From 2c41c5b0e23dc98b2f93ba874e2caea69164f251 Mon Sep 17 00:00:00 2001
From: Tony Torralba
Date: Tue, 9 May 2023 17:27:16 +0200
Subject: [PATCH 1/4] Make inputStreamWrapper consider supertypes transitively

---
 .../semmle/code/java/dataflow/internal/TaintTrackingUtil.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
index 874c08bdaba..044b250e473 100644
--- a/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -256,7 +256,7 @@ private class BulkData extends RefType {
 */
 private predicate inputStreamWrapper(Constructor c, int argi) {
 c.getParameterType(argi) instanceof BulkData and
- c.getDeclaringType().getASourceSupertype().hasQualifiedName("java.io", "InputStream")
+ c.getDeclaringType().getASourceSupertype*().hasQualifiedName("java.io", "InputStream")
 }

 /** An object construction that preserves the data flow status of any of its arguments. */
From aa14105e1c7301dea3660cf47729423885e529ca Mon Sep 17 00:00:00 2001
From: Tony Torralba
Date: Wed, 10 May 2023 16:45:07 +0200
Subject: [PATCH 2/4] Don't use the reflexive transitive closure, so that the predicate becomes a little more efficient

---
 .../semmle/code/java/dataflow/internal/TaintTrackingUtil.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
index 044b250e473..b275c381150 100644
--- a/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
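Review bot: The doc comment that closes with the ` */` at the top of this hunk (its text lies outside the hunk) should be re-read for any "direct subtype of InputStream" wording, because with `getASourceSupertype*()` the predicate now holds for constructors anywhere down the `java.io.InputStream` hierarchy; the change note added in the last patch of this series describes exactly that shift, so the predicate comment should too. A sentence such as `* Holds if c is a constructor of a (transitive) subtype of java.io.InputStream that wraps the bulk-data argument argi.` keeps it accurate. Since the match goes through source supertypes, it is also worth saying in that comment that generic parameterisation along the chain is ignored, which I read as intended here.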
@@ -256,7 +256,7 @@ private class BulkData extends RefType {
 */
 private predicate inputStreamWrapper(Constructor c, int argi) {
 c.getParameterType(argi) instanceof BulkData and
- c.getDeclaringType().getASourceSupertype*().hasQualifiedName("java.io", "InputStream")
+ c.getDeclaringType().getASourceSupertype+().hasQualifiedName("java.io", "InputStream")
 }

 /** An object construction that preserves the data flow status of any of its arguments. */
From 549fa7e288fd72a57c43d6175837df7a461388d0 Mon Sep 17 00:00:00 2001
From: Tony Torralba
Date: Fri, 12 May 2023 15:43:27 +0200
Subject: [PATCH 3/4] Java: make inputStreamWrapper only act on constructors from outside of source

---
 .../lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll | 1 +
 1 file changed, 1 insertion(+)

diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
index b275c381150..af8f2273cbe 100644
--- a/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -255,6 +255,7 @@ private class BulkData extends RefType {
 * status of its argument.
 */
 private predicate inputStreamWrapper(Constructor c, int argi) {
+ not c.fromSource() and
 c.getParameterType(argi) instanceof BulkData and
 c.getDeclaringType().getASourceSupertype+().hasQualifiedName("java.io", "InputStream")
 }
From 183915410d71ddf36201ea12b8f7023d627140af Mon Sep 17 00:00:00 2001
From: Tony Torralba
Date: Mon, 22 May 2023 15:01:25 +0200
Subject: [PATCH 4/4] Add change note

---
 .../change-notes/2023-05-22-inputstreamwrapper-transitive.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 java/ql/lib/change-notes/2023-05-22-inputstreamwrapper-transitive.md
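Review bot: Replacing `*` with `+` on the supertype line is only result-preserving because `java.io.InputStream` declares a single no-argument constructor, so the reflexive match could never satisfy `c.getParameterType(argi) instanceof BulkData`; the commit message cites efficiency and that equivalence argument is recorded nowhere in the code. A one-line comment above the supertype check would pin it down for the next person tempted to widen it again: `// InputStream itself has only a no-arg constructor, so the non-reflexive closure loses no results.`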
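Review bot: The new `not c.fromSource() and` guard changes which constructors receive the wrapper summary, yet the predicate's doc comment (it starts outside the hunk and ends at ` */` inside it) says nothing about it, so a reader will assume a source-defined `FilterInputStream` subclass is still covered by this step. Presumably the intent is that a constructor whose body is in the database is analysed directly, so a summary here would only add a parallel flow step; that rationale belongs next to the guard, e.g. `// Library constructors only: a constructor with a body in the database is analysed directly.` One case to confirm is a source subclass whose constructor merely calls `super(in)`: it now depends on the super-constructor invocation being modelled as a step into the library constructor, since this predicate no longer matches the subclass constructor itself. The change note added in the last patch describes the new step without this restriction, so it could mention "library constructors" as well.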
diff --git a/java/ql/lib/change-notes/2023-05-22-inputstreamwrapper-transitive.md b/java/ql/lib/change-notes/2023-05-22-inputstreamwrapper-transitive.md
new file mode 100644
index 00000000000..bba77d98d89
--- /dev/null
+++ b/java/ql/lib/change-notes/2023-05-22-inputstreamwrapper-transitive.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Dataflow analysis has a new flow step through constructors of transitive subtypes of `java.io.InputStream` that wrap an underlying data source. Previously, the step only existed for direct subtypes of `java.io.InputStream`.