Add MethodAccessSystemGetProperty predicate

2026-04-28 18:25:24 +02:00 · 2021-01-01 20:07:45 -05:00
parent 2bb96369f1
commit 54950c2f42
5 changed files with 51 additions and 1 deletions
--- a/java/ql/src/semmle/code/java/JDK.qll
+++ b/java/ql/src/semmle/code/java/JDK.qll
@@ -211,6 +211,21 @@ class MethodSystemGetProperty extends Method {
  }
 }

+/**
+ * Any method access to a method named `getProperty` on class `java.lang.System`.
+ */
+class MethodAccessSystemGetProperty extends MethodAccess {
+  MethodAccessSystemGetProperty() { getMethod() instanceof MethodSystemGetProperty }
+
+  /**
+   * Holds true if this is a compile-time constant call for the specified `propertyName`.
+   * Eg. `System.getProperty("user.dir")`.
+   */
+  predicate hasCompileTimeConstantGetPropertyName(string propertyName) {
+    this.getArgument(0).(CompileTimeConstantExpr).getStringValue() = propertyName
+  }
+}
+
 /**
 * Any method named `exit` on class `java.lang.Runtime` or `java.lang.System`.
 */
--- a/java/ql/src/semmle/code/java/PrintAst.ql
+++ b/java/ql/src/semmle/code/java/PrintAst.ql
@@ -16,5 +16,6 @@ class PrintAstConfigurationOverride extends PrintAstConfiguration {
  /**
   * TWEAK THIS PREDICATE AS NEEDED.
   */
-  override predicate shouldPrint(Element e, Location l) { super.shouldPrint(e, l) }
+  override predicate shouldPrint(Element e, Location l) { super.shouldPrint(e, l) and 
+    not l.getFile().getBaseName().matches("SystemGetPropertyCall.java") }
 }
--- a/java/ql/test/library-tests/JDK/SystemGetPropertyCall.expected
+++ b/java/ql/test/library-tests/JDK/SystemGetPropertyCall.expected
@@ -0,0 +1,3 @@
+| jdk/SystemGetPropertyCall.java:7:9:7:38 | getProperty(...) |
+| jdk/SystemGetPropertyCall.java:11:9:11:46 | getProperty(...) |
+| jdk/SystemGetPropertyCall.java:15:9:15:45 | getProperty(...) |
--- a/java/ql/test/library-tests/JDK/SystemGetPropertyCall.ql
+++ b/java/ql/test/library-tests/JDK/SystemGetPropertyCall.ql
@@ -0,0 +1,10 @@
+/**
+ * @name SystemCall
+ * @description Test the definition of System Get Property
+ */
+
+import default
+
+from MethodAccessSystemGetProperty ma
+where ma.hasCompileTimeConstantGetPropertyName("user.dir")
+select ma
--- a/java/ql/test/library-tests/JDK/jdk/SystemGetPropertyCall.java
+++ b/java/ql/test/library-tests/JDK/jdk/SystemGetPropertyCall.java
@@ -0,0 +1,21 @@
+package jdk;
+
+public class SystemGetPropertyCall {
+    private static final String USER_DIR_PROPERTY = "user.dir";
+
+    void a() {
+        System.getProperty("user.dir");
+    }
+
+    void b() {
+        System.getProperty("user.dir", "HOME");
+    }
+
+    void c() {
+        System.getProperty(USER_DIR_PROPERTY);
+    }
+
+    void d() {
+        System.getProperty("random.property");
+    }
+}