Merge remote-tracking branch 'upstream/master' into set-map-list-copy-of

java/ql/src/semmle/code/Location.qll

@@ -90,16 +90,16 @@ class Top extends @top {
 
 /** A location maps language elements to positions in source files. */
 class Location extends @location {
-  /** Gets the line number where this location starts. */
+  /** Gets the 1-based line number (inclusive) where this location starts. */
   int getStartLine() { locations_default(this, _, result, _, _, _) }
 
-  /** Gets the column number where this location starts. */
+  /** Gets the 1-based column number (inclusive) where this location starts. */
   int getStartColumn() { locations_default(this, _, _, result, _, _) }
 
-  /** Gets the line number where this location ends. */
+  /** Gets the 1-based line number (inclusive) where this location ends. */
   int getEndLine() { locations_default(this, _, _, _, result, _) }
 
-  /** Gets the column number where this location ends. */
+  /** Gets the 1-based column number (inclusive) where this location ends. */
   int getEndColumn() { locations_default(this, _, _, _, _, result) }
 
   /**

java/ql/src/semmle/code/java/Expr.qll

@@ -60,6 +60,12 @@ class Expr extends ExprParent, @expr {
   /** Gets the statement containing this expression, if any. */
   Stmt getEnclosingStmt() { statementEnclosingExpr(this, result) }
 
+  /**
+   * Gets a statement that directly or transitively contains this expression, if any.
+   * This is equivalent to `this.getEnclosingStmt().getEnclosingStmt*()`.
+   */
+  Stmt getAnEnclosingStmt() { result = this.getEnclosingStmt().getEnclosingStmt*() }
+
   /** Gets a child of this expression. */
   Expr getAChildExpr() { exprs(result, _, _, this, _) }
 
@@ -1237,7 +1243,7 @@ class VariableAssign extends VariableUpdate {
   }
 
   /**
-   * Gets the source of this assignment, if any.
+   * Gets the source (right-hand side) of this assignment, if any.
    *
    * An initialization in a `CatchClause` or `EnhancedForStmt` is implicit and
    * does not have a source.

java/ql/src/semmle/code/java/Javadoc.qll

@@ -79,7 +79,7 @@ abstract class JavadocElement extends @javadocElement, Top {
   abstract string getText();
 }
 
-/** A Javadoc tag. */
+/** A Javadoc block tag. This does not include inline tags. */
 class JavadocTag extends JavadocElement, JavadocParent, @javadocTag {
   /** Gets the name of this Javadoc tag. */
   string getTagName() { javadocTag(this, result, _, _) }

java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll

@@ -196,6 +196,12 @@ private predicate taintPreservingArgumentToMethod(Method method, int arg) {
     method.hasName("entry") and
     arg = 1
   )
+  or
+  method.getDeclaringType().hasQualifiedName("java.util", "Arrays") and
+  (
+    method.hasName(["copyOf", "copyOfRange", "spliterator", "stream"]) and
+    arg = 0
+  )
 }
 
 /**
@@ -223,6 +229,13 @@ private predicate taintPreservingArgToArg(Method method, int input, int output)
     or
     method.hasName("replaceAll") and input = 2 and output = 0
   )
+  or
+  method.getDeclaringType().hasQualifiedName("java.util", "Arrays") and
+  (
+    method.hasName("fill") and
+    output = 0 and
+    input = method.getNumberOfParameters() - 1
+  )
 }
 
 private predicate argToQualifierStep(Expr tracked, Expr sink) {
@@ -236,9 +249,18 @@ private predicate argToQualifierStep(Expr tracked, Expr sink) {
 
 /** Access to a method that passes taint from an argument. */
 private predicate argToMethodStep(Expr tracked, MethodAccess sink) {
-  exists(int i |
-    taintPreservingArgumentToMethod(sink.getMethod(), i) and
-    tracked = sink.getArgument(i)
+  exists(Method m |
+    m = sink.getMethod() and
+    (
+      exists(int i |
+        taintPreservingArgumentToMethod(m, i) and
+        tracked = sink.getArgument(i)
+      )
+      or
+      m.getDeclaringType().hasQualifiedName("java.util", "Arrays") and
+      m.hasName("asList") and
+      tracked = sink.getAnArgument()
+    )
   )
   or
   taintPreservingArgumentToMethod(sink.getMethod()) and

