From 715d3725721c3016bf116f90af85532a77eb1e3f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz=20Sanchez?=
Date: Wed, 12 Jan 2022 10:54:27 +0100
Subject: [PATCH 1/2] Add models for AbstractStringBuilder.substring,subsequence,getChars
---
java/ql/lib/semmle/code/java/frameworks/Strings.qll | 3 +++
1 file changed, 3 insertions(+)
diff --git a/java/ql/lib/semmle/code/java/frameworks/Strings.qll b/java/ql/lib/semmle/code/java/frameworks/Strings.qll
index 4eca6eec4b2..512d9e80aad 100644
--- a/java/ql/lib/semmle/code/java/frameworks/Strings.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/Strings.qll
@@ -46,11 +46,14 @@ private class StringSummaryCsv extends SummaryModelCsv {
 "java.lang;AbstractStringBuilder;true;AbstractStringBuilder;(String);;Argument[0];Argument[-1];taint",
 "java.lang;AbstractStringBuilder;true;append;;;Argument[0];Argument[-1];taint",
 "java.lang;AbstractStringBuilder;true;append;;;Argument[-1];ReturnValue;value",
+ "java.lang;AbstractStringBuilder;true;getChars;;;Argument[-1];Argument[2];taint",
 "java.lang;AbstractStringBuilder;true;insert;;;Argument[1];Argument[-1];taint",
 "java.lang;AbstractStringBuilder;true;insert;;;Argument[-1];ReturnValue;value",
 "java.lang;AbstractStringBuilder;true;replace;;;Argument[-1];ReturnValue;value",
 "java.lang;AbstractStringBuilder;true;replace;;;Argument[2];Argument[-1];taint",
 "java.lang;AbstractStringBuilder;true;reverse;;;Argument[-1];ReturnValue;value",
+ "java.lang;AbstractStringBuilder;true;subSequence;;;Argument[-1];ReturnValue;taint",
+ "java.lang;AbstractStringBuilder;true;substring;;;Argument[-1];ReturnValue;taint",
 "java.lang;AbstractStringBuilder;true;toString;;;Argument[-1];ReturnValue;taint",
 "java.lang;StringBuffer;true;StringBuffer;(CharSequence);;Argument[0];Argument[-1];taint",
 "java.lang;StringBuffer;true;StringBuffer;(String);;Argument[0];Argument[-1];taint",
From c2105e506bd64dd8874896cdeb7174997f6d693a Mon Sep 17 00:00:00 2001
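Review bot: The new `getChars` row is the only one in this block whose output is a positional argument (`Argument[2]`, the `char[]` destination) rather than `Argument[-1]` or `ReturnValue`, and nothing nearby says which parameter that index denotes, while the neighbouring `replace` row uses `Argument[2]` for a different parameter in the opposite direction. A one-line comment above the row, e.g. `// getChars(int srcBegin, int srcEnd, char[] dst, int dstBegin): builder contents are copied into dst (Argument[2])`, would keep the model readable. The empty signature column on the `substring` row presumably covers both the `(int)` and `(int,int)` overloads, which is consistent with how the `append`/`insert` rows are written. The enclosing `StringSummaryCsv` class starts before this hunk.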
From: Tony Torralba
Date: Wed, 12 Jan 2022 11:06:58 +0100
Subject: [PATCH 2/2] Added test cases
---
.../dataflow/taint/StringBuilderTests.java | 23 +++++++++++++++++++
.../dataflow/taint/test.expected | 3 +++
2 files changed, 26 insertions(+)
diff --git a/java/ql/test/library-tests/dataflow/taint/StringBuilderTests.java b/java/ql/test/library-tests/dataflow/taint/StringBuilderTests.java
index 5b5d2429a0e..1e8ae38ce13 100644
--- a/java/ql/test/library-tests/dataflow/taint/StringBuilderTests.java
+++ b/java/ql/test/library-tests/dataflow/taint/StringBuilderTests.java
@@ -63,4 +63,27 @@ public class StringBuilderTests {
 sb.insert(45, taint());
 sink(sb.toString());
 }
+
+ static void stringBuilderGetCharsBad() {
+ StringBuilder sb = new StringBuilder();
+ sb.append("from preferences select locale where user=''");
+ sb.append(taint());
+ char[] chars = null;
+ sb.getChars(0, 0, chars, 0);
+ sink(new String(chars));
+ }
+
+ static void stringBuilderSubSequenceBad() {
+ StringBuilder sb = new StringBuilder();
+ sb.append("from preferences select locale where user=''");
+ sb.append(taint());
+ sink(sb.subSequence(0, 0).toString());
+ }
+
+ static void stringBuilderSubstringBad() {
+ StringBuilder sb = new StringBuilder();
+ sb.append("from preferences select locale where user=''");
+ sb.append(taint());
+ sink(sb.substring(0, 0));
+ }
 }
diff --git a/java/ql/test/library-tests/dataflow/taint/test.expected b/java/ql/test/library-tests/dataflow/taint/test.expected
index e6ef721109d..4bddb7a1c62 100644
--- a/java/ql/test/library-tests/dataflow/taint/test.expected
+++ b/java/ql/test/library-tests/dataflow/taint/test.expected
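Review bot: In `stringBuilderGetCharsBad` the destination array is declared as `char[] chars = null;` and then passed to `sb.getChars(0, 0, chars, 0)`, so the fixture would throw a `NullPointerException` if it were ever executed, and the `new String(chars)` sink exists only to give the taint tracker a read of the array. These fixtures are presumably only compiled and analysed, so this is harmless for the test, but `char[] chars = new char[sb.length()]; sb.getChars(0, sb.length(), chars, 0);` would make the modelled flow (builder contents copied into the array) evident to a reader. The same applies to the zero-length `subSequence(0, 0)` and `substring(0, 0)` calls in the next two methods, which read as empty results rather than as the "contents flow to the return value" case the new models encode. The `StringBuilderTests` class starts before this hunk.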
@@ -56,6 +56,9 @@
 | StringBuilderTests.java:48:69:48:75 | taint(...) | StringBuilderTests.java:50:10:50:22 | toString(...) |
 | StringBuilderTests.java:56:24:56:30 | taint(...) | StringBuilderTests.java:57:10:57:22 | toString(...) |
 | StringBuilderTests.java:63:19:63:25 | taint(...) | StringBuilderTests.java:64:10:64:22 | toString(...) |
+| StringBuilderTests.java:70:15:70:21 | taint(...) | StringBuilderTests.java:73:10:73:26 | new String(...) |
+| StringBuilderTests.java:79:15:79:21 | taint(...) | StringBuilderTests.java:80:10:80:40 | toString(...) |
+| StringBuilderTests.java:86:15:86:21 | taint(...) | StringBuilderTests.java:87:10:87:27 | substring(...) |
 | Varargs.java:7:8:7:14 | taint(...) | Varargs.java:14:10:14:10 | s |
 | Varargs.java:8:8:8:14 | taint(...) | Varargs.java:19:10:19:10 | s |
 | Varargs.java:8:17:8:23 | taint(...) | Varargs.java:19:10:19:10 | s |