Refactor EnvInput to MaD

2025-12-17 01:03:14 +01:00 · 2023-09-02 13:23:48 -04:00
parent d258f69ab0
commit 655470f3da
4 changed files with 21 additions and 8 deletions
--- a/java/ql/lib/ext/java.io.model.yml
+++ b/java/ql/lib/ext/java.io.model.yml
@@ -128,3 +128,8 @@ extensions:
      # sink neutrals
      - ["java.io", "File", "compareTo", "", "sink", "hq-manual"]
      - ["java.io", "File", "exists", "()", "sink", "hq-manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+    data:
+      - ["java.io", "FileInputStream", True, "FileInputStream", "", "", "Argument[this]", "file", "manual"]
--- a/java/ql/lib/ext/java.lang.model.yml
+++ b/java/ql/lib/ext/java.lang.model.yml
@@ -40,6 +40,13 @@ extensions:
      - ["java.lang", "System$Logger", True, "log", "(System$Logger$Level,String,Supplier)", "", "Argument[1..2]", "log-injection", "manual"]
      - ["java.lang", "System$Logger", True, "log", "(System$Logger$Level,String,Supplier,Throwable)", "", "Argument[1..2]", "log-injection", "manual"]
      - ["java.lang", "System$Logger", True, "log", "(System$Logger$Level,String,Throwable)", "", "Argument[1]", "log-injection", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+    data:
+      - ["java.lang", "System", False, "getenv", "", "", "ReturnValue", "environment", "manual"]
+      - ["java.lang", "System", False, "getProperties", "", "", "ReturnValue", "environment", "manual"]
+      - ["java.lang", "System", False, "getProperty", "", "", "ReturnValue", "environment", "manual"]
  - addsTo:
      pack: codeql/java-all
      extensible: summaryModel
--- a/java/ql/lib/ext/java.util.model.yml
+++ b/java/ql/lib/ext/java.util.model.yml
@@ -1,4 +1,11 @@
 extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+    data:
+      - ["java.util", "Properties", True, "get", "", "", "ReturnValue", "environment", "manual"]
+      - ["java.util", "Properties", True, "getProperty", "", "", "ReturnValue", "environment", "manual"]
+
  - addsTo:
      pack: codeql/java-all
      extensible: summaryModel
--- a/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll
@@ -233,10 +233,7 @@ deprecated class EnvInput extends DataFlow::Node {
 * environment variables.
 */
 private class EnvironmentInput extends LocalUserInput {
-  EnvironmentInput() {
-    // Results from various specific methods.
-    this.asExpr().(MethodAccess).getMethod() instanceof EnvReadMethod
-  }
+  EnvironmentInput() { sourceNode(this, "environment") }

  override string getThreatModel() { result = "environment" }
 }
@@ -268,10 +265,7 @@ private class CliInput extends LocalUserInput {
 private class FileInput extends LocalUserInput {
  FileInput() {
    // Access to files.
-    this.asExpr()
-        .(ConstructorCall)
-        .getConstructedType()
-        .hasQualifiedName("java.io", "FileInputStream")
+    sourceNode(this, "file")
  }

  override string getThreatModel() { result = "file" }