java/ql/src/semmle/code/java/security/FileReadWrite.qll

@@ -9,9 +9,9 @@ private predicate fileRead(VarAccess fileAccess, Expr fileReadingExpr) {
     cie = fileReadingExpr and
     cie.getArgument(0) = fileAccess
   |
-    cie.getConstructedType().hasQualifiedName("java.io", "RandomAccessFile") or
-    cie.getConstructedType().hasQualifiedName("java.io", "FileReader") or
-    cie.getConstructedType().hasQualifiedName("java.io", "FileInputStream")
+    cie
+        .getConstructedType()
+        .hasQualifiedName("java.io", ["RandomAccessFile", "FileReader", "FileInputStream"])
   )
   or
   exists(MethodAccess ma, Method filesMethod |
@@ -22,13 +22,9 @@ private predicate fileRead(VarAccess fileAccess, Expr fileReadingExpr) {
       // represented by the first argument.
       filesMethod.getDeclaringType().hasQualifiedName("java.nio.file", "Files") and
       fileAccess = ma.getArgument(0) and
-      (
-        filesMethod.hasName("readAllBytes") or
-        filesMethod.hasName("readAllLines") or
-        filesMethod.hasName("newBufferedReader") or
-        filesMethod.hasName("newInputReader") or
-        filesMethod.hasName("newByteChannel")
-      )
+      filesMethod
+          .hasName(["readAllBytes", "readAllLines", "readString", "lines", "newBufferedReader",
+                "newInputStream", "newByteChannel"])
     )
   )
   or

java/ql/test/experimental/query-tests/security/CWE-016/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/springframework-5.2.3
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3

java/ql/test/experimental/query-tests/security/CWE-074/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/shiro-core-1.5.2:${testdir}/../../../stubs/spring-ldap-2.3.2
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/shiro-core-1.5.2:${testdir}/../../../../stubs/spring-ldap-2.3.2

java/ql/test/experimental/query-tests/security/CWE-917/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/ognl-3.2.14:${testdir}/../../../stubs/struts2-core-2.5.22
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/springframework-5.2.3:${testdir}/../../../stubs/ognl-3.2.14:${testdir}/../../../stubs/struts2-core-2.5.22

java/ql/test/experimental/stubs/spring-ldap-2.3.2/org/springframework/ldap/core/ContextMapper.java

@@ -1,4 +0,0 @@
-package org.springframework.ldap.core;
-
-public interface ContextMapper<T> {
-}

java/ql/test/experimental/stubs/spring-ldap-2.3.2/org/springframework/ldap/core/DirContextOperations.java

@@ -1,4 +0,0 @@
-package org.springframework.ldap.core;
-
-public interface DirContextOperations {
-}

java/ql/test/experimental/stubs/spring-ldap-2.3.2/org/springframework/ldap/core/LdapTemplate.java

@@ -1,76 +0,0 @@
-package org.springframework.ldap.core;
-
-import org.springframework.beans.factory.InitializingBean;
-
-import java.util.*;
-
-import javax.naming.Name;
-import javax.naming.directory.SearchControls;
-
-import org.springframework.ldap.filter.Filter;
-
-import org.springframework.ldap.query.LdapQuery;
-
-public class LdapTemplate implements LdapOperations, InitializingBean {
-  public void authenticate(LdapQuery query, String password) { }
-
-  public boolean authenticate(Name base, String filter, String password) { return true; }
-
-  public <T> List<T> find(Name base, Filter filter, SearchControls searchControls, final Class<T> clazz) { return null; }
-
-  public <T> List<T> find(LdapQuery query, Class<T> clazz) { return null; }
-
-  public <T> T findOne(LdapQuery query, Class<T> clazz) { return null; }
-
-  public void search(String base, String filter, int searchScope, boolean returningObjFlag, NameClassPairCallbackHandler handler) { }
-
-  public void search(final String base, final String filter, final SearchControls controls, NameClassPairCallbackHandler handler) {}
-
-  public void search(final String base, final String filter, final SearchControls controls,	NameClassPairCallbackHandler handler, DirContextProcessor processor) {}
-
-  public void search(String base, String filter, NameClassPairCallbackHandler handler) {}
-
-  public <T> List<T> search(String base, String filter, int searchScope, String[] attrs, AttributesMapper<T> mapper) { return null; }
-
-  public <T> List<T> search(String base, String filter, int searchScope, AttributesMapper<T> mapper) { return null; }
-
-  public <T> List<T> search(String base, String filter, AttributesMapper<T> mapper) { return null; }
-
-  public <T> List<T> search(String base, String filter, int searchScope, String[] attrs, ContextMapper<T> mapper) { return null; }
-
-  public <T> List<T> search(String base, String filter, int searchScope, ContextMapper<T> mapper) { return null; }
-
-  public <T> List<T> search(String base, String filter, ContextMapper<T> mapper) { return null; }
-
-  public <T> List<T> search(String base, String filter, SearchControls controls, ContextMapper<T> mapper) { return null; }
-
-  public <T> List<T> search(String base, String filter, SearchControls controls, AttributesMapper<T> mapper) { return null; }
-
-  public <T> List<T> search(String base, String filter, SearchControls controls, AttributesMapper<T> mapper, DirContextProcessor processor) { return null; }
-
-  public <T> List<T> search(String base, String filter, SearchControls controls, ContextMapper<T> mapper,	DirContextProcessor processor) { return null; }
-
-  public DirContextOperations searchForContext(LdapQuery query) { return null; }
-
-  public <T> T searchForObject(Name base, String filter, ContextMapper<T> mapper) { return null; }
-
-  public <T> T searchForObject(String base, String filter, ContextMapper<T> mapper) { return null; }
-
-  public <T> T searchForObject(String base, String filter, SearchControls searchControls, ContextMapper<T> mapper) { return null; }
-
-  public Object lookup(final String dn) { return new Object(); }
-
-  public DirContextOperations lookupContext(String dn) { return null; }
-
-  public <T> T findByDn(Name dn, final Class<T> clazz) { return null; }
-
-  public void rename(final Name oldDn, final Name newDn) {}
-
-  public List<String> list(final Name base) { return null; }
-
-  public List<String> listBindings(final Name base) { return null; }
-
-  public void unbind(final String dn) {}
-
-  public void unbind(final String dn, boolean recursive) {}
-}

