Merge pull request #1344 from aschackmull/java/validatedvariable

Java: Replace ValidatedVariable with guarded accesses.

java/ql/src/semmle/code/java/dataflow/TaintTracking.qll

@@ -59,7 +59,7 @@ module TaintTracking {
       isSanitizer(node) or
       // Ignore paths through test code.
       node.getEnclosingCallable().getDeclaringType() instanceof NonSecurityTestClass or
-      exists(ValidatedVariable var | node.asExpr() = var.getAnAccess())
+      node.asExpr() instanceof ValidatedVariableAccess
     }
 
     /** Holds if the edge from `node1` to `node2` is a taint sanitizer. */
@@ -131,7 +131,7 @@ module TaintTracking {
       isSanitizer(node) or
       // Ignore paths through test code.
       node.getEnclosingCallable().getDeclaringType() instanceof NonSecurityTestClass or
-      exists(ValidatedVariable var | node.asExpr() = var.getAnAccess())
+      node.asExpr() instanceof ValidatedVariableAccess
     }
 
     /** Holds if the edge from `node1` to `node2` is a taint sanitizer. */

java/ql/src/semmle/code/java/security/ControlledString.qll

@@ -1,4 +1,4 @@
-/*
+/**
  * Controlled strings are the opposite of tainted strings.
  * There is positive evidence that they are fully controlled by
  * the program source code.
@@ -90,7 +90,7 @@ predicate controlledString(Expr expr) {
       boxedToString(method)
     )
     or
-    exists(ValidatedVariable var | var.getAnAccess() = expr)
+    expr instanceof ValidatedVariableAccess
     or
     forex(Expr other | controlledStringLimitedProp(other, expr) | controlledString(other))
   ) and

java/ql/src/semmle/code/java/security/Validation.qll

@@ -1,4 +1,6 @@
 import semmle.code.java.Expr
+import semmle.code.java.dataflow.SSA
+import semmle.code.java.controlflow.Guards
 
 bindingset[result, i]
 private int unbindInt(int i) { i <= result and i >= result }
@@ -25,8 +27,49 @@ predicate validationMethod(Method method, int arg) {
   )
 }
 
-/** A variable that is ever passed to a string verification method. */
-class ValidatedVariable extends Variable {
+private predicate validationCall(MethodAccess ma, VarAccess va) {
+  exists(int arg | validationMethod(ma.getMethod(), arg) and ma.getArgument(arg) = va)
+}
+
+private predicate validatedAccess(VarAccess va) {
+  exists(SsaVariable v, MethodAccess guardcall |
+    va = v.getAUse() and
+    validationCall(guardcall, v.getAUse())
+  |
+    guardcall.(Guard).controls(va.getBasicBlock(), _)
+    or
+    exists(ControlFlowNode node |
+      guardcall.getMethod().getReturnType() instanceof VoidType and
+      guardcall.getControlFlowNode() = node
+    |
+      exists(BasicBlock succ |
+        succ = node.getANormalSuccessor() and
+        dominatingEdge(node.getBasicBlock(), succ) and
+        succ.bbDominates(va.getBasicBlock())
+      )
+      or
+      exists(BasicBlock bb, int i |
+        bb.getNode(i) = node and
+        bb.getNode(i + 1) = node.getANormalSuccessor()
+      |
+        bb.bbStrictlyDominates(va.getBasicBlock()) or
+        bb.getNode(any(int j | j > i)) = va
+      )
+    )
+  )
+}
+
+/** A variable access that is guarded by a string verification method. */
+class ValidatedVariableAccess extends VarAccess {
+  ValidatedVariableAccess() { validatedAccess(this) }
+}
+
+/**
+ * DEPRECATED: Use ValidatedVariableAccess instead.
+ *
+ * A variable that is ever passed to a string verification method.
+ */
+deprecated class ValidatedVariable extends Variable {
   ValidatedVariable() {
     exists(MethodAccess call, int arg, VarAccess access |
       validationMethod(call.getMethod(), arg) and