Add taint steps

java/ql/lib/change-notes/2024-09-24-multipart.md

@@ -1,4 +1,4 @@
 ---
 category: minorAnalysis
 ---
-* Added more dataflow models of `org.apache.commons.fileupload.FileItem` and `javax.servlet.http.Part`.
+* Added more dataflow models of `org.apache.commons.fileupload.FileItem`, `javax/jakarta.servlet.http.Part` and  `org.apache.commons.fileupload.util.Streams`.

java/ql/test/library-tests/frameworks/apache-commons-fileupload-1.4/Test.java

@@ -0,0 +1,55 @@
+package com.mycompany.app;
+
+import org.apache.commons.fileupload.util.Streams;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.ByteArrayOutputStream;
+
+// Test case generated by GenerateFlowTestCase.ql
+public class Test {
+
+	Object source() {
+		return null;
+	}
+
+	void sink(Object o) {
+	}
+
+	public void test() throws Exception {
+
+		{
+            InputStream in = (InputStream)source();
+            OutputStream os = new ByteArrayOutputStream(1024); 
+
+			InputStream in2 = (InputStream)source();
+            OutputStream os2 = new ByteArrayOutputStream(1024); 
+
+			byte[] myArray = new byte[1024];
+
+			// "org.apache.commons.fileupload.util;Streams;true;copy;(InputStream,OutputStream,boolean,byte[]);;Argument[0];Argument[1];taint;manual"
+			long status = Streams.copy(in, os, true, myArray);
+			sink(os); // $ hasTaintFlow
+			// "org.apache.commons.fileupload.util;Streams;true;copy;(InputStream,OutputStream,boolean);;Argument[0];Argument[1];taint;manual"
+			long status2 = Streams.copy(in2, os2, true);
+			sink(os2); // $ hasTaintFlow
+		}
+
+	}
+	public void test2() throws Exception {
+
+		{
+			
+            InputStream in = (InputStream)source();
+			// "org.apache.commons.fileupload.util;Streams;true;asString;(InputStream,String);;Argument[0];ReturnValue;taint;manual"
+			String result = Streams.asString(in);
+			sink(result); // $ hasTaintFlow
+
+            InputStream in1 = (InputStream)source();
+			// "org.apache.commons.fileupload.util;Streams;true;asString;(InputStream,String);;Argument[0];ReturnValue;taint;manual"
+            String result1 = Streams.asString(in1, "test");
+            sink(result1); // $ hasTaintFlow
+		}
+
+	}
+
+}

java/ql/test/library-tests/frameworks/apache-commons-fileupload-1.4/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/apache-commons-fileupload-1.4

java/ql/test/library-tests/frameworks/apache-commons-fileupload-1.4/test.expected

