Java: Add taint modelling for string format methods

2026-05-01 03:35:13 +02:00 · 2020-09-28 16:25:45 +01:00
parent 274147c87a
commit bea38fcd07
5 changed files with 151 additions and 1 deletions
--- a/java/ql/test/library-tests/dataflow/taint-format/A.java
+++ b/java/ql/test/library-tests/dataflow/taint-format/A.java
@@ -0,0 +1,34 @@
+import java.util.Formatter;
+import java.lang.StringBuilder;
+
+class A {
+    public static String taint() { return "tainted"; }
+
+    public static void test1() {
+        String bad = taint();
+        String good = "hi";
+
+        bad.formatted(good);
+        good.formatted("a", bad, "b", good);
+        String.format("%s%s", bad, good);
+    }
+
+    public static void test2() {
+        String bad = taint();
+        Formatter f = new Formatter();
+
+        f.toString();
+        f.format("%s", bad);
+        f.toString();
+    }
+
+    public static void test3() {
+        String bad = taint();
+        StringBuilder sb = new StringBuilder();
+        Formatter f = new Formatter(sb);
+
+        sb.toString(); // false positive
+        f.format("%s", bad);
+        sb.toString();
+    }
+}
--- a/java/ql/test/library-tests/dataflow/taint-format/options
+++ b/java/ql/test/library-tests/dataflow/taint-format/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args --enable-preview -source 14 -target 14
--- a/java/ql/test/library-tests/dataflow/taint-format/test.expected
+++ b/java/ql/test/library-tests/dataflow/taint-format/test.expected
@@ -0,0 +1,24 @@
+| A.java:8:22:8:28 | taint(...) | A.java:8:22:8:28 | taint(...) |
+| A.java:8:22:8:28 | taint(...) | A.java:11:9:11:11 | bad |
+| A.java:8:22:8:28 | taint(...) | A.java:11:9:11:27 | formatted(...) |
+| A.java:8:22:8:28 | taint(...) | A.java:12:9:12:43 | formatted(...) |
+| A.java:8:22:8:28 | taint(...) | A.java:12:9:12:43 | new ..[] { .. } |
+| A.java:8:22:8:28 | taint(...) | A.java:12:29:12:31 | bad |
+| A.java:8:22:8:28 | taint(...) | A.java:13:9:13:40 | format(...) |
+| A.java:8:22:8:28 | taint(...) | A.java:13:9:13:40 | new ..[] { .. } |
+| A.java:8:22:8:28 | taint(...) | A.java:13:31:13:33 | bad |
+| A.java:17:22:17:28 | taint(...) | A.java:17:22:17:28 | taint(...) |
+| A.java:17:22:17:28 | taint(...) | A.java:21:9:21:9 | f [post update] |
+| A.java:17:22:17:28 | taint(...) | A.java:21:9:21:27 | format(...) |
+| A.java:17:22:17:28 | taint(...) | A.java:21:9:21:27 | new ..[] { .. } |
+| A.java:17:22:17:28 | taint(...) | A.java:21:24:21:26 | bad |
+| A.java:17:22:17:28 | taint(...) | A.java:22:9:22:9 | f |
+| A.java:26:22:26:28 | taint(...) | A.java:26:22:26:28 | taint(...) |
+| A.java:26:22:26:28 | taint(...) | A.java:30:9:30:10 | sb |
+| A.java:26:22:26:28 | taint(...) | A.java:30:9:30:21 | toString(...) |
+| A.java:26:22:26:28 | taint(...) | A.java:31:9:31:9 | f [post update] |
+| A.java:26:22:26:28 | taint(...) | A.java:31:9:31:27 | format(...) |
+| A.java:26:22:26:28 | taint(...) | A.java:31:9:31:27 | new ..[] { .. } |
+| A.java:26:22:26:28 | taint(...) | A.java:31:24:31:26 | bad |
+| A.java:26:22:26:28 | taint(...) | A.java:32:9:32:10 | sb |
+| A.java:26:22:26:28 | taint(...) | A.java:32:9:32:21 | toString(...) |
--- a/java/ql/test/library-tests/dataflow/taint-format/test.ql
+++ b/java/ql/test/library-tests/dataflow/taint-format/test.ql
@@ -0,0 +1,16 @@
+import java
+import semmle.code.java.dataflow.TaintTracking
+
+class Conf extends TaintTracking::Configuration {
+  Conf() { this = "qltest:dataflow:format" }
+
+  override predicate isSource(DataFlow::Node n) {
+    n.asExpr().(MethodAccess).getMethod().hasName("taint")
+  }
+
+  override predicate isSink(DataFlow::Node n) { any() }
+}
+
+from DataFlow::Node src, DataFlow::Node sink, Conf conf
+where conf.hasFlow(src, sink)
+select src, sink
				`@@ -0,0 +1 @@`
				`//semmle-extractor-options: --javac-args --enable-preview -source 14 -target 14`