Merge pull request #6591 from bmuskalla/inlineFlowTest
Java: Simplify setup for flow tests using `InlineExpectationsTest`
@@ -1,8 +1,7 @@
|
||||
import java
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
import semmle.code.java.dataflow.ExternalFlow
|
||||
import TestUtilities.InlineExpectationsTest
|
||||
import DataFlow
|
||||
import TestUtilities.InlineFlowTest
|
||||
|
||||
class SummaryModelTest extends SummaryModelCsv {
|
||||
override predicate row(string row) {
|
||||
@@ -15,25 +14,6 @@ class SummaryModelTest extends SummaryModelCsv {
|
||||
}
|
||||
}
|
||||
|
||||
class ContainerFlowConf extends Configuration {
|
||||
ContainerFlowConf() { this = "qltest:ContainerFlowConf" }
|
||||
|
||||
override predicate isSource(Node n) { n.asExpr().(MethodAccess).getMethod().hasName("source") }
|
||||
|
||||
override predicate isSink(Node n) { n.asExpr().(Argument).getCall().getCallee().hasName("sink") }
|
||||
}
|
||||
|
||||
class HasFlowTest extends InlineExpectationsTest {
|
||||
HasFlowTest() { this = "HasFlowTest" }
|
||||
|
||||
override string getARelevantTag() { result = "hasValueFlow" }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
tag = "hasValueFlow" and
|
||||
exists(Node src, Node sink, ContainerFlowConf conf | conf.hasFlow(src, sink) |
|
||||
sink.getLocation() = location and
|
||||
element = sink.toString() and
|
||||
value = ""
|
||||
)
|
||||
}
|
||||
class HasFlowTest extends InlineFlowTest {
|
||||
override DataFlow::Configuration getTaintFlowConfig() { none() }
|
||||
}
|
||||
|
||||
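Review bot: The `getTaintFlowConfig() { none() }` override in the new `HasFlowTest` has no comment saying why taint flow is switched off; I would add `// Value flow only: disable the default taint config so no hasTaintFlow results are produced.` above it. Separately, the removed `ContainerFlowConf.isSink` matched any `Argument` whose call has a callee named `sink`, which is not limited to method calls. `InlineFlowTest` is not shown in this view, so it is worth confirming that its default value-flow sink covers the same calls the container tests use.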
@@ -1,19 +1,7 @@
|
||||
import java
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
import semmle.code.java.dataflow.FlowSteps
|
||||
import TestUtilities.InlineExpectationsTest
|
||||
|
||||
class Conf extends DataFlow::Configuration {
|
||||
Conf() { this = "qltest:dataflow:fluent-methods" }
|
||||
|
||||
override predicate isSource(DataFlow::Node n) {
|
||||
n.asExpr().(MethodAccess).getMethod().hasName("source")
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node n) {
|
||||
exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
|
||||
}
|
||||
}
|
||||
import TestUtilities.InlineFlowTest
|
||||
|
||||
class Model extends FluentMethod {
|
||||
Model() { this.getName() = "modelledFluentMethod" }
|
||||
@@ -25,17 +13,6 @@ class IdentityModel extends ValuePreservingMethod {
|
||||
override predicate returnsValue(int arg) { arg = 0 }
|
||||
}
|
||||
|
||||
class HasFlowTest extends InlineExpectationsTest {
|
||||
HasFlowTest() { this = "HasFlowTest" }
|
||||
|
||||
override string getARelevantTag() { result = "hasTaintFlow" }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
tag = "hasTaintFlow" and
|
||||
exists(DataFlow::Node src, DataFlow::Node sink, Conf conf | conf.hasFlow(src, sink) |
|
||||
sink.getLocation() = location and
|
||||
element = sink.toString() and
|
||||
value = ""
|
||||
)
|
||||
}
|
||||
class HasFlowTest extends InlineFlowTest {
|
||||
override DataFlow::Configuration getValueFlowConfig() { none() }
|
||||
}
|
||||
|
||||
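Review bot: The new `HasFlowTest` disables the value-flow config and keeps the taint one, although the removed `Conf` extended `DataFlow::Configuration`, so this test used to exercise value flow only and merely reported it under the `hasTaintFlow` tag. If the default taint config in `InlineFlowTest` (not visible here) is a taint-tracking configuration, the `FluentMethod` and `ValuePreservingMethod` models could now be satisfied by generic taint steps rather than the value-preserving steps they are meant to test. To keep the old strictness, override `getTaintFlowConfig() { none() }` instead and switch the annotations in the test source to `hasValueFlow`. Whichever is chosen, a one-line comment on the override stating which kind of flow is under test would help.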
@@ -1,47 +1,47 @@
|
||||
import java.util.Formatter;
|
||||
import java.lang.StringBuilder;
|
||||
|
||||
|
||||
|
||||
class A {
|
||||
public static String taint() { return "tainted"; }
|
||||
public static String source() {
|
||||
return "tainted";
|
||||
}
|
||||
|
||||
public static void test1() {
|
||||
String bad = taint();
|
||||
String bad = source(); // $ hasTaintFlow
|
||||
String good = "hi";
|
||||
|
||||
bad.formatted(good);
|
||||
good.formatted("a", bad, "b", good);
|
||||
String.format("%s%s", bad, good);
|
||||
bad.formatted(good); // $ hasTaintFlow
|
||||
good.formatted("a", bad, "b", good); // $ hasTaintFlow
|
||||
String.format("%s%s", bad, good); // $ hasTaintFlow
|
||||
String.format("%s", good);
|
||||
String.format("%s %s %s %s %s %s %s %s %s %s ", "a", "a", "a", "a", "a", "a", "a", "a", "a", bad);
|
||||
String.format("%s %s %s %s %s %s %s %s %s %s ", "a", "a", "a", "a", "a", "a", "a", "a", "a", bad); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public static void test2() {
|
||||
String bad = taint();
|
||||
String bad = source(); // $ hasTaintFlow
|
||||
Formatter f = new Formatter();
|
||||
|
||||
f.toString();
|
||||
f.format("%s", bad);
|
||||
f.toString();
|
||||
f.format("%s", bad); // $ hasTaintFlow
|
||||
f.toString(); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public static void test3() {
|
||||
String bad = taint();
|
||||
String bad = source(); // $ hasTaintFlow
|
||||
StringBuilder sb = new StringBuilder();
|
||||
Formatter f = new Formatter(sb);
|
||||
|
||||
sb.toString(); // false positive
|
||||
f.format("%s", bad);
|
||||
sb.toString();
|
||||
sb.toString(); // $ hasTaintFlow false positive
|
||||
f.format("%s", bad); // $ hasTaintFlow
|
||||
sb.toString(); // $ hasTaintFlow
|
||||
}
|
||||
|
||||
public static void test4() {
|
||||
String bad = taint();
|
||||
String bad = source(); // $ hasTaintFlow
|
||||
StringBuilder sb = new StringBuilder();
|
||||
|
||||
sb.append(bad);
|
||||
sb.append(bad); // $ hasTaintFlow
|
||||
|
||||
new Formatter(sb).format("ok").toString();
|
||||
new Formatter(sb).format("ok").toString(); // $ hasTaintFlow
|
||||
}
|
||||
}
|
||||
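Review bot: In `test3` the known false positive is recorded as free text after the tag, `sb.toString(); // $ hasTaintFlow false positive`, so the expectation is checked as an ordinary true result and nothing flags it if the analysis later becomes precise. If the `InlineExpectationsTest` in this tree supports the `SPURIOUS:` prefix, `sb.toString(); // $ SPURIOUS: hasTaintFlow` records the same fact in a machine-checked form. How the trailing words `false positive` are parsed is not visible from this page, which is another reason to keep them out of the expectation comment. A short class-level comment saying that every tainted expression is expected to be annotated would also explain why the `source()` assignments themselves carry `hasTaintFlow`.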
@@ -1,49 +0,0 @@
|
||||
| A.java:10:22:10:28 | taint(...) | A.java:10:22:10:28 | taint(...) |
|
||||
| A.java:10:22:10:28 | taint(...) | A.java:13:9:13:11 | bad |
|
||||
| A.java:10:22:10:28 | taint(...) | A.java:13:9:13:27 | formatted(...) |
|
||||
| A.java:10:22:10:28 | taint(...) | A.java:14:9:14:43 | formatted(...) |
|
||||
| A.java:10:22:10:28 | taint(...) | A.java:14:9:14:43 | new ..[] { .. } |
|
||||
| A.java:10:22:10:28 | taint(...) | A.java:14:29:14:31 | bad |
|
||||
| A.java:10:22:10:28 | taint(...) | A.java:15:9:15:40 | format(...) |
|
||||
| A.java:10:22:10:28 | taint(...) | A.java:15:9:15:40 | new ..[] { .. } |
|
||||
| A.java:10:22:10:28 | taint(...) | A.java:15:31:15:33 | bad |
|
||||
| A.java:10:22:10:28 | taint(...) | A.java:17:9:17:105 | format(...) |
|
||||
| A.java:10:22:10:28 | taint(...) | A.java:17:9:17:105 | new ..[] { .. } |
|
||||
| A.java:10:22:10:28 | taint(...) | A.java:17:102:17:104 | bad |
|
||||
| A.java:10:22:10:28 | taint(...) | file:///modules/java.base/java/lang/String.class:0:0:0:0 | [summary] read: [] of argument 0 in formatted |
|
||||
| A.java:10:22:10:28 | taint(...) | file:///modules/java.base/java/lang/String.class:0:0:0:0 | [summary] read: [] of argument 1 in format |
|
||||
| A.java:10:22:10:28 | taint(...) | file:///modules/java.base/java/lang/String.class:0:0:0:0 | [summary] to write: return (return) in format |
|
||||
| A.java:10:22:10:28 | taint(...) | file:///modules/java.base/java/lang/String.class:0:0:0:0 | [summary] to write: return (return) in formatted |
|
||||
| A.java:10:22:10:28 | taint(...) | file:///modules/java.base/java/lang/String.class:0:0:0:0 | parameter this |
|
||||
| A.java:10:22:10:28 | taint(...) | file://:0:0:0:0 | p0 |
|
||||
| A.java:10:22:10:28 | taint(...) | file://:0:0:0:0 | p1 |
|
||||
| A.java:21:22:21:28 | taint(...) | A.java:21:22:21:28 | taint(...) |
|
||||
| A.java:21:22:21:28 | taint(...) | A.java:25:9:25:9 | f [post update] |
|
||||
| A.java:21:22:21:28 | taint(...) | A.java:25:9:25:27 | format(...) |
|
||||
| A.java:21:22:21:28 | taint(...) | A.java:25:9:25:27 | new ..[] { .. } |
|
||||
| A.java:21:22:21:28 | taint(...) | A.java:25:24:25:26 | bad |
|
||||
| A.java:21:22:21:28 | taint(...) | A.java:26:9:26:9 | f |
|
||||
| A.java:21:22:21:28 | taint(...) | A.java:26:9:26:20 | toString(...) |
|
||||
| A.java:30:22:30:28 | taint(...) | A.java:30:22:30:28 | taint(...) |
|
||||
| A.java:30:22:30:28 | taint(...) | A.java:34:9:34:10 | sb |
|
||||
| A.java:30:22:30:28 | taint(...) | A.java:34:9:34:21 | toString(...) |
|
||||
| A.java:30:22:30:28 | taint(...) | A.java:35:9:35:9 | f [post update] |
|
||||
| A.java:30:22:30:28 | taint(...) | A.java:35:9:35:27 | format(...) |
|
||||
| A.java:30:22:30:28 | taint(...) | A.java:35:9:35:27 | new ..[] { .. } |
|
||||
| A.java:30:22:30:28 | taint(...) | A.java:35:24:35:26 | bad |
|
||||
| A.java:30:22:30:28 | taint(...) | A.java:36:9:36:10 | sb |
|
||||
| A.java:30:22:30:28 | taint(...) | A.java:36:9:36:21 | toString(...) |
|
||||
| A.java:30:22:30:28 | taint(...) | file:///modules/java.base/java/lang/StringBuilder.class:0:0:0:0 | [summary] to write: return (return) in toString |
|
||||
| A.java:30:22:30:28 | taint(...) | file:///modules/java.base/java/lang/StringBuilder.class:0:0:0:0 | parameter this |
|
||||
| A.java:40:22:40:28 | taint(...) | A.java:40:22:40:28 | taint(...) |
|
||||
| A.java:40:22:40:28 | taint(...) | A.java:43:9:43:10 | sb [post update] |
|
||||
| A.java:40:22:40:28 | taint(...) | A.java:43:9:43:22 | append(...) |
|
||||
| A.java:40:22:40:28 | taint(...) | A.java:43:19:43:21 | bad |
|
||||
| A.java:40:22:40:28 | taint(...) | A.java:45:9:45:25 | new Formatter(...) |
|
||||
| A.java:40:22:40:28 | taint(...) | A.java:45:9:45:38 | format(...) |
|
||||
| A.java:40:22:40:28 | taint(...) | A.java:45:9:45:49 | toString(...) |
|
||||
| A.java:40:22:40:28 | taint(...) | A.java:45:23:45:24 | sb |
|
||||
| A.java:40:22:40:28 | taint(...) | file:///modules/java.base/java/lang/StringBuilder.class:0:0:0:0 | [summary] to write: argument -1 in append |
|
||||
| A.java:40:22:40:28 | taint(...) | file:///modules/java.base/java/lang/StringBuilder.class:0:0:0:0 | [summary] to write: return (return) in append |
|
||||
| A.java:40:22:40:28 | taint(...) | file:///modules/java.base/java/lang/StringBuilder.class:0:0:0:0 | parameter this |
|
||||
| A.java:40:22:40:28 | taint(...) | file://:0:0:0:0 | p0 |
|
||||
|
||||
@@ -1,16 +1,8 @@
|
||||
import java
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
import TestUtilities.InlineFlowTest
|
||||
|
||||
class Conf extends TaintTracking::Configuration {
|
||||
Conf() { this = "qltest:dataflow:format" }
|
||||
|
||||
override predicate isSource(DataFlow::Node n) {
|
||||
n.asExpr().(MethodAccess).getMethod().hasName("taint")
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node n) { any() }
|
||||
class TaintFlowConf extends DefaultTaintFlowConf {
|
||||
override predicate isSink(DataFlow::Node n) { n instanceof DataFlow::ExprNode }
|
||||
}
|
||||
|
||||
from DataFlow::Node src, DataFlow::Node sink, Conf conf
|
||||
where conf.hasFlow(src, sink)
|
||||
select src, sink
|
||||
|
||||
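Review bot: `TaintFlowConf.isSink` narrows the sink set from the removed `any()` to `DataFlow::ExprNode`, and no comment explains the choice. The deleted expected output listed non-expression nodes such as `f [post update]`, `sb [post update]` and the `[summary]` nodes, and inline annotations on expressions no longer assert flow to those. I would add a comment above the override along the lines of `// Every expression is a sink so each tainted intermediate value needs an inline expectation; post-update and summary nodes are intentionally not checked.` It is also worth confirming that the override is actually picked up by the default taint config, since no `getTaintFlowConfig` override is visible in this hunk.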
@@ -1,34 +1,2 @@
|
||||
import java
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
import TestUtilities.InlineExpectationsTest
|
||||
|
||||
class Conf extends TaintTracking::Configuration {
|
||||
Conf() { this = "qltest:dataflow:jackson" }
|
||||
|
||||
override predicate isSource(DataFlow::Node n) {
|
||||
n.asExpr().(MethodAccess).getMethod().hasName("taint")
|
||||
or
|
||||
n instanceof RemoteFlowSource
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node n) {
|
||||
exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
|
||||
}
|
||||
}
|
||||
|
||||
class HasFlowTest extends InlineExpectationsTest {
|
||||
HasFlowTest() { this = "HasFlowTest" }
|
||||
|
||||
override string getARelevantTag() { result = "hasTaintFlow" }
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
tag = "hasTaintFlow" and
|
||||
exists(DataFlow::Node src, DataFlow::Node sink, Conf conf | conf.hasFlow(src, sink) |
|
||||
sink.getLocation() = location and
|
||||
element = sink.toString() and
|
||||
value = ""
|
||||
)
|
||||
}
|
||||
}
|
||||
import TestUtilities.InlineFlowTest
|
||||
|
||||
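Review bot: Dropping `Conf` also drops `n instanceof RemoteFlowSource` from the sources, and nothing in the two remaining lines restores it. `InlineFlowTest` is not part of this view, so unless its default config treats remote flow sources as sources, flows that start at a remote source are no longer asserted by this test. If that coverage matters, keep the `FlowSources` import and a small subclass of the default taint config with `override predicate isSource(DataFlow::Node n) { super.isSource(n) or n instanceof RemoteFlowSource }`. With no overrides at all the default value-flow config is presumably active too, so the test source may need `hasValueFlow` annotations as well.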