryLocalStep(node1, node2, true)
or
// If flow through a method updates a parameter from some input A, and that
// parameter also is returned through B, then we'd like a combined flow from A
// to B as well. As an example, this simplifies modeling of fluent methods:
// for `StringBuilder.append(x)` with a specified value flow from qualifier to
// return value and taint flow from argument 0 to the qualifier, then this
// allows the inferral of taint flow from argument 0 to the return value.
node1.(SummaryNode).(PostUpdateNode).getPreUpdateNode().(ParameterNode) = node2
}
/**
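Review bot: The new last disjunct steps from a summary post-update node back to its parameter node, the reverse of the usual pre-to-post direction, and the comment above it does not say so or explain why that is sound. The removed `composedValueAndTaintModelStep` required `src != valueSource` and a taint step into the aliased argument, whereas this replacement sits in the value-preserving `simpleLocalFlowStep` and matches any `SummaryNode` parameter update, so it presumably also composes value-to-value summaries; it is worth stating whether that widening is intended, because it changes what every taint query built on these steps reports. I would extend the comment with something like `// Note: this steps from the post-update node back to the parameter node and only applies to summary nodes, i.e. inside modelled callables.` Both files in this commit are library files, so nothing visible here pins the `StringBuilder.append` case with a test expectation. The body of `simpleLocalFlowStep` starts outside the hunk.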


@@ -46,12 +46,6 @@ predicate localTaintStep(DataFlow::Node src, DataFlow::Node sink) {
* different objects.
*/
predicate localAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {
localAdditionalBasicTaintStep(src, sink)
or
composedValueAndTaintModelStep(src, sink)
}
private predicate localAdditionalBasicTaintStep(DataFlow::Node src, DataFlow::Node sink) {
localAdditionalTaintExprStep(src.asExpr(), sink.asExpr())
or
localAdditionalTaintUpdateStep(src.asExpr(),
@@ -67,26 +61,6 @@ private predicate localAdditionalBasicTaintStep(DataFlow::Node src, DataFlow::No
not FlowSummaryImpl::Private::Steps::summaryLocalStep(src, sink, true)
}
/**
* Holds if an additional step from `src` to `sink` through a call can be inferred from the
* combination of a value-preserving step providing an alias between an input and the output
* and a taint step from `src` to one the aliased nodes. For example, if we know that `f(a, b)` returns
* the exact value of `a` and also propagates taint from `b` to `a`, then we also know that
* the return value is tainted after `f` completes.
*/
private predicate composedValueAndTaintModelStep(ArgumentNode src, DataFlow::Node sink) {
exists(Call call, ArgumentNode valueSource, DataFlow::PostUpdateNode valueSourcePost |
src.argumentOf(call, _) and
valueSource.argumentOf(call, _) and
src != valueSource and
valueSourcePost.getPreUpdateNode() = valueSource and
// in-x -value-> out-y and in-z -taint-> in-x ==> in-z -taint-> out-y
localAdditionalBasicTaintStep(src, valueSourcePost) and
DataFlow::localFlowStep(valueSource, DataFlow::exprNode(call)) and
sink = DataFlow::exprNode(call)
)
}
/**
* Holds if the additional step from `src` to `sink` should be included in all
* global taint flow configurations.