Java: Fix more broken performance.
@@ -278,21 +278,23 @@ private predicate inputStreamWrapper(Constructor c, int argi) {
|
||||
|
||||
/** An object construction that preserves the data flow status of any of its arguments. */
|
||||
private predicate constructorStep(Expr tracked, ConstructorCall sink, string model) {
|
||||
exists(int argi | sink.getArgument(argi) = tracked |
|
||||
exists(int argi | sink.getArgument(pragma[only_bind_into](argi)) = tracked |
|
||||
// wrappers constructed by extension
|
||||
exists(Constructor c, Parameter p, SuperConstructorInvocationStmt sup |
|
||||
c = sink.getConstructor() and
|
||||
p = c.getParameter(argi) and
|
||||
p = c.getParameter(pragma[only_bind_into](argi)) and
|
||||
sup.getEnclosingCallable() = c and
|
||||
constructorStep(p.getAnAccess(), sup, model)
|
||||
)
|
||||
or
|
||||
// a custom InputStream that wraps a tainted data source is tainted
|
||||
model = "inputStreamWrapper" and
|
||||
inputStreamWrapper(sink.getConstructor(), argi)
|
||||
inputStreamWrapper(sink.getConstructor(), pragma[only_bind_into](argi))
|
||||
or
|
||||
model = "TaintPreservingCallable" and
|
||||
sink.getConstructor().(TaintPreservingCallable).returnsTaintFrom(argToParam(sink, argi))
|
||||
sink.getConstructor()
|
||||
.(TaintPreservingCallable)
|
||||
.returnsTaintFrom(argToParam(sink, pragma[only_bind_into](argi)))
|
||||
)
|
||||
}
|
||||
|
||||
|
||||
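Review bot: The four `pragma[only_bind_into](argi)` wrappers in `constructorStep` (on `sink.getArgument`, `c.getParameter`, `inputStreamWrapper` and `argToParam`) have no comment saying which join order they are meant to prevent, and the commit title gives no detail either. As far as the visible lines show, the pragma is only a binding-direction hint and should not change which constructor calls count as taint-preserving, so a later cleanup could remove it without any result-based test failing and bring the slow evaluation back. I would add a line above the outer `exists`, for example `// only_bind_into(argi): stop the optimizer from joining on argi first, which evaluates badly here`, with the wording adjusted to the join order that was actually observed.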
@@ -20,8 +20,10 @@ private predicate externalStorageFlowStep(DataFlow::Node node1, DataFlow::Node n
|
||||
node2.asExpr().(FieldRead).getField().getInitializer() = node1.asExpr()
|
||||
}
|
||||
|
||||
private predicate externalStorageFlow(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
externalStorageFlowStep*(node1, node2)
|
||||
private predicate externalStorageDirFlowsTo(DataFlow::Node n) {
|
||||
sourceNode(n, "android-external-storage-dir")
|
||||
or
|
||||
exists(DataFlow::Node mid | externalStorageDirFlowsTo(mid) and externalStorageFlowStep(mid, n))
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -29,9 +31,8 @@ private predicate externalStorageFlow(DataFlow::Node node1, DataFlow::Node node2
|
||||
* This is controllable by third-party applications, so is treated as a remote flow source.
|
||||
*/
|
||||
predicate androidExternalStorageSource(DataFlow::Node n) {
|
||||
exists(DataFlow::Node externalDir, DirectFileReadExpr read |
|
||||
sourceNode(externalDir, "android-external-storage-dir") and
|
||||
exists(DirectFileReadExpr read |
|
||||
n.asExpr() = read and
|
||||
externalStorageFlow(externalDir, DataFlow::exprNode(read.getFileExpr()))
|
||||
externalStorageDirFlowsTo(DataFlow::exprNode(read.getFileExpr()))
|
||||
)
|
||||
}
|
||||
|
||||
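Review bot: The new `externalStorageDirFlowsTo` predicate has no QLDoc, and its `sourceNode` base case is what preserves the zero-step behaviour of the removed `externalStorageFlowStep*` closure, which is easy to miss on a later edit. I would document it with `/** Holds if n is an android-external-storage-dir source node, or is reachable from one through externalStorageFlowStep. */`. Because `androidExternalStorageSource` is described as a remote flow source, any drift between the old and new formulation would silently remove sources from the queries that depend on it. The two look equivalent from the visible lines, but it is worth confirming that the expected output of the existing tests for this source is unchanged.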