Java: Implement ContentSet

2026-05-01 19:55:15 +02:00 · 2022-04-01 16:34:12 +02:00
parent d99bb65ea9
commit b91858e7cf
8 changed files with 35 additions and 13 deletions
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowUtil.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowUtil.qll
@@ -256,6 +256,34 @@ class SyntheticFieldContent extends Content, TSyntheticFieldContent {
  override string toString() { result = s.toString() }
 }

+/**
+ * An entity that represents a set of `Content`s.
+ *
+ * The set may be interpreted differently depending on whether it is
+ * stored into (`getAStoreContent`) or read from (`getAReadContent`).
+ */
+class ContentSet instanceof Content {
+  /** Gets a content that may be stored into when storing into this set. */
+  Content getAStoreContent() { result = this }
+
+  /** Gets a content that may be read from when reading from this set. */
+  Content getAReadContent() { result = this }
+
+  /** Gets a textual representation of this content set. */
+  string toString() { result = super.toString() }
+
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+   */
+  predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
+    super.hasLocationInfo(path, sl, sc, el, ec)
+  }
+}
+
 /**
 * A guard that validates some expression.
 *
--- a/java/ql/lib/semmle/code/java/security/AndroidSensitiveCommunicationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/AndroidSensitiveCommunicationQuery.qll
@@ -142,7 +142,7 @@ class SensitiveCommunicationConfig extends TaintTracking::Configuration {
   */
  override predicate isSanitizer(DataFlow::Node node) { node instanceof ExplicitIntentSanitizer }

-  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
    super.allowImplicitRead(node, c)
    or
    this.isSink(node)
--- a/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ImplicitPendingIntentsQuery.qll
@@ -36,7 +36,7 @@ class ImplicitPendingIntentStartConf extends TaintTracking::Configuration {
    any(ImplicitPendingIntentAdditionalTaintStep c).step(node1, state1, node2, state2)
  }

-  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
    super.allowImplicitRead(node, c)
    or
    this.isSink(node, _) and
--- a/java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/InsecureTrustManagerQuery.qll
@@ -17,7 +17,7 @@ class InsecureTrustManagerConfiguration extends DataFlow::Configuration {

  override predicate isSink(DataFlow::Node sink) { sink instanceof InsecureTrustManagerSink }

-  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
    (this.isSink(node) or this.isAdditionalFlowStep(node, _)) and
    node.getType() instanceof Array and
    c instanceof DataFlow::ArrayContent
--- a/java/ql/src/experimental/Security/CWE/CWE-200/AndroidFileIntentSource.qll
+++ b/java/ql/src/experimental/Security/CWE/CWE-200/AndroidFileIntentSource.qll
@@ -40,7 +40,7 @@ class GetContentIntentConfig extends TaintTracking2::Configuration {
    )
  }

-  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content content) {
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet content) {
    super.allowImplicitRead(node, content)
    or
    // Allow the wrapped intent created by Intent.getChooser to be consumed
--- a/java/ql/test/experimental/query-tests/security/CWE-470/UnsafeReflection.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-470/UnsafeReflection.expected
@@ -1,13 +1,9 @@
 edges
-| UnsafeReflection.java:21:28:21:60 | getParameter(...) : String | UnsafeReflection.java:25:29:25:59 | getDeclaredConstructors(...) : Constructor[] |
 | UnsafeReflection.java:21:28:21:60 | getParameter(...) : String | UnsafeReflection.java:25:29:25:62 | ...[...] |
 | UnsafeReflection.java:22:33:22:70 | getParameter(...) : String | UnsafeReflection.java:25:76:25:89 | parameterValue |
-| UnsafeReflection.java:25:29:25:59 | getDeclaredConstructors(...) : Constructor[] | UnsafeReflection.java:25:29:25:62 | ...[...] |
-| UnsafeReflection.java:33:28:33:60 | getParameter(...) : String | UnsafeReflection.java:39:13:39:38 | getDeclaredMethods(...) : Method[] |
 | UnsafeReflection.java:33:28:33:60 | getParameter(...) : String | UnsafeReflection.java:39:13:39:41 | ...[...] |
 | UnsafeReflection.java:33:28:33:60 | getParameter(...) : String | UnsafeReflection.java:39:50:39:55 | object |
 | UnsafeReflection.java:34:33:34:70 | getParameter(...) : String | UnsafeReflection.java:39:58:39:71 | parameterValue |
-| UnsafeReflection.java:39:13:39:38 | getDeclaredMethods(...) : Method[] | UnsafeReflection.java:39:13:39:41 | ...[...] |
 | UnsafeReflection.java:46:24:46:82 | beanIdOrClassName : String | UnsafeReflection.java:53:30:53:46 | beanIdOrClassName : String |
 | UnsafeReflection.java:46:132:46:168 | body : Map | UnsafeReflection.java:49:37:49:40 | body : Map |
 | UnsafeReflection.java:49:23:49:59 | (...)... : Object | UnsafeReflection.java:53:67:53:73 | rawData : Object |
@@ -24,12 +20,10 @@ edges
 nodes
 | UnsafeReflection.java:21:28:21:60 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | UnsafeReflection.java:22:33:22:70 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| UnsafeReflection.java:25:29:25:59 | getDeclaredConstructors(...) : Constructor[] | semmle.label | getDeclaredConstructors(...) : Constructor[] |
 | UnsafeReflection.java:25:29:25:62 | ...[...] | semmle.label | ...[...] |
 | UnsafeReflection.java:25:76:25:89 | parameterValue | semmle.label | parameterValue |
 | UnsafeReflection.java:33:28:33:60 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | UnsafeReflection.java:34:33:34:70 | getParameter(...) : String | semmle.label | getParameter(...) : String |
-| UnsafeReflection.java:39:13:39:38 | getDeclaredMethods(...) : Method[] | semmle.label | getDeclaredMethods(...) : Method[] |
 | UnsafeReflection.java:39:13:39:41 | ...[...] | semmle.label | ...[...] |
 | UnsafeReflection.java:39:50:39:55 | object | semmle.label | object |
 | UnsafeReflection.java:39:58:39:71 | parameterValue | semmle.label | parameterValue |
--- a/java/ql/test/library-tests/dataflow/getter/getter.ql
+++ b/java/ql/test/library-tests/dataflow/getter/getter.ql
@@ -3,10 +3,10 @@ import semmle.code.java.dataflow.internal.DataFlowImplCommon
 import semmle.code.java.dataflow.internal.DataFlowImplSpecific::Public
 import semmle.code.java.dataflow.internal.DataFlowImplSpecific::Private

-from Node n1, Content f, Node n2
+from Node n1, ContentSet f, Node n2
 where
  (
-    read(n1, f, n2) or
+    readSet(n1, f, n2) or
    getterStep(n1, f, n2)
  ) and
  n1.getEnclosingCallable().fromSource()
--- a/java/ql/test/library-tests/frameworks/android/slice/test.ql
+++ b/java/ql/test/library-tests/frameworks/android/slice/test.ql
@@ -9,7 +9,7 @@ class SliceValueFlowConf extends DefaultValueFlowConf {
 }

 class SliceTaintFlowConf extends DefaultTaintFlowConf {
-  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
    super.allowImplicitRead(node, c)
    or
    isSink(node) and