hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 10:15:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #7082 from bmuskalla/filterOutputStream

Browse Source 
Java: Model taint for `FilterOutputStream`
This commit is contained in:
Benjamin Muskalla
2021-11-09 15:06:15 +01:00
committed by GitHub
parent 1e31416049 bfe2e2e0b9
commit 40e47c0ea3
4 changed files with 15 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
View File

@@ -373,7 +373,11 @@ private predicate summaryModelCsv(string row) {
"java.io;StringReader;false;StringReader;;;Argument[0];Argument[-1];taint",
"java.io;CharArrayReader;false;CharArrayReader;;;Argument[0];Argument[-1];taint",
"java.io;BufferedReader;false;BufferedReader;;;Argument[0];Argument[-1];taint",
"java.io;InputStreamReader;false;InputStreamReader;;;Argument[0];Argument[-1];taint"
"java.io;InputStreamReader;false;InputStreamReader;;;Argument[0];Argument[-1];taint",
"java.io;OutputStream;true;write;(byte[]);;Argument[0];Argument[-1];taint",
"java.io;OutputStream;true;write;(byte[],int,int);;Argument[0];Argument[-1];taint",
"java.io;OutputStream;true;write;(int);;Argument[0];Argument[-1];taint",
"java.io;FilterOutputStream;true;FilterOutputStream;(OutputStream);;Argument[0];Argument[-1];taint"
]
}

7
java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
View File

@@ -376,13 +376,6 @@ private predicate argToQualifierStep(Expr tracked, Expr sink) {
* `arg` is the index of the argument.
*/
private predicate taintPreservingArgumentToQualifier(Method method, int arg) {
exists(Method write |
method.overrides*(write) and
write.hasName("write") and
arg = 0 and
write.getDeclaringType().hasQualifiedName("java.io", "OutputStream")
)
or
method.(TaintPreservingCallable).transfersTaint(arg, -1)
}

9
java/ql/test/library-tests/dataflow/taint/A.java
View File

@@ -72,4 +72,13 @@ public class A {
arrayWrite(taint(), b);
sink(b);
}
void testFilterOutputStream() throws IOException {
ByteArrayOutputStream bOutput = new ByteArrayOutputStream();
bOutput.write(taint());
FilterOutputStream filterOutput = new FilterOutputStream(bOutput) {
};
sink(filterOutput);
}
}

1
java/ql/test/library-tests/dataflow/taint/test.expected
View File

@@ -3,6 +3,7 @@
| A.java:33:23:33:29 | taint(...) | A.java:34:10:34:27 | toByteArray(...) |
| A.java:46:27:46:33 | taint(...) | A.java:47:10:47:30 | toByteArray(...) |
| A.java:55:58:55:64 | taint(...) | A.java:61:10:61:16 | dh.data |
| A.java:78:19:78:25 | taint(...) | A.java:81:10:81:21 | filterOutput |
| B.java:15:21:15:27 | taint(...) | B.java:18:10:18:16 | aaaargs |
| B.java:15:21:15:27 | taint(...) | B.java:21:10:21:10 | s |
| B.java:15:21:15:27 | taint(...) | B.java:24:10:24:15 | concat |