Merge branch 'main' into thirdpartyapitelemtry

java/ql/examples/qlpack.yml

@@ -1,3 +1,3 @@
 name: codeql-java-examples
 version: 0.0.0
-libraryPathDependencies: codeql-java
+libraryPathDependencies: codeql/java-all

java/ql/lib/qlpack.lock.yml

@@ -0,0 +1,4 @@
+---
+dependencies: {}
+compiled: false
+lockVersion: 1.0.0

java/ql/lib/qlpack.yml

@@ -0,0 +1,7 @@
+name: codeql/java-all
+version: 0.0.2
+dbscheme: config/semmlecode.dbscheme
+extractor: java
+library: true
+dependencies:
+    codeql/java-upgrades: 0.0.2

java/ql/lib/semmle/code/Location.qll

@@ -100,6 +100,11 @@ class Top extends @top {
   cached
   string toString() { hasName(this, result) }
 
+  /**
+   * Gets a comma-separated list of the names of the primary CodeQL classes to which this element belongs.
+   */
+  final string getPrimaryQlClasses() { result = concat(getAPrimaryQlClass(), ",") }
+
   /**
    * Gets the name of a primary CodeQL class to which this element belongs.
    *

java/ql/lib/semmle/code/java/JMX.qll

@@ -86,3 +86,20 @@ class JMXRegistrationMethod extends Method {
     )
   }
 }
+
+/** The class `javax.management.remote.JMXConnectorFactory`. */
+class TypeJMXConnectorFactory extends Class {
+  TypeJMXConnectorFactory() {
+    this.hasQualifiedName("javax.management.remote", "JMXConnectorFactory")
+  }
+}
+
+/** The class `javax.management.remote.JMXServiceURL`. */
+class TypeJMXServiceURL extends Class {
+  TypeJMXServiceURL() { this.hasQualifiedName("javax.management.remote", "JMXServiceURL") }
+}
+
+/** The class `javax.management.remote.rmi.RMIConnector`. */
+class TypeRMIConnector extends Class {
+  TypeRMIConnector() { this.hasQualifiedName("javax.management.remote.rmi", "RMIConnector") }
+}

java/ql/lib/semmle/code/java/Member.qll

@@ -183,14 +183,26 @@ class Callable extends StmtParent, Member, @callable {
   Type getParameterType(int n) { params(_, result, n, this, _) }
 
   /**
-   * Gets the signature of this callable, including its name and the types of all its parameters,
-   * identified by their simple (unqualified) names.
+   * Gets the signature of this callable, including its name and the types of all
+   * its parameters, identified by their simple (unqualified) names.
+   *
+   * The format of the string is `<name><params>`, where `<name>` is the result of
+   * the predicate `getName()` and `<params>` is the result of `paramsString()`.
+   * For example, the method `void printf(java.lang.String, java.lang.Object...)`
+   * has the string signature `printf(String, Object[])`.
    *
    * Use `getSignature` to obtain a signature including fully qualified type names.
    */
   string getStringSignature() { result = this.getName() + this.paramsString() }
 
-  /** Gets a parenthesized string containing all parameter types of this callable, separated by a comma. */
+  /**
+   * Gets a parenthesized string containing all parameter types of this callable,
+   * separated by a comma and space. For the parameter types the unqualified string
+   * representation is used. If this callable has no parameters, the result is `()`.
+   *
+   * For example, the method `void printf(java.lang.String, java.lang.Object...)`
+   * has the params string `(String, Object[])`.
+   */
   pragma[nomagic]
   string paramsString() {
     exists(int n | n = getNumberOfParameters() |
@@ -210,7 +222,12 @@ class Callable extends StmtParent, Member, @callable {
     n > 0 and result = paramUpTo(n - 1) + ", " + getParameterType(n)
   }
 
-  /** Holds if this callable has the specified string signature. */
+  /**
+   * Holds if this callable has the specified string signature.
+   *
+   * This predicate simply tests if `sig` is equal to the result of the
+   * `getStringSignature()` predicate.
+   */
   predicate hasStringSignature(string sig) { sig = this.getStringSignature() }
 
   /** Gets an exception that occurs in the `throws` clause of this callable. */
@@ -250,8 +267,10 @@ class Callable extends StmtParent, Member, @callable {
 