java/ql/test/experimental/stubs/spring-ldap-2.3.2/org/springframework/ldap/core/NameClassPairCallbackHandler.java

@@ -1,3 +0,0 @@
-package org.springframework.ldap.core;
-
-public interface NameClassPairCallbackHandler { }

java/ql/test/experimental/stubs/spring-ldap-2.3.2/org/springframework/ldap/filter/EqualsFilter.java

@@ -1,5 +0,0 @@
-package org.springframework.ldap.filter;
-
-public class EqualsFilter implements Filter {
-  public EqualsFilter(String attribute, String value) { }
-}

java/ql/test/experimental/stubs/spring-ldap-2.3.2/org/springframework/ldap/filter/Filter.java

@@ -1,4 +0,0 @@
-package org.springframework.ldap.filter;
-
-public interface Filter {
-}

java/ql/test/experimental/stubs/spring-ldap-2.3.2/org/springframework/ldap/filter/HardcodedFilter.java

@@ -1,7 +0,0 @@
-package org.springframework.ldap.filter;
-
-public class HardcodedFilter implements Filter {
-  public HardcodedFilter(String filter) { }
-  public StringBuffer encode(StringBuffer buff) { return buff; }
-  public String toString() { return ""; }
-}

java/ql/test/experimental/stubs/spring-ldap-2.3.2/org/springframework/ldap/query/ConditionCriteria.java

@@ -1,5 +0,0 @@
-package org.springframework.ldap.query;
-
-public interface ConditionCriteria {
-  ContainerCriteria is(String value);
-}

java/ql/test/experimental/stubs/spring-ldap-2.3.2/org/springframework/ldap/query/ContainerCriteria.java

@@ -1,4 +0,0 @@
-package org.springframework.ldap.query;
-
-public interface ContainerCriteria extends LdapQuery {
-}

java/ql/test/experimental/stubs/spring-ldap-2.3.2/org/springframework/ldap/query/LdapQuery.java

@@ -1,4 +0,0 @@
-package org.springframework.ldap.query;
-
-public interface LdapQuery {
-}

java/ql/test/experimental/stubs/spring-ldap-2.3.2/org/springframework/ldap/query/LdapQueryBuilder.java

@@ -1,14 +0,0 @@
-package org.springframework.ldap.query;
-
-import javax.naming.Name;
-import org.springframework.ldap.filter.Filter;
-
-public class LdapQueryBuilder {
-  public static LdapQueryBuilder query() { return null; }
-  public LdapQuery filter(String hardcodedFilter) { return null; }
-  public LdapQuery filter(Filter filter) { return null; }
-  public LdapQuery filter(String filterFormat, Object... params) { return null; }
-  public LdapQueryBuilder base(String baseDn) { return this; }
-  public Name base() { return null; }
-  public ConditionCriteria where(String attribute) { return null; }
-}

java/ql/test/experimental/stubs/spring-ldap-2.3.2/org/springframework/ldap/support/LdapEncoder.java

