Convert strings to summary model

2026-04-28 18:25:24 +02:00 · 2021-08-16 10:41:27 +02:00
parent e0d978fd58
commit 5df5805d36
4 changed files with 43 additions and 82 deletions
--- a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
@@ -89,6 +89,7 @@ private module Frameworks {
  private import semmle.code.java.frameworks.JsonJava
  private import semmle.code.java.frameworks.Objects
  private import semmle.code.java.frameworks.Optional
+  private import semmle.code.java.frameworks.Strings
  private import semmle.code.java.frameworks.spring.SpringCache
  private import semmle.code.java.frameworks.spring.SpringHttp
  private import semmle.code.java.frameworks.spring.SpringUtil
--- a/java/ql/lib/semmle/code/java/dataflow/FlowSteps.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/FlowSteps.qll
@@ -10,7 +10,6 @@ private import semmle.code.java.dataflow.DataFlow
 * ensuring that they are visible to the taint tracking library.
 */
 private module Frameworks {
-  private import semmle.code.java.Strings
  private import semmle.code.java.frameworks.jackson.JacksonSerializability
  private import semmle.code.java.frameworks.android.Intent
  private import semmle.code.java.frameworks.android.SQLite
@@ -85,30 +84,6 @@ abstract class TaintPreservingCallable extends Callable {
  predicate transfersTaint(int src, int sink) { none() }
 }

-private class StringTaintPreservingMethod extends TaintPreservingCallable {
-  StringTaintPreservingMethod() {
-    this.getDeclaringType() instanceof TypeString and
-    (
-      this.hasName([
-          "concat", "copyValueOf", "endsWith", "format", "formatted", "getBytes", "indent",
-          "intern", "join", "repeat", "split", "strip", "stripIndent", "stripLeading",
-          "stripTrailing", "substring", "toCharArray", "toLowerCase", "toString", "toUpperCase",
-          "trim"
-        ])
-      or
-      this.hasName("valueOf") and this.getParameterType(0) instanceof Array
-    )
-  }
-
-  override predicate returnsTaintFrom(int arg) {
-    arg = -1 and not this.isStatic()
-    or
-    this.hasName(["concat", "copyValueOf", "valueOf"]) and arg = 0
-    or
-    this.hasName(["format", "formatted", "join"]) and arg = [0 .. getNumberOfParameters()]
-  }
-}
-
 private class NumberTaintPreservingCallable extends TaintPreservingCallable {
  int argument;

@@ -128,46 +103,3 @@ private class NumberTaintPreservingCallable extends TaintPreservingCallable {

  override predicate returnsTaintFrom(int arg) { arg = argument }
 }
-
-/** Holds for the types `StringBuilder`, `StringBuffer`, and `StringWriter`. */
-private predicate stringBuilderType(RefType t) {
-  t instanceof StringBuildingType or
-  t.hasQualifiedName("java.io", "StringWriter")
-}
-
-private class StringBuilderTaintPreservingCallable extends TaintPreservingCallable {
-  StringBuilderTaintPreservingCallable() {
-    exists(Method m |
-      this.(Method).overrides*(m) and
-      stringBuilderType(m.getDeclaringType()) and
-      m.hasName(["append", "insert", "replace", "toString", "write"])
-    )
-    or
-    this.(Constructor).getParameterType(0) instanceof RefType and
-    stringBuilderType(this.getDeclaringType())
-  }
-
-  override predicate returnsTaintFrom(int arg) {
-    arg = -1 and
-    not this instanceof Constructor
-    or
-    this instanceof Constructor and arg = 0
-    or
-    this.hasName("append") and arg = 0
-    or
-    this.hasName("insert") and arg = 1
-    or
-    this.hasName("replace") and arg = 2
-  }
-
-  override predicate transfersTaint(int src, int sink) {
-    returnsTaintFrom(src) and
-    sink = -1 and
-    src != -1 and
-    not this instanceof Constructor
-    or
-    this.hasName("write") and
-    src = 0 and
-    sink = -1
-  }
-}
--- a/java/ql/src/semmle/code/java/Strings.qll
+++ b/java/ql/src/semmle/code/java/Strings.qll
@@ -1,14 +0,0 @@
-/** Definitions of taint steps in String and String-related classes of the JDK */
-
-import java
-private import semmle.code.java.dataflow.ExternalFlow
-
-private class StringSummaryCsv extends SummaryModelCsv {
-  override predicate row(string row) {
-    row =
-      [
-        //`namespace; type; subtypes; name; signature; ext; input; output; kind`
-        "java.lang;String;false;String;;;Argument[0];Argument[-1];taint"
-      ]
-  }
-}
--- a/java/ql/src/semmle/code/java/frameworks/Strings.qll
+++ b/java/ql/src/semmle/code/java/frameworks/Strings.qll
@@ -0,0 +1,42 @@
+/** Definitions of taint steps in String and String-related classes of the JDK */
+
+import java
+private import semmle.code.java.dataflow.ExternalFlow
+
+private class StringSummaryCsv extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        //`namespace; type; subtypes; name; signature; ext; input; output; kind`
+        "java.lang;String;false;concat;(String);;Argument[0];ReturnValue;taint",
+        "java.lang;String;false;copyValueOf;;;Argument[0];ReturnValue;taint",
+        "java.lang;String;false;endsWith;;;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;format;(Locale,String,Object[]);;Argument[1];ReturnValue;taint",
+        "java.lang;String;false;format;(Locale,String,Object[]);;ArrayElement of Argument[2];ReturnValue;taint",
+        "java.lang;String;false;format;(String,Object[]);;Argument[0];ReturnValue;taint",
+        "java.lang;String;false;format;(String,Object[]);;ArrayElement of Argument[1];ReturnValue;taint",
+        "java.lang;String;false;formatted;(Object[]);;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;formatted;(Object[]);;ArrayElement of Argument[0];ReturnValue;taint",
+        "java.lang;String;false;getBytes;;;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;indent;;;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;intern;;;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;join;;;Argument[0..1];ReturnValue;taint",
+        "java.lang;String;false;repeat;(int);;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;split;;;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;String;;;Argument[0];Argument[-1];value",
+        "java.lang;String;false;strip;;;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;stripIndent;;;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;stripLeading;;;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;stripTrailing;;;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;substring;;;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;toCharArray;;;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;toLowerCase;;;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;toString;;;Argument[-1];ReturnValue;value",
+        "java.lang;String;false;toUpperCase;;;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;trim;;;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;valueOf;(char);;Argument[0];ReturnValue;taint",
+        "java.lang;String;false;valueOf;(char[],int,int);;Argument[0];ReturnValue;taint",
+        "java.lang;String;false;valueOf;(char[]);;Argument[0];ReturnValue;taint"
+      ]
+  }
+}