hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-27 12:23:41 +01:00
Code Issues Packages Projects Releases Wiki Activity

Java: adjust wrapped constructor calls

Browse Source
This commit is contained in:
Tamas Vajk
2021-03-16 10:06:20 +01:00
parent e3534d1635
commit d02fba8c37
2 changed files with 22 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
View File

@@ -243,28 +243,28 @@ private predicate summaryModelCsv(string row) {
"org.apache.commons.io;IOUtils;false;writeLines;;;Argument[0];Argument[2];taint",
"org.apache.commons.io;IOUtils;false;writeLines;;;Argument[1];Argument[2];taint",
// constructor flow
"java.io;File;false;File;;;Argument[0];ReturnValue;taint",
"java.io;File;false;File;;;Argument[1];ReturnValue;taint",
"java.net;URI;false;URI;(String);;Argument[0];ReturnValue;taint",
"javax.xml.transform.stream;StreamSource;false;StreamSource;;;Argument[0];ReturnValue;taint",
"javax.xml.transform.sax;SAXSource;false;SAXSource;(InputSource);;Argument[0];ReturnValue;taint",
"javax.xml.transform.sax;SAXSource;false;SAXSource;(XMLReader,InputSource);;Argument[1];ReturnValue;taint",
"org.xml.sax;InputSource;false;InputSource;;;Argument[0];ReturnValue;taint",
"javax.servlet.http;Cookie;false;Cookie;;;Argument[0];ReturnValue;taint",
"javax.servlet.http;Cookie;false;Cookie;;;Argument[1];ReturnValue;taint",
"java.util.zip;ZipInputStream;false;ZipInputStream;;;Argument[0];ReturnValue;taint",
"java.util.zip;GZIPInputStream;false;GZIPInputStream;;;Argument[0];ReturnValue;taint",
"java.util;StringTokenizer;false;StringTokenizer;;;Argument[0];ReturnValue;taint",
"java.beans;XMLDecoder;false;XMLDecoder;;;Argument[0];ReturnValue;taint",
"com.esotericsoftware.kryo.io;Input;false;Input;;;Argument[0];ReturnValue;taint",
"java.io;BufferedInputStream;false;BufferedInputStream;;;Argument[0];ReturnValue;taint",
"java.io;DataInputStream;false;DataInputStream;;;Argument[0];ReturnValue;taint",
"java.io;ByteArrayInputStream;false;ByteArrayInputStream;;;Argument[0];ReturnValue;taint",
"java.io;ObjectInputStream;false;ObjectInputStream;;;Argument[0];ReturnValue;taint",
"java.io;StringReader;false;StringReader;;;Argument[0];ReturnValue;taint",
"java.io;CharArrayReader;false;CharArrayReader;;;Argument[0];ReturnValue;taint",
"java.io;BufferedReader;false;BufferedReader;;;Argument[0];ReturnValue;taint",
"java.io;InputStreamReader;false;InputStreamReader;;;Argument[0];ReturnValue;taint"
"java.io;File;false;File;;;Argument[0];Argument[-1];taint",
"java.io;File;false;File;;;Argument[1];Argument[-1];taint",
"java.net;URI;false;URI;(String);;Argument[0];Argument[-1];taint",
"javax.xml.transform.stream;StreamSource;false;StreamSource;;;Argument[0];Argument[-1];taint",
"javax.xml.transform.sax;SAXSource;false;SAXSource;(InputSource);;Argument[0];Argument[-1];taint",
"javax.xml.transform.sax;SAXSource;false;SAXSource;(XMLReader,InputSource);;Argument[1];Argument[-1];taint",
"org.xml.sax;InputSource;false;InputSource;;;Argument[0];Argument[-1];taint",
"javax.servlet.http;Cookie;false;Cookie;;;Argument[0];Argument[-1];taint",
"javax.servlet.http;Cookie;false;Cookie;;;Argument[1];Argument[-1];taint",
"java.util.zip;ZipInputStream;false;ZipInputStream;;;Argument[0];Argument[-1];taint",
"java.util.zip;GZIPInputStream;false;GZIPInputStream;;;Argument[0];Argument[-1];taint",
"java.util;StringTokenizer;false;StringTokenizer;;;Argument[0];Argument[-1];taint",
"java.beans;XMLDecoder;false;XMLDecoder;;;Argument[0];Argument[-1];taint",
"com.esotericsoftware.kryo.io;Input;false;Input;;;Argument[0];Argument[-1];taint",
"java.io;BufferedInputStream;false;BufferedInputStream;;;Argument[0];Argument[-1];taint",
"java.io;DataInputStream;false;DataInputStream;;;Argument[0];Argument[-1];taint",
"java.io;ByteArrayInputStream;false;ByteArrayInputStream;;;Argument[0];Argument[-1];taint",
"java.io;ObjectInputStream;false;ObjectInputStream;;;Argument[0];Argument[-1];taint",
"java.io;StringReader;false;StringReader;;;Argument[0];Argument[-1];taint",
"java.io;CharArrayReader;false;CharArrayReader;;;Argument[0];Argument[-1];taint",
"java.io;BufferedReader;false;BufferedReader;;;Argument[0];Argument[-1];taint",
"java.io;InputStreamReader;false;InputStreamReader;;;Argument[0];Argument[-1];taint"
]
}
@@ -697,15 +697,3 @@ predicate summaryStep(Node node1, Node node2, string kind) {
interpretOutput(output, 0, ref, TNode(node2))
)
}
/**
* Holds if `node1` to `node2` is specified as a flow step with the given kind, input and output
* in a CSV flow model.
*/
predicate summaryStep(Node node1, Node node2, string kind, string input, string output) {
exists(Top ref |
summaryElementRef(ref, input, output, kind) and
interpretInput(input, 0, ref, TNode(node1)) and
interpretOutput(output, 0, ref, TNode(node2))
)
}

3
java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
View File

@@ -166,9 +166,6 @@ private predicate inputStreamWrapper(Constructor c, int argi) {
/** An object construction that preserves the data flow status of any of its arguments. */
private predicate constructorStep(Expr tracked, ConstructorCall sink) {
exists(int argi | sink.getArgument(argi) = tracked |
summaryStep(any(DataFlow::Node n | n.asExpr() = tracked),
any(DataFlow::Node n | n.asExpr() = sink), "taint", "Argument(" + argi + ")", "ReturnValue")
or
// wrappers constructed by extension
exists(Constructor c, Parameter p, SuperConstructorInvocationStmt sup |
c = sink.getConstructor() and