@@ -1,5 +0,0 @@
-package org.springframework.ldap.support;
-
-public class LdapEncoder {
-  public static String filterEncode(String value) { return null; }
-}

java/ql/test/experimental/stubs/spring-ldap-2.3.2/org/springframework/ldap/support/LdapNameBuilder.java

@@ -1,12 +0,0 @@
-package org.springframework.ldap.support;
-
-import javax.naming.ldap.LdapName;
-
-public class LdapNameBuilder {
-  public static LdapNameBuilder newInstance() { return null; }
-  public static LdapNameBuilder newInstance(String name) { return null; }
-
-  public LdapNameBuilder add(String name) { return null; }
-  public LdapNameBuilder add(String key, Object value) { return null; }
-  public LdapName build() { return null; }
-}

java/ql/test/experimental/stubs/spring-ldap-2.3.2/org/springframework/ldap/support/LdapUtils.java

@@ -1,7 +0,0 @@
-package org.springframework.ldap.support;
-
-import javax.naming.ldap.LdapName;
-
-public class LdapUtils {
-  public static LdapName newLdapName(String distinguishedName) { return null; }
-}

java/ql/test/experimental/stubs/springframework-5.2.3/org/springframework/web/bind/annotation/RequestParam.java

@@ -1,8 +0,0 @@
-package org.springframework.web.bind.annotation;
-
-import java.lang.annotation.*;
-
-@Target(value=ElementType.PARAMETER)
-@Retention(value=RetentionPolicy.RUNTIME)
-@Documented
-public @interface RequestParam { }

java/ql/test/library-tests/dataflow/local-additional-taint/ArraysTest.java

@@ -0,0 +1,23 @@
+import java.util.Arrays;
+import java.util.List;
+
+class ArraysTest {
+	public static void taintSteps(String[] source) {
+		Arrays.asList();
+		Arrays.asList("one");
+		Arrays.asList("two", "three");
+		Arrays.copyOf(source, 10);
+		Arrays.copyOfRange(source, 0, 10);
+		Arrays.deepToString(source);
+		Arrays.spliterator(source);
+		Arrays.stream(source);
+		Arrays.toString(source);
+		Arrays.fill(source, "value");
+		Arrays.fill(source, 0, 10, "data");
+		Arrays.parallelPrefix(source, (x, y) -> x + y);
+		Arrays.parallelPrefix(source, 0, 10, (x, y) -> x + y);
+		Arrays.parallelSetAll(source, x -> Integer.toString(x));
+		Arrays.setAll(source, x -> Integer.toString(x));
+	}
+}
+

java/ql/test/library-tests/dataflow/local-additional-taint/localAdditionalTaintStep.expected

@@ -1,3 +1,23 @@
+| ArraysTest.java:7:17:7:21 | "one" | ArraysTest.java:7:3:7:22 | asList(...) |
+| ArraysTest.java:7:17:7:21 | "one" | ArraysTest.java:7:3:7:22 | new ..[] { .. } |
+| ArraysTest.java:8:17:8:21 | "two" | ArraysTest.java:8:3:8:31 | asList(...) |
+| ArraysTest.java:8:17:8:21 | "two" | ArraysTest.java:8:3:8:31 | new ..[] { .. } |
+| ArraysTest.java:8:24:8:30 | "three" | ArraysTest.java:8:3:8:31 | asList(...) |
+| ArraysTest.java:8:24:8:30 | "three" | ArraysTest.java:8:3:8:31 | new ..[] { .. } |
+| ArraysTest.java:9:17:9:22 | source | ArraysTest.java:9:3:9:27 | copyOf(...) |
+| ArraysTest.java:10:22:10:27 | source | ArraysTest.java:10:3:10:35 | copyOfRange(...) |
+| ArraysTest.java:12:22:12:27 | source | ArraysTest.java:12:3:12:28 | spliterator(...) |
+| ArraysTest.java:13:17:13:22 | source | ArraysTest.java:13:3:13:23 | stream(...) |
+| ArraysTest.java:15:23:15:29 | "value" | ArraysTest.java:15:15:15:20 | source [post update] |
+| ArraysTest.java:16:30:16:35 | "data" | ArraysTest.java:16:15:16:20 | source [post update] |
+| ArraysTest.java:17:43:17:43 | x | ArraysTest.java:17:43:17:47 | ... + ... |
+| ArraysTest.java:17:47:17:47 | y | ArraysTest.java:17:43:17:47 | ... + ... |
+| ArraysTest.java:18:50:18:50 | x | ArraysTest.java:18:50:18:54 | ... + ... |
+| ArraysTest.java:18:54:18:54 | y | ArraysTest.java:18:50:18:54 | ... + ... |
+| ArraysTest.java:19:38:19:44 | Integer | ArraysTest.java:19:38:19:56 | toString(...) |
+| ArraysTest.java:19:55:19:55 | x | ArraysTest.java:19:38:19:56 | toString(...) |
+| ArraysTest.java:20:30:20:36 | Integer | ArraysTest.java:20:30:20:48 | toString(...) |
+| ArraysTest.java:20:47:20:47 | x | ArraysTest.java:20:30:20:48 | toString(...) |
 | CollectionsTest.java:10:28:10:32 | "one" | CollectionsTest.java:10:3:10:33 | new ..[] { .. } |
 | CollectionsTest.java:10:28:10:32 | "one" | CollectionsTest.java:10:22:10:25 | list [post update] |
 | CollectionsTest.java:11:28:11:32 | "two" | CollectionsTest.java:11:3:11:42 | new ..[] { .. } |

