Merge remote-tracking branch 'upstream/master' into set-map-list-copy-of

2026-03-01 05:13:41 +01:00 · 2020-07-08 15:11:13 +02:00
parent 1485f7c876 6ef7288848
commit e8f216c761
702 changed files with 27270 additions and 27127 deletions
--- a/java/ql/src/semmle/code/Location.qll
+++ b/java/ql/src/semmle/code/Location.qll
@@ -90,16 +90,16 @@ class Top extends @top {

 /** A location maps language elements to positions in source files. */
 class Location extends @location {
-  /** Gets the line number where this location starts. */
+  /** Gets the 1-based line number (inclusive) where this location starts. */
  int getStartLine() { locations_default(this, _, result, _, _, _) }

-  /** Gets the column number where this location starts. */
+  /** Gets the 1-based column number (inclusive) where this location starts. */
  int getStartColumn() { locations_default(this, _, _, result, _, _) }

-  /** Gets the line number where this location ends. */
+  /** Gets the 1-based line number (inclusive) where this location ends. */
  int getEndLine() { locations_default(this, _, _, _, result, _) }

-  /** Gets the column number where this location ends. */
+  /** Gets the 1-based column number (inclusive) where this location ends. */
  int getEndColumn() { locations_default(this, _, _, _, _, result) }

  /**
--- a/java/ql/src/semmle/code/java/Expr.qll
+++ b/java/ql/src/semmle/code/java/Expr.qll
@@ -60,6 +60,12 @@ class Expr extends ExprParent, @expr {
  /** Gets the statement containing this expression, if any. */
  Stmt getEnclosingStmt() { statementEnclosingExpr(this, result) }

+  /**
+   * Gets a statement that directly or transitively contains this expression, if any.
+   * This is equivalent to `this.getEnclosingStmt().getEnclosingStmt*()`.
+   */
+  Stmt getAnEnclosingStmt() { result = this.getEnclosingStmt().getEnclosingStmt*() }
+
  /** Gets a child of this expression. */
  Expr getAChildExpr() { exprs(result, _, _, this, _) }

@@ -1237,7 +1243,7 @@ class VariableAssign extends VariableUpdate {
  }

  /**
-   * Gets the source of this assignment, if any.
+   * Gets the source (right-hand side) of this assignment, if any.
   *
   * An initialization in a `CatchClause` or `EnhancedForStmt` is implicit and
   * does not have a source.
--- a/java/ql/src/semmle/code/java/Javadoc.qll
+++ b/java/ql/src/semmle/code/java/Javadoc.qll
@@ -79,7 +79,7 @@ abstract class JavadocElement extends @javadocElement, Top {
  abstract string getText();
 }

-/** A Javadoc tag. */
+/** A Javadoc block tag. This does not include inline tags. */
 class JavadocTag extends JavadocElement, JavadocParent, @javadocTag {
  /** Gets the name of this Javadoc tag. */
  string getTagName() { javadocTag(this, result, _, _) }
--- a/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll
@@ -196,6 +196,12 @@ private predicate taintPreservingArgumentToMethod(Method method, int arg) {
    method.hasName("entry") and
    arg = 1
  )
+  or
+  method.getDeclaringType().hasQualifiedName("java.util", "Arrays") and
+  (
+    method.hasName(["copyOf", "copyOfRange", "spliterator", "stream"]) and
+    arg = 0
+  )
 }

 /**
@@ -223,6 +229,13 @@ private predicate taintPreservingArgToArg(Method method, int input, int output)
    or
    method.hasName("replaceAll") and input = 2 and output = 0
  )
+  or
+  method.getDeclaringType().hasQualifiedName("java.util", "Arrays") and
+  (
+    method.hasName("fill") and
+    output = 0 and
+    input = method.getNumberOfParameters() - 1
+  )
 }

 private predicate argToQualifierStep(Expr tracked, Expr sink) {
@@ -236,9 +249,18 @@ private predicate argToQualifierStep(Expr tracked, Expr sink) {

 /** Access to a method that passes taint from an argument. */
 private predicate argToMethodStep(Expr tracked, MethodAccess sink) {
-  exists(int i |
-    taintPreservingArgumentToMethod(sink.getMethod(), i) and
-    tracked = sink.getArgument(i)
+  exists(Method m |
+    m = sink.getMethod() and
+    (
+      exists(int i |
+        taintPreservingArgumentToMethod(m, i) and
+        tracked = sink.getArgument(i)
+      )
+      or
+      m.getDeclaringType().hasQualifiedName("java.util", "Arrays") and
+      m.hasName("asList") and
+      tracked = sink.getAnArgument()
+    )
  )
  or
  taintPreservingArgumentToMethod(sink.getMethod()) and
--- a/java/ql/src/semmle/code/java/security/FileReadWrite.qll
+++ b/java/ql/src/semmle/code/java/security/FileReadWrite.qll
@@ -9,9 +9,9 @@ private predicate fileRead(VarAccess fileAccess, Expr fileReadingExpr) {
    cie = fileReadingExpr and
    cie.getArgument(0) = fileAccess
  |
-    cie.getConstructedType().hasQualifiedName("java.io", "RandomAccessFile") or
-    cie.getConstructedType().hasQualifiedName("java.io", "FileReader") or
-    cie.getConstructedType().hasQualifiedName("java.io", "FileInputStream")
+    cie
+        .getConstructedType()
+        .hasQualifiedName("java.io", ["RandomAccessFile", "FileReader", "FileInputStream"])
  )
  or
  exists(MethodAccess ma, Method filesMethod |
@@ -22,13 +22,9 @@ private predicate fileRead(VarAccess fileAccess, Expr fileReadingExpr) {
      // represented by the first argument.
      filesMethod.getDeclaringType().hasQualifiedName("java.nio.file", "Files") and
      fileAccess = ma.getArgument(0) and
-      (
-        filesMethod.hasName("readAllBytes") or
-        filesMethod.hasName("readAllLines") or
-        filesMethod.hasName("newBufferedReader") or
-        filesMethod.hasName("newInputReader") or
-        filesMethod.hasName("newByteChannel")
-      )
+      filesMethod
+          .hasName(["readAllBytes", "readAllLines", "readString", "lines", "newBufferedReader",
+                "newInputStream", "newByteChannel"])
    )
  )
  or