Java: Validate all accesspaths except for Field.

2026-04-28 10:15:14 +02:00 · 2023-03-21 10:50:26 +01:00
parent 6c0c06c963
commit 46ef954d5c
3 changed files with 22 additions and 5 deletions
--- a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
@@ -220,7 +220,7 @@ predicate modelCoverage(string package, int pkgs, string kind, string part, int
 /** Provides a query predicate to check the MaD models for validation errors. */
 module ModelValidation {
  private string getInvalidModelInput() {
-    exists(string pred, string input, string part |
+    exists(string pred, AccessPath input, AccessPathToken part |
      sinkModel(_, _, _, _, _, _, input, _, _) and pred = "sink"
      or
      summaryModel(_, _, _, _, _, _, input, _, _, _) and pred = "summary"
@@ -229,9 +229,10 @@ module ModelValidation {
        invalidSpecComponent(input, part) and
        not part = "" and
        not (part = "Argument" and pred = "sink") and
-        not parseArg(part, _)
+        not parseArg(part, _) and
+        not part.getName() = "Field"
        or
-        part = input.(AccessPath).getToken(0) and
+        part = input.getToken(0) and
        parseParam(part, _)
        or
        invalidIndexComponent(input, part)
@@ -241,7 +242,7 @@ module ModelValidation {
  }

  private string getInvalidModelOutput() {
-    exists(string pred, string output, string part |
+    exists(string pred, AccessPath output, AccessPathToken part |
      sourceModel(_, _, _, _, _, _, output, _, _) and pred = "source"
      or
      summaryModel(_, _, _, _, _, _, _, output, _, _) and pred = "summary"
@@ -249,7 +250,8 @@ module ModelValidation {
      (
        invalidSpecComponent(output, part) and
        not part = "" and
-        not (part = ["Argument", "Parameter"] and pred = "source")
+        not (part = ["Argument", "Parameter"] and pred = "source") and
+        not part.getName() = "Field"
        or
        invalidIndexComponent(output, part)
      ) and
--- a/java/ql/test/library-tests/dataflow/external-models/validatemodels.expected
+++ b/java/ql/test/library-tests/dataflow/external-models/validatemodels.expected
--- a/java/ql/test/library-tests/dataflow/external-models/validatemodels.ql
+++ b/java/ql/test/library-tests/dataflow/external-models/validatemodels.ql
@@ -0,0 +1,15 @@
+import java
+import semmle.code.java.dataflow.ExternalFlow
+import semmle.code.java.dataflow.internal.AccessPathSyntax
+import ModelValidation
+
+private predicate getRelevantAccessPath(string path) {
+  summaryModel(_, _, _, _, _, _, path, _, _, _) or
+  summaryModel(_, _, _, _, _, _, _, path, _, _) or
+  sinkModel(_, _, _, _, _, _, path, _, _) or
+  sourceModel(_, _, _, _, _, _, path, _, _)
+}
+
+private class AccessPathsExternal extends AccessPath::Range {
+  AccessPathsExternal() { getRelevantAccessPath(this) }
+}