java/ql/test/stubs/spring-ldap-2.3.2/org/springframework/ldap/core/LdapTemplate.java

@@ -1,5 +1,7 @@
 package org.springframework.ldap.core;
 
+import org.springframework.beans.factory.InitializingBean;
+
 import java.util.*;
 
 import javax.naming.Name;
@@ -9,7 +11,7 @@ import org.springframework.ldap.filter.Filter;
 
 import org.springframework.ldap.query.LdapQuery;
 
-public class LdapTemplate {
+public class LdapTemplate implements LdapOperations, InitializingBean {
   public void authenticate(LdapQuery query, String password) { }
 
   public boolean authenticate(Name base, String filter, String password) { return true; }
@@ -22,7 +24,53 @@ public class LdapTemplate {
 
   public void search(String base, String filter, int searchScope, boolean returningObjFlag, NameClassPairCallbackHandler handler) { }
 
+  public void search(final String base, final String filter, final SearchControls controls, NameClassPairCallbackHandler handler) {}
+
+  public void search(final String base, final String filter, final SearchControls controls, NameClassPairCallbackHandler handler, DirContextProcessor processor) {}
+
+  public void search(String base, String filter, NameClassPairCallbackHandler handler) {}
+
+  public <T> List<T> search(String base, String filter, int searchScope, String[] attrs, AttributesMapper<T> mapper) { return null; }
+
+  public <T> List<T> search(String base, String filter, int searchScope, AttributesMapper<T> mapper) { return null; }
+
+  public <T> List<T> search(String base, String filter, AttributesMapper<T> mapper) { return null; }
+
+  public <T> List<T> search(String base, String filter, int searchScope, String[] attrs, ContextMapper<T> mapper) { return null; }
+
+  public <T> List<T> search(String base, String filter, int searchScope, ContextMapper<T> mapper) { return null; }
+
+  public <T> List<T> search(String base, String filter, ContextMapper<T> mapper) { return null; }
+
+  public <T> List<T> search(String base, String filter, SearchControls controls, ContextMapper<T> mapper) { return null; }
+
+  public <T> List<T> search(String base, String filter, SearchControls controls, AttributesMapper<T> mapper) { return null; }
+
+  public <T> List<T> search(String base, String filter, SearchControls controls, AttributesMapper<T> mapper, DirContextProcessor processor) { return null; }
+
+  public <T> List<T> search(String base, String filter, SearchControls controls, ContextMapper<T> mapper, DirContextProcessor processor) { return null; }
+
   public DirContextOperations searchForContext(LdapQuery query) { return null; }
 
   public <T> T searchForObject(Name base, String filter, ContextMapper<T> mapper) { return null; }
+
+  public <T> T searchForObject(String base, String filter, ContextMapper<T> mapper) { return null; }
+
+  public <T> T searchForObject(String base, String filter, SearchControls searchControls, ContextMapper<T> mapper) { return null; }
+
+  public Object lookup(final String dn) { return new Object(); }
+
+  public DirContextOperations lookupContext(String dn) { return null; }
+
+  public <T> T findByDn(Name dn, final Class<T> clazz) { return null; }
+
+  public void rename(final Name oldDn, final Name newDn) {}
+
+  public List<String> list(final Name base) { return null; }
+
+  public List<String> listBindings(final Name base) { return null; }
+
+  public void unbind(final String dn) {}
+
+  public void unbind(final String dn, boolean recursive) {}
 }