   /**
    * Gets the signature of this callable, where all types in the signature have a fully-qualified name.
+   * The parameter types are only separated by a comma (without space). If this callable has
+   * no parameters, the callable name is followed by `()`.
    *
-   * For example, method `void m(String s)` has the signature `m(java.lang.String)`.
+   * For example, method `void m(String s, int i)` has the signature `m(java.lang.String,int)`.
    */
   string getSignature() {
     constrs(this, _, result, _, _, _) or
@@ -581,12 +600,13 @@ class Field extends Member, ExprParent, @field, Variable {
 
   /** Gets the initializer expression of this field, if any. */
   override Expr getInitializer() {
-    exists(AssignExpr e, InitializerMethod im |
+    exists(AssignExpr e, InitializerMethod im, ExprStmt exprStmt |
       e.getDest() = this.getAnAccess() and
       e.getSource() = result and
-      pragma[only_bind_out](result).getEnclosingCallable() = im and
-      // This rules out updates in explicit initializer blocks as they are nested inside the compiler generated initializer blocks.
-      pragma[only_bind_out](e.getEnclosingStmt().getParent()) = pragma[only_bind_out](im.getBody())
+      exprStmt.getExpr() = e and
+      // This check also rules out assignments in explicit initializer blocks
+      // (CodeQL models explicit initializer blocks as BlockStmt in initializer methods)
+      exprStmt.getParent() = im.getBody()
     )
   }
 

java/ql/lib/semmle/code/java/PrintAst.qll

@@ -89,7 +89,7 @@ private predicate duplicateMetadata(Field f) {
  * Retrieves the canonical QL class(es) for entity `el`
  */
 private string getQlClass(Top el) {
-  result = "[" + concat(el.getAPrimaryQlClass(), ",") + "] "
+  result = "[" + el.getPrimaryQlClasses() + "] "
   // Alternative implementation -- do not delete. It is useful for QL class discovery.
   // result = "[" + concat(el.getAQlClass(), ",") + "] "
 }

java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll

@@ -85,6 +85,8 @@ private module Frameworks {
   private import semmle.code.java.frameworks.jackson.JacksonSerializability
   private import semmle.code.java.frameworks.JavaxJson
   private import semmle.code.java.frameworks.JaxWS
+  private import semmle.code.java.frameworks.JoddJson
+  private import semmle.code.java.frameworks.JsonJava
   private import semmle.code.java.frameworks.Optional
   private import semmle.code.java.frameworks.spring.SpringCache
   private import semmle.code.java.frameworks.spring.SpringHttp
@@ -94,11 +96,15 @@ private module Frameworks {
   private import semmle.code.java.frameworks.spring.SpringWebClient
   private import semmle.code.java.frameworks.spring.SpringBeans
   private import semmle.code.java.frameworks.spring.SpringWebMultipart
+  private import semmle.code.java.frameworks.spring.SpringWebUtil
   private import semmle.code.java.security.ResponseSplitting
   private import semmle.code.java.security.InformationLeak
+  private import semmle.code.java.security.GroovyInjection
   private import semmle.code.java.security.JexlInjectionSinkModels
+  private import semmle.code.java.security.JndiInjection
   private import semmle.code.java.security.LdapInjection
   private import semmle.code.java.security.MvelInjection
+  private import semmle.code.java.security.OgnlInjection
   private import semmle.code.java.security.XPath
   private import semmle.code.java.frameworks.android.SQLite
   private import semmle.code.java.frameworks.Jdbc
@@ -264,11 +270,15 @@ private predicate summaryModelCsv(string row) {
       // qualifier to arg
       "java.io;InputStream;true;read;(byte[]);;Argument[-1];Argument[0];taint",
       "java.io;InputStream;true;read;(byte[],int,int);;Argument[-1];Argument[0];taint",
+      "java.io;InputStream;true;readNBytes;(byte[],int,int);;Argument[-1];Argument[0];taint",
+      "java.io;InputStream;true;transferTo;(OutputStream);;Argument[-1];Argument[0];taint",
       "java.io;ByteArrayOutputStream;false;writeTo;;;Argument[-1];Argument[0];taint",
       "java.io;Reader;true;read;;;Argument[-1];Argument[0];taint",
       // qualifier to return
       "java.io;ByteArrayOutputStream;false;toByteArray;;;Argument[-1];ReturnValue;taint",
       "java.io;ByteArrayOutputStream;false;toString;;;Argument[-1];ReturnValue;taint",
+      "java.io;InputStream;true;readAllBytes;;;Argument[-1];ReturnValue;taint",
+      "java.io;InputStream;true;readNBytes;(int);;Argument[-1];ReturnValue;taint",
       "java.util;StringTokenizer;false;nextElement;();;Argument[-1];ReturnValue;taint",
       "java.util;StringTokenizer;false;nextToken;;;Argument[-1];ReturnValue;taint",
       "javax.xml.transform.sax;SAXSource;false;getInputSource;;;Argument[-1];ReturnValue;taint",
@@ -279,10 +289,12 @@ private predicate summaryModelCsv(string row) {
       "java.net;URI;false;toAsciiString;;;Argument[-1];ReturnValue;taint",
       "java.io;File;false;toURI;;;Argument[-1];ReturnValue;taint",
       "java.io;File;false;toPath;;;Argument[-1];ReturnValue;taint",
+      "java.nio;ByteBuffer;false;array;();;Argument[-1];ReturnValue;taint",
       "java.nio.file;Path;false;toFile;;;Argument[-1];ReturnValue;taint",
       "java.io;BufferedReader;true;readLine;;;Argument[-1];ReturnValue;taint",
       "java.io;Reader;true;read;();;Argument[-1];ReturnValue;taint",
       // arg to return
+      "java.nio;ByteBuffer;false;wrap;(byte[]);;Argument[0];ReturnValue;taint",
       "java.util;Base64$Encoder;false;encode;(byte[]);;Argument[0];ReturnValue;taint",
       "java.util;Base64$Encoder;false;encode;(ByteBuffer);;Argument[0];ReturnValue;taint",
       "java.util;Base64$Encoder;false;encodeToString;(byte[]);;Argument[0];ReturnValue;taint",
@@ -328,6 +340,7 @@ private predicate summaryModelCsv(string row) {
       "java.io;File;false;File;;;Argument[0];Argument[-1];taint",
       "java.io;File;false;File;;;Argument[1];Argument[-1];taint",
       "java.net;URI;false;URI;(String);;Argument[0];Argument[-1];taint",
+      "java.net;URL;false;URL;(String);;Argument[0];Argument[-1];taint",
       "javax.xml.transform.stream;StreamSource;false;StreamSource;;;Argument[0];Argument[-1];taint",
       "javax.xml.transform.sax;SAXSource;false;SAXSource;(InputSource);;Argument[0];Argument[-1];taint",
       "javax.xml.transform.sax;SAXSource;false;SAXSource;(XMLReader,InputSource);;Argument[1];Argument[-1];taint",

