Add test for NotNullExpr flow

2026-04-28 02:05:14 +02:00 · 2022-03-02 12:21:28 +01:00
parent 4e18974889
commit cf5152baa2
3 changed files with 40 additions and 0 deletions
--- a/java/ql/test/kotlin/library-tests/dataflow/notnullexpr/NotNullExpr.kt
+++ b/java/ql/test/kotlin/library-tests/dataflow/notnullexpr/NotNullExpr.kt
@@ -0,0 +1,14 @@
+class NotNullExpr {
+  fun taint() = Uri()
+
+  fun sink(s: String) { }
+
+  fun bad() {
+    val s0 = taint()
+    sink(s0!!.getQueryParameter())
+  }
+}
+
+class Uri {
+    fun getQueryParameter() = "tainted"
+}
--- a/java/ql/test/kotlin/library-tests/dataflow/notnullexpr/test.expected
+++ b/java/ql/test/kotlin/library-tests/dataflow/notnullexpr/test.expected
@@ -0,0 +1 @@
+| NotNullExpr.kt:7:14:7:20 | taint(...) | NotNullExpr.kt:8:15:8:33 | getQueryParameter(...) |
--- a/java/ql/test/kotlin/library-tests/dataflow/notnullexpr/test.ql
+++ b/java/ql/test/kotlin/library-tests/dataflow/notnullexpr/test.ql
@@ -0,0 +1,25 @@
+import java
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.ExternalFlow
+
+class Step extends SummaryModelCsv {
+  override predicate row(string row) {
+    row = ";Uri;false;getQueryParameter;;;Argument[-1];ReturnValue;taint"
+  }
+}
+
+class Conf extends TaintTracking::Configuration {
+  Conf() { this = "qltest:notNullExprFlow" }
+
+  override predicate isSource(DataFlow::Node n) {
+    n.asExpr().(MethodAccess).getMethod().hasName("taint")
+  }
+
+  override predicate isSink(DataFlow::Node n) {
+    n.asExpr().(Argument).getCall().getCallee().hasName("sink")
+  }
+}
+
+from DataFlow::Node src, DataFlow::Node sink, Conf conf
+where conf.hasFlow(src, sink)
+select src, sink
				`@@ -0,0 +1 @@`
				`\| NotNullExpr.kt:7:14:7:20 \| taint(...) \| NotNullExpr.kt:8:15:8:33 \| getQueryParameter(...) \|`