Merge pull request #16500 from aschackmull/java/static-field-side-effect

Java: Add support for flow through side-effects on static fields.

java/ql/lib/change-notes/2024-05-15-static-field-side-effect.md

@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* Added support for data flow through side-effects on static fields. For example, when a static field containing an array is updated.

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll

@@ -40,8 +40,11 @@ private predicate fieldStep(Node node1, Node node2) {
   exists(Field f |
     // Taint fields through assigned values only if they're static
     f.isStatic() and
-    f.getAnAssignedValue() = node1.asExpr() and
     node2.(FieldValueNode).getField() = f
+  |
+    f.getAnAssignedValue() = node1.asExpr()
+    or
+    f.getAnAccess() = node1.(PostUpdateNode).getPreUpdateNode().asExpr()
   )
   or
   exists(Field f, FieldRead fr |

java/ql/test/library-tests/dataflow/fields/G.java

@@ -0,0 +1,21 @@
+public class G {
+  static Object[] f;
+
+  void sink(Object o) { }
+
+  void runsink() {
+    sink(f[0]);
+  }
+
+  void test1() {
+    f[0] = new Object();
+  }
+
+  void test2() {
+    addObj(f);
+  }
+
+  void addObj(Object[] xs) {
+    xs[0] = new Object();
+  }
+}

java/ql/test/library-tests/dataflow/fields/flow.expected

@@ -29,3 +29,5 @@
 | F.java:5:14:5:25 | new Object(...) | F.java:20:10:20:17 | f.Field1 |
 | F.java:10:16:10:27 | new Object(...) | F.java:15:10:15:17 | f.Field1 |
 | F.java:24:9:24:20 | new Object(...) | F.java:33:10:33:17 | f.Field1 |
+| G.java:11:12:11:23 | new Object(...) | G.java:7:10:7:13 | ...[...] |
+| G.java:19:13:19:24 | new Object(...) | G.java:7:10:7:13 | ...[...] |