Exclude models for simpler types

Avoid generating models for types that can't really propagate taint in a valuable way (e.g. primitivies, BigInt, ..). Keep tracking bulk-like data (e.g. char[] or byte[]).
2025-12-20 18:56:32 +01:00 · 2021-10-19 13:24:32 +02:00
parent 842f617bc1
commit f36bb8baaf
2 changed files with 46 additions and 6 deletions
--- a/java/ql/src/utils/model-generator/CaptureSummaryModels.ql
+++ b/java/ql/src/utils/model-generator/CaptureSummaryModels.ql
@@ -31,7 +31,7 @@ string captureFieldFlow(Callable api) {
  exists(FieldAccess fa, ReturnNodeExt postUpdate |
    not (fa.getField().isStatic() and fa.getField().isFinal()) and
    postUpdate.getEnclosingCallable() = api and
-    not api.getReturnType() instanceof PrimitiveType and
+    isRelevantType(api.getReturnType()) and
    not api.getDeclaringType() instanceof EnumType and
    TaintTracking::localTaint(DataFlow::exprNode(fa), postUpdate)
  |
@@ -55,7 +55,7 @@ class ParameterToFieldConfig extends TaintTracking::Configuration {

  override predicate isSource(DataFlow::Node source) {
    source instanceof DataFlow::ParameterNode and
-    not source.getType() instanceof PrimitiveType
+    isRelevantType(source.getType())
  }

  override predicate isSink(DataFlow::Node sink) {
@@ -82,10 +82,8 @@ class ParameterToReturnValueTaintConfig extends TaintTracking::Configuration {
    exists(Callable api |
      source instanceof DataFlow::ParameterNode and
      api = source.asParameter().getCallable() and
-      not api.getReturnType() instanceof PrimitiveType and
-      not api.getReturnType() instanceof TypeClass and
-      not source.asParameter().getType() instanceof PrimitiveType and
-      not source.asParameter().getType() instanceof TypeClass
+      isRelevantType(api.getReturnType()) and
+      isRelevantType(source.asParameter().getType())
    )
  }

@@ -120,6 +118,18 @@ string captureParameterToParameterFlow(Callable api) {
  )
 }

+predicate isRelevantType(Type t) {
+  not t instanceof TypeClass and
+  not t instanceof EnumType and
+  not t instanceof PrimitiveType and
+  not t instanceof BoxedType and
+  not t.(RefType).hasQualifiedName("java.math", "BigInteger") and
+  not t.(Array).getElementType() instanceof PrimitiveType and
+  not t.(Array).getElementType().(PrimitiveType).getName().regexpMatch("byte|char") and
+  not t.(Array).getElementType() instanceof BoxedType and
+  not t.(CollectionType).getElementType() instanceof BoxedType
+}
+
 // TODO: "com.google.common.base;Converter;true;convertAll;(Iterable);;Element of Argument[0];Element of ReturnValue;taint",
 // TODO: infer interface from multiple implementations? e.g. UriComponentsContributor
 // TODO: distinguish between taint and value flows. If we find a value flow, omit the taint flow