Merge branch 'main' into jcogs33/add-toByteArray-summaries

2026-04-28 10:15:14 +02:00 · 2024-07-16 10:46:36 -04:00
parent 8f6d4be256 f293b77bce
commit a73170df49
146 changed files with 2697 additions and 3506 deletions
--- a/java/ql/lib/ext/java.lang.model.yml
+++ b/java/ql/lib/ext/java.lang.model.yml
@@ -91,9 +91,6 @@ extensions:
      - ["java.lang", "Iterable", True, "iterator", "()", "", "Argument[this].Element", "ReturnValue.Element", "value", "manual"]
      - ["java.lang", "Iterable", True, "spliterator", "()", "", "Argument[this].Element", "ReturnValue.Element", "value", "manual"]
      - ["java.lang", "NullPointerException", False, "NullPointerException", "(String)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
-      - ["java.lang", "Object", True, "clone", "", "", "Argument[this].Element", "ReturnValue.Element", "value", "manual"]
-      - ["java.lang", "Object", True, "clone", "", "", "Argument[this].MapKey", "ReturnValue.MapKey", "value", "manual"]
-      - ["java.lang", "Object", True, "clone", "", "", "Argument[this].MapValue", "ReturnValue.MapValue", "value", "manual"]
      - ["java.lang", "RuntimeException", False, "RuntimeException", "(String)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
      - ["java.lang", "RuntimeException", False, "RuntimeException", "(String,Throwable)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
      - ["java.lang", "RuntimeException", False, "RuntimeException", "(String,Throwable)", "", "Argument[1]", "Argument[this].SyntheticField[java.lang.Throwable.cause]", "value", "manual"]
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplSpecific.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplSpecific.qll
@@ -22,6 +22,8 @@ module JavaDataFlow implements InputSig<Location> {

  predicate getSecondLevelScope = Private::getSecondLevelScope/1;

+  predicate validParameterAliasStep = Private::validParameterAliasStep/2;
+
  predicate mayBenefitFromCallContext = Private::mayBenefitFromCallContext/1;

  predicate viableImplInCallContext = Private::viableImplInCallContext/2;
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
@@ -400,21 +400,18 @@ class CastNode extends ExprNode {
  }
 }

-private predicate id_member(Member x, Member y) { x = y }
-
-private predicate idOf_member(Member x, int y) = equivalenceRelation(id_member/2)(x, y)
-
-private int summarizedCallableId(SummarizedCallable c) {
-  c =
-    rank[result](SummarizedCallable c0, int b, int i, string s |
-      b = 0 and idOf_member(c0.asCallable(), i) and s = ""
-      or
-      b = 1 and i = 0 and s = c0.asSyntheticCallable()
-    |
-      c0 order by b, i, s
-    )
+/** Holds if `n1` is the qualifier of a call to `clone()` and `n2` is the result. */
+predicate cloneStep(Node n1, Node n2) {
+  exists(MethodCall mc |
+    mc.getMethod() instanceof CloneMethod and
+    n1 = getInstanceArgument(mc) and
+    n2.asExpr() = mc
+  )
 }

+bindingset[node1, node2]
+predicate validParameterAliasStep(Node node1, Node node2) { not cloneStep(node1, node2) }
+
 private newtype TDataFlowCallable =
  TSrcCallable(Callable c) or
  TSummarizedCallable(SummarizedCallable c) or
@@ -448,28 +445,10 @@ class DataFlowCallable extends TDataFlowCallable {
    result = this.asSummarizedCallable().getLocation() or
    result = this.asFieldScope().getLocation()
  }
-
-  /** Gets a best-effort total ordering. */
-  int totalorder() {
-    this =
-      rank[result](DataFlowCallable c, int b, int i |
-        b = 0 and idOf_member(c.asCallable(), i)
-        or
-        b = 1 and i = summarizedCallableId(c.asSummarizedCallable())
-        or
-        b = 2 and idOf_member(c.asFieldScope(), i)
-      |
-        c order by b, i
-      )
-  }
 }

 class DataFlowExpr = Expr;

