Fix dataflow for kotlin.Array.iterator()

2026-05-03 20:58:03 +02:00 · 2022-04-27 11:12:23 +02:00
parent 776322bac2
commit 538e05995a
4 changed files with 20 additions and 0 deletions
--- a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
@@ -143,6 +143,7 @@ private module Frameworks {
  private import semmle.code.java.frameworks.JMS
  private import semmle.code.java.frameworks.RabbitMQ
  private import semmle.code.java.regex.RegexFlowModels
+  private import semmle.code.java.frameworks.KotlinStdLib
 }

 private predicate sourceModelCsv(string row) {
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
@@ -205,6 +205,11 @@ private predicate canContainBool(Type t) {
  any(BooleanType b).(RefType).getASourceSupertype+() = t
 }

+private predicate isArray(Type t) {
+  t instanceof Array or
+  t.(RefType).getSourceDeclaration().hasQualifiedName("kotlin", "Array")
+}
+
 /**
 * Holds if `t1` and `t2` are compatible, that is, whether data can flow from
 * a node of type `t1` to a node of type `t2`.
@@ -221,6 +226,9 @@ predicate compatibleTypes(Type t1, Type t2) {
    erasedHaveIntersection(e1, e2)
    or
    canContainBool(e1) and canContainBool(e2)
+    or
+    // Make java array and `kotlin.Array` types compatible.
+    isArray(e1) and isArray(e2)
  )
 }

--- a/java/ql/lib/semmle/code/java/frameworks/KotlinStdLib.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/KotlinStdLib.qll
@@ -0,0 +1,10 @@
+/** Definitions of taint steps in the KotlinStdLib framework */
+
+import java
+private import semmle.code.java.dataflow.ExternalFlow
+
+private class KotlinStdLibSummaryCsv extends SummaryModelCsv {
+  override predicate row(string row) {
+    row = ["kotlin;Array;false;iterator;();;Argument[-1].ArrayElement;ReturnValue.Element;value"]
+  }
+}