From d02fba8c37216e01e39f185778060efa41ccbcce Mon Sep 17 00:00:00 2001
From: Tamas Vajk
Date: Tue, 16 Mar 2021 10:06:20 +0100
Subject: [PATCH] Java: adjust wrapped constructor calls
---
 .../code/java/dataflow/ExternalFlow.qll | 56 ++++++++-----------
 .../dataflow/internal/TaintTrackingUtil.qll | 3 -
 2 files changed, 22 insertions(+), 37 deletions(-)
diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
index 27875a21273..28808bc722d 100644
--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -243,28 +243,28 @@ private predicate summaryModelCsv(string row) {
 "org.apache.commons.io;IOUtils;false;writeLines;;;Argument[0];Argument[2];taint",
 "org.apache.commons.io;IOUtils;false;writeLines;;;Argument[1];Argument[2];taint",
 // constructor flow
- "java.io;File;false;File;;;Argument[0];ReturnValue;taint",
- "java.io;File;false;File;;;Argument[1];ReturnValue;taint",
- "java.net;URI;false;URI;(String);;Argument[0];ReturnValue;taint",
- "javax.xml.transform.stream;StreamSource;false;StreamSource;;;Argument[0];ReturnValue;taint",
- "javax.xml.transform.sax;SAXSource;false;SAXSource;(InputSource);;Argument[0];ReturnValue;taint",
- "javax.xml.transform.sax;SAXSource;false;SAXSource;(XMLReader,InputSource);;Argument[1];ReturnValue;taint",
- "org.xml.sax;InputSource;false;InputSource;;;Argument[0];ReturnValue;taint",
- "javax.servlet.http;Cookie;false;Cookie;;;Argument[0];ReturnValue;taint",
- "javax.servlet.http;Cookie;false;Cookie;;;Argument[1];ReturnValue;taint",
- "java.util.zip;ZipInputStream;false;ZipInputStream;;;Argument[0];ReturnValue;taint",
- "java.util.zip;GZIPInputStream;false;GZIPInputStream;;;Argument[0];ReturnValue;taint",
- "java.util;StringTokenizer;false;StringTokenizer;;;Argument[0];ReturnValue;taint",
- "java.beans;XMLDecoder;false;XMLDecoder;;;Argument[0];ReturnValue;taint",
- "com.esotericsoftware.kryo.io;Input;false;Input;;;Argument[0];ReturnValue;taint",
- "java.io;BufferedInputStream;false;BufferedInputStream;;;Argument[0];ReturnValue;taint",
- "java.io;DataInputStream;false;DataInputStream;;;Argument[0];ReturnValue;taint",
- "java.io;ByteArrayInputStream;false;ByteArrayInputStream;;;Argument[0];ReturnValue;taint",
- "java.io;ObjectInputStream;false;ObjectInputStream;;;Argument[0];ReturnValue;taint",
- "java.io;StringReader;false;StringReader;;;Argument[0];ReturnValue;taint",
- "java.io;CharArrayReader;false;CharArrayReader;;;Argument[0];ReturnValue;taint",
- "java.io;BufferedReader;false;BufferedReader;;;Argument[0];ReturnValue;taint",
- "java.io;InputStreamReader;false;InputStreamReader;;;Argument[0];ReturnValue;taint"
+ "java.io;File;false;File;;;Argument[0];Argument[-1];taint",
+ "java.io;File;false;File;;;Argument[1];Argument[-1];taint",
+ "java.net;URI;false;URI;(String);;Argument[0];Argument[-1];taint",
+ "javax.xml.transform.stream;StreamSource;false;StreamSource;;;Argument[0];Argument[-1];taint",
+ "javax.xml.transform.sax;SAXSource;false;SAXSource;(InputSource);;Argument[0];Argument[-1];taint",
+ "javax.xml.transform.sax;SAXSource;false;SAXSource;(XMLReader,InputSource);;Argument[1];Argument[-1];taint",
+ "org.xml.sax;InputSource;false;InputSource;;;Argument[0];Argument[-1];taint",
+ "javax.servlet.http;Cookie;false;Cookie;;;Argument[0];Argument[-1];taint",
+ "javax.servlet.http;Cookie;false;Cookie;;;Argument[1];Argument[-1];taint",
+ "java.util.zip;ZipInputStream;false;ZipInputStream;;;Argument[0];Argument[-1];taint",
+ "java.util.zip;GZIPInputStream;false;GZIPInputStream;;;Argument[0];Argument[-1];taint",
+ "java.util;StringTokenizer;false;StringTokenizer;;;Argument[0];Argument[-1];taint",
+ "java.beans;XMLDecoder;false;XMLDecoder;;;Argument[0];Argument[-1];taint",
+ "com.esotericsoftware.kryo.io;Input;false;Input;;;Argument[0];Argument[-1];taint",
+ "java.io;BufferedInputStream;false;BufferedInputStream;;;Argument[0];Argument[-1];taint",
+ "java.io;DataInputStream;false;DataInputStream;;;Argument[0];Argument[-1];taint",
+ "java.io;ByteArrayInputStream;false;ByteArrayInputStream;;;Argument[0];Argument[-1];taint",
+ "java.io;ObjectInputStream;false;ObjectInputStream;;;Argument[0];Argument[-1];taint",
+ "java.io;StringReader;false;StringReader;;;Argument[0];Argument[-1];taint",
+ "java.io;CharArrayReader;false;CharArrayReader;;;Argument[0];Argument[-1];taint",
+ "java.io;BufferedReader;false;BufferedReader;;;Argument[0];Argument[-1];taint",
+ "java.io;InputStreamReader;false;InputStreamReader;;;Argument[0];Argument[-1];taint"
 ]
 }
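Review bot: The `// constructor flow` comment above the 22 rewritten rows no longer explains why their output column is `Argument[-1]` rather than `ReturnValue`, and the diffstat lists only the two .qll files, so no test or expected-output change in this patch pins the new behaviour. I would extend the comment to `// constructor flow: output is Argument[-1] (the object being constructed), not ReturnValue`. I would also add or update a taint-flow test that exercises at least one deserialization wrapper row (`ObjectInputStream`, `XMLDecoder` or Kryo `Input`) and one XML source row (`SAXSource` or `StreamSource`), because a silent mismatch in these strings would drop results from the queries that rely on them without any error. How `Argument[-1]` is resolved for a constructor call is decided in `interpretOutput`, which is not part of this hunk, so that reading is presumed rather than verified here. `summaryModelCsv` begins above the hunk.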
@@ -697,15 +697,3 @@ predicate summaryStep(Node node1, Node node2, string kind) {
 interpretOutput(output, 0, ref, TNode(node2))
 )
 }
-
-/**
- * Holds if `node1` to `node2` is specified as a flow step with the given kind, input and output
- * in a CSV flow model.
- */
-predicate summaryStep(Node node1, Node node2, string kind, string input, string output) {
- exists(Top ref |
- summaryElementRef(ref, input, output, kind) and
- interpretInput(input, 0, ref, TNode(node1)) and
- interpretOutput(output, 0, ref, TNode(node2))
- )
-}
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
index 21d52dba774..05f60123111 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -166,9 +166,6 @@ private predicate inputStreamWrapper(Constructor c, int argi) {
 /** An object construction that preserves the data flow status of any of its arguments. */
 private predicate constructorStep(Expr tracked, ConstructorCall sink) {
 exists(int argi | sink.getArgument(argi) = tracked |
- summaryStep(any(DataFlow::Node n | n.asExpr() = tracked),
- any(DataFlow::Node n | n.asExpr() = sink), "taint", "Argument(" + argi + ")", "ReturnValue")
- or
 // wrappers constructed by extension
 exists(Constructor c, Parameter p, SuperConstructorInvocationStmt sup |
 c = sink.getConstructor() and