-private predicate id_call(Call x, Call y) { x = y }
-
-private predicate idOf_call(Call x, int y) = equivalenceRelation(id_call/2)(x, y)
-
 private newtype TDataFlowCall =
  TCall(Call c) or
  TSummaryCall(SummarizedCallable c, FlowSummaryImpl::Private::SummaryNode receiver) {
@@ -502,19 +481,6 @@ class DataFlowCall extends TDataFlowCall {
  ) {
    this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
  }
-
-  /** Gets a best-effort total ordering. */
-  int totalorder() {
-    this =
-      rank[result](DataFlowCall c, int b, int i |
-        b = 0 and idOf_call(c.asCall(), i)
-        or
-        b = 1 and // not guaranteed to be total
-        exists(SummarizedCallable sc | c = TSummaryCall(sc, _) and i = summarizedCallableId(sc))
-      |
-        c order by b, i
-      )
-  }
 }

 /** A source call, that is, a `Call`. */
@@ -549,16 +515,10 @@ class SummaryCall extends DataFlowCall, TSummaryCall {
  override Location getLocation() { result = c.getLocation() }
 }

-private predicate id(BasicBlock x, BasicBlock y) { x = y }
-
-private predicate idOf(BasicBlock x, int y) = equivalenceRelation(id/2)(x, y)
-
 class NodeRegion instanceof BasicBlock {
  string toString() { result = "NodeRegion" }

  predicate contains(Node n) { n.asExpr().getBasicBlock() = this }
-
-  int totalOrder() { idOf(this, result) }
 }

 /** Holds if `e` is an expression that always has the same Boolean value `val`. */
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowUtil.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowUtil.qll
@@ -258,6 +258,8 @@ private predicate simpleLocalFlowStep0(Node node1, Node node2, string model) {
    model = "ValuePreservingMethod"
  )
  or
+  cloneStep(node1, node2) and model = "CloneStep"
+  or
  FlowSummaryImpl::Private::Steps::summaryLocalStep(node1.(FlowSummaryNode).getSummaryNode(),
    node2.(FlowSummaryNode).getSummaryNode(), true, model)
 }
--- a/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -316,9 +316,6 @@ private predicate qualifierToMethodStep(Expr tracked, MethodCall sink, string mo
 * Methods that return tainted data when called on tainted data.
 */
 private predicate taintPreservingQualifierToMethod(Method m, string model) {
-  model = "" and
-  m instanceof CloneMethod
-  or
  model = "%StringWriter" and
  m.getDeclaringType().getQualifiedName().matches("%StringWriter") and
  (
--- a/java/ql/lib/semmle/code/java/frameworks/Jndi.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/Jndi.qll
@@ -44,8 +44,12 @@ class MethodLdapNameAddAll extends Method {
  }
 }

-/** A method with the name `clone` declared in `javax.naming.ldap.LdapName`. */
-class MethodLdapNameClone extends Method {
+/**
+ * DEPRECATED: No longer needed as clone steps are handled uniformly.
+ *
+ * A method with the name `clone` declared in `javax.naming.ldap.LdapName`.
+ */
+deprecated class MethodLdapNameClone extends Method {
  MethodLdapNameClone() {
    this.getDeclaringType() instanceof TypeLdapName and
    this.hasName("clone")
--- a/java/ql/lib/semmle/code/java/security/LdapInjection.qll
+++ b/java/ql/lib/semmle/code/java/security/LdapInjection.qll
@@ -62,7 +62,7 @@ private predicate ldapNameAddAllStep(DataFlow::ExprNode n1, DataFlow::ExprNode n

 /**
 * Holds if `n1` to `n2` is a dataflow step that converts between `LdapName` and `LdapName` or
- * `String`, i.e. `taintedLdapName.clone()`, `taintedLdapName.getAll()`,
+ * `String`, i.e. `taintedLdapName.getAll()`,
 * `taintedLdapName.getRdns()` or `taintedLdapName.toString()`.
 */
 private predicate ldapNameGetCloneStep(DataFlow::ExprNode n1, DataFlow::ExprNode n2) {
@@ -71,7 +71,6 @@ private predicate ldapNameGetCloneStep(DataFlow::ExprNode n1, DataFlow::ExprNode
    n2.asExpr() = ma and
    ma.getMethod() = m
  |
-    m instanceof MethodLdapNameClone or
    m instanceof MethodLdapNameGetAll or
    m instanceof MethodLdapNameGetRdns or
    m instanceof MethodLdapNameToString