@@ -0,0 +1,45 @@
+models
+| 1 | Summary: org.apache.commons.fileupload.util; Streams; true; asString; (InputStream); ; Argument[0]; ReturnValue; taint; manual |
+| 2 | Summary: org.apache.commons.fileupload.util; Streams; true; asString; (InputStream,String); ; Argument[0]; ReturnValue; taint; manual |
+| 3 | Summary: org.apache.commons.fileupload.util; Streams; true; copy; (InputStream,OutputStream,boolean); ; Argument[0]; Argument[1]; taint; manual |
+| 4 | Summary: org.apache.commons.fileupload.util; Streams; true; copy; (InputStream,OutputStream,boolean,byte[]); ; Argument[0]; Argument[1]; taint; manual |
+edges
+| Test.java:22:30:22:50 | (...)... : InputStream | Test.java:30:31:30:32 | in : InputStream | provenance |  |
+| Test.java:22:43:22:50 | source(...) : Object | Test.java:22:30:22:50 | (...)... : InputStream | provenance |  |
+| Test.java:25:22:25:42 | (...)... : InputStream | Test.java:33:32:33:34 | in2 : InputStream | provenance |  |
+| Test.java:25:35:25:42 | source(...) : Object | Test.java:25:22:25:42 | (...)... : InputStream | provenance |  |
+| Test.java:30:31:30:32 | in : InputStream | Test.java:30:35:30:36 | os [post update] : ByteArrayOutputStream | provenance | MaD:4 |
+| Test.java:30:35:30:36 | os [post update] : ByteArrayOutputStream | Test.java:31:9:31:10 | os | provenance |  |
+| Test.java:33:32:33:34 | in2 : InputStream | Test.java:33:37:33:39 | os2 [post update] : ByteArrayOutputStream | provenance | MaD:3 |
+| Test.java:33:37:33:39 | os2 [post update] : ByteArrayOutputStream | Test.java:34:9:34:11 | os2 | provenance |  |
+| Test.java:45:30:45:50 | (...)... : InputStream | Test.java:47:37:47:38 | in : InputStream | provenance |  |
+| Test.java:45:43:45:50 | source(...) : Object | Test.java:45:30:45:50 | (...)... : InputStream | provenance |  |
+| Test.java:47:20:47:39 | asString(...) : String | Test.java:48:9:48:14 | result | provenance |  |
+| Test.java:47:37:47:38 | in : InputStream | Test.java:47:20:47:39 | asString(...) : String | provenance | MaD:1 |
+| Test.java:50:31:50:51 | (...)... : InputStream | Test.java:51:47:51:49 | in1 : InputStream | provenance |  |
+| Test.java:50:44:50:51 | source(...) : Object | Test.java:50:31:50:51 | (...)... : InputStream | provenance |  |
+| Test.java:51:30:51:58 | asString(...) : String | Test.java:52:18:52:24 | result1 | provenance |  |
+| Test.java:51:47:51:49 | in1 : InputStream | Test.java:51:30:51:58 | asString(...) : String | provenance | MaD:2 |
+nodes
+| Test.java:22:30:22:50 | (...)... : InputStream | semmle.label | (...)... : InputStream |
+| Test.java:22:43:22:50 | source(...) : Object | semmle.label | source(...) : Object |
+| Test.java:25:22:25:42 | (...)... : InputStream | semmle.label | (...)... : InputStream |
+| Test.java:25:35:25:42 | source(...) : Object | semmle.label | source(...) : Object |
+| Test.java:30:31:30:32 | in : InputStream | semmle.label | in : InputStream |
+| Test.java:30:35:30:36 | os [post update] : ByteArrayOutputStream | semmle.label | os [post update] : ByteArrayOutputStream |
+| Test.java:31:9:31:10 | os | semmle.label | os |
+| Test.java:33:32:33:34 | in2 : InputStream | semmle.label | in2 : InputStream |
+| Test.java:33:37:33:39 | os2 [post update] : ByteArrayOutputStream | semmle.label | os2 [post update] : ByteArrayOutputStream |
+| Test.java:34:9:34:11 | os2 | semmle.label | os2 |
+| Test.java:45:30:45:50 | (...)... : InputStream | semmle.label | (...)... : InputStream |
+| Test.java:45:43:45:50 | source(...) : Object | semmle.label | source(...) : Object |
+| Test.java:47:20:47:39 | asString(...) : String | semmle.label | asString(...) : String |
+| Test.java:47:37:47:38 | in : InputStream | semmle.label | in : InputStream |
+| Test.java:48:9:48:14 | result | semmle.label | result |
+| Test.java:50:31:50:51 | (...)... : InputStream | semmle.label | (...)... : InputStream |
+| Test.java:50:44:50:51 | source(...) : Object | semmle.label | source(...) : Object |
+| Test.java:51:30:51:58 | asString(...) : String | semmle.label | asString(...) : String |
+| Test.java:51:47:51:49 | in1 : InputStream | semmle.label | in1 : InputStream |
+| Test.java:52:18:52:24 | result1 | semmle.label | result1 |
+subpaths
+testFailures

java/ql/test/library-tests/frameworks/apache-commons-fileupload-1.4/test.ql

@@ -0,0 +1,4 @@
+import java
+import TestUtilities.InlineFlowTest
+import DefaultFlowTest
+import TaintFlow::PathGraph

java/ql/test/stubs/apache-commons-fileupload-1.4/org/apache/commons/fileupload/util/Streams.java

@@ -0,0 +1,16 @@
+// Generated automatically from org.apache.commons.fileupload.util.Streams for testing purposes
+
+package org.apache.commons.fileupload.util;
+
+import java.io.InputStream;
+import java.io.OutputStream;
+
+public class Streams
+{
+    protected Streams() {}
+    public static String asString(InputStream p0){ return null; }
+    public static String asString(InputStream p0, String p1){ return null; }
+    public static String checkFileName(String p0){ return null; }
+    public static long copy(InputStream p0, OutputStream p1, boolean p2){ return 0; }
+    public static long copy(InputStream p0, OutputStream p1, boolean p2, byte[] p3){ return 0; }
+}