Model basic channel APIs

2026-04-30 03:05:15 +02:00 · 2022-01-18 10:40:39 +01:00
parent a4429d01a3
commit 8e6a15640f
3 changed files with 29 additions and 6 deletions
--- a/java/ql/lib/semmle/code/java/frameworks/JavaIo.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/JavaIo.qll
@@ -11,7 +11,10 @@ private class JavaIoSummaryCsv extends SummaryModelCsv {
        "java.lang;Appendable;true;append;;;Argument[0];Argument[-1];taint",
        "java.lang;Appendable;true;append;;;Argument[-1];ReturnValue;taint",
        "java.io;Writer;true;write;;;Argument[0];Argument[-1];taint",
-        "java.io;StringWriter;false;toString;;;Argument[-1];ReturnValue;taint"
+        "java.io;Writer;true;toString;;;Argument[-1];ReturnValue;taint",
+        "java.io;CharArrayWriter;true;toCharArray;;;Argument[-1];ReturnValue;taint",
+        "java.nio.channels;ReadableByteChannel;true;read;(ByteBuffer);;Argument[-1];Argument[0];taint",
+        "java.nio.channels;Channels;false;newChannel;(InputStream);;Argument[0];ReturnValue;taint"
      ]
  }
 }
--- a/java/ql/test/library-tests/dataflow/taint/JavaIo.java
+++ b/java/ql/test/library-tests/dataflow/taint/JavaIo.java
@@ -1,4 +1,7 @@
 import java.io.*;
+import java.nio.ByteBuffer;
+import java.nio.channels.Channels;
+import java.nio.channels.ReadableByteChannel;

 public class JavaIo {
  public static String taint() { return "tainted"; }
@@ -15,11 +18,27 @@ public class JavaIo {
  }

  void testAppendingToWriter() throws IOException {
-    StringWriter w = new StringWriter();
+    Writer w = new StringWriter();
    CharSequence seq = taint();
    sink(w.toString());
-    w.append(seq);
+    w.append("harmless").append(seq);
    sink(w.toString());
  }
+  
+  void testCharArrayWriter() throws IOException {
+    CharArrayWriter w = new CharArrayWriter();
+    CharSequence seq = taint();
+    sink(w.toCharArray());
+    w.append("harmless").append(seq);
+    sink(w.toCharArray());
+  }
+
+  void testByteChannelToBuffer() throws IOException {
+    ReadableByteChannel c = Channels.newChannel(new ByteArrayInputStream(taint().getBytes()));
+    ByteBuffer buf = ByteBuffer.allocate(10);
+    sink(buf);
+    c.read(buf);
+    sink(buf);
+  }

 }
--- a/java/ql/test/library-tests/dataflow/taint/test.expected
+++ b/java/ql/test/library-tests/dataflow/taint/test.expected
@@ -44,9 +44,10 @@
 | CharSeq.java:7:26:7:32 | taint(...) | CharSeq.java:8:12:8:14 | seq |
 | CharSeq.java:7:26:7:32 | taint(...) | CharSeq.java:11:12:11:21 | seqFromSeq |
 | CharSeq.java:7:26:7:32 | taint(...) | CharSeq.java:14:12:14:24 | stringFromSeq |
-| JavaIo.java:10:20:10:26 | taint(...) | JavaIo.java:13:10:13:21 | toString(...) |
-| JavaIo.java:10:20:10:26 | taint(...) | JavaIo.java:14:10:14:33 | toString(...) |
-| JavaIo.java:19:24:19:30 | taint(...) | JavaIo.java:22:10:22:21 | toString(...) |
+| JavaIo.java:13:20:13:26 | taint(...) | JavaIo.java:16:10:16:21 | toString(...) |
+| JavaIo.java:13:20:13:26 | taint(...) | JavaIo.java:17:10:17:33 | toString(...) |
+| JavaIo.java:30:24:30:30 | taint(...) | JavaIo.java:33:10:33:24 | toCharArray(...) |
+| JavaIo.java:37:74:37:80 | taint(...) | JavaIo.java:41:10:41:12 | buf |
 | MethodFlow.java:7:22:7:28 | taint(...) | MethodFlow.java:8:10:8:16 | tainted |
 | MethodFlow.java:9:31:9:37 | taint(...) | MethodFlow.java:10:10:10:17 | tainted2 |
 | MethodFlow.java:11:35:11:41 | taint(...) | MethodFlow.java:12:10:12:17 | tainted3 |