java/ql/lib/semmle/code/java/dataflow/FlowSteps.qll

@@ -108,17 +108,22 @@ abstract class TaintPreservingCallable extends Callable {
 private class StringTaintPreservingMethod extends TaintPreservingCallable {
   StringTaintPreservingMethod() {
     this.getDeclaringType() instanceof TypeString and
-    this.hasName([
-        "concat", "copyValueOf", "endsWith", "format", "formatted", "getBytes", "indent", "intern",
-        "join", "repeat", "split", "strip", "stripIndent", "stripLeading", "stripTrailing",
-        "substring", "toCharArray", "toLowerCase", "toString", "toUpperCase", "trim"
-      ])
+    (
+      this.hasName([
+          "concat", "copyValueOf", "endsWith", "format", "formatted", "getBytes", "indent",
+          "intern", "join", "repeat", "split", "strip", "stripIndent", "stripLeading",
+          "stripTrailing", "substring", "toCharArray", "toLowerCase", "toString", "toUpperCase",
+          "trim"
+        ])
+      or
+      this.hasName("valueOf") and this.getParameterType(0) instanceof Array
+    )
   }
 
   override predicate returnsTaintFrom(int arg) {
     arg = -1 and not this.isStatic()
     or
-    this.hasName(["concat", "copyValueOf"]) and arg = 0
+    this.hasName(["concat", "copyValueOf", "valueOf"]) and arg = 0
     or
     this.hasName(["format", "formatted", "join"]) and arg = [0 .. getNumberOfParameters()]
   }

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowForSerializability.qll

@@ -0,0 +1,19 @@
+/**
+ * Provides classes for performing local (intra-procedural) and
+ * global (inter-procedural) data flow analyses (for internal use only).
+ *
+ * This copy of the library is exclusively for use by `Serializability.qll` and
+ * related libraries. Configurations computed using this instance of the library
+ * are in scope whenever `java.qll` is imported, and are used to compute among
+ * other things `AdditionalTaintStep`.
+ */
+
+import java
+
+/**
+ * Provides classes for performing local (intra-procedural) and
+ * global (inter-procedural) data flow analyses (for internal use only).
+ */
+module DataFlowForSerializability {
+  import semmle.code.java.dataflow.internal.DataFlowImplForSerializability
+}