Convert taint-format test into inline test

Benjamin Muskalla
2021-09-02 10:33:53 +02:00
parent 995a8192a9
commit d1a1f57e77
3 changed files with 37 additions and 60 deletions


@@ -1,47 +1,47 @@
import java.util.Formatter;
import java.lang.StringBuilder;
class A {
public static String taint() { return "tainted"; }
public static String taint() {
return "tainted";
}
public static void test1() {
String bad = taint();
String bad = taint(); // $ hasTaintFlow
String good = "hi";
bad.formatted(good);
good.formatted("a", bad, "b", good);
String.format("%s%s", bad, good);
bad.formatted(good); // $ hasTaintFlow
good.formatted("a", bad, "b", good); // $ hasTaintFlow
String.format("%s%s", bad, good); // $ hasTaintFlow
String.format("%s", good);
String.format("%s %s %s %s %s %s %s %s %s %s ", "a", "a", "a", "a", "a", "a", "a", "a", "a", bad);
String.format("%s %s %s %s %s %s %s %s %s %s ", "a", "a", "a", "a", "a", "a", "a", "a", "a", bad); // $ hasTaintFlow
}
public static void test2() {
String bad = taint();
String bad = taint(); // $ hasTaintFlow
Formatter f = new Formatter();
f.toString();
f.format("%s", bad);
f.toString();
f.format("%s", bad); // $ hasTaintFlow
f.toString(); // $ hasTaintFlow
}
public static void test3() {
String bad = taint();
String bad = taint(); // $ hasTaintFlow
StringBuilder sb = new StringBuilder();
Formatter f = new Formatter(sb);
sb.toString(); // false positive
f.format("%s", bad);
sb.toString();
sb.toString(); // $ hasTaintFlow false positive
f.format("%s", bad); // $ hasTaintFlow
sb.toString(); // $ hasTaintFlow
}
public static void test4() {
String bad = taint();
String bad = taint(); // $ hasTaintFlow
StringBuilder sb = new StringBuilder();
sb.append(bad);
sb.append(bad); // $ hasTaintFlow
new Formatter(sb).format("ok").toString();
new Formatter(sb).format("ok").toString(); // $ hasTaintFlow
}
}
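Review bot: In test3 the line `sb.toString(); // $ hasTaintFlow false positive` turns a known imprecision into an expected result, so the inline test now passes while the analysis is wrong and will start failing, with no hint that the failure is an improvement, the moment the false positive is fixed. The removed expected-output file at least kept that result visible as a plain row; here the trailing words "false positive" are just free text after the tag. The InlineExpectationsTest framework has a dedicated spelling for this case, so the line would be clearer as `sb.toString(); // $ SPURIOUS: hasTaintFlow` (or with a short comment saying the flow is not wanted), which documents the intent and flags the fix when it lands. The same applies to any other line in this file where a tag is followed by commentary rather than a value.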


@@ -1,36 +0,0 @@
| A.java:10:22:10:28 | taint(...) | A.java:10:22:10:28 | taint(...) |
| A.java:10:22:10:28 | taint(...) | A.java:13:9:13:11 | bad |
| A.java:10:22:10:28 | taint(...) | A.java:13:9:13:27 | formatted(...) |
| A.java:10:22:10:28 | taint(...) | A.java:14:9:14:43 | formatted(...) |
| A.java:10:22:10:28 | taint(...) | A.java:14:9:14:43 | new ..[] { .. } |
| A.java:10:22:10:28 | taint(...) | A.java:14:29:14:31 | bad |
| A.java:10:22:10:28 | taint(...) | A.java:15:9:15:40 | format(...) |
| A.java:10:22:10:28 | taint(...) | A.java:15:9:15:40 | new ..[] { .. } |
| A.java:10:22:10:28 | taint(...) | A.java:15:31:15:33 | bad |
| A.java:10:22:10:28 | taint(...) | A.java:17:9:17:105 | format(...) |
| A.java:10:22:10:28 | taint(...) | A.java:17:9:17:105 | new ..[] { .. } |
| A.java:10:22:10:28 | taint(...) | A.java:17:102:17:104 | bad |
| A.java:21:22:21:28 | taint(...) | A.java:21:22:21:28 | taint(...) |
| A.java:21:22:21:28 | taint(...) | A.java:25:9:25:9 | f [post update] |
| A.java:21:22:21:28 | taint(...) | A.java:25:9:25:27 | format(...) |
| A.java:21:22:21:28 | taint(...) | A.java:25:9:25:27 | new ..[] { .. } |
| A.java:21:22:21:28 | taint(...) | A.java:25:24:25:26 | bad |
| A.java:21:22:21:28 | taint(...) | A.java:26:9:26:9 | f |
| A.java:21:22:21:28 | taint(...) | A.java:26:9:26:20 | toString(...) |
| A.java:30:22:30:28 | taint(...) | A.java:30:22:30:28 | taint(...) |
| A.java:30:22:30:28 | taint(...) | A.java:34:9:34:10 | sb |
| A.java:30:22:30:28 | taint(...) | A.java:34:9:34:21 | toString(...) |
| A.java:30:22:30:28 | taint(...) | A.java:35:9:35:9 | f [post update] |
| A.java:30:22:30:28 | taint(...) | A.java:35:9:35:27 | format(...) |
| A.java:30:22:30:28 | taint(...) | A.java:35:9:35:27 | new ..[] { .. } |
| A.java:30:22:30:28 | taint(...) | A.java:35:24:35:26 | bad |
| A.java:30:22:30:28 | taint(...) | A.java:36:9:36:10 | sb |
| A.java:30:22:30:28 | taint(...) | A.java:36:9:36:21 | toString(...) |
| A.java:40:22:40:28 | taint(...) | A.java:40:22:40:28 | taint(...) |
| A.java:40:22:40:28 | taint(...) | A.java:43:9:43:10 | sb [post update] |
| A.java:40:22:40:28 | taint(...) | A.java:43:9:43:22 | append(...) |
| A.java:40:22:40:28 | taint(...) | A.java:43:19:43:21 | bad |
| A.java:40:22:40:28 | taint(...) | A.java:45:9:45:25 | new Formatter(...) |
| A.java:40:22:40:28 | taint(...) | A.java:45:9:45:38 | format(...) |
| A.java:40:22:40:28 | taint(...) | A.java:45:9:45:49 | toString(...) |
| A.java:40:22:40:28 | taint(...) | A.java:45:23:45:24 | sb |


@@ -1,16 +1,29 @@
import java
import semmle.code.java.dataflow.DataFlow
import semmle.code.java.dataflow.TaintTracking
import TestUtilities.InlineExpectationsTest
class Conf extends TaintTracking::Configuration {
Conf() { this = "qltest:dataflow:format" }
class TaintFlowConf extends TaintTracking::Configuration {
TaintFlowConf() { this = "qltest:dataflow:format" }
override predicate isSource(DataFlow::Node n) {
n.asExpr().(MethodAccess).getMethod().hasName("taint")
}
override predicate isSink(DataFlow::Node n) { any() }
override predicate isSink(DataFlow::Node n) { n instanceof DataFlow::ExprNode }
}
from DataFlow::Node src, DataFlow::Node sink, Conf conf
where conf.hasFlow(src, sink)
select src, sink
class HasFlowTest extends InlineExpectationsTest {
HasFlowTest() { this = "HasFlowTest" }
override string getARelevantTag() { result = ["hasTaintFlow"] }
override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "hasTaintFlow" and
exists(DataFlow::Node src, DataFlow::Node sink, TaintFlowConf conf | conf.hasFlow(src, sink) |
sink.getLocation() = location and
element = sink.toString() and
value = ""
)
}
}
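Review bot: The new `isSink` accepts every `DataFlow::ExprNode`, and `hasActualResult` reports each sink with `value = ""` keyed only on its line, so all tainted subexpressions on one line (e.g. both `bad` and the enclosing `formatted(...)` call in the test source) collapse onto a single `hasTaintFlow` expectation; the deleted expected-output file recorded each sink expression separately, so this commit loses the ability to tell taint reaching an argument from taint reaching the call result. If that coarsening is intentional it should be written down, e.g. a comment above `isSink`: `// Every expression is a sink; one line-level expectation covers all tainted subexpressions on that line.` Separately, `result = ["hasTaintFlow"]` wraps a single tag in a set literal where `result = "hasTaintFlow"` reads more directly.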