Mass-rename MethodAccess -> MethodCall
@@ -1,6 +1,6 @@
|
||||
import java
|
||||
|
||||
from MethodAccess ma
|
||||
from MethodCall ma
|
||||
// Generally Kotlin calls will always use an explicit qualifier, except for calls
|
||||
// to the synthetic instance initializer <obinit>, which use an implicit `this`.
|
||||
where
|
||||
|
||||
@@ -44,7 +44,7 @@ predicate shouldBeDeadEnd(ControlFlowNode n) {
|
||||
or
|
||||
n instanceof WildcardTypeAccess // TODO
|
||||
or
|
||||
n instanceof MethodAccess // TODO
|
||||
n instanceof MethodCall // TODO
|
||||
or
|
||||
n instanceof Method
|
||||
or
|
||||
|
||||
@@ -37,11 +37,11 @@ predicate gapInChildren(Element e, int i) {
|
||||
// For statements may or may not declare a new variable (child 0), or
|
||||
// have a condition (child 1).
|
||||
not (e instanceof ForStmt and i = [0, 1]) and
|
||||
// TODO: Clarify situation with Kotlin and MethodAccess.
|
||||
// TODO: Clarify situation with Kotlin and MethodCall.
|
||||
// -1 can be skipped (type arguments from -2 down, no qualifier at -1,
|
||||
// then arguments from 0).
|
||||
// Can we also skip arguments, e.g. due to defaults for parameters?
|
||||
not (e instanceof MethodAccess and e.getFile().isKotlinSourceFile()) and
|
||||
not (e instanceof MethodCall and e.getFile().isKotlinSourceFile()) and
|
||||
// Kotlin-extracted annotations can have missing children where a default
|
||||
// value should be, because kotlinc doesn't load annotation defaults and we
|
||||
// want to leave a space for another extractor to fill in the default if it
|
||||
|
||||
@@ -8,7 +8,7 @@
|
||||
|
||||
import java
|
||||
|
||||
from MethodAccess call, Method method
|
||||
from MethodCall call, Method method
|
||||
where
|
||||
call.getMethod() = method and
|
||||
method.hasName("methodName") and
|
||||
|
||||
@@ -10,7 +10,7 @@ import java
|
||||
|
||||
from Method m, Method n
|
||||
where
|
||||
exists(MethodAccess ma | ma.getCaller() = m and ma.getCallee() = n) and
|
||||
exists(MethodAccess ma | ma.getCaller() = n and ma.getCallee() = m) and
|
||||
exists(MethodCall ma | ma.getCaller() = m and ma.getCallee() = n) and
|
||||
exists(MethodCall ma | ma.getCaller() = n and ma.getCallee() = m) and
|
||||
m != n
|
||||
select m, n
|
||||
|
||||
@@ -11,7 +11,7 @@
|
||||
|
||||
import java
|
||||
|
||||
from MethodAccess call, Method add
|
||||
from MethodCall call, Method add
|
||||
where
|
||||
call.getMethod().overrides*(add) and
|
||||
add.hasName("add") and
|
||||
|
||||
@@ -5,7 +5,7 @@ private import semmle.code.java.dataflow.ExternalFlow
|
||||
|
||||
module Config implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node n) {
|
||||
n.asExpr().(MethodAccess).getCallee().getName() = "source"
|
||||
n.asExpr().(MethodCall).getCallee().getName() = "source"
|
||||
or
|
||||
sourceNode(n, "kotlinMadFlowTest")
|
||||
}
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
import java
|
||||
|
||||
from MethodAccess ma
|
||||
from MethodCall ma
|
||||
select ma, ma.getCallee()
|
||||
|
||||
@@ -31,7 +31,7 @@ query predicate nestedTypes(NestedType nt, RefType parent) {
|
||||
}
|
||||
|
||||
query predicate javaKotlinCalleeAgreement(
|
||||
MethodAccess javaMa, MethodAccess kotlinMa, Callable callee
|
||||
MethodCall javaMa, MethodCall kotlinMa, Callable callee
|
||||
) {
|
||||
javaMa.getCallee() = callee and
|
||||
kotlinMa.getCallee() = callee and
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
import java
|
||||
|
||||
from MethodAccess ma
|
||||
from MethodCall ma
|
||||
select ma, ma.getCallee().toString(), ma.getCallee().getAParamType().toString()
|
||||
|
||||
@@ -15,7 +15,7 @@ import IDEContextual
|
||||
* the location may be slightly inaccurate and include such whitespace,
|
||||
* but it should suffice for the purpose of avoiding overlapping definitions.
|
||||
*/
|
||||
private class LocationOverridingMethodAccess extends MethodAccess {
|
||||
private class LocationOverridingMethodCall extends MethodCall {
|
||||
override predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) {
|
||||
exists(MemberRefExpr e | e.getReferencedCallable() = this.getMethod() |
|
||||
exists(int elRef, int ecRef | e.hasLocationInfo(path, _, _, elRef, ecRef) |
|
||||
@@ -152,7 +152,7 @@ private class LocationOverridingImportStaticTypeMember extends ImportStaticTypeM
|
||||
}
|
||||
|
||||
private Element definition(Element e, string kind) {
|
||||
e.(MethodAccess).getMethod().getSourceDeclaration() = result and
|
||||
e.(MethodCall).getMethod().getSourceDeclaration() = result and
|
||||
kind = "M" and
|
||||
not result instanceof InitializerMethod
|
||||
or
|
||||
|
||||
@@ -82,7 +82,7 @@ class CollectionMutator extends CollectionMethod {
|
||||
}
|
||||
|
||||
/** A method call that mutates a collection. */
|
||||
class CollectionMutation extends MethodAccess {
|
||||
class CollectionMutation extends MethodCall {
|
||||
CollectionMutation() { this.getMethod() instanceof CollectionMutator }
|
||||
|
||||
/** Holds if the result of this call is not immediately discarded. */
|
||||
|
||||
@@ -43,7 +43,7 @@
|
||||
*
|
||||
* An important goal of the CFG is to get the order of side-effects correct.
|
||||
* Most expressions can have side-effects and must therefore be modeled in the
|
||||
* CFG in AST post-order. For example, a `MethodAccess` evaluates its arguments
|
||||
* CFG in AST post-order. For example, a `MethodCall` evaluates its arguments
|
||||
* before the call. Most statements don't have side-effects, but merely affect
|
||||
* the control-flow and some could therefore be excluded from the CFG. However,
|
||||
* as a design choice, all statements are included in the CFG and generally
|
||||
@@ -190,7 +190,7 @@ private module ControlFlowGraphImpl {
|
||||
/**
|
||||
* Bind `t` to an unchecked exception that may occur in a precondition check.
|
||||
*/
|
||||
private predicate uncheckedExceptionFromMethod(MethodAccess ma, ThrowableType t) {
|
||||
private predicate uncheckedExceptionFromMethod(MethodCall ma, ThrowableType t) {
|
||||
conditionCheckArgument(ma, _, _) and
|
||||
(t instanceof TypeError or t instanceof TypeRuntimeException)
|
||||
}
|
||||
@@ -349,8 +349,8 @@ private module ControlFlowGraphImpl {
|
||||
forall(Parameter p | p = this.getAParameter() | exists(p.getAnAccess()))
|
||||
}
|
||||
|
||||
/** Gets a `MethodAccess` that calls this method. */
|
||||
MethodAccess getAnAccess() { result.getMethod().getAPossibleImplementation() = this }
|
||||
/** Gets a `MethodCall` that calls this method. */
|
||||
MethodCall getAnAccess() { result.getMethod().getAPossibleImplementation() = this }
|
||||
}
|
||||
|
||||
/** Holds if a call to `m` indicates that `m` is expected to return. */
|
||||
@@ -390,9 +390,9 @@ private module ControlFlowGraphImpl {
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets a `MethodAccess` that always throws an exception or calls `exit`.
|
||||
* Gets a `MethodCall` that always throws an exception or calls `exit`.
|
||||
*/
|
||||
private MethodAccess nonReturningMethodAccess() {
|
||||
private MethodCall nonReturningMethodCall() {
|
||||
result.getMethod().getSourceDeclaration() = nonReturningMethod() or
|
||||
result = likelyNonReturningMethod().getAnAccess()
|
||||
}
|
||||
@@ -422,7 +422,7 @@ private module ControlFlowGraphImpl {
|
||||
* Gets an expression that always throws an exception or calls `exit`.
|
||||
*/
|
||||
private Expr nonReturningExpr() {
|
||||
result = nonReturningMethodAccess()
|
||||
result = nonReturningMethodCall()
|
||||
or
|
||||
result.(StmtExpr).getStmt() = nonReturningStmt()
|
||||
or
|
||||
@@ -588,7 +588,7 @@ private module ControlFlowGraphImpl {
|
||||
not this instanceof BooleanLiteral and
|
||||
not this instanceof ReturnStmt and
|
||||
not this instanceof ThrowStmt and
|
||||
not this = nonReturningMethodAccess()
|
||||
not this = nonReturningMethodCall()
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -1380,7 +1380,7 @@ class MemberRefExpr extends FunctionalExpr, @memberref {
|
||||
*/
|
||||
RefType getReceiverType() {
|
||||
exists(Expr resultExpr | resultExpr = this.getResultExpr() |
|
||||
result = resultExpr.(MethodAccess).getReceiverType() or
|
||||
result = resultExpr.(MethodCall).getReceiverType() or
|
||||
result = resultExpr.(ClassInstanceExpr).getConstructedType() or
|
||||
result = resultExpr.(ArrayCreationExpr).getType()
|
||||
)
|
||||
@@ -1931,16 +1931,16 @@ class MethodCall extends Expr, Call, @methodaccess {
|
||||
* Holds if this is a method access to an instance method of `this`. That is,
|
||||
* the qualifier is either an explicit or implicit unqualified `this` or `super`.
|
||||
*/
|
||||
predicate isOwnMethodAccess() { Qualifier::ownMemberAccess(this) }
|
||||
predicate isOwnMethodCall() { Qualifier::ownMemberAccess(this) }
|
||||
|
||||
/**
|
||||
* Holds if this is a method access to an instance method of the enclosing
|
||||
* class `t`. That is, the qualifier is either an explicit or implicit
|
||||
* `t`-qualified `this` or `super`.
|
||||
*/
|
||||
predicate isEnclosingMethodAccess(RefType t) { Qualifier::enclosingMemberAccess(this, t) }
|
||||
predicate isEnclosingMethodCall(RefType t) { Qualifier::enclosingMemberAccess(this, t) }
|
||||
|
||||
override string getAPrimaryQlClass() { result = "MethodAccess" }
|
||||
override string getAPrimaryQlClass() { result = "MethodCall" }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for `MethodCall`. */
|
||||
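Review bot: `isOwnMethodAccess()` and `isEnclosingMethodAccess(RefType)` are public member predicates of `MethodCall`, and this hunk renames them in place without a deprecated forwarder, so downstream queries that still call the old names stop compiling. The hunk header shows an unchanged line count (16 to 16), so no forwarder is added here; unless one exists elsewhere in the file, consider `deprecated predicate isOwnMethodAccess() { this.isOwnMethodCall() }` and `deprecated predicate isEnclosingMethodAccess(RefType t) { this.isEnclosingMethodCall(t) }`, in line with the `deprecated class … = …;` aliases this commit adds for `VirtualMethodAccess`, `StaticMethodAccess` and `SuperMethodAccess`. The same gap appears to apply to the renamed classes `MethodAccessSystemGetProperty`, `ReflectiveClassIdentifierMethodAccess`, `ClassMethodAccess` and `ReflectiveMethodAccess` in later hunks, where no alias is visible. The QLDoc above both predicates still says "method access", and the new `getAPrimaryQlClass()` result `"MethodCall"` changes any output keyed on that string. The body of `MethodCall` starts before this hunk.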
@@ -2107,23 +2107,32 @@ class Call extends ExprParent, @caller {
|
||||
}
|
||||
|
||||
/** A polymorphic call to an instance method. */
|
||||
class VirtualMethodAccess extends MethodAccess {
|
||||
VirtualMethodAccess() {
|
||||
class VirtualMethodCall extends MethodCall {
|
||||
VirtualMethodCall() {
|
||||
this.getMethod().isVirtual() and
|
||||
not this.getQualifier() instanceof SuperAccess
|
||||
}
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for `VirtualMethodCall`. */
|
||||
deprecated class VirtualMethodAccess = VirtualMethodCall;
|
||||
|
||||
/** A static method call. */
|
||||
class StaticMethodAccess extends MethodAccess {
|
||||
StaticMethodAccess() { this.getMethod().isStatic() }
|
||||
class StaticMethodCall extends MethodCall {
|
||||
StaticMethodCall() { this.getMethod().isStatic() }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for `StaticMethodCall`. */
|
||||
deprecated class StaticMethodAccess = StaticMethodCall;
|
||||
|
||||
/** A call to a method in the superclass. */
|
||||
class SuperMethodAccess extends MethodAccess {
|
||||
SuperMethodAccess() { this.getQualifier() instanceof SuperAccess }
|
||||
class SuperMethodCall extends MethodCall {
|
||||
SuperMethodCall() { this.getQualifier() instanceof SuperAccess }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for `SuperMethodCall`. */
|
||||
deprecated class SuperMethodAccess = SuperMethodCall;
|
||||
|
||||
/**
|
||||
* A constructor call, which occurs either as a constructor invocation inside a
|
||||
* constructor, or as part of a class instance expression.
|
||||
@@ -2172,23 +2181,23 @@ private module Qualifier {
|
||||
TThis() or
|
||||
TEnclosing(RefType t)
|
||||
|
||||
/** An expression that accesses a member. That is, either a `FieldAccess` or a `MethodAccess`. */
|
||||
/** An expression that accesses a member. That is, either a `FieldAccess` or a `MethodCall`. */
|
||||
class MemberAccess extends Expr {
|
||||
MemberAccess() {
|
||||
this instanceof FieldAccess or
|
||||
this instanceof MethodAccess
|
||||
this instanceof MethodCall
|
||||
}
|
||||
|
||||
/** Gets the member accessed by this member access. */
|
||||
Member getMember() {
|
||||
result = this.(FieldAccess).getField() or
|
||||
result = this.(MethodAccess).getMethod()
|
||||
result = this.(MethodCall).getMethod()
|
||||
}
|
||||
|
||||
/** Gets the qualifier of this member access, if any. */
|
||||
Expr getQualifier() {
|
||||
result = this.(FieldAccess).getQualifier() or
|
||||
result = this.(MethodAccess).getQualifier()
|
||||
result = this.(MethodCall).getQualifier()
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -479,7 +479,7 @@ class GenericCall extends Call {
|
||||
}
|
||||
|
||||
private RefType getAnExplicitTypeArgument(TypeVariable v) {
|
||||
exists(GenericCallable gen, MethodAccess call, int i |
|
||||
exists(GenericCallable gen, MethodCall call, int i |
|
||||
this = call and
|
||||
gen = call.getCallee() and
|
||||
v = gen.getTypeParameter(i) and
|
||||
|
||||
@@ -261,8 +261,8 @@ class MethodSystemGetProperty extends ValuePreservingMethod {
|
||||
/**
|
||||
* An access to a method named `getProperty` on class `java.lang.System`.
|
||||
*/
|
||||
class MethodAccessSystemGetProperty extends MethodAccess {
|
||||
MethodAccessSystemGetProperty() { this.getMethod() instanceof MethodSystemGetProperty }
|
||||
class MethodCallSystemGetProperty extends MethodCall {
|
||||
MethodCallSystemGetProperty() { this.getMethod() instanceof MethodSystemGetProperty }
|
||||
|
||||
/**
|
||||
* Holds if this call has a compile-time constant first argument with the value `propertyName`.
|
||||
|
||||
@@ -39,7 +39,7 @@ class RegisteredManagedBeanImpl extends Class {
|
||||
/**
|
||||
* A call that registers an object with the `MBeanServer`, directly or indirectly.
|
||||
*/
|
||||
class JmxRegistrationCall extends MethodAccess {
|
||||
class JmxRegistrationCall extends MethodCall {
|
||||
JmxRegistrationCall() { this.getCallee() instanceof JmxRegistrationMethod }
|
||||
|
||||
/**
|
||||
|
||||
@@ -49,7 +49,7 @@ class MapSizeMethod extends MapMethod {
|
||||
}
|
||||
|
||||
/** A method call that mutates a map. */
|
||||
class MapMutation extends MethodAccess {
|
||||
class MapMutation extends MethodCall {
|
||||
MapMutation() { this.getMethod() instanceof MapMutator }
|
||||
|
||||
/** Holds if the result of this call is not immediately discarded. */
|
||||
@@ -76,7 +76,7 @@ class FreshMap extends ClassInstanceExpr {
|
||||
/**
|
||||
* A call to `Map.put(key, value)`.
|
||||
*/
|
||||
class MapPutCall extends MethodAccess {
|
||||
class MapPutCall extends MethodCall {
|
||||
MapPutCall() { this.getCallee().(MapMethod).hasName("put") }
|
||||
|
||||
/** Gets the key argument of this call. */
|
||||
|
||||
@@ -129,7 +129,7 @@ class Callable extends StmtParent, Member, @callable {
|
||||
* Holds if this callable calls `target`
|
||||
* using a `super` method call.
|
||||
*/
|
||||
predicate callsSuper(Method target) { this.getACallSite(target) instanceof SuperMethodAccess }
|
||||
predicate callsSuper(Method target) { this.getACallSite(target) instanceof SuperMethodCall }
|
||||
|
||||
/**
|
||||
* Holds if this callable calls `c` using
|
||||
@@ -526,7 +526,7 @@ class Method extends Callable, @method {
|
||||
this.getSourceDeclaration().getAPossibleImplementationOfSrcMethod() = result
|
||||
}
|
||||
|
||||
override MethodAccess getAReference() { result = Callable.super.getAReference() }
|
||||
override MethodCall getAReference() { result = Callable.super.getAReference() }
|
||||
|
||||
override predicate isPublic() {
|
||||
Callable.super.isPublic()
|
||||
|
||||
@@ -3,7 +3,7 @@
|
||||
import java
|
||||
|
||||
/** A call to a string to number conversion. */
|
||||
private class SpecialMethodAccess extends MethodAccess {
|
||||
private class SpecialMethodCall extends MethodCall {
|
||||
predicate isValueOfMethod(string klass) {
|
||||
this.getMethod().getName() = "valueOf" and
|
||||
this.getQualifier().getType().(RefType).hasQualifiedName("java.lang", klass) and
|
||||
@@ -78,7 +78,7 @@ deprecated predicate catchesNFE = catchesNfe/1;
|
||||
|
||||
/** Holds if `java.lang.NumberFormatException` can be thrown. */
|
||||
predicate throwsNfe(Expr e) {
|
||||
e.(SpecialClassInstanceExpr).throwsNfe() or e.(SpecialMethodAccess).throwsNfe()
|
||||
e.(SpecialClassInstanceExpr).throwsNfe() or e.(SpecialMethodCall).throwsNfe()
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for throwsNfe */
|
||||
|
||||
@@ -300,7 +300,7 @@ private class PpCall extends PpAst, Call {
|
||||
or
|
||||
i = 2 and
|
||||
(
|
||||
result = this.(MethodAccess).getMethod().getName()
|
||||
result = this.(MethodCall).getMethod().getName()
|
||||
or
|
||||
result = "this" and this instanceof ThisConstructorInvocationStmt
|
||||
or
|
||||
|
||||
@@ -62,8 +62,8 @@ private class ReflectiveClassIdentifierLiteral extends ReflectiveClassIdentifier
|
||||
/**
|
||||
* A call to a Java standard library method which constructs or returns a `Class<T>` from a `String`.
|
||||
*/
|
||||
class ReflectiveClassIdentifierMethodAccess extends ReflectiveClassIdentifier, MethodAccess {
|
||||
ReflectiveClassIdentifierMethodAccess() {
|
||||
class ReflectiveClassIdentifierMethodCall extends ReflectiveClassIdentifier, MethodCall {
|
||||
ReflectiveClassIdentifierMethodCall() {
|
||||
// A call to `Class.forName(...)`, from which we can infer `T` in the returned type `Class<T>`.
|
||||
this.getCallee().getDeclaringType() instanceof TypeClass and this.getCallee().hasName("forName")
|
||||
or
|
||||
@@ -211,7 +211,7 @@ private predicate expectsEnclosingInstance(RefType r) {
|
||||
/**
|
||||
* A call to `Class.newInstance()` or `Constructor.newInstance()`.
|
||||
*/
|
||||
class NewInstance extends MethodAccess {
|
||||
class NewInstance extends MethodCall {
|
||||
NewInstance() {
|
||||
(
|
||||
this.getCallee().getDeclaringType() instanceof TypeClass or
|
||||
@@ -301,10 +301,10 @@ class NewInstance extends MethodAccess {
|
||||
}
|
||||
|
||||
/**
|
||||
* A `MethodAccess` on a `Class` element.
|
||||
* A `MethodCall` on a `Class` element.
|
||||
*/
|
||||
class ClassMethodAccess extends MethodAccess {
|
||||
ClassMethodAccess() { this.getCallee().getDeclaringType() instanceof TypeClass }
|
||||
class ClassMethodCall extends MethodCall {
|
||||
ClassMethodCall() { this.getCallee().getDeclaringType() instanceof TypeClass }
|
||||
|
||||
/**
|
||||
* Gets an inferred type for the `Class` represented by this expression.
|
||||
@@ -320,7 +320,7 @@ class ClassMethodAccess extends MethodAccess {
|
||||
/**
|
||||
* A call to `Class.getConstructors(..)` or `Class.getDeclaredConstructors(..)`.
|
||||
*/
|
||||
class ReflectiveConstructorsAccess extends ClassMethodAccess {
|
||||
class ReflectiveConstructorsAccess extends ClassMethodCall {
|
||||
ReflectiveConstructorsAccess() {
|
||||
this.getCallee().hasName("getConstructors") or
|
||||
this.getCallee().hasName("getDeclaredConstructors")
|
||||
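Review bot: `ReflectiveConstructorsAccess` keeps its `Access` suffix while its supertype becomes `ClassMethodCall`, which leaves the reflection classes inconsistently named after this commit. `ReflectiveMethodAccess` is renamed to `ReflectiveMethodCall`, but `ReflectiveConstructorsAccess`, `ReflectiveMethodsAccess`, `ReflectiveAnnotationAccess` and `ReflectiveFieldAccess` (this hunk and the ones at -330, -369 and -383) are not. If the old names are kept on purpose to avoid breaking the public API, a one-line QLDoc remark saying so would help; otherwise they could be renamed in the same pass, each with a `deprecated class … = …;` alias. The class body continues outside the hunk.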
@@ -330,7 +330,7 @@ class ReflectiveConstructorsAccess extends ClassMethodAccess {
|
||||
/**
|
||||
* A call to `Class.getMethods(..)` or `Class.getDeclaredMethods(..)`.
|
||||
*/
|
||||
class ReflectiveMethodsAccess extends ClassMethodAccess {
|
||||
class ReflectiveMethodsAccess extends ClassMethodCall {
|
||||
ReflectiveMethodsAccess() {
|
||||
this.getCallee().hasName("getMethods") or
|
||||
this.getCallee().hasName("getDeclaredMethods")
|
||||
@@ -340,8 +340,8 @@ class ReflectiveMethodsAccess extends ClassMethodAccess {
|
||||
/**
|
||||
* A call to `Class.getMethod(..)` or `Class.getDeclaredMethod(..)`.
|
||||
*/
|
||||
class ReflectiveMethodAccess extends ClassMethodAccess {
|
||||
ReflectiveMethodAccess() {
|
||||
class ReflectiveMethodCall extends ClassMethodCall {
|
||||
ReflectiveMethodCall() {
|
||||
this.getCallee().hasName("getMethod") or
|
||||
this.getCallee().hasName("getDeclaredMethod")
|
||||
}
|
||||
@@ -369,7 +369,7 @@ class ReflectiveMethodAccess extends ClassMethodAccess {
|
||||
/**
|
||||
* A call to `Class.getAnnotation(..)`.
|
||||
*/
|
||||
class ReflectiveAnnotationAccess extends ClassMethodAccess {
|
||||
class ReflectiveAnnotationAccess extends ClassMethodCall {
|
||||
ReflectiveAnnotationAccess() { this.getCallee().hasName("getAnnotation") }
|
||||
|
||||
/**
|
||||
@@ -383,7 +383,7 @@ class ReflectiveAnnotationAccess extends ClassMethodAccess {
|
||||
/**
|
||||
* A call to `Class.getField(..)` that accesses a field.
|
||||
*/
|
||||
class ReflectiveFieldAccess extends ClassMethodAccess {
|
||||
class ReflectiveFieldAccess extends ClassMethodCall {
|
||||
ReflectiveFieldAccess() {
|
||||
this.getCallee().hasName("getField") or
|
||||
this.getCallee().hasName("getDeclaredField")
|
||||
|
||||
@@ -242,7 +242,7 @@ predicate implicitToStringCall(Expr e) {
|
||||
or
|
||||
exists(AddExpr add | add.getType() instanceof TypeString and add.getAnOperand() = e)
|
||||
or
|
||||
exists(MethodAccess ma, Method m, int i |
|
||||
exists(MethodCall ma, Method m, int i |
|
||||
ma.getMethod() = m and
|
||||
ma.getArgument(i) = e and
|
||||
printMethod(m, i)
|
||||
@@ -253,7 +253,7 @@ predicate implicitToStringCall(Expr e) {
|
||||
/**
|
||||
* A call to a `format` or `printf` method.
|
||||
*/
|
||||
class StringFormat extends MethodAccess, FormattingCall {
|
||||
class StringFormat extends MethodCall, FormattingCall {
|
||||
StringFormat() { this.getCallee() instanceof StringFormatMethod }
|
||||
}
|
||||
|
||||
|
||||
@@ -187,14 +187,14 @@ private predicate switchCaseControls(SwitchCase sc, BasicBlock bb) {
|
||||
}
|
||||
|
||||
private predicate preconditionBranchEdge(
|
||||
MethodAccess ma, BasicBlock bb1, BasicBlock bb2, boolean branch
|
||||
MethodCall ma, BasicBlock bb1, BasicBlock bb2, boolean branch
|
||||
) {
|
||||
conditionCheckArgument(ma, _, branch) and
|
||||
bb1.getLastNode() = ma.getControlFlowNode() and
|
||||
bb2 = bb1.getLastNode().getANormalSuccessor()
|
||||
}
|
||||
|
||||
private predicate preconditionControls(MethodAccess ma, BasicBlock controlled, boolean branch) {
|
||||
private predicate preconditionControls(MethodCall ma, BasicBlock controlled, boolean branch) {
|
||||
exists(BasicBlock check, BasicBlock succ |
|
||||
preconditionBranchEdge(ma, check, succ, branch) and
|
||||
dominatingEdge(check, succ) and
|
||||
@@ -249,7 +249,7 @@ private predicate equalityGuard(Guard g, Expr e1, Expr e2, boolean polarity) {
|
||||
eqtest.hasOperands(e1, e2)
|
||||
)
|
||||
or
|
||||
exists(MethodAccess ma |
|
||||
exists(MethodCall ma |
|
||||
ma = g and
|
||||
ma.getMethod() instanceof EqualsMethod and
|
||||
polarity = true and
|
||||
@@ -257,7 +257,7 @@ private predicate equalityGuard(Guard g, Expr e1, Expr e2, boolean polarity) {
|
||||
ma.getQualifier() = e2
|
||||
)
|
||||
or
|
||||
exists(MethodAccess ma, Method equals |
|
||||
exists(MethodCall ma, Method equals |
|
||||
ma = g and
|
||||
ma.getMethod() = equals and
|
||||
polarity = true and
|
||||
|
||||
@@ -59,7 +59,7 @@ predicate implies_v1(Guard g1, boolean b1, Guard g2, boolean b2) {
|
||||
or
|
||||
g1.(DefaultCase).getSwitchExpr().getAConstCase() = g2 and b1 = true and b2 = false
|
||||
or
|
||||
exists(MethodAccess check, int argIndex | check = g1 |
|
||||
exists(MethodCall check, int argIndex | check = g1 |
|
||||
conditionCheckArgument(check, argIndex, _) and
|
||||
g2 = check.getArgument(argIndex) and
|
||||
b1 = [true, false] and
|
||||
|
||||
@@ -17,7 +17,7 @@ predicate conditionCheckMethodArgument(Method m, int argument, boolean checkTrue
|
||||
or
|
||||
condtionCheckMethodTestingFramework(m, argument, checkTrue)
|
||||
or
|
||||
exists(Parameter p, MethodAccess ma, int argIndex, boolean ct, Expr arg |
|
||||
exists(Parameter p, MethodCall ma, int argIndex, boolean ct, Expr arg |
|
||||
p = m.getParameter(argument) and
|
||||
not m.isOverridable() and
|
||||
m.getBody().getStmt(0).(ExprStmt).getExpr() = ma and
|
||||
@@ -100,6 +100,6 @@ private predicate condtionCheckMethodTestingFramework(Method m, int argument, bo
|
||||
* Holds if `ma` is an access to a non-overridable method that checks that its
|
||||
* zero-indexed `argument` is equal to `checkTrue` and throws otherwise.
|
||||
*/
|
||||
predicate conditionCheckArgument(MethodAccess ma, int argument, boolean checkTrue) {
|
||||
predicate conditionCheckArgument(MethodCall ma, int argument, boolean checkTrue) {
|
||||
conditionCheckMethodArgument(ma.getMethod().getSourceDeclaration(), argument, checkTrue)
|
||||
}
|
||||
|
||||
@@ -126,9 +126,9 @@ private predicate variableStep(Expr tracked, VarAccess sink) {
|
||||
private class ReverseDnsSource extends RemoteFlowSource {
|
||||
ReverseDnsSource() {
|
||||
// Try not to trigger on `localhost`.
|
||||
exists(MethodAccess m | m = this.asExpr() |
|
||||
exists(MethodCall m | m = this.asExpr() |
|
||||
m.getMethod() instanceof ReverseDnsMethod and
|
||||
not exists(MethodAccess l |
|
||||
not exists(MethodCall l |
|
||||
(variableStep(l, m.getQualifier()) or l = m.getQualifier()) and
|
||||
l.getMethod().getName() = "getLocalHost"
|
||||
)
|
||||
@@ -325,7 +325,7 @@ class AndroidIntentInput extends DataFlow::Node {
|
||||
Type receiverType;
|
||||
|
||||
AndroidIntentInput() {
|
||||
exists(MethodAccess ma, AndroidGetIntentMethod m |
|
||||
exists(MethodCall ma, AndroidGetIntentMethod m |
|
||||
ma.getMethod().overrides*(m) and
|
||||
this.asExpr() = ma and
|
||||
receiverType = ma.getReceiverType()
|
||||
|
||||
@@ -58,8 +58,8 @@ private predicate implicitEnclosingThisCopy(ConstructorCall cc, RefType t1, RefT
|
||||
private predicate enclosingInstanceAccess(ExprParent e, RefType t) {
|
||||
e.(InstanceAccess).isEnclosingInstanceAccess(t)
|
||||
or
|
||||
exists(MethodAccess ma |
|
||||
ma.isEnclosingMethodAccess(t) and ma = e and not exists(ma.getQualifier())
|
||||
exists(MethodCall ma |
|
||||
ma.isEnclosingMethodCall(t) and ma = e and not exists(ma.getQualifier())
|
||||
)
|
||||
or
|
||||
exists(FieldAccess fa | fa.isEnclosingFieldAccess(t) and fa = e and not exists(fa.getQualifier()))
|
||||
@@ -95,7 +95,7 @@ private newtype TInstanceAccessExt =
|
||||
or
|
||||
c instanceof SuperConstructorInvocationStmt
|
||||
or
|
||||
c.(MethodAccess).isOwnMethodAccess() and not exists(c.getQualifier())
|
||||
c.(MethodCall).isOwnMethodCall() and not exists(c.getQualifier())
|
||||
} or
|
||||
TThisEnclosingInstanceCapture(ConstructorCall cc) { implicitSetEnclosingInstanceToThis(cc) } or
|
||||
TEnclosingInstanceAccess(ExprParent e, RefType t) {
|
||||
@@ -113,7 +113,7 @@ private newtype TInstanceAccessExt =
|
||||
* - Implicit field qualifier: The implicit access associated with an
|
||||
* unqualified `FieldAccess` to a non-static field.
|
||||
* - Implicit method qualifier: The implicit access associated with an
|
||||
* unqualified `MethodAccess` to a non-static method.
|
||||
* unqualified `MethodCall` to a non-static method.
|
||||
* - Implicit this constructor argument: The implicit argument of the value of
|
||||
* `this` to a constructor call of the form `this()` or `super()`.
|
||||
* - Implicit enclosing instance capture: The implicit capture of the value of
|
||||
@@ -180,7 +180,7 @@ class InstanceAccessExt extends TInstanceAccessExt {
|
||||
}
|
||||
|
||||
/** Holds if this is the implicit qualifier of `ma`. */
|
||||
predicate isImplicitMethodQualifier(MethodAccess ma) {
|
||||
predicate isImplicitMethodQualifier(MethodCall ma) {
|
||||
this = TThisArgument(ma) or
|
||||
this = TEnclosingInstanceAccess(ma, _)
|
||||
}
|
||||
|
||||
@@ -15,10 +15,10 @@ private Expr exprWithIntValue(int i) {
|
||||
|
||||
/**
|
||||
* An expression for which the predicate `integerGuard` is relevant.
|
||||
* This includes `RValue` and `MethodAccess`.
|
||||
* This includes `RValue` and `MethodCall`.
|
||||
*/
|
||||
class IntComparableExpr extends Expr {
|
||||
IntComparableExpr() { this instanceof RValue or this instanceof MethodAccess }
|
||||
IntComparableExpr() { this instanceof RValue or this instanceof MethodCall }
|
||||
|
||||
/** Gets an integer that is directly assigned to the expression in case of a variable; or zero. */
|
||||
int relevantInt() {
|
||||
|
||||
@@ -89,7 +89,7 @@ Expr clearlyNotNullExpr(Expr reason) {
|
||||
or
|
||||
exists(SsaVariable v | clearlyNotNull(v, reason) and result = v.getAUse())
|
||||
or
|
||||
exists(Method m | m = result.(MethodAccess).getMethod() and reason = result |
|
||||
exists(Method m | m = result.(MethodCall).getMethod() and reason = result |
|
||||
m.getDeclaringType().hasQualifiedName("com.google.common.base", "Strings") and
|
||||
m.hasName("nullToEmpty")
|
||||
)
|
||||
@@ -187,7 +187,7 @@ Expr basicNullGuard(Expr e, boolean branch, boolean isnull) {
|
||||
or
|
||||
result.(InstanceOfExpr).getExpr() = e and branch = true and isnull = false
|
||||
or
|
||||
exists(MethodAccess call |
|
||||
exists(MethodCall call |
|
||||
call = result and
|
||||
call.getAnArgument() = e and
|
||||
nullCheckMethod(call.getMethod(), branch, isnull)
|
||||
@@ -212,7 +212,7 @@ Expr basicNullGuard(Expr e, boolean branch, boolean isnull) {
|
||||
Expr basicOrCustomNullGuard(Expr e, boolean branch, boolean isnull) {
|
||||
result = basicNullGuard(e, branch, isnull)
|
||||
or
|
||||
exists(MethodAccess call, Method m, int ix |
|
||||
exists(MethodCall call, Method m, int ix |
|
||||
call = result and
|
||||
call.getArgument(ix) = e and
|
||||
call.getMethod().getSourceDeclaration() = m and
|
||||
|
||||
@@ -106,7 +106,7 @@ predicate dereference(Expr e) {
|
||||
or
|
||||
exists(FieldAccess fa, Field f | fa.getQualifier() = e and fa.getField() = f and not f.isStatic())
|
||||
or
|
||||
exists(MethodAccess ma, Method m |
|
||||
exists(MethodCall ma, Method m |
|
||||
ma.getQualifier() = e and ma.getMethod() = m and not m.isStatic()
|
||||
)
|
||||
or
|
||||
@@ -149,10 +149,10 @@ private ControlFlowNode ensureNotNull(SsaVariable v) {
|
||||
or
|
||||
exists(AssertNotNullMethod m | result = m.getACheck(v.getAUse()))
|
||||
or
|
||||
exists(AssertThatMethod m, MethodAccess ma |
|
||||
exists(AssertThatMethod m, MethodCall ma |
|
||||
result = m.getACheck(v.getAUse()) and ma.getControlFlowNode() = result
|
||||
|
|
||||
ma.getAnArgument().(MethodAccess).getMethod().getName() = "notNullValue"
|
||||
ma.getAnArgument().(MethodCall).getMethod().getName() = "notNullValue"
|
||||
)
|
||||
}
|
||||
|
||||
@@ -195,7 +195,7 @@ private predicate varMaybeNull(SsaVariable v, string msg, Expr reason) {
|
||||
not exists(TryStmt try | try.getFinally() = e.getEnclosingStmt().getEnclosingStmt*()) and
|
||||
(
|
||||
e = any(ConditionalExpr c).getCondition().getAChildExpr*() or
|
||||
not exists(MethodAccess ma | ma.getAnArgument().getAChildExpr*() = e)
|
||||
not exists(MethodCall ma | ma.getAnArgument().getAChildExpr*() = e)
|
||||
) and
|
||||
// Don't use a guard as reason if there is a null assignment.
|
||||
not v.(SsaExplicitUpdate).getDefiningExpr().(VariableAssign).getSource() = nullExpr()
|
||||
@@ -250,7 +250,7 @@ private Expr nonEmptyExpr() {
|
||||
// ...it is guarded by a condition...
|
||||
cond.controls(result.getBasicBlock(), branch) and
|
||||
// ...and it isn't modified in the scope of the condition...
|
||||
forall(MethodAccess ma, Method m |
|
||||
forall(MethodCall ma, Method m |
|
||||
m = ma.getMethod() and
|
||||
ma.getQualifier() = v.getSourceVariable().getAnAccess() and
|
||||
cond.controls(ma.getBasicBlock(), branch)
|
||||
@@ -260,12 +260,12 @@ private Expr nonEmptyExpr() {
|
||||
cond.getCondition() = c
|
||||
|
|
||||
// ...and the condition proves that it is non-empty, either by using the `isEmpty` method...
|
||||
c.(MethodAccess).getMethod().hasName("isEmpty") and
|
||||
c.(MethodCall).getMethod().hasName("isEmpty") and
|
||||
branch = false and
|
||||
c.(MethodAccess).getQualifier() = v.getAUse()
|
||||
c.(MethodCall).getQualifier() = v.getAUse()
|
||||
or
|
||||
// ...or a check on its `size`.
|
||||
exists(MethodAccess size |
|
||||
exists(MethodCall size |
|
||||
c = integerGuard(size, branch, 0, false) and
|
||||
size.getMethod().hasName("size") and
|
||||
size.getQualifier() = v.getAUse()
|
||||
|
||||
@@ -490,7 +490,7 @@ private predicate boundFlowStep(Expr e2, Expr e1, int delta, boolean upper) {
|
||||
)
|
||||
)
|
||||
or
|
||||
exists(MethodAccess ma, Method m |
|
||||
exists(MethodCall ma, Method m |
|
||||
e2 = ma and
|
||||
ma.getMethod() = m and
|
||||
(
|
||||
@@ -752,9 +752,9 @@ private predicate boundedPhi(
|
||||
* Holds if `e` has a lower bound of zero.
|
||||
*/
|
||||
private predicate lowerBoundZero(Expr e) {
|
||||
e.(MethodAccess).getMethod() instanceof StringLengthMethod or
|
||||
e.(MethodAccess).getMethod() instanceof CollectionSizeMethod or
|
||||
e.(MethodAccess).getMethod() instanceof MapSizeMethod or
|
||||
e.(MethodCall).getMethod() instanceof StringLengthMethod or
|
||||
e.(MethodCall).getMethod() instanceof CollectionSizeMethod or
|
||||
e.(MethodCall).getMethod() instanceof MapSizeMethod or
|
||||
e.(FieldRead).getField() instanceof ArrayLengthField or
|
||||
positive(e.(AndBitwiseExpr).getAnOperand())
|
||||
}
|
||||
@@ -767,7 +767,7 @@ private predicate baseBound(Expr e, int b, boolean upper) {
|
||||
lowerBoundZero(e) and b = 0 and upper = false
|
||||
or
|
||||
exists(Method read |
|
||||
e.(MethodAccess).getMethod().overrides*(read) and
|
||||
e.(MethodCall).getMethod().overrides*(read) and
|
||||
read.getDeclaringType() instanceof TypeInputStream and
|
||||
read.hasName("read") and
|
||||
read.getNumberOfParameters() = 0
|
||||
|
||||
@@ -381,7 +381,7 @@ private module SsaImpl {
|
||||
* ```
|
||||
*/
|
||||
private predicate intraInstanceCallEdge(Callable c1, Method m2) {
|
||||
exists(MethodAccess ma, RefType t1 |
|
||||
exists(MethodCall ma, RefType t1 |
|
||||
ma.getCaller() = c1 and
|
||||
m2 = viableImpl_v2(ma) and
|
||||
not m2.isStatic() and
|
||||
|
||||
@@ -54,7 +54,7 @@ private Expr getAnInterestingPrefix(InterestingPrefix root) {
|
||||
result.(AddExpr).getAnOperand() = getAnInterestingPrefix(root)
|
||||
}
|
||||
|
||||
private class StringBuilderAppend extends MethodAccess {
|
||||
private class StringBuilderAppend extends MethodCall {
|
||||
StringBuilderAppend() {
|
||||
this.getMethod().getDeclaringType() instanceof StringBuildingType and
|
||||
this.getMethod().hasName("append")
|
||||
@@ -68,7 +68,7 @@ private class StringBuilderConstructorOrAppend extends Call {
|
||||
}
|
||||
}
|
||||
|
||||
private Expr getQualifier(Expr e) { result = e.(MethodAccess).getQualifier() }
|
||||
private Expr getQualifier(Expr e) { result = e.(MethodCall).getQualifier() }
|
||||
|
||||
/**
|
||||
* An extension of `StringBuilderVar` that also accounts for strings appended in StringBuilder/Buffer's constructor
|
||||
|
||||
@@ -184,13 +184,13 @@ private predicate taintPreservingQualifierToMethod(Method m) {
|
||||
m.(MapMethod).hasName(["elements", "search", "searchEntries", "searchValues"])
|
||||
}
|
||||
|
||||
private predicate qualifierToMethodStep(Expr tracked, MethodAccess sink) {
|
||||
private predicate qualifierToMethodStep(Expr tracked, MethodCall sink) {
|
||||
taintPreservingQualifierToMethod(sink.getMethod()) and
|
||||
tracked = sink.getQualifier()
|
||||
}
|
||||
|
||||
private predicate qualifierToArgumentStep(Expr tracked, Expr sink) {
|
||||
exists(MethodAccess ma, CollectionMethod method |
|
||||
exists(MethodCall ma, CollectionMethod method |
|
||||
method = ma.getMethod() and
|
||||
(
|
||||
// java.util.Vector
|
||||
@@ -350,7 +350,7 @@ private predicate taintPreservingArgToArg(Method method, int input, int output)
|
||||
}
|
||||
|
||||
private predicate argToQualifierStep(Expr tracked, Expr sink) {
|
||||
exists(Method m, int i, MethodAccess ma |
|
||||
exists(Method m, int i, MethodCall ma |
|
||||
taintPreservingArgumentToQualifier(m, i) and
|
||||
ma.getMethod() = m and
|
||||
tracked = ma.getArgument(i) and
|
||||
@@ -359,7 +359,7 @@ private predicate argToQualifierStep(Expr tracked, Expr sink) {
|
||||
}
|
||||
|
||||
/** Access to a method that passes taint from an argument. */
|
||||
private predicate argToMethodStep(Expr tracked, MethodAccess sink) {
|
||||
private predicate argToMethodStep(Expr tracked, MethodCall sink) {
|
||||
exists(Method m |
|
||||
m = sink.getMethod() and
|
||||
(
|
||||
@@ -383,7 +383,7 @@ private predicate argToMethodStep(Expr tracked, MethodAccess sink) {
|
||||
* between arguments.
|
||||
*/
|
||||
private predicate argToArgStep(Expr tracked, Expr sink) {
|
||||
exists(MethodAccess ma, Method method, int input, int output |
|
||||
exists(MethodCall ma, Method method, int input, int output |
|
||||
ma.getMethod() = method and
|
||||
ma.getArgument(input) = tracked and
|
||||
ma.getArgument(output) = sink and
|
||||
|
||||
@@ -38,7 +38,7 @@ private module DispatchImpl {
|
||||
* might be improved by knowing the call context. This is the case if the
|
||||
* qualifier is the `i`th parameter of the enclosing callable `c`.
|
||||
*/
|
||||
private predicate mayBenefitFromCallContext(MethodAccess ma, Callable c, int i) {
|
||||
private predicate mayBenefitFromCallContext(MethodCall ma, Callable c, int i) {
|
||||
exists(Parameter p |
|
||||
2 <= strictcount(sourceDispatch(ma)) and
|
||||
ma.getQualifier().(VarAccess).getVariable() = p and
|
||||
@@ -58,7 +58,7 @@ private module DispatchImpl {
|
||||
|
||||
/**
|
||||
* Holds if the call `ctx` might act as a context that improves the set of
|
||||
* dispatch targets of a `MethodAccess` that occurs in a viable target of
|
||||
* dispatch targets of a `MethodCall` that occurs in a viable target of
|
||||
* `ctx`.
|
||||
*/
|
||||
pragma[nomagic]
|
||||
@@ -128,7 +128,7 @@ private module DispatchImpl {
|
||||
*/
|
||||
DataFlowCallable viableImplInCallContext(DataFlowCall call, DataFlowCall ctx) {
|
||||
result = viableCallable(call) and
|
||||
exists(int i, Callable c, Method def, RefType t, boolean exact, MethodAccess ma |
|
||||
exists(int i, Callable c, Method def, RefType t, boolean exact, MethodCall ma |
|
||||
ma = call.asCall() and
|
||||
mayBenefitFromCallContext(ma, c, i) and
|
||||
c = viableCallable(ctx).asCallable() and
|
||||
|
||||
@@ -84,7 +84,7 @@ private module Cached {
|
||||
import Cached
|
||||
|
||||
private predicate explicitInstanceArgument(Call call, Expr instarg) {
|
||||
call instanceof MethodAccess and
|
||||
call instanceof MethodCall and
|
||||
instarg = call.getQualifier() and
|
||||
not call.getCallee().isStatic()
|
||||
}
|
||||
@@ -463,7 +463,7 @@ module Private {
|
||||
/** A data flow node that represents the output of a call. */
|
||||
class OutNode extends Node {
|
||||
OutNode() {
|
||||
this.asExpr() instanceof MethodAccess
|
||||
this.asExpr() instanceof MethodCall
|
||||
or
|
||||
this.(FlowSummaryNode).isOut(_)
|
||||
}
|
||||
|
||||
@@ -246,7 +246,7 @@ predicate readStep(Node node1, ContentSet f, Node node2) {
|
||||
fr = node2.asExpr()
|
||||
)
|
||||
or
|
||||
exists(Record r, Method getter, Field recf, MethodAccess get |
|
||||
exists(Record r, Method getter, Field recf, MethodCall get |
|
||||
getter.getDeclaringType() = r and
|
||||
recf.getDeclaringType() = r and
|
||||
getter.getNumberOfParameters() = 0 and
|
||||
|
||||
@@ -225,7 +225,7 @@ private predicate simpleLocalFlowStep0(Node node1, Node node2) {
|
||||
or
|
||||
simpleAstFlowStep(node1.asExpr(), node2.asExpr())
|
||||
or
|
||||
exists(MethodAccess ma, ValuePreservingMethod m, int argNo |
|
||||
exists(MethodCall ma, ValuePreservingMethod m, int argNo |
|
||||
ma.getCallee().getSourceDeclaration() = m and m.returnsValue(argNo)
|
||||
|
|
||||
node2.asExpr() = ma and
|
||||
|
||||
@@ -290,7 +290,7 @@ private int argToParam(Call call, int argIdx) {
|
||||
|
||||
/** Access to a method that passes taint from qualifier to argument. */
|
||||
private predicate qualifierToArgumentStep(Expr tracked, Expr sink) {
|
||||
exists(MethodAccess ma, int arg |
|
||||
exists(MethodCall ma, int arg |
|
||||
ma.getMethod().(TaintPreservingCallable).transfersTaint(-1, argToParam(ma, arg)) and
|
||||
tracked = ma.getQualifier() and
|
||||
sink = ma.getArgument(arg)
|
||||
@@ -298,7 +298,7 @@ private predicate qualifierToArgumentStep(Expr tracked, Expr sink) {
|
||||
}
|
||||
|
||||
/** Access to a method that passes taint from the qualifier. */
|
||||
private predicate qualifierToMethodStep(Expr tracked, MethodAccess sink) {
|
||||
private predicate qualifierToMethodStep(Expr tracked, MethodCall sink) {
|
||||
taintPreservingQualifierToMethod(sink.getMethod()) and
|
||||
tracked = sink.getQualifier()
|
||||
}
|
||||
@@ -331,7 +331,7 @@ private predicate taintPreservingQualifierToMethod(Method m) {
|
||||
}
|
||||
|
||||
/** Access to a method that passes taint from an argument. */
|
||||
private predicate argToMethodStep(Expr tracked, MethodAccess sink) {
|
||||
private predicate argToMethodStep(Expr tracked, MethodCall sink) {
|
||||
exists(Method m, int i |
|
||||
m = sink.getMethod() and
|
||||
taintPreservingArgumentToMethod(m, argToParam(sink, i)) and
|
||||
@@ -375,7 +375,7 @@ private predicate taintPreservingArgumentToMethod(Method method, int arg) {
|
||||
* between arguments.
|
||||
*/
|
||||
private predicate argToArgStep(Expr tracked, Expr sink) {
|
||||
exists(MethodAccess ma, Method method, int input, int output |
|
||||
exists(MethodCall ma, Method method, int input, int output |
|
||||
method.(TaintPreservingCallable).transfersTaint(argToParam(ma, input), argToParam(ma, output)) and
|
||||
ma.getMethod() = method and
|
||||
ma.getArgument(input) = tracked and
|
||||
@@ -388,7 +388,7 @@ private predicate argToArgStep(Expr tracked, Expr sink) {
|
||||
* from the argument to the qualifier and `sink` is the qualifier.
|
||||
*/
|
||||
private predicate argToQualifierStep(Expr tracked, Expr sink) {
|
||||
exists(Method m, int i, MethodAccess ma |
|
||||
exists(Method m, int i, MethodCall ma |
|
||||
taintPreservingArgumentToQualifier(m, argToParam(ma, i)) and
|
||||
ma.getMethod() = m and
|
||||
tracked = ma.getArgument(i) and
|
||||
@@ -412,7 +412,7 @@ private predicate comparisonStep(Expr tracked, Expr sink) {
|
||||
e.hasOperands(tracked, other)
|
||||
)
|
||||
or
|
||||
exists(MethodAccess m | m.getMethod() instanceof EqualsMethod |
|
||||
exists(MethodCall m | m.getMethod() instanceof EqualsMethod |
|
||||
m = sink and
|
||||
(
|
||||
m.getQualifier() = tracked and m.getArgument(0) = other
|
||||
@@ -429,9 +429,9 @@ private predicate comparisonStep(Expr tracked, Expr sink) {
|
||||
private predicate serializationStep(Expr tracked, Expr sink) {
|
||||
exists(ObjectOutputStreamVar v, VariableAssign def |
|
||||
def = v.getADef() and
|
||||
exists(MethodAccess ma, RValue use |
|
||||
exists(MethodCall ma, RValue use |
|
||||
ma.getArgument(0) = tracked and
|
||||
ma = v.getAWriteObjectMethodAccess() and
|
||||
ma = v.getAWriteObjectMethodCall() and
|
||||
use = ma.getQualifier() and
|
||||
defUsePair(def, use)
|
||||
) and
|
||||
@@ -460,7 +460,7 @@ class ObjectOutputStreamVar extends LocalVariableDecl {
|
||||
result.getDestVar() = this
|
||||
}
|
||||
|
||||
MethodAccess getAWriteObjectMethodAccess() {
|
||||
MethodCall getAWriteObjectMethodCall() {
|
||||
result.getQualifier() = this.getAnAccess() and
|
||||
result.getMethod().hasName("writeObject")
|
||||
}
|
||||
@@ -470,9 +470,9 @@ class ObjectOutputStreamVar extends LocalVariableDecl {
|
||||
private predicate formatStep(Expr tracked, Expr sink) {
|
||||
exists(FormatterVar v, VariableAssign def |
|
||||
def = v.getADef() and
|
||||
exists(MethodAccess ma, RValue use |
|
||||
exists(MethodCall ma, RValue use |
|
||||
ma.getAnArgument() = tracked and
|
||||
ma = v.getAFormatMethodAccess() and
|
||||
ma = v.getAFormatMethodCall() and
|
||||
use = ma.getQualifier() and
|
||||
defUsePair(def, use)
|
||||
) and
|
||||
@@ -505,7 +505,7 @@ private class FormatterVar extends LocalVariableDecl {
|
||||
result.getDestVar() = this
|
||||
}
|
||||
|
||||
MethodAccess getAFormatMethodAccess() {
|
||||
MethodCall getAFormatMethodCall() {
|
||||
result.getQualifier() = this.getAnAccess() and
|
||||
result.getMethod().hasName("format")
|
||||
}
|
||||
@@ -555,7 +555,7 @@ module StringBuilderVarModule {
|
||||
/**
|
||||
* Gets a call that adds something to this string builder, from the argument at the given index.
|
||||
*/
|
||||
MethodAccess getAnInput(int arg) {
|
||||
MethodCall getAnInput(int arg) {
|
||||
result.getQualifier() = this.getAChainedReference() and
|
||||
(
|
||||
result.getMethod().getName() = "append" and arg = 0
|
||||
@@ -569,18 +569,18 @@ module StringBuilderVarModule {
|
||||
/**
|
||||
* Gets a call that appends something to this string builder.
|
||||
*/
|
||||
MethodAccess getAnAppend() {
|
||||
MethodCall getAnAppend() {
|
||||
result.getQualifier() = this.getAChainedReference() and
|
||||
result.getMethod().getName() = "append"
|
||||
}
|
||||
|
||||
MethodAccess getNextAppend(MethodAccess append) {
|
||||
MethodCall getNextAppend(MethodCall append) {
|
||||
result = this.getAnAppend() and
|
||||
append = this.getAnAppend() and
|
||||
(
|
||||
result.getQualifier() = append
|
||||
or
|
||||
not exists(MethodAccess chainAccess | chainAccess.getQualifier() = append) and
|
||||
not exists(MethodCall chainAccess | chainAccess.getQualifier() = append) and
|
||||
exists(RValue sbva1, RValue sbva2 |
|
||||
adjacentUseUse(sbva1, sbva2) and
|
||||
append.getQualifier() = this.getAChainedReference(sbva1) and
|
||||
@@ -592,7 +592,7 @@ module StringBuilderVarModule {
|
||||
/**
|
||||
* Gets a call that converts this string builder to a string.
|
||||
*/
|
||||
MethodAccess getToStringCall() {
|
||||
MethodCall getToStringCall() {
|
||||
result.getQualifier() = this.getAChainedReference() and
|
||||
result.getMethod().getName() = "toString"
|
||||
}
|
||||
@@ -612,7 +612,7 @@ module StringBuilderVarModule {
|
||||
}
|
||||
}
|
||||
|
||||
private MethodAccess callReturningSameType(Expr ref) {
|
||||
private MethodCall callReturningSameType(Expr ref) {
|
||||
ref = result.getQualifier() and
|
||||
result.getMethod().getReturnType() = ref.getType()
|
||||
}
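Review bot: The rename of the member predicate `getAWriteObjectMethodAccess()` to `getAWriteObjectMethodCall()` in this section's `@@ -460,7` hunk changes the public surface of `ObjectOutputStreamVar`, which is not declared `private` (unlike `FormatterVar`), and no alias for the old name is visible. Any query outside this file that still calls the old predicate would stop compiling, so I would keep a forwarding member such as `deprecated MethodCall getAWriteObjectMethodAccess() { result = this.getAWriteObjectMethodCall() }`. The same applies to the class rename `ReflectiveMethodAccessEntryPoint` → `ReflectiveMethodCallEntryPoint` in the later `@@ -164,7` hunk, where `deprecated class ReflectiveMethodAccessEntryPoint = ReflectiveMethodCallEntryPoint;` would match the `deprecated class ... =` convention visible in that file's `@@ -142,7` hunk header. Both class bodies extend beyond their hunks, so an alias may already exist outside the visible lines.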
|
||||
|
||||
@@ -200,11 +200,11 @@ private module Impl {
|
||||
* `Collection`).
|
||||
*/
|
||||
predicate containerSizeAccess(Expr e) {
|
||||
e.(MethodAccess).getMethod() instanceof StringLengthMethod
|
||||
e.(MethodCall).getMethod() instanceof StringLengthMethod
|
||||
or
|
||||
e.(MethodAccess).getMethod() instanceof CollectionSizeMethod
|
||||
e.(MethodCall).getMethod() instanceof CollectionSizeMethod
|
||||
or
|
||||
e.(MethodAccess).getMethod() instanceof MapSizeMethod
|
||||
e.(MethodCall).getMethod() instanceof MapSizeMethod
|
||||
}
|
||||
|
||||
/** Holds if `e` is by definition strictly positive. */
|
||||
@@ -218,7 +218,7 @@ private module Impl {
|
||||
// types handled in `specificSubExprSign`.
|
||||
e instanceof ArrayAccess and e.getType() instanceof NumericOrCharType
|
||||
or
|
||||
e instanceof MethodAccess and e.getType() instanceof NumericOrCharType
|
||||
e instanceof MethodCall and e.getType() instanceof NumericOrCharType
|
||||
or
|
||||
e instanceof ClassInstanceExpr and e.getType() instanceof NumericOrCharType
|
||||
}
|
||||
|
||||
@@ -19,7 +19,7 @@ VarAccess valueAccess(EnumConstant e) {
|
||||
(
|
||||
exists(Call c |
|
||||
c.getAnArgument() = valueFlow+(result) or
|
||||
c.(MethodAccess).getQualifier() = valueFlow+(result)
|
||||
c.(MethodCall).getQualifier() = valueFlow+(result)
|
||||
)
|
||||
or
|
||||
exists(Assignment a | a.getSource() = valueFlow+(result))
|
||||
@@ -47,14 +47,14 @@ predicate exception(EnumConstant e) {
|
||||
)
|
||||
or
|
||||
// A method iterates over the values of an enum.
|
||||
exists(MethodAccess values | values.getMethod().getDeclaringType() = t |
|
||||
exists(MethodCall values | values.getMethod().getDeclaringType() = t |
|
||||
values.getParent() instanceof EnhancedForStmt or
|
||||
values.getParent().(MethodAccess).getMethod().hasName("findThisIn")
|
||||
values.getParent().(MethodCall).getMethod().hasName("findThisIn")
|
||||
)
|
||||
or
|
||||
// The `valueOf` method is called, meaning that depending on the string any constant
|
||||
// could be retrieved.
|
||||
exists(MethodAccess valueOf | valueOf.getMethod().getDeclaringType() = t |
|
||||
exists(MethodCall valueOf | valueOf.getMethod().getDeclaringType() = t |
|
||||
valueOf.getMethod().hasName("valueOf")
|
||||
)
|
||||
or
|
||||
|
||||
@@ -142,7 +142,7 @@ deprecated class JAXAnnotationReflectivelyConstructedClass =
|
||||
class DeserializedClass extends ReflectivelyConstructedClass {
|
||||
DeserializedClass() {
|
||||
exists(CastingExpr cast, ReadObjectMethod readObject |
|
||||
cast.getExpr().(MethodAccess).getMethod() = readObject
|
||||
cast.getExpr().(MethodCall).getMethod() = readObject
|
||||
|
|
||||
hasDescendant(cast.getType(), this)
|
||||
)
|
||||
@@ -164,7 +164,7 @@ class NewInstanceCall extends EntryPoint, NewInstance {
|
||||
/**
|
||||
* A call to either `Class.getMethod(...)` or `Class.getDeclaredMethod(...)`.
|
||||
*/
|
||||
class ReflectiveMethodAccessEntryPoint extends EntryPoint, ReflectiveMethodAccess {
|
||||
class ReflectiveMethodCallEntryPoint extends EntryPoint, ReflectiveMethodCall {
|
||||
override Method getALiveCallable() {
|
||||
result = this.inferAccessedMethod() and
|
||||
// The `getMethod(...)` call must be used in a live context.
|
||||
|
||||
@@ -19,7 +19,7 @@ private import codeql.typetracking.TypeTracking
|
||||
/**
|
||||
* Gets a viable dispatch target for `ma`. This is the input dispatch relation.
|
||||
*/
|
||||
private Method viableImpl_inp(MethodAccess ma) { result = viableImpl_v2(ma) }
|
||||
private Method viableImpl_inp(MethodCall ma) { result = viableImpl_v2(ma) }
|
||||
|
||||
private Callable dispatchCand(Call c) {
|
||||
c instanceof ConstructorCall and result = c.getCallee().getSourceDeclaration()
|
||||
@@ -99,7 +99,7 @@ private predicate trackedMethodOnType(Method m, SrcRefType t) {
|
||||
* by the type constructed by `cie`. Thus the dispatch from `ma` to `m` will
|
||||
* only be included if `cie` flows to the qualifier of `ma`.
|
||||
*/
|
||||
private predicate dispatchOrigin(ClassInstanceExpr cie, MethodAccess ma, Method m) {
|
||||
private predicate dispatchOrigin(ClassInstanceExpr cie, MethodCall ma, Method m) {
|
||||
m = viableImpl_inp(ma) and
|
||||
not m = ma.getMethod().getSourceDeclaration() and
|
||||
trackedMethodOnType(m, cie.getConstructedType().getSourceDeclaration())
|
||||
@@ -197,10 +197,10 @@ private module TypeTrackingSteps {
|
||||
enum.getAnEnumConstant().getAnAssignedValue() = n1.asExpr() and
|
||||
getValue.getDeclaringType() = enum and
|
||||
getValue.hasName("valueOf") and
|
||||
n2.asExpr().(MethodAccess).getMethod() = getValue
|
||||
n2.asExpr().(MethodCall).getMethod() = getValue
|
||||
)
|
||||
or
|
||||
exists(Variable v, MethodAccess put, MethodAccess get |
|
||||
exists(Variable v, MethodCall put, MethodCall get |
|
||||
put.getArgument(1) = n1.asExpr() and
|
||||
put.getMethod().(MapMethod).hasName("put") and
|
||||
put.getQualifier() = v.getAnAccess() and
|
||||
@@ -209,12 +209,12 @@ private module TypeTrackingSteps {
|
||||
n2.asExpr() = get
|
||||
)
|
||||
or
|
||||
exists(Variable v, MethodAccess add |
|
||||
exists(Variable v, MethodCall add |
|
||||
add.getAnArgument() = n1.asExpr() and
|
||||
add.getMethod().(CollectionMethod).hasName("add") and
|
||||
add.getQualifier() = v.getAnAccess()
|
||||
|
|
||||
exists(MethodAccess get |
|
||||
exists(MethodCall get |
|
||||
get.getQualifier() = v.getAnAccess() and
|
||||
get.getMethod().(CollectionMethod).hasName("get") and
|
||||
n2.asExpr() = get
|
||||
@@ -236,7 +236,7 @@ private module TypeTrackingSteps {
|
||||
enum.getAnEnumConstant().getAnAssignedValue() = n1.asExpr() and
|
||||
getValue.getDeclaringType() = enum and
|
||||
getValue.hasName("values") and
|
||||
n2.asExpr().(MethodAccess).getMethod() = getValue and
|
||||
n2.asExpr().(MethodCall).getMethod() = getValue and
|
||||
f = ContentArray()
|
||||
)
|
||||
or
|
||||
@@ -300,10 +300,10 @@ private module TypeTrackingSteps {
|
||||
private predicate lambdaSource(RelevantNode n) { dispatchOrigin(n.asExpr(), _, _) }
|
||||
|
||||
private predicate lambdaSink(RelevantNode n) {
|
||||
exists(MethodAccess ma | dispatchOrigin(_, ma, _) | n = DataFlow::getInstanceArgument(ma))
|
||||
exists(MethodCall ma | dispatchOrigin(_, ma, _) | n = DataFlow::getInstanceArgument(ma))
|
||||
}
|
||||
|
||||
private signature Method methodDispatchSig(MethodAccess ma);
|
||||
private signature Method methodDispatchSig(MethodCall ma);
|
||||
|
||||
private module TrackLambda<methodDispatchSig/1 lambdaDispatch0> {
|
||||
private Callable dispatch(Call c) {
|
||||
@@ -352,7 +352,7 @@ private module TrackLambda<methodDispatchSig/1 lambdaDispatch0> {
|
||||
|
||||
private predicate edgePlus(PathNode n1, PathNode n2) = fastTC(edges/2)(n1, n2)
|
||||
|
||||
private predicate pairCand(PathNode p1, PathNode p2, Method m, MethodAccess ma) {
|
||||
private predicate pairCand(PathNode p1, PathNode p2, Method m, MethodCall ma) {
|
||||
exists(ClassInstanceExpr cie |
|
||||
dispatchOrigin(cie, ma, m) and
|
||||
p1.getNode() = DataFlow::exprNode(cie) and
|
||||
@@ -367,7 +367,7 @@ private module TrackLambda<methodDispatchSig/1 lambdaDispatch0> {
|
||||
* declares or inherits the tracked method `result` to the qualifier of `ma` such
|
||||
* that `ma` may dispatch to `result`.
|
||||
*/
|
||||
Method lambdaDispatch(MethodAccess ma) {
|
||||
Method lambdaDispatch(MethodCall ma) {
|
||||
exists(PathNode p1, PathNode p2 |
|
||||
(p1 = p2 or edgePlus(p1, p2)) and
|
||||
pairCand(p1, p2, result, ma)
|
||||
@@ -375,30 +375,30 @@ private module TrackLambda<methodDispatchSig/1 lambdaDispatch0> {
|
||||
}
|
||||
}
|
||||
|
||||
private Method noDisp(MethodAccess ma) { none() }
|
||||
private Method noDisp(MethodCall ma) { none() }
|
||||
|
||||
pragma[nomagic]
|
||||
private Method d1(MethodAccess ma) { result = TrackLambda<noDisp/1>::lambdaDispatch(ma) }
|
||||
private Method d1(MethodCall ma) { result = TrackLambda<noDisp/1>::lambdaDispatch(ma) }
|
||||
|
||||
pragma[nomagic]
|
||||
private Method d2(MethodAccess ma) { result = TrackLambda<d1/1>::lambdaDispatch(ma) }
|
||||
private Method d2(MethodCall ma) { result = TrackLambda<d1/1>::lambdaDispatch(ma) }
|
||||
|
||||
pragma[nomagic]
|
||||
private Method d3(MethodAccess ma) { result = TrackLambda<d2/1>::lambdaDispatch(ma) }
|
||||
private Method d3(MethodCall ma) { result = TrackLambda<d2/1>::lambdaDispatch(ma) }
|
||||
|
||||
pragma[nomagic]
|
||||
private Method d4(MethodAccess ma) { result = TrackLambda<d3/1>::lambdaDispatch(ma) }
|
||||
private Method d4(MethodCall ma) { result = TrackLambda<d3/1>::lambdaDispatch(ma) }
|
||||
|
||||
pragma[nomagic]
|
||||
private Method d5(MethodAccess ma) { result = TrackLambda<d4/1>::lambdaDispatch(ma) }
|
||||
private Method d5(MethodCall ma) { result = TrackLambda<d4/1>::lambdaDispatch(ma) }
|
||||
|
||||
pragma[nomagic]
|
||||
private Method d6(MethodAccess ma) { result = TrackLambda<d5/1>::lambdaDispatch(ma) }
|
||||
private Method d6(MethodCall ma) { result = TrackLambda<d5/1>::lambdaDispatch(ma) }
|
||||
|
||||
/**
|
||||
* Gets a viable dispatch target for `ma`. This is the output dispatch relation.
|
||||
*/
|
||||
Method viableImpl_out(MethodAccess ma) {
|
||||
Method viableImpl_out(MethodCall ma) {
|
||||
result = viableImpl_inp(ma) and
|
||||
(result = d6(ma) or not dispatchOrigin(_, ma, result))
|
||||
}
|
||||
|
||||
@@ -20,7 +20,7 @@ private import semmle.code.java.dispatch.internal.Unification
|
||||
/**
|
||||
* Gets a viable dispatch target for `ma`. This is the input dispatch relation.
|
||||
*/
|
||||
private Method viableImpl_inp(MethodAccess ma) { result = viableImpl_v3(ma) }
|
||||
private Method viableImpl_inp(MethodCall ma) { result = viableImpl_v3(ma) }
|
||||
|
||||
private Callable dispatchCand(Call c) {
|
||||
c instanceof ConstructorCall and result = c.getCallee().getSourceDeclaration()
|
||||
@@ -193,7 +193,7 @@ private predicate source(RefType t, ObjNode n) {
|
||||
* Holds if `n` is the qualifier of an `Object.toString()` call.
|
||||
*/
|
||||
private predicate sink(ObjNode n) {
|
||||
exists(MethodAccess toString |
|
||||
exists(MethodCall toString |
|
||||
toString.getQualifier() = n.asExpr() and
|
||||
toString.getMethod() instanceof ToStringMethod
|
||||
) and
|
||||
@@ -231,7 +231,7 @@ private predicate objType(ObjNode n, RefType t) {
|
||||
)
|
||||
}
|
||||
|
||||
private VirtualMethodAccess objectToString(ObjNode n) {
|
||||
private VirtualMethodCall objectToString(ObjNode n) {
|
||||
result.getQualifier() = n.asExpr() and sink(n)
|
||||
}
|
||||
|
||||
@@ -239,16 +239,16 @@ private VirtualMethodAccess objectToString(ObjNode n) {
|
||||
* Holds if `ma` is an `Object.toString()` call taking possibly improved type
|
||||
* bounds into account.
|
||||
*/
|
||||
predicate objectToStringCall(VirtualMethodAccess ma) { ma = objectToString(_) }
|
||||
predicate objectToStringCall(VirtualMethodCall ma) { ma = objectToString(_) }
|
||||
|
||||
/**
|
||||
* Holds if the qualifier of the `Object.toString()` call `ma` might have type `t`.
|
||||
*/
|
||||
private predicate objectToStringQualType(MethodAccess ma, RefType t) {
|
||||
private predicate objectToStringQualType(MethodCall ma, RefType t) {
|
||||
exists(ObjNode n | ma = objectToString(n) and objType(n, t))
|
||||
}
|
||||
|
||||
private Method viableImplObjectToString(MethodAccess ma) {
|
||||
private Method viableImplObjectToString(MethodCall ma) {
|
||||
exists(Method def, RefType t |
|
||||
objectToStringQualType(ma, t) and
|
||||
def = ma.getMethod() and
|
||||
@@ -265,7 +265,7 @@ private Method viableImplObjectToString(MethodAccess ma) {
|
||||
* The set of dispatch targets for `Object.toString()` calls are reduced based
|
||||
* on possible data flow from objects of more specific types to the qualifier.
|
||||
*/
|
||||
Method viableImpl_out(MethodAccess ma) {
|
||||
Method viableImpl_out(MethodCall ma) {
|
||||
result = viableImpl_inp(ma) and
|
||||
(
|
||||
result = viableImplObjectToString(ma) or
|
||||
|
||||
@@ -15,7 +15,7 @@ private import semmle.code.java.dispatch.internal.Unification
|
||||
* A conservative analysis that returns a single method - if we can establish
|
||||
* one - that will be the target of the virtual dispatch.
|
||||
*/
|
||||
Method exactVirtualMethod(MethodAccess c) {
|
||||
Method exactVirtualMethod(MethodCall c) {
|
||||
// If there are multiple potential implementations, return nothing.
|
||||
implCount(c, 1) and
|
||||
result = viableImpl(c)
|
||||
@@ -31,7 +31,7 @@ Callable exactCallable(Call c) {
|
||||
c instanceof ConstructorCall and result = c.getCallee()
|
||||
}
|
||||
|
||||
private predicate implCount(MethodAccess m, int c) { strictcount(viableImpl(m)) = c }
|
||||
private predicate implCount(MethodCall m, int c) { strictcount(viableImpl(m)) = c }
|
||||
|
||||
/** Gets a viable implementation of the target of the given `Call`. */
|
||||
Callable viableCallable(Call c) {
|
||||
@@ -44,7 +44,7 @@ Callable viableCallable(Call c) {
|
||||
class VirtCalledSrcMethod extends SrcMethod {
|
||||
pragma[nomagic]
|
||||
VirtCalledSrcMethod() {
|
||||
exists(VirtualMethodAccess ma | ma.getMethod().getSourceDeclaration() = this)
|
||||
exists(VirtualMethodCall ma | ma.getMethod().getSourceDeclaration() = this)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -52,7 +52,7 @@ cached
|
||||
private module Dispatch {
|
||||
/** Gets a viable implementation of the method called in the given method access. */
|
||||
cached
|
||||
Method viableImpl(MethodAccess ma) { result = ObjFlow::viableImpl_out(ma) }
|
||||
Method viableImpl(MethodCall ma) { result = ObjFlow::viableImpl_out(ma) }
|
||||
|
||||
/**
|
||||
* Holds if `m` is a viable implementation of the method called in `ma` for
|
||||
@@ -60,7 +60,7 @@ private module Dispatch {
|
||||
* the dispatch type is likely to yield implausible dispatch targets.
|
||||
*/
|
||||
cached
|
||||
predicate lowConfidenceDispatchTarget(MethodAccess ma, Method m) {
|
||||
predicate lowConfidenceDispatchTarget(MethodCall ma, Method m) {
|
||||
m = viableImpl(ma) and lowConfidenceDispatch(ma)
|
||||
}
|
||||
|
||||
@@ -70,13 +70,13 @@ private module Dispatch {
|
||||
* Gets a viable implementation of the method called in the given method access.
|
||||
*/
|
||||
cached
|
||||
Method viableImpl_v3(MethodAccess ma) { result = DispatchFlow::viableImpl_out(ma) }
|
||||
Method viableImpl_v3(MethodCall ma) { result = DispatchFlow::viableImpl_out(ma) }
|
||||
|
||||
/**
|
||||
* Holds if the best type bounds for the qualifier of `ma` are likely to
|
||||
* contain implausible dispatch targets.
|
||||
*/
|
||||
private predicate lowConfidenceDispatch(VirtualMethodAccess ma) {
|
||||
private predicate lowConfidenceDispatch(VirtualMethodCall ma) {
|
||||
exists(RefType t | hasQualifierType(ma, t, false) |
|
||||
lowConfidenceDispatchType(t.getSourceDeclaration())
|
||||
) and
|
||||
@@ -121,7 +121,7 @@ private module Dispatch {
|
||||
* Gets a viable implementation of the method called in the given method access.
|
||||
*/
|
||||
cached
|
||||
Method viableImpl_v2(MethodAccess ma) {
|
||||
Method viableImpl_v2(MethodCall ma) {
|
||||
result = viableImpl_v2_cand(pragma[only_bind_into](ma)) and
|
||||
exists(Method def, RefType t, boolean exact |
|
||||
qualUnionType(pragma[only_bind_into](ma), pragma[only_bind_into](t),
|
||||
@@ -141,7 +141,7 @@ private module Dispatch {
|
||||
not qualUnionType(ma, _, _)
|
||||
}
|
||||
|
||||
private predicate qualUnionType(VirtualMethodAccess ma, RefType t, boolean exact) {
|
||||
private predicate qualUnionType(VirtualMethodCall ma, RefType t, boolean exact) {
|
||||
exprUnionTypeFlow(ma.getQualifier(), t, exact)
|
||||
}
|
||||
|
||||
@@ -150,7 +150,7 @@ private module Dispatch {
|
||||
private module Unification_v2 =
|
||||
MkUnification<unificationTargetLeft_v2/1, unificationTargetRight/1>;
|
||||
|
||||
private Method viableImpl_v2_cand(MethodAccess ma) {
|
||||
private Method viableImpl_v2_cand(MethodCall ma) {
|
||||
result = viableImpl_v1(ma) and
|
||||
(
|
||||
exists(Method def, RefType t, boolean exact |
|
||||
@@ -170,7 +170,7 @@ private module Dispatch {
|
||||
)
|
||||
}
|
||||
|
||||
private predicate qualType(VirtualMethodAccess ma, RefType t, boolean exact) {
|
||||
private predicate qualType(VirtualMethodCall ma, RefType t, boolean exact) {
|
||||
exprTypeFlow(ma.getQualifier(), t, exact)
|
||||
}
|
||||
|
||||
@@ -185,7 +185,7 @@ private module Dispatch {
|
||||
* Gets a viable implementation of the method called in the given method access.
|
||||
*/
|
||||
cached
|
||||
Method viableImpl_v1(MethodAccess source) {
|
||||
Method viableImpl_v1(MethodCall source) {
|
||||
result = viableImpl_v1_cand(source) and
|
||||
not impossibleDispatchTarget(source, result)
|
||||
}
|
||||
@@ -193,7 +193,7 @@ private module Dispatch {
|
||||
/**
|
||||
* Holds if `source` cannot dispatch to `tgt` due to a negative `instanceof` guard.
|
||||
*/
|
||||
private predicate impossibleDispatchTarget(MethodAccess source, Method tgt) {
|
||||
private predicate impossibleDispatchTarget(MethodCall source, Method tgt) {
|
||||
tgt = viableImpl_v1_cand(source) and
|
||||
exists(InstanceOfExpr ioe, BaseSsaVariable v, Expr q, RefType t |
|
||||
source.getQualifier() = q and
|
||||
@@ -208,9 +208,9 @@ private module Dispatch {
|
||||
/**
|
||||
* Gets a viable implementation of the method called in the given method access.
|
||||
*/
|
||||
private Method viableImpl_v1_cand(MethodAccess source) {
|
||||
private Method viableImpl_v1_cand(MethodCall source) {
|
||||
not result.isAbstract() and
|
||||
if source instanceof VirtualMethodAccess
|
||||
if source instanceof VirtualMethodCall
|
||||
then
|
||||
exists(VirtCalledSrcMethod def, RefType t, boolean exact |
|
||||
source.getMethod().getSourceDeclaration() = def and
|
||||
@@ -242,7 +242,7 @@ private module Dispatch {
|
||||
not e instanceof FunctionalExpr and result = e.getType()
|
||||
}
|
||||
|
||||
private predicate hasQualifierType(VirtualMethodAccess ma, RefType t, boolean exact) {
|
||||
private predicate hasQualifierType(VirtualMethodCall ma, RefType t, boolean exact) {
|
||||
exists(Expr src | src = ma.getQualifier() |
|
||||
// If we have a qualifier, then we take its type.
|
||||
exists(RefType srctype | srctype = getPreciseType(src) |
|
||||
@@ -264,9 +264,9 @@ private module Dispatch {
|
||||
not exists(ma.getQualifier()) and
|
||||
exact = false and
|
||||
(
|
||||
ma.isOwnMethodAccess() and t = ma.getEnclosingCallable().getDeclaringType()
|
||||
ma.isOwnMethodCall() and t = ma.getEnclosingCallable().getDeclaringType()
|
||||
or
|
||||
ma.isEnclosingMethodAccess(t)
|
||||
ma.isEnclosingMethodCall(t)
|
||||
)
|
||||
}
|
||||
|
||||
|
||||
@@ -16,7 +16,7 @@ private predicate runner(Method m, int n, Method runmethod) {
|
||||
(
|
||||
m.isNative()
|
||||
or
|
||||
exists(Parameter p, MethodAccess ma, int j |
|
||||
exists(Parameter p, MethodCall ma, int j |
|
||||
p = m.getParameter(n) and
|
||||
ma.getEnclosingCallable() = m and
|
||||
runner(pragma[only_bind_into](ma.getMethod().getSourceDeclaration()),
|
||||
@@ -31,7 +31,7 @@ private predicate runner(Method m, int n, Method runmethod) {
|
||||
* through a functional interface. The argument is traced backwards through
|
||||
* casts and variable assignments.
|
||||
*/
|
||||
private Expr getRunnerArgument(MethodAccess ma, Method runmethod) {
|
||||
private Expr getRunnerArgument(MethodCall ma, Method runmethod) {
|
||||
exists(Method runner, int param |
|
||||
runner(runner, param, runmethod) and
|
||||
viableImpl_v2(ma) = runner and
|
||||
@@ -50,7 +50,7 @@ private Expr getRunnerArgument(MethodAccess ma, Method runmethod) {
|
||||
* Gets a method that can be invoked through a functional interface as an
|
||||
* argument to `ma`.
|
||||
*/
|
||||
Method getRunnerTarget(MethodAccess ma) {
|
||||
Method getRunnerTarget(MethodCall ma) {
|
||||
exists(Expr action, Method runmethod | action = getRunnerArgument(ma, runmethod) |
|
||||
action.(FunctionalExpr).asMethod().getSourceDeclaration() = result
|
||||
or
|
||||
|
||||
@@ -23,8 +23,8 @@ Expr getSystemProperty(string propertyName) {
|
||||
result = getSystemPropertyFromSpringProperties(propertyName)
|
||||
}
|
||||
|
||||
private MethodAccess getSystemPropertyFromSystem(string propertyName) {
|
||||
result.(MethodAccessSystemGetProperty).hasCompileTimeConstantGetPropertyName(propertyName)
|
||||
private MethodCall getSystemPropertyFromSystem(string propertyName) {
|
||||
result.(MethodCallSystemGetProperty).hasCompileTimeConstantGetPropertyName(propertyName)
|
||||
or
|
||||
result.getMethod().hasName("lineSeparator") and propertyName = "line.separator"
|
||||
}
|
||||
@@ -34,7 +34,7 @@ private MethodAccess getSystemPropertyFromSystem(string propertyName) {
|
||||
* - `System.getProperties().getProperty(...)`
|
||||
* - `System.getProperties().get(...)`
|
||||
*/
|
||||
private MethodAccess getSystemPropertyFromSystemGetProperties(string propertyName) {
|
||||
private MethodCall getSystemPropertyFromSystemGetProperties(string propertyName) {
|
||||
exists(Method getMethod |
|
||||
getMethod instanceof PropertiesGetMethod
|
||||
or
|
||||
@@ -42,7 +42,7 @@ private MethodAccess getSystemPropertyFromSystemGetProperties(string propertyNam
|
||||
result.getMethod() = getMethod
|
||||
) and
|
||||
result.getArgument(0).(CompileTimeConstantExpr).getStringValue() = propertyName and
|
||||
localExprFlowPlusInitializers(any(MethodAccess m |
|
||||
localExprFlowPlusInitializers(any(MethodCall m |
|
||||
m.getMethod().getDeclaringType() instanceof TypeSystem and
|
||||
m.getMethod().hasName("getProperties")
|
||||
), result.getQualifier())
|
||||
@@ -156,7 +156,7 @@ private FieldAccess getSystemPropertyFromApacheSystemUtils(string propertyName)
|
||||
)
|
||||
}
|
||||
|
||||
private MethodAccess getSystemPropertyFromApacheFileUtils(string propertyName) {
|
||||
private MethodCall getSystemPropertyFromApacheFileUtils(string propertyName) {
|
||||
exists(Method m |
|
||||
result.getMethod() = m and
|
||||
m.getDeclaringType().hasQualifiedName("org.apache.commons.io", "FileUtils")
|
||||
@@ -167,7 +167,7 @@ private MethodAccess getSystemPropertyFromApacheFileUtils(string propertyName) {
|
||||
)
|
||||
}
|
||||
|
||||
private MethodAccess getSystemPropertyFromGuava(string propertyName) {
|
||||
private MethodCall getSystemPropertyFromGuava(string propertyName) {
|
||||
exists(EnumConstant ec |
|
||||
ec.getDeclaringType().hasQualifiedName("com.google.common.base", "StandardSystemProperty") and
|
||||
// Example: `StandardSystemProperty.JAVA_IO_TMPDIR.value()`
|
||||
@@ -177,10 +177,10 @@ private MethodAccess getSystemPropertyFromGuava(string propertyName) {
|
||||
)
|
||||
or
|
||||
// Example: `System.getProperty(StandardSystemProperty.JAVA_IO_TMPDIR.key())`
|
||||
exists(MethodAccess keyMa |
|
||||
exists(MethodCall keyMa |
|
||||
localExprFlowPlusInitializers(ec.getAnAccess(), keyMa.getQualifier()) and
|
||||
keyMa.getMethod().hasName("key") and
|
||||
localExprFlowPlusInitializers(keyMa, result.(MethodAccessSystemGetProperty).getArgument(0))
|
||||
localExprFlowPlusInitializers(keyMa, result.(MethodCallSystemGetProperty).getArgument(0))
|
||||
)
|
||||
|
|
||||
ec.hasName("JAVA_VERSION") and propertyName = "java.version"
|
||||
@@ -241,7 +241,7 @@ private MethodAccess getSystemPropertyFromGuava(string propertyName) {
|
||||
)
|
||||
}
|
||||
|
||||
private MethodAccess getSystemPropertyFromOperatingSystemMXBean(string propertyName) {
|
||||
private MethodCall getSystemPropertyFromOperatingSystemMXBean(string propertyName) {
|
||||
exists(Method m |
|
||||
m = result.getMethod() and
|
||||
m.getDeclaringType().hasQualifiedName("java.lang.management", "OperatingSystemMXBean")
|
||||
@@ -254,7 +254,7 @@ private MethodAccess getSystemPropertyFromOperatingSystemMXBean(string propertyN
|
||||
)
|
||||
}
|
||||
|
||||
private MethodAccess getSystemPropertyFromSpringProperties(string propertyName) {
|
||||
private MethodCall getSystemPropertyFromSpringProperties(string propertyName) {
|
||||
exists(Method m |
|
||||
m = result.getMethod() and
|
||||
m.getDeclaringType().hasQualifiedName("org.springframework.core", "SpringProperties") and
|
||||
|
||||
@@ -60,10 +60,10 @@ class AssertionMethod extends Method {
|
||||
AssertionMethod() { assertionMethod(this, _) }
|
||||
|
||||
/** Gets a call to the assertion method. */
|
||||
MethodAccess getACheck() { result.getMethod().getSourceDeclaration() = this }
|
||||
MethodCall getACheck() { result.getMethod().getSourceDeclaration() = this }
|
||||
|
||||
/** Gets a call to the assertion method with `checkedArg` as argument. */
|
||||
MethodAccess getACheck(Expr checkedArg) {
|
||||
MethodCall getACheck(Expr checkedArg) {
|
||||
result = this.getACheck() and checkedArg = result.getAnArgument()
|
||||
}
|
||||
}
|
||||
|
||||
@@ -24,7 +24,7 @@ class FastJsonParseMethod extends Method {
|
||||
/**
|
||||
* A call to `ParserConfig.setSafeMode`.
|
||||
*/
|
||||
class FastJsonSetSafeMode extends MethodAccess {
|
||||
class FastJsonSetSafeMode extends MethodCall {
|
||||
FastJsonSetSafeMode() {
|
||||
exists(Method m |
|
||||
this.getMethod() = m and
|
||||
|
||||
@@ -44,7 +44,7 @@ class ObjectMapperReadMethod extends Method {
|
||||
}
|
||||
|
||||
/** A call that enables the default typing in `ObjectMapper`. */
|
||||
class EnableJacksonDefaultTyping extends MethodAccess {
|
||||
class EnableJacksonDefaultTyping extends MethodCall {
|
||||
EnableJacksonDefaultTyping() {
|
||||
this.getMethod().getDeclaringType() instanceof ObjectMapper and
|
||||
this.getMethod().hasName("enableDefaultTyping")
|
||||
@@ -54,7 +54,7 @@ class EnableJacksonDefaultTyping extends MethodAccess {
|
||||
/** A qualifier of a call to one of the methods in `ObjectMapper` that deserialize data. */
|
||||
class ObjectMapperReadQualifier extends DataFlow::ExprNode {
|
||||
ObjectMapperReadQualifier() {
|
||||
exists(MethodAccess ma | ma.getQualifier() = this.asExpr() |
|
||||
exists(MethodCall ma | ma.getQualifier() = this.asExpr() |
|
||||
ma.getMethod() instanceof ObjectMapperReadMethod
|
||||
)
|
||||
}
|
||||
@@ -63,7 +63,7 @@ class ObjectMapperReadQualifier extends DataFlow::ExprNode {
|
||||
/** A source that sets a type validator. */
|
||||
class SetPolymorphicTypeValidatorSource extends DataFlow::ExprNode {
|
||||
SetPolymorphicTypeValidatorSource() {
|
||||
exists(MethodAccess ma, Method m | m = ma.getMethod() |
|
||||
exists(MethodCall ma, Method m | m = ma.getMethod() |
|
||||
(
|
||||
m.getDeclaringType() instanceof ObjectMapper and
|
||||
m.hasName("setPolymorphicTypeValidator")
|
||||
@@ -83,7 +83,7 @@ class SetPolymorphicTypeValidatorSource extends DataFlow::ExprNode {
|
||||
* if passed to an unsafely-configured `ObjectMapper`'s `readValue` method.
|
||||
*/
|
||||
predicate createJacksonJsonParserStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
|
||||
exists(MethodAccess ma, Method m | m = ma.getMethod() |
|
||||
exists(MethodCall ma, Method m | m = ma.getMethod() |
|
||||
(m.getDeclaringType() instanceof ObjectMapper or m.getDeclaringType() instanceof JsonFactory) and
|
||||
m.hasName("createParser") and
|
||||
ma.getArgument(0) = fromNode.asExpr() and
|
||||
@@ -98,14 +98,14 @@ predicate createJacksonJsonParserStep(DataFlow::Node fromNode, DataFlow::Node to
|
||||
* if passed to an unsafely-configured `ObjectMapper`'s `treeToValue` method.
|
||||
*/
|
||||
predicate createJacksonTreeNodeStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
|
||||
exists(MethodAccess ma, Method m | m = ma.getMethod() |
|
||||
exists(MethodCall ma, Method m | m = ma.getMethod() |
|
||||
m.getDeclaringType() instanceof ObjectMapper and
|
||||
m.hasName("readTree") and
|
||||
ma.getArgument(0) = fromNode.asExpr() and
|
||||
ma = toNode.asExpr()
|
||||
)
|
||||
or
|
||||
exists(MethodAccess ma, Method m | m = ma.getMethod() |
|
||||
exists(MethodCall ma, Method m | m = ma.getMethod() |
|
||||
m.getDeclaringType() instanceof JsonParser and
|
||||
m.hasName("readValueAsTree") and
|
||||
ma.getQualifier() = fromNode.asExpr() and
|
||||
@@ -138,7 +138,7 @@ private predicate hasFieldWithJsonTypeAnnotation(RefType type) {
|
||||
* Holds if `call` is a method call to a Jackson deserialization method such as `ObjectMapper.readValue(String, Class)`,
|
||||
* and the target deserialized class has a field with a `JsonTypeInfo` annotation that enables polymorphic typing.
|
||||
*/
|
||||
predicate hasArgumentWithUnsafeJacksonAnnotation(MethodAccess call) {
|
||||
predicate hasArgumentWithUnsafeJacksonAnnotation(MethodCall call) {
|
||||
call.getMethod() instanceof ObjectMapperReadMethod and
|
||||
exists(RefType argType, int i | i > 0 and argType = call.getArgument(i).getType() |
|
||||
hasJsonTypeInfoAnnotation(argType.(ParameterizedType).getATypeArgument())
|
||||
|
||||
@@ -437,7 +437,7 @@ private predicate isXssSafeContentTypeExpr(Expr e) { isXssSafeContentType(getCon
|
||||
private DataFlow::Node getABuilderWithExplicitContentType(Expr contentType) {
|
||||
// Base case: ResponseBuilder.type(contentType)
|
||||
result.asExpr() =
|
||||
any(MethodAccess ma |
|
||||
any(MethodCall ma |
|
||||
ma.getCallee().hasQualifiedName(getAJaxRsPackage("core"), "Response$ResponseBuilder", "type") and
|
||||
contentType = ma.getArgument(0)
|
||||
)
|
||||
@@ -451,7 +451,7 @@ private DataFlow::Node getABuilderWithExplicitContentType(Expr contentType) {
|
||||
or
|
||||
// Base case: Variant[.VariantListBuilder].mediaTypes(...)
|
||||
result.asExpr() =
|
||||
any(MethodAccess ma |
|
||||
any(MethodCall ma |
|
||||
ma.getCallee()
|
||||
.hasQualifiedName(getAJaxRsPackage("core"), ["Variant", "Variant$VariantListBuilder"],
|
||||
"mediaTypes") and
|
||||
@@ -460,7 +460,7 @@ private DataFlow::Node getABuilderWithExplicitContentType(Expr contentType) {
|
||||
or
|
||||
// Recursive case: propagate through variant list building:
|
||||
result.asExpr() =
|
||||
any(MethodAccess ma |
|
||||
any(MethodCall ma |
|
||||
(
|
||||
ma.getType()
|
||||
.(RefType)
|
||||
@@ -475,14 +475,14 @@ private DataFlow::Node getABuilderWithExplicitContentType(Expr contentType) {
|
||||
or
|
||||
// Recursive case: propagate through a List.get operation
|
||||
result.asExpr() =
|
||||
any(MethodAccess ma |
|
||||
any(MethodCall ma |
|
||||
ma.getMethod().hasQualifiedName("java.util", "List<Variant>", "get") and
|
||||
ma.getQualifier() = getABuilderWithExplicitContentType(contentType).asExpr()
|
||||
)
|
||||
or
|
||||
// Recursive case: propagate through Response.ResponseBuilder operations, including the `variant(...)` operation.
|
||||
result.asExpr() =
|
||||
any(MethodAccess ma |
|
||||
any(MethodCall ma |
|
||||
ma.getType().(RefType).hasQualifiedName(getAJaxRsPackage("core"), "Response$ResponseBuilder") and
|
||||
[ma.getQualifier(), ma.getArgument(0)] =
|
||||
getABuilderWithExplicitContentType(contentType).asExpr()
|
||||
@@ -518,7 +518,7 @@ private class SanitizedResponseBuilder extends XssSanitizer {
|
||||
this = getASanitizedBuilder()
|
||||
or
|
||||
this.asExpr() =
|
||||
any(MethodAccess ma |
|
||||
any(MethodCall ma |
|
||||
ma.getMethod().hasQualifiedName(getAJaxRsPackage("core"), "Response", "ok") and
|
||||
(
|
||||
// e.g. Response.ok(sanitizeMe, new Variant("application/json", ...))
|
||||
@@ -542,19 +542,19 @@ private class SanitizedResponseBuilder extends XssSanitizer {
|
||||
private class VulnerableEntity extends XssSinkBarrier {
|
||||
VulnerableEntity() {
|
||||
this.asExpr() =
|
||||
any(MethodAccess ma |
|
||||
any(MethodCall ma |
|
||||
(
|
||||
// Vulnerable content-type already set:
|
||||
ma.getQualifier() = getAVulnerableBuilder().asExpr()
|
||||
or
|
||||
// Vulnerable content-type set in the future:
|
||||
getAVulnerableBuilder().asExpr().(MethodAccess).getQualifier*() = ma
|
||||
getAVulnerableBuilder().asExpr().(MethodCall).getQualifier*() = ma
|
||||
) and
|
||||
ma.getMethod().hasName("entity")
|
||||
).getArgument(0)
|
||||
or
|
||||
this.asExpr() =
|
||||
any(MethodAccess ma |
|
||||
any(MethodCall ma |
|
||||
(
|
||||
isXssVulnerableContentTypeExpr(ma.getArgument(1))
|
||||
or
|
||||
|
||||
@@ -33,7 +33,7 @@ class JsonIoReadObjectMethod extends Method {
|
||||
/**
|
||||
* A call to `Map.put` method, set the value of the `USE_MAPS` key to `true`.
|
||||
*/
|
||||
class JsonIoUseMapsSetter extends MethodAccess {
|
||||
class JsonIoUseMapsSetter extends MethodCall {
|
||||
JsonIoUseMapsSetter() {
|
||||
this.getMethod().getDeclaringType().getASourceSupertype*() instanceof MapType and
|
||||
this.getMethod().hasName("put") and
|
||||
@@ -51,14 +51,14 @@ deprecated class SafeJsonIoConfig extends DataFlow2::Configuration {
|
||||
SafeJsonIoConfig() { this = "UnsafeDeserialization::SafeJsonIoConfig" }
|
||||
|
||||
override predicate isSource(DataFlow::Node src) {
|
||||
exists(MethodAccess ma |
|
||||
exists(MethodCall ma |
|
||||
ma instanceof JsonIoUseMapsSetter and
|
||||
src.asExpr() = ma.getQualifier()
|
||||
)
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) {
|
||||
exists(MethodAccess ma |
|
||||
exists(MethodCall ma |
|
||||
ma.getMethod() instanceof JsonIoJsonToJavaMethod and
|
||||
sink.asExpr() = ma.getArgument(1)
|
||||
)
|
||||
@@ -75,14 +75,14 @@ deprecated class SafeJsonIoConfig extends DataFlow2::Configuration {
|
||||
*/
|
||||
module SafeJsonIoConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) {
|
||||
exists(MethodAccess ma |
|
||||
exists(MethodCall ma |
|
||||
ma instanceof JsonIoUseMapsSetter and
|
||||
src.asExpr() = ma.getQualifier()
|
||||
)
|
||||
}
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(MethodAccess ma |
|
||||
exists(MethodCall ma |
|
||||
ma.getMethod() instanceof JsonIoJsonToJavaMethod and
|
||||
sink.asExpr() = ma.getArgument(1)
|
||||
)
|
||||
|
||||
@@ -76,7 +76,7 @@ class KryoReadObjectMethod extends Method {
|
||||
/**
|
||||
* A call to `Kryo.setRegistrationRequired` that enables white-listing.
|
||||
*/
|
||||
class KryoEnableWhiteListing extends MethodAccess {
|
||||
class KryoEnableWhiteListing extends MethodCall {
|
||||
KryoEnableWhiteListing() {
|
||||
exists(Method m |
|
||||
m = this.getMethod() and
|
||||
|
||||
@@ -17,11 +17,11 @@ class MockitoVerifyMethod extends Method {
|
||||
}
|
||||
|
||||
/**
|
||||
* A MethodAccess which is called as part of a Mockito verification setup.
|
||||
* A MethodCall which is called as part of a Mockito verification setup.
|
||||
*/
|
||||
class MockitoVerifiedMethodAccess extends MethodAccess {
|
||||
MockitoVerifiedMethodAccess() {
|
||||
this.getQualifier().(MethodAccess).getMethod() instanceof MockitoVerifyMethod
|
||||
class MockitoVerifiedMethodCall extends MethodCall {
|
||||
MockitoVerifiedMethodCall() {
|
||||
this.getQualifier().(MethodCall).getMethod() instanceof MockitoVerifyMethod
|
||||
}
|
||||
}
|
||||
|
||||
@@ -75,7 +75,7 @@ class MockitoInitedTest extends Class {
|
||||
m.calls*(initMocks)
|
||||
)
|
||||
or
|
||||
exists(MethodAccess call | call.getCallee() = initMocks |
|
||||
exists(MethodCall call | call.getCallee() = initMocks |
|
||||
call.getArgument(0).getType() = this
|
||||
)
|
||||
)
|
||||
@@ -383,12 +383,12 @@ class MockitoMockMethod extends Method {
|
||||
|
||||
class MockitoMockedObject extends Expr {
|
||||
MockitoMockedObject() {
|
||||
this.(MethodAccess).getMethod() instanceof MockitoMockMethod
|
||||
this.(MethodCall).getMethod() instanceof MockitoMockMethod
|
||||
or
|
||||
this.(VarAccess).getVariable().getAnAssignedValue() instanceof MockitoMockedObject
|
||||
or
|
||||
exists(ReturnStmt ret |
|
||||
this.(MethodAccess).getMethod() = ret.getEnclosingCallable() and
|
||||
this.(MethodCall).getMethod() = ret.getEnclosingCallable() and
|
||||
ret.getResult() instanceof MockitoMockedObject
|
||||
)
|
||||
}
|
||||
|
||||
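Review bot: Renaming the public class `MockitoVerifiedMethodAccess` to `MockitoVerifiedMethodCall` in the hunk at line 17 removes a name that queries outside this library may still reference, and no alias for the old name is visible in this section. Unlike the `private` classes renamed elsewhere in this commit, this class is not marked `private`, so external code that extends it or casts to it would stop compiling. Consider keeping the old name as `deprecated class MockitoVerifiedMethodAccess = MockitoVerifiedMethodCall;`, the alias form this page already shows for `CamelJavaDSLBeanRefDecl`. An alias may have been added outside the visible hunks, in which case this can be ignored.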
@@ -114,7 +114,7 @@ class MyBatisInjectionSink extends DataFlow::Node {
|
||||
|
||||
private class MyBatisProviderStep extends TaintTracking::AdditionalValueStep {
|
||||
override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
|
||||
exists(MethodAccess ma, Annotation a, Method providerMethod |
|
||||
exists(MethodCall ma, Annotation a, Method providerMethod |
|
||||
exists(int i |
|
||||
ma.getArgument(pragma[only_bind_into](i)) = n1.asExpr() and
|
||||
providerMethod.getParameter(pragma[only_bind_into](i)) = n2.asParameter()
|
||||
|
||||
@@ -16,7 +16,7 @@ class SeleniumPageFactory extends Class {
|
||||
/**
|
||||
* A call to the Selenium `PageFactory.initElements` method, to construct a page object.
|
||||
*/
|
||||
class SeleniumInitElementsAccess extends MethodAccess {
|
||||
class SeleniumInitElementsAccess extends MethodCall {
|
||||
SeleniumInitElementsAccess() {
|
||||
this.getMethod().getDeclaringType() instanceof SeleniumPageFactory and
|
||||
this.getMethod().hasName("initElements")
|
||||
|
||||
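Review bot: The class name `SeleniumInitElementsAccess` keeps the old `Access` suffix although its supertype is now `MethodCall`, while other classes on this page were renamed with their supertype (for example `MockitoVerifiedMethodAccess` became `MockitoVerifiedMethodCall`). If the name is kept deliberately so that existing queries keep compiling, a sentence in the QLDoc would record that, such as `* The name is retained for compatibility; this is a method call.`. Otherwise rename it in the same way and leave the old name as a deprecated alias. The class body continues outside the hunk.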
@@ -345,7 +345,7 @@ predicate isServletRequestMethod(Method m) {
|
||||
}
|
||||
|
||||
/** Holds if `ma` is a call that gets a request parameter. */
|
||||
predicate isRequestGetParamMethod(MethodAccess ma) {
|
||||
predicate isRequestGetParamMethod(MethodCall ma) {
|
||||
ma.getMethod() instanceof ServletRequestGetParameterMethod or
|
||||
ma.getMethod() instanceof ServletRequestGetParameterMapMethod or
|
||||
ma.getMethod() instanceof HttpServletRequestGetQueryStringMethod
|
||||
|
||||
@@ -53,7 +53,7 @@ private class SafeYaml extends ClassInstanceExpr {
|
||||
}
|
||||
|
||||
/** A call to a parse method of `Yaml`. */
|
||||
private class SnakeYamlParse extends MethodAccess {
|
||||
private class SnakeYamlParse extends MethodCall {
|
||||
SnakeYamlParse() {
|
||||
exists(Method m |
|
||||
m.getDeclaringType() instanceof Yaml and
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
|
||||
private import semmle.code.java.dataflow.FlowSummary
|
||||
|
||||
private class CollectCall extends MethodAccess {
|
||||
private class CollectCall extends MethodCall {
|
||||
CollectCall() {
|
||||
this.getMethod()
|
||||
.getSourceDeclaration()
|
||||
@@ -10,7 +10,7 @@ private class CollectCall extends MethodAccess {
|
||||
}
|
||||
}
|
||||
|
||||
private class Collector extends MethodAccess {
|
||||
private class Collector extends MethodCall {
|
||||
Collector() {
|
||||
this.getMethod().getDeclaringType().hasQualifiedName("java.util.stream", "Collectors")
|
||||
}
|
||||
|
||||
@@ -27,7 +27,7 @@ class XStreamReadObjectMethod extends Method {
|
||||
/**
|
||||
* A call to `XStream.addPermission(NoTypePermission.NONE)`, which enables white-listing.
|
||||
*/
|
||||
class XStreamEnableWhiteListing extends MethodAccess {
|
||||
class XStreamEnableWhiteListing extends MethodCall {
|
||||
XStreamEnableWhiteListing() {
|
||||
exists(Method m |
|
||||
m = this.getMethod() and
|
||||
|
||||
@@ -15,7 +15,7 @@ private import semmle.code.java.dataflow.FlowSteps
|
||||
*/
|
||||
private class AsyncTaskExecuteAdditionalValueStep extends AdditionalTaintStep {
|
||||
override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
exists(ExecuteAsyncTaskMethodAccess ma, AsyncTaskRunInBackgroundMethod m |
|
||||
exists(ExecuteAsyncTaskMethodCall ma, AsyncTaskRunInBackgroundMethod m |
|
||||
DataFlow::getInstanceArgument(ma).getType() = m.getDeclaringType()
|
||||
|
|
||||
node1.asExpr() = ma.getParamsArgument() and
|
||||
@@ -76,8 +76,8 @@ private class AsyncTaskInit extends Callable {
|
||||
}
|
||||
|
||||
/** A call to the `execute` or `executeOnExecutor` methods of the `android.os.AsyncTask` class. */
|
||||
private class ExecuteAsyncTaskMethodAccess extends MethodAccess {
|
||||
ExecuteAsyncTaskMethodAccess() {
|
||||
private class ExecuteAsyncTaskMethodCall extends MethodCall {
|
||||
ExecuteAsyncTaskMethodCall() {
|
||||
this.getMethod().hasName(["execute", "executeOnExecutor"]) and
|
||||
this.getMethod().getDeclaringType().getSourceDeclaration().getASourceSupertype*() instanceof
|
||||
AsyncTask
|
||||
|
||||
@@ -8,7 +8,7 @@ import java
|
||||
* A call to a live literal method.
|
||||
* This always returns a constant expression and can be considered as such.
|
||||
*/
|
||||
class LiveLiteral extends MethodAccess {
|
||||
class LiveLiteral extends MethodCall {
|
||||
LiveLiteral() {
|
||||
this.getMethod() instanceof LiveLiteralMethod and
|
||||
not this.getEnclosingCallable() instanceof LiveLiteralMethod
|
||||
@@ -25,7 +25,7 @@ class LiveLiteral extends MethodAccess {
|
||||
* This predicate gets the constant value held by the private field.
|
||||
*/
|
||||
CompileTimeConstantExpr getValue() {
|
||||
exists(MethodAccess getterCall, VarAccess va |
|
||||
exists(MethodCall getterCall, VarAccess va |
|
||||
methodReturns(this.getMethod(), getterCall) and
|
||||
methodReturns(getterCall.getMethod(), va) and
|
||||
result = va.getVariable().getInitializer()
|
||||
|
||||
@@ -154,7 +154,7 @@ class AndroidBundle extends Class {
|
||||
*/
|
||||
class ExplicitIntent extends Expr {
|
||||
ExplicitIntent() {
|
||||
exists(MethodAccess ma, Method m |
|
||||
exists(MethodCall ma, Method m |
|
||||
ma.getMethod() = m and
|
||||
m.getDeclaringType() instanceof TypeIntent and
|
||||
m.hasName(["setPackage", "setClass", "setClassName", "setComponent"]) and
|
||||
@@ -237,8 +237,8 @@ private class NewIntent extends ClassInstanceExpr {
|
||||
}
|
||||
|
||||
/** A call to a method that starts an Android component. */
|
||||
private class StartComponentMethodAccess extends MethodAccess {
|
||||
StartComponentMethodAccess() {
|
||||
private class StartComponentMethodCall extends MethodCall {
|
||||
StartComponentMethodCall() {
|
||||
this.getMethod().overrides*(any(StartActivityMethod m)) or
|
||||
this.getMethod().overrides*(any(StartServiceMethod m)) or
|
||||
this.getMethod().overrides*(any(SendBroadcastMethod m))
|
||||
@@ -263,11 +263,11 @@ private class StartComponentMethodAccess extends MethodAccess {
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `src` reaches the intent argument `arg` of `StartComponentMethodAccess`
|
||||
* Holds if `src` reaches the intent argument `arg` of `StartComponentMethodCall`
|
||||
* through intra-procedural steps.
|
||||
*/
|
||||
private predicate reaches(Expr src, Argument arg) {
|
||||
any(StartComponentMethodAccess ma).getIntentArg() = arg and
|
||||
any(StartComponentMethodCall ma).getIntentArg() = arg and
|
||||
src = arg
|
||||
or
|
||||
exists(Expr mid, BaseSsa::BaseSsaVariable ssa, BaseSsa::BaseSsaUpdate upd |
|
||||
@@ -298,7 +298,7 @@ private predicate reaches(Expr src, Argument arg) {
|
||||
*/
|
||||
private class StartActivityIntentStep extends AdditionalValueStep {
|
||||
override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
|
||||
exists(StartComponentMethodAccess startActivity, MethodAccess getIntent |
|
||||
exists(StartComponentMethodCall startActivity, MethodCall getIntent |
|
||||
startActivity.getMethod().overrides*(any(StartActivityMethod m)) and
|
||||
getIntent.getMethod().overrides*(any(AndroidGetIntentMethod m)) and
|
||||
startActivity.targetsComponentType(getIntent.getReceiverType()) and
|
||||
@@ -309,11 +309,11 @@ private class StartActivityIntentStep extends AdditionalValueStep {
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `targetType` is targeted by an existing `StartComponentMethodAccess` call
|
||||
* Holds if `targetType` is targeted by an existing `StartComponentMethodCall` call
|
||||
* and it's identified by `id`.
|
||||
*/
|
||||
private predicate isTargetableType(AndroidComponent targetType, string id) {
|
||||
exists(StartComponentMethodAccess ma | ma.targetsComponentType(targetType)) and
|
||||
exists(StartComponentMethodCall ma | ma.targetsComponentType(targetType)) and
|
||||
targetType.getQualifiedName() = id
|
||||
}
|
||||
|
||||
@@ -327,7 +327,7 @@ private class StartActivitiesSyntheticCallable extends SyntheticCallable {
|
||||
)
|
||||
}
|
||||
|
||||
override StartComponentMethodAccess getACall() {
|
||||
override StartComponentMethodCall getACall() {
|
||||
result.getMethod().hasName("startActivities") and
|
||||
result.targetsComponentType(targetType)
|
||||
}
|
||||
@@ -396,7 +396,7 @@ private class RequiredComponentStackForStartActivities extends RequiredSummaryCo
|
||||
*/
|
||||
private class SendBroadcastReceiverIntentStep extends AdditionalValueStep {
|
||||
override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
|
||||
exists(StartComponentMethodAccess sendBroadcast, Method onReceive |
|
||||
exists(StartComponentMethodCall sendBroadcast, Method onReceive |
|
||||
sendBroadcast.getMethod().overrides*(any(SendBroadcastMethod m)) and
|
||||
onReceive.overrides*(any(AndroidReceiveIntentMethod m)) and
|
||||
sendBroadcast.targetsComponentType(onReceive.getDeclaringType()) and
|
||||
@@ -413,7 +413,7 @@ private class SendBroadcastReceiverIntentStep extends AdditionalValueStep {
|
||||
*/
|
||||
private class StartServiceIntentStep extends AdditionalValueStep {
|
||||
override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
|
||||
exists(StartComponentMethodAccess startService, Method serviceIntent |
|
||||
exists(StartComponentMethodCall startService, Method serviceIntent |
|
||||
startService.getMethod().overrides*(any(StartServiceMethod m)) and
|
||||
serviceIntent.overrides*(any(AndroidServiceIntentMethod m)) and
|
||||
startService.targetsComponentType(serviceIntent.getDeclaringType()) and
|
||||
|
||||
@@ -37,7 +37,7 @@ class OnActivityResultIncomingIntent extends DataFlow::Node {
|
||||
or
|
||||
// A fragment calls `startActivityForResult`
|
||||
// and the activity it belongs to defines `onActivityResult`.
|
||||
exists(MethodAccess ma |
|
||||
exists(MethodCall ma |
|
||||
ma.getMethod().hasName(["add", "attach", "replace"]) and
|
||||
ma.getMethod()
|
||||
.getDeclaringType()
|
||||
@@ -71,7 +71,7 @@ private module ImplicitStartActivityForResultConfig implements DataFlow::ConfigS
|
||||
}
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(MethodAccess startActivityForResult |
|
||||
exists(MethodCall startActivityForResult |
|
||||
startActivityForResult.getMethod().hasName("startActivityForResult") and
|
||||
startActivityForResult.getMethod().getDeclaringType().getAnAncestor() instanceof
|
||||
ActivityOrFragment and
|
||||
@@ -83,7 +83,7 @@ private module ImplicitStartActivityForResultConfig implements DataFlow::ConfigS
|
||||
|
||||
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
// Wrapping the Intent in a chooser
|
||||
exists(MethodAccess ma, Method m |
|
||||
exists(MethodCall ma, Method m |
|
||||
ma.getMethod() = m and
|
||||
m.hasName("createChooser") and
|
||||
m.getDeclaringType() instanceof TypeIntent
|
||||
|
||||
@@ -8,7 +8,7 @@ class PendingIntent extends Class {
|
||||
}
|
||||
|
||||
/** A call to a method that creates a `PendingIntent`. */
|
||||
class PendingIntentCreation extends MethodAccess {
|
||||
class PendingIntentCreation extends MethodCall {
|
||||
PendingIntentCreation() {
|
||||
exists(Method m |
|
||||
this.getMethod() = m and
|
||||
|
||||
@@ -6,7 +6,7 @@ private import semmle.code.java.dataflow.FlowSources
|
||||
|
||||
private class EditableToStringStep extends AdditionalTaintStep {
|
||||
override predicate step(DataFlow::Node n1, DataFlow::Node n2) {
|
||||
exists(MethodAccess ma |
|
||||
exists(MethodCall ma |
|
||||
ma.getMethod().hasName("toString") and
|
||||
ma.getReceiverType().getASourceSupertype*().hasQualifiedName("android.text", "Editable") and
|
||||
n1.asExpr() = ma.getQualifier() and
|
||||
|
||||
@@ -79,7 +79,7 @@ private module SafeDigesterFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeDigester }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(MethodAccess ma |
|
||||
exists(MethodCall ma |
|
||||
sink.asExpr() = ma.getQualifier() and ma.getMethod().getDeclaringType() instanceof Digester
|
||||
)
|
||||
}
|
||||
|
||||
@@ -21,7 +21,7 @@ import semmle.code.java.frameworks.spring.Spring
|
||||
/**
|
||||
* A method call to a ProcessorDefinition element.
|
||||
*/
|
||||
class ProcessorDefinitionElement extends MethodAccess {
|
||||
class ProcessorDefinitionElement extends MethodCall {
|
||||
ProcessorDefinitionElement() {
|
||||
this.getMethod()
|
||||
.getDeclaringType()
|
||||
@@ -114,7 +114,7 @@ deprecated class CamelJavaDSLBeanRefDecl = CamelJavaDslBeanRefDecl;
|
||||
*
|
||||
* An expression that represents a call to a bean, or particular method on a bean.
|
||||
*/
|
||||
class CamelJavaDslMethodDecl extends MethodAccess {
|
||||
class CamelJavaDslMethodDecl extends MethodCall {
|
||||
CamelJavaDslMethodDecl() {
|
||||
this.getMethod()
|
||||
.getDeclaringType()
|
||||
|
||||
@@ -14,7 +14,7 @@ private module TypeLiteralToParseAsFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source.asExpr() instanceof TypeLiteral }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(MethodAccess ma |
|
||||
exists(MethodCall ma |
|
||||
ma.getAnArgument() = sink.asExpr() and
|
||||
ma.getMethod() instanceof ParseAsMethod
|
||||
)
|
||||
|
||||
@@ -26,7 +26,7 @@ class GsonDeserializeMethod extends Method {
|
||||
* where `T` is a concrete type implementing `Parcelable`.
|
||||
*/
|
||||
predicate intentFlowsToParcel(DataFlow::Node intentNode, DataFlow::Node parcelNode) {
|
||||
exists(MethodAccess getParcelableExtraCall, CreateFromParcelMethod cfpm, Type createdType |
|
||||
exists(MethodCall getParcelableExtraCall, CreateFromParcelMethod cfpm, Type createdType |
|
||||
intentNode.asExpr() = getParcelableExtraCall.getQualifier() and
|
||||
getParcelableExtraCall.getMethod() instanceof IntentGetParcelableExtraMethod and
|
||||
DataFlow::localExprFlow(getParcelableExtraCall, any(Expr e | e.getType() = createdType)) and
|
||||
|
||||
@@ -22,7 +22,7 @@ abstract class GsonDeserializableType extends Type { }
|
||||
/** A type whose values are explicitly deserialized in a call to a Gson method. */
|
||||
private class ExplicitlyReadGsonDeserializableType extends GsonDeserializableType {
|
||||
ExplicitlyReadGsonDeserializableType() {
|
||||
exists(MethodAccess ma |
|
||||
exists(MethodCall ma |
|
||||
// A call to a Gson read method...
|
||||
ma.getMethod() instanceof GsonReadValueMethod and
|
||||
// ...where `this` is used in the final argument, indicating that this type will be deserialized.
|
||||
|
||||
@@ -16,7 +16,7 @@ class HudsonWebMethod extends Method {
|
||||
private class HudsonUtilXssSanitizer extends XssSanitizer {
|
||||
HudsonUtilXssSanitizer() {
|
||||
this.asExpr()
|
||||
.(MethodAccess)
|
||||
.(MethodCall)
|
||||
.getMethod()
|
||||
// Not including xmlEscape because it only accounts for >, <, and &.
|
||||
// It does not account for ", or ', which makes it an incomplete XSS sanitizer.
|
||||
|
||||
@@ -68,7 +68,7 @@ private class JacksonReadValueMethod extends Method, TaintPreservingCallable {
|
||||
/** A type whose values are explicitly serialized in a call to a Jackson method. */
|
||||
private class ExplicitlyWrittenJacksonSerializableType extends JacksonSerializableType {
|
||||
ExplicitlyWrittenJacksonSerializableType() {
|
||||
exists(MethodAccess ma |
|
||||
exists(MethodCall ma |
|
||||
// A call to a Jackson write method...
|
||||
ma.getMethod() instanceof JacksonWriteValueMethod and
|
||||
// ...where `this` is used in the final argument, indicating that this type will be serialized.
|
||||
@@ -91,7 +91,7 @@ private module TypeLiteralToJacksonDatabindFlowConfig implements DataFlow::Confi
|
||||
predicate isSource(DataFlow::Node source) { source.asExpr() instanceof TypeLiteral }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(MethodAccess ma, Method m, int i |
|
||||
exists(MethodCall ma, Method m, int i |
|
||||
ma.getArgument(i) = sink.asExpr() and
|
||||
m = ma.getMethod() and
|
||||
m.getParameterType(i) instanceof TypeClass and
|
||||
@@ -116,7 +116,7 @@ private class ExplicitlyReadJacksonDeserializableType extends JacksonDeserializa
|
||||
ExplicitlyReadJacksonDeserializableType() {
|
||||
usesType(getSourceWithFlowToJacksonDatabind().getReferencedType(), this)
|
||||
or
|
||||
exists(MethodAccess ma |
|
||||
exists(MethodCall ma |
|
||||
// A call to a Jackson read method...
|
||||
ma.getMethod() instanceof JacksonReadValueMethod and
|
||||
// ...where `this` is used in the final argument, indicating that this type will be deserialized.
|
||||
@@ -177,7 +177,7 @@ private class JacksonDeserializedTaintStep extends AdditionalTaintStep {
|
||||
* This informs Jackson to treat the annotations on the second class argument as if they were on
|
||||
* the first class argument. This allows adding annotations to library classes, for example.
|
||||
*/
|
||||
class JacksonAddMixinCall extends MethodAccess {
|
||||
class JacksonAddMixinCall extends MethodCall {
|
||||
JacksonAddMixinCall() {
|
||||
exists(Method m |
|
||||
m = this.getMethod() and
|
||||
|
||||
@@ -52,7 +52,7 @@ private module SafeValidatorFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SafeValidator }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(MethodAccess ma |
|
||||
exists(MethodCall ma |
|
||||
sink.asExpr() = ma.getQualifier() and
|
||||
ma.getMethod().getDeclaringType() instanceof Validator
|
||||
)
|
||||
|
||||
@@ -135,7 +135,7 @@ class ForbiddenThisCallable extends ForbiddenCallable {
|
||||
ThisAccess forbiddenThisUse(Callable c) {
|
||||
result.getEnclosingCallable() = c and
|
||||
(
|
||||
exists(MethodAccess ma | ma.getAnArgument() = result) or
|
||||
exists(MethodCall ma | ma.getAnArgument() = result) or
|
||||
exists(ReturnStmt rs | rs.getResult() = result)
|
||||
)
|
||||
}
|
||||
|
||||
@@ -3,7 +3,7 @@
|
||||
import java
|
||||
|
||||
/** A call to Kotlin's `apply` method. */
|
||||
class KotlinApply extends MethodAccess {
|
||||
class KotlinApply extends MethodCall {
|
||||
ExtensionMethod m;
|
||||
|
||||
KotlinApply() {
|
||||
|
||||
@@ -8,7 +8,7 @@ class StringsKt extends RefType {
|
||||
}
|
||||
|
||||
/** A call to the extension method `String.toRegex` from `kotlin.text`. */
|
||||
class KtToRegex extends MethodAccess {
|
||||
class KtToRegex extends MethodCall {
|
||||
KtToRegex() {
|
||||
this.getMethod().getDeclaringType() instanceof StringsKt and
|
||||
this.getMethod().hasName("toRegex")
|
||||
|
||||
@@ -126,7 +126,7 @@ class PlayMvcHttpRequestHeaderMethods extends Method {
|
||||
/**
|
||||
* Gets a reference to the `getQueryString` method.
|
||||
*/
|
||||
MethodAccess getAQueryStringAccess() {
|
||||
MethodCall getAQueryStringAccess() {
|
||||
this.hasName("getQueryString") and result = this.getAReference()
|
||||
}
|
||||
}
|
||||
@@ -140,10 +140,10 @@ class PlayMvcResultsMethods extends Method {
|
||||
/**
|
||||
* Gets a reference to the `play.mvc.Results.ok` method.
|
||||
*/
|
||||
MethodAccess getAnOkAccess() { this.hasName("ok") and result = this.getAReference() }
|
||||
MethodCall getAnOkAccess() { this.hasName("ok") and result = this.getAReference() }
|
||||
|
||||
/**
|
||||
* Gets a reference to the `play.mvc.Results.redirect` method.
|
||||
*/
|
||||
MethodAccess getARedirectAccess() { this.hasName("redirect") and result = this.getAReference() }
|
||||
MethodCall getARedirectAccess() { this.hasName("redirect") and result = this.getAReference() }
|
||||
}
|
||||
|
||||
@@ -307,7 +307,7 @@ class SpringModelPlainMap extends SpringModel {
|
||||
SpringModelPlainMap() { this.getType() instanceof MapType }
|
||||
|
||||
override RefType getATypeInModel() {
|
||||
exists(MethodAccess methodCall |
|
||||
exists(MethodCall methodCall |
|
||||
methodCall.getQualifier() = this.getAnAccess() and
|
||||
methodCall.getCallee().hasName("put")
|
||||
|
|
||||
@@ -327,7 +327,7 @@ class SpringModelModel extends SpringModel {
|
||||
}
|
||||
|
||||
override RefType getATypeInModel() {
|
||||
exists(MethodAccess methodCall |
|
||||
exists(MethodCall methodCall |
|
||||
methodCall.getQualifier() = this.getAnAccess() and
|
||||
methodCall.getCallee().hasName("addAttribute")
|
||||
|
|
||||
|
||||
@@ -164,14 +164,14 @@ private predicate isXssSafeContentTypeExpr(Expr e) {
|
||||
|
||||
private DataFlow::Node getABodyBuilderWithExplicitContentType(Expr contentType) {
|
||||
result.asExpr() =
|
||||
any(MethodAccess ma |
|
||||
any(MethodCall ma |
|
||||
ma.getCallee()
|
||||
.hasQualifiedName("org.springframework.http", "ResponseEntity$BodyBuilder", "contentType") and
|
||||
contentType = ma.getArgument(0)
|
||||
)
|
||||
or
|
||||
result.asExpr() =
|
||||
any(MethodAccess ma |
|
||||
any(MethodCall ma |
|
||||
ma.getQualifier() = getABodyBuilderWithExplicitContentType(contentType).asExpr() and
|
||||
ma.getType()
|
||||
.(RefType)
|
||||
@@ -192,7 +192,7 @@ private DataFlow::Node getAVulnerableBodyBuilder() {
|
||||
private class SanitizedBodyCall extends XSS::XssSanitizer {
|
||||
SanitizedBodyCall() {
|
||||
this.asExpr() =
|
||||
any(MethodAccess ma |
|
||||
any(MethodCall ma |
|
||||
ma.getQualifier() = getASanitizedBodyBuilder().asExpr() and
|
||||
ma.getCallee().hasName("body")
|
||||
).getArgument(0)
|
||||
@@ -210,7 +210,7 @@ private class SanitizedBodyCall extends XSS::XssSanitizer {
|
||||
private class ExplicitlyVulnerableBodyArgument extends XSS::XssSinkBarrier {
|
||||
ExplicitlyVulnerableBodyArgument() {
|
||||
this.asExpr() =
|
||||
any(MethodAccess ma |
|
||||
any(MethodCall ma |
|
||||
ma.getQualifier() = getAVulnerableBodyBuilder().asExpr() and
|
||||
ma.getCallee().hasName("body")
|
||||
).getArgument(0)
|
||||
|
||||
@@ -31,7 +31,7 @@ class ModelAndView extends Class {
|
||||
}
|
||||
|
||||
/** A call to the Spring `ModelAndView.setViewName` method. */
|
||||
class SpringModelAndViewSetViewNameCall extends MethodAccess {
|
||||
class SpringModelAndViewSetViewNameCall extends MethodCall {
|
||||
SpringModelAndViewSetViewNameCall() {
|
||||
this.getMethod().getDeclaringType() instanceof ModelAndView and
|
||||
this.getMethod().hasName("setViewName")
|
||||
|
||||
@@ -40,7 +40,7 @@ abstract class IsSpecificUnixVariant extends Guard { }
|
||||
/**
|
||||
* Holds when `ma` compares the current OS against the string constant `osString`.
|
||||
*/
|
||||
private predicate isOsFromSystemProp(MethodAccess ma, string osString) {
|
||||
private predicate isOsFromSystemProp(MethodCall ma, string osString) {
|
||||
TaintTracking::localExprTaint(getSystemProperty("os.name"), ma.getQualifier()) and // Call from System.getProperty (or equivalent) to some partial match method
|
||||
exists(StringPartialMatchMethod m, CompileTimeConstantExpr matchedStringConstant |
|
||||
m = ma.getMethod() and
|
||||
@@ -50,7 +50,7 @@ private predicate isOsFromSystemProp(MethodAccess ma, string osString) {
|
||||
)
|
||||
}
|
||||
|
||||
private class IsWindowsFromSystemProp extends IsWindowsGuard instanceof MethodAccess {
|
||||
private class IsWindowsFromSystemProp extends IsWindowsGuard instanceof MethodCall {
|
||||
IsWindowsFromSystemProp() { isOsFromSystemProp(this, any(string s | s.regexpMatch("windows?"))) }
|
||||
}
|
||||
|
||||
@@ -97,7 +97,7 @@ private class IsUnixFromFileSeparator extends IsUnixGuard {
|
||||
}
|
||||
}
|
||||
|
||||
private class IsUnixFromSystemProp extends IsSpecificUnixVariant instanceof MethodAccess {
|
||||
private class IsUnixFromSystemProp extends IsSpecificUnixVariant instanceof MethodCall {
|
||||
IsUnixFromSystemProp() {
|
||||
isOsFromSystemProp(this, any(string s | s.regexpMatch(["mac.*", "linux.*"])))
|
||||
}
|
||||
@@ -144,7 +144,7 @@ private class IsSpecificUnixVariantFromApacheCommons extends IsSpecificUnixVaria
|
||||
* ([source](https://en.wikipedia.org/wiki/POSIX#POSIX-oriented_operating_systems)).
|
||||
* Looks for calls to `contains("posix")` on the `supportedFileAttributeViews()` method returned by `FileSystem`.
|
||||
*/
|
||||
private class IsUnixFromPosixFromFileSystem extends IsUnixGuard instanceof MethodAccess {
|
||||
private class IsUnixFromPosixFromFileSystem extends IsUnixGuard instanceof MethodCall {
|
||||
IsUnixFromPosixFromFileSystem() {
|
||||
exists(Method m | m = this.getMethod() |
|
||||
m.getDeclaringType()
|
||||
@@ -158,7 +158,7 @@ private class IsUnixFromPosixFromFileSystem extends IsUnixGuard instanceof Metho
|
||||
supportedFileAttributeViewsMethod.hasName("supportedFileAttributeViews") and
|
||||
supportedFileAttributeViewsMethod.getDeclaringType() instanceof TypeFileSystem
|
||||
|
|
||||
DataFlow::localExprFlow(any(MethodAccess ma |
|
||||
DataFlow::localExprFlow(any(MethodCall ma |
|
||||
ma.getMethod() = supportedFileAttributeViewsMethod
|
||||
), super.getQualifier())
|
||||
)
|
||||
|
||||
@@ -54,14 +54,14 @@ private class RegexFlowSink extends DataFlow::Node {
|
||||
|
||||
/** Gets the string expression that a regex that flows here is matched against, if any. */
|
||||
Expr getStringArgument() {
|
||||
exists(MethodAccess ma |
|
||||
exists(MethodCall ma |
|
||||
this.asExpr() = argOf(ma, _) and
|
||||
result = argOf(ma, strArg)
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
private Expr argOf(MethodAccess ma, int arg) {
|
||||
private Expr argOf(MethodCall ma, int arg) {
|
||||
arg = -1 and result = ma.getQualifier()
|
||||
or
|
||||
result = ma.getArgument(arg)
|
||||
@@ -83,7 +83,7 @@ class RegexAdditionalFlowStep extends Unit {
|
||||
// TODO: This may be able to be done with models-as-data if query-specific flow steps beome supported.
|
||||
private class JdkRegexFlowStep extends RegexAdditionalFlowStep {
|
||||
override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
exists(MethodAccess ma, Method m, string package, string type, string name, int arg |
|
||||
exists(MethodCall ma, Method m, string package, string type, string name, int arg |
|
||||
ma.getMethod().getSourceDeclaration().overrides*(m) and
|
||||
m.hasQualifiedName(package, type, name) and
|
||||
node1.asExpr() = argOf(ma, arg) and
|
||||
@@ -109,7 +109,7 @@ private class JdkRegexFlowStep extends RegexAdditionalFlowStep {
|
||||
|
||||
private class GuavaRegexFlowStep extends RegexAdditionalFlowStep {
|
||||
override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
exists(MethodAccess ma, Method m, string package, string type, string name, int arg |
|
||||
exists(MethodCall ma, Method m, string package, string type, string name, int arg |
|
||||
ma.getMethod().getSourceDeclaration().overrides*(m) and
|
||||
m.hasQualifiedName(package, type, name) and
|
||||
node1.asExpr() = argOf(ma, arg) and
|
||||
|
||||
@@ -40,7 +40,7 @@ private predicate trustedDomainViaXml(string domainName) {
|
||||
|
||||
/** Holds if the given domain name is trusted by an OkHttp `CertificatePinner`. */
|
||||
private predicate trustedDomainViaOkHttp(string domainName) {
|
||||
exists(CompileTimeConstantExpr domainExpr, MethodAccess certPinnerAdd |
|
||||
exists(CompileTimeConstantExpr domainExpr, MethodCall certPinnerAdd |
|
||||
domainExpr.getStringValue().replaceAll("*.", "") = domainName and // strip wildcard patterns like *.example.com
|
||||
certPinnerAdd.getMethod().hasQualifiedName("okhttp3", "CertificatePinner$Builder", "add") and
|
||||
DataFlow::localExprFlow(domainExpr, certPinnerAdd.getArgument(0))
|
||||
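Review bot: In `trustedDomainViaOkHttp`, `replaceAll("*.", "")` strips only the single-asterisk wildcard. OkHttp's `CertificatePinner` also accepts `**.example.com` patterns, which this would reduce to `*example.com` rather than `example.com` (assuming `replaceAll` is a literal replacement here). A domain pinned that way would then not be recognised as trusted, presumably showing up as a false positive in the pinning query. The line is unchanged context rather than part of the rename, so this is probably a follow-up: `domainExpr.getStringValue().regexpReplaceAll("^\\*{1,2}\\.", "") = domainName`. The predicate body continues outside the hunk.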
@@ -59,8 +59,8 @@ predicate trustedDomain(string domainName) {
|
||||
* that uses a socket factory derived from a `TrustManager`.
|
||||
* `default` is true if the default SSL socket factory for all URLs is being set.
|
||||
*/
|
||||
private predicate trustedSocketFactory(MethodAccess setSocketFactory, boolean default) {
|
||||
exists(MethodAccess getSocketFactory, MethodAccess initSslContext |
|
||||
private predicate trustedSocketFactory(MethodCall setSocketFactory, boolean default) {
|
||||
exists(MethodCall getSocketFactory, MethodCall initSslContext |
|
||||
exists(Method m | setSocketFactory.getMethod() = m |
|
||||
default = true and m instanceof SetDefaultConnectionFactoryMethod
|
||||
or
|
||||
@@ -80,17 +80,17 @@ private predicate trustedSocketFactory(MethodAccess setSocketFactory, boolean de
|
||||
* that is trusted due to its SSL socket factory being set.
|
||||
*/
|
||||
private predicate trustedUrlConnection(Expr url) {
|
||||
exists(MethodAccess openCon |
|
||||
exists(MethodCall openCon |
|
||||
openCon.getMethod().getASourceOverriddenMethod*() instanceof UrlOpenConnectionMethod and
|
||||
url = openCon.getQualifier() and
|
||||
exists(MethodAccess setSocketFactory |
|
||||
exists(MethodCall setSocketFactory |
|
||||
trustedSocketFactory(setSocketFactory, false) and
|
||||
TaintTracking::localExprTaint(openCon, setSocketFactory.getQualifier())
|
||||
)
|
||||
)
|
||||
or
|
||||
trustedSocketFactory(_, true) and
|
||||
exists(MethodAccess open, Method m |
|
||||
exists(MethodCall open, Method m |
|
||||
m instanceof UrlOpenConnectionMethod or m instanceof UrlOpenStreamMethod
|
||||
|
|
||||
open.getMethod().getASourceOverriddenMethod*() = m and
|
||||
|
||||
@@ -41,14 +41,14 @@ private class DefaultIntentRedirectionSink extends IntentRedirectionSink {
|
||||
private class DefaultIntentRedirectionSanitizer extends IntentRedirectionSanitizer {
|
||||
DefaultIntentRedirectionSanitizer() {
|
||||
this.getType() instanceof TypeIntent and
|
||||
exists(MethodAccess ma, Method m, Guard g, boolean branch |
|
||||
exists(MethodCall ma, Method m, Guard g, boolean branch |
|
||||
ma.getMethod() = m and
|
||||
m.getDeclaringType() instanceof TypeComponentName and
|
||||
m.hasName("getPackageName") and
|
||||
g.isEquality(ma, _, branch) and
|
||||
g.controls(this.asExpr().getBasicBlock(), branch)
|
||||
) and
|
||||
exists(MethodAccess ma, Method m, Guard g, boolean branch |
|
||||
exists(MethodCall ma, Method m, Guard g, boolean branch |
|
||||
ma.getMethod() = m and
|
||||
m.getDeclaringType() instanceof TypeComponentName and
|
||||
m.hasName("getClassName") and
|
||||
|
||||
@@ -103,7 +103,7 @@ private module TaintedIntentComponentConfig implements DataFlow::ConfigSig {
|
||||
private module TaintedIntentComponentFlow = TaintTracking::Global<TaintedIntentComponentConfig>;
|
||||
|
||||
/** A call to a method that changes the component of an `Intent`. */
|
||||
private class IntentSetComponent extends MethodAccess {
|
||||
private class IntentSetComponent extends MethodCall {
|
||||
int sinkArg;
|
||||
|
||||
IntentSetComponent() {
|
||||
|
||||
@@ -20,7 +20,7 @@ private class SensitiveInfoExpr extends Expr {
|
||||
}
|
||||
|
||||
private predicate maybeNullArg(Expr ex) {
|
||||
exists(DataFlow::Node src, DataFlow::Node sink, MethodAccess ma |
|
||||
exists(DataFlow::Node src, DataFlow::Node sink, MethodCall ma |
|
||||
ex = ma.getAnArgument() and
|
||||
sink.asExpr() = ex and
|
||||
src.asExpr() instanceof NullLiteral
|
||||
@@ -30,7 +30,7 @@ private predicate maybeNullArg(Expr ex) {
|
||||
}
|
||||
|
||||
private predicate maybeEmptyArrayArg(Expr ex) {
|
||||
exists(DataFlow::Node src, DataFlow::Node sink, MethodAccess ma |
|
||||
exists(DataFlow::Node src, DataFlow::Node sink, MethodCall ma |
|
||||
ex = ma.getAnArgument() and
|
||||
sink.asExpr() = ex and
|
||||
src.asExpr().(ArrayCreationExpr).getFirstDimensionSize() = 0
|
||||
@@ -43,7 +43,7 @@ private predicate maybeEmptyArrayArg(Expr ex) {
|
||||
* Holds if a `sendBroadcast` call doesn't specify receiver permission.
|
||||
*/
|
||||
private predicate isSensitiveBroadcastSink(DataFlow::Node sendBroadcastCallArg) {
|
||||
exists(MethodAccess ma, string name | ma.getMethod().hasName(name) |
|
||||
exists(MethodCall ma, string name | ma.getMethod().hasName(name) |
|
||||
ma.getMethod().getDeclaringType().getASourceSupertype*() instanceof TypeContext and
|
||||
sendBroadcastCallArg.asExpr() = ma.getAnArgument() and
|
||||
(
|
||||
@@ -105,7 +105,7 @@ private predicate isSensitiveBroadcastSink(DataFlow::Node sendBroadcastCallArg)
|
||||
* Holds if `arg` is an argument in a use of a `startActivity` or `startService` method that sends an Intent to another application.
|
||||
*/
|
||||
private predicate isStartActivityOrServiceSink(DataFlow::Node arg) {
|
||||
exists(MethodAccess ma, string name | ma.getMethod().hasName(name) |
|
||||
exists(MethodCall ma, string name | ma.getMethod().hasName(name) |
|
||||
arg.asExpr() = ma.getArgument(0) and
|
||||
ma.getMethod().getDeclaringType().getASourceSupertype*() instanceof TypeContext and
|
||||
// startActivity(Intent intent)
|
||||
|
||||
@@ -15,7 +15,7 @@ class OnReceivedSslErrorMethod extends Method {
|
||||
}
|
||||
|
||||
/** A call to `SslErrorHandler.proceed` */
|
||||
private class SslProceedCall extends MethodAccess {
|
||||
private class SslProceedCall extends MethodCall {
|
||||
SslProceedCall() {
|
||||
this.getMethod().hasQualifiedName("android.webkit", "SslErrorHandler", "proceed")
|
||||
}
|
||||
|
||||
@@ -50,7 +50,7 @@ class SetDataMethod extends Method {
|
||||
/** A dataflow sink for the URI of an intent. */
|
||||
class SetDataSink extends DataFlow::ExprNode {
|
||||
SetDataSink() {
|
||||
exists(MethodAccess ma |
|
||||
exists(MethodCall ma |
|
||||
this.getExpr() = ma.getQualifier() and
|
||||
ma.getMethod() instanceof SetDataMethod
|
||||
)
|
||||
@@ -72,7 +72,7 @@ class UriConstructorMethod extends Method {
|
||||
class ExternalApkSource extends DataFlow::Node {
|
||||
ExternalApkSource() {
|
||||
sourceNode(this, "android-external-storage-dir") or
|
||||
this.asExpr().(MethodAccess).getMethod() instanceof UriConstructorMethod or
|
||||
this.asExpr().(MethodCall).getMethod() instanceof UriConstructorMethod or
|
||||
this.asExpr().(StringLiteral).getValue().matches("file://%") or
|
||||
this instanceof ThreatModelFlowSource
|
||||
}
|
||||
|
||||
@@ -13,7 +13,7 @@ module ApkInstallationConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node node) { node instanceof ExternalApkSource }
|
||||
|
||||
predicate isSink(DataFlow::Node node) {
|
||||
exists(MethodAccess ma |
|
||||
exists(MethodCall ma |
|
||||
ma.getMethod() instanceof SetDataMethod and
|
||||
ma.getArgument(0) = node.asExpr() and
|
||||
(
|
||||
@@ -57,7 +57,7 @@ private module InstallPackageActionConfig implements DataFlow::StateConfigSig {
|
||||
node2.asExpr() = cc
|
||||
)
|
||||
or
|
||||
exists(MethodAccess ma |
|
||||
exists(MethodCall ma |
|
||||
ma.getMethod() instanceof SetActionMethod and
|
||||
node1.asExpr() = ma.getArgument(0) and
|
||||
node2.asExpr() = ma.getQualifier()
|
||||
@@ -95,7 +95,7 @@ private module PackageArchiveMimeTypeConfig implements DataFlow::StateConfigSig
|
||||
) {
|
||||
state1 instanceof MimeTypeUnset and
|
||||
state2 instanceof HasPackageArchiveMimeType and
|
||||
exists(MethodAccess ma |
|
||||
exists(MethodCall ma |
|
||||
ma.getQualifier() = node2.asExpr() and
|
||||
(
|
||||
ma.getMethod() instanceof SetTypeMethod and
|
||||
|
||||
@@ -35,7 +35,7 @@ private Guard sizeGuard(SsaVariable v, boolean branch, boolean upper) {
|
||||
branch = false and upper = true
|
||||
)
|
||||
or
|
||||
exists(MethodAccess ma |
|
||||
exists(MethodCall ma |
|
||||
ma.getMethod() instanceof MethodAbs and
|
||||
ma.getArgument(0) = ssaRead(v, 0) and
|
||||
(
|
||||
@@ -67,7 +67,7 @@ private Guard sizeGuard(SsaVariable v, boolean branch, boolean upper) {
|
||||
result.isEquality(ssaRead(v, 0), _, branch) and
|
||||
(upper = true or upper = false)
|
||||
or
|
||||
exists(MethodAccess call, Method m, int ix |
|
||||
exists(MethodCall call, Method m, int ix |
|
||||
call = result and
|
||||
call.getArgument(ix) = ssaRead(v, 0) and
|
||||
call.getMethod().getSourceDeclaration() = m and
|
||||
@@ -112,7 +112,7 @@ predicate guardedLessThanSomething(Expr e) {
|
||||
or
|
||||
negative(e)
|
||||
or
|
||||
e.(MethodAccess).getMethod() instanceof MethodMathMin
|
||||
e.(MethodCall).getMethod() instanceof MethodMathMin
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -127,7 +127,7 @@ predicate guardedGreaterThanSomething(Expr e) {
|
||||
or
|
||||
positive(e)
|
||||
or
|
||||
e.(MethodAccess).getMethod() instanceof MethodMathMax
|
||||
e.(MethodCall).getMethod() instanceof MethodMathMax
|
||||
}
|
||||
|
||||
/** Holds if `e` occurs in a context where it will be upcast to a wider type. */
|
||||
|
||||
@@ -12,9 +12,9 @@ private class LocalDatabaseCleartextStorageSink extends CleartextStorageSink {
|
||||
}
|
||||
|
||||
/** The creation of an object that can be used to store data in a local database. */
|
||||
class LocalDatabaseOpenMethodAccess extends Storable, Call {
|
||||
LocalDatabaseOpenMethodAccess() {
|
||||
exists(Method m | this.(MethodAccess).getMethod() = m |
|
||||
class LocalDatabaseOpenMethodCall extends Storable, Call {
|
||||
LocalDatabaseOpenMethodCall() {
|
||||
exists(Method m | this.(MethodCall).getMethod() = m |
|
||||
m.getDeclaringType().getASupertype*() instanceof TypeSQLiteOpenHelper and
|
||||
m.hasName("getWritableDatabase")
|
||||
or
|
||||
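Review bot: The public class `LocalDatabaseOpenMethodAccess` is renamed to `LocalDatabaseOpenMethodCall` with no deprecated alias visible in this hunk, so any downstream query that names the old class would stop compiling. The same applies to `SharedPreferencesEditorMethodAccess`, renamed to `SharedPreferencesEditorMethodCall` in the later SharedPreferences hunk. If the aliases are not added elsewhere in the commit, consider `deprecated class LocalDatabaseOpenMethodAccess = LocalDatabaseOpenMethodCall;`, the form this library already uses for `CamelJavaDSLBeanRefDecl`, and the equivalent line for the SharedPreferences class. The class body continues outside the hunk.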
@@ -77,7 +77,7 @@ private predicate localDatabaseInput(DataFlow::Node database, Argument input) {
|
||||
* either through the use of prepared statements, via the `ContentValues` class, or
|
||||
* directly executing a raw SQL query.
|
||||
*/
|
||||
private predicate localDatabaseStore(DataFlow::Node database, MethodAccess store) {
|
||||
private predicate localDatabaseStore(DataFlow::Node database, MethodCall store) {
|
||||
exists(Method m | store.getMethod() = m |
|
||||
m instanceof LocalDatabaseInputStoreMethod and
|
||||
database.asExpr() = store.getQualifier()
|
||||
@@ -95,7 +95,7 @@ private predicate localDatabaseStore(DataFlow::Node database, MethodAccess store
|
||||
|
||||
private module LocalDatabaseFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
source.asExpr() instanceof LocalDatabaseOpenMethodAccess
|
||||
source.asExpr() instanceof LocalDatabaseOpenMethodCall
|
||||
}
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
|
||||
@@ -88,7 +88,7 @@ private module ClassStoreFlowConfig implements DataFlow::ConfigSig {
|
||||
private module ClassStoreFlow = DataFlow::Global<ClassStoreFlowConfig>;
|
||||
|
||||
private predicate serializableStore(DataFlow::Node instance, Expr store) {
|
||||
exists(MethodAccess m |
|
||||
exists(MethodCall m |
|
||||
store = m and
|
||||
m.getMethod() instanceof WriteObjectMethod and
|
||||
instance.asExpr() = m.getArgument(0)
|
||||
@@ -96,7 +96,7 @@ private predicate serializableStore(DataFlow::Node instance, Expr store) {
|
||||
}
|
||||
|
||||
private predicate marshallableStore(DataFlow::Node instance, Expr store) {
|
||||
exists(MethodAccess m |
|
||||
exists(MethodCall m |
|
||||
store = m and
|
||||
m.getMethod() instanceof JaxbMarshalMethod and
|
||||
instance.asExpr() = m.getArgument(0)
|
||||
|
||||
@@ -28,7 +28,7 @@ class Cookie extends Storable, ClassInstanceExpr {
|
||||
}
|
||||
|
||||
private predicate cookieStore(DataFlow::Node cookie, Expr store) {
|
||||
exists(MethodAccess m, Method def |
|
||||
exists(MethodCall m, Method def |
|
||||
m.getMethod() = def and
|
||||
def.getName() = "addCookie" and
|
||||
def.getDeclaringType().hasQualifiedName("javax.servlet.http", "HttpServletResponse") and
|
||||
|
||||
@@ -7,7 +7,7 @@ import semmle.code.java.security.CleartextStorageQuery
|
||||
|
||||
private class PropertiesCleartextStorageSink extends CleartextStorageSink {
|
||||
PropertiesCleartextStorageSink() {
|
||||
exists(MethodAccess m |
|
||||
exists(MethodCall m |
|
||||
m.getMethod() instanceof PropertiesSetPropertyMethod and this.asExpr() = m.getArgument(1)
|
||||
)
|
||||
}
|
||||
@@ -35,7 +35,7 @@ class Properties extends Storable, ClassInstanceExpr {
|
||||
}
|
||||
|
||||
private predicate propertiesInput(DataFlow::Node prop, Expr input) {
|
||||
exists(MethodAccess m |
|
||||
exists(MethodCall m |
|
||||
m.getMethod() instanceof PropertiesSetPropertyMethod and
|
||||
input = m.getArgument(1) and
|
||||
prop.asExpr() = m.getQualifier()
|
||||
@@ -43,7 +43,7 @@ private predicate propertiesInput(DataFlow::Node prop, Expr input) {
|
||||
}
|
||||
|
||||
private predicate propertiesStore(DataFlow::Node prop, Expr store) {
|
||||
exists(MethodAccess m |
|
||||
exists(MethodCall m |
|
||||
m.getMethod() instanceof PropertiesStoreMethod and
|
||||
store = m and
|
||||
prop.asExpr() = m.getQualifier()
|
||||
|
||||
@@ -65,15 +65,15 @@ private class DefaultCleartextStorageSanitizer extends CleartextStorageSanitizer
|
||||
* encryption (reversible and non-reversible) from both JDK and third parties, this class simply
|
||||
* checks method name to take a best guess to reduce false positives.
|
||||
*/
|
||||
private class EncryptedSensitiveMethodAccess extends MethodAccess {
|
||||
EncryptedSensitiveMethodAccess() {
|
||||
private class EncryptedSensitiveMethodCall extends MethodCall {
|
||||
EncryptedSensitiveMethodCall() {
|
||||
this.getMethod().getName().toLowerCase().matches(["%encrypt%", "%hash%", "%digest%"])
|
||||
}
|
||||
}
|
||||
|
||||
/** Flow configuration for encryption methods flowing to inputs of persistent storage. */
|
||||
private module EncryptedValueFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src.asExpr() instanceof EncryptedSensitiveMethodAccess }
|
||||
predicate isSource(DataFlow::Node src) { src.asExpr() instanceof EncryptedSensitiveMethodCall }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof SensitiveExpr }
|
||||
}
|
||||
|
||||
@@ -7,7 +7,7 @@ import semmle.code.java.security.CleartextStorageQuery
|
||||
|
||||
private class SharedPrefsCleartextStorageSink extends CleartextStorageSink {
|
||||
SharedPrefsCleartextStorageSink() {
|
||||
exists(MethodAccess m |
|
||||
exists(MethodCall m |
|
||||
m.getMethod() instanceof PutSharedPreferenceMethod and
|
||||
this.asExpr() = m.getArgument(1)
|
||||
)
|
||||
@@ -18,10 +18,10 @@ private class SharedPrefsCleartextStorageSink extends CleartextStorageSink {
|
||||
* The call to get a `SharedPreferences.Editor` object, which can set shared preferences and be
|
||||
* stored to the device.
|
||||
*/
|
||||
class SharedPreferencesEditorMethodAccess extends Storable, MethodAccess {
|
||||
SharedPreferencesEditorMethodAccess() {
|
||||
class SharedPreferencesEditorMethodCall extends Storable, MethodCall {
|
||||
SharedPreferencesEditorMethodCall() {
|
||||
this.getMethod() instanceof GetSharedPreferencesEditorMethod and
|
||||
not DataFlow::localExprFlow(any(MethodAccess ma |
|
||||
not DataFlow::localExprFlow(any(MethodCall ma |
|
||||
ma.getMethod() instanceof CreateEncryptedSharedPreferencesMethod
|
||||
), this.getQualifier())
|
||||
}
|
||||
@@ -48,7 +48,7 @@ class SharedPreferencesEditorMethodAccess extends Storable, MethodAccess {
|
||||
* called on `editor`, which is an instance of `SharedPreferences$Editor`.
|
||||
*/
|
||||
private predicate sharedPreferencesInput(DataFlow::Node editor, Expr input) {
|
||||
exists(MethodAccess m |
|
||||
exists(MethodCall m |
|
||||
m.getMethod() instanceof PutSharedPreferenceMethod and
|
||||
input = m.getArgument(1) and
|
||||
editor.asExpr() = m.getQualifier().getUnderlyingExpr()
|
||||
@@ -59,7 +59,7 @@ private predicate sharedPreferencesInput(DataFlow::Node editor, Expr input) {
|
||||
* Holds if `m` is a store method called on `editor`,
|
||||
* which is an instance of `SharedPreferences$Editor`.
|
||||
*/
|
||||
private predicate sharedPreferencesStore(DataFlow::Node editor, MethodAccess m) {
|
||||
private predicate sharedPreferencesStore(DataFlow::Node editor, MethodCall m) {
|
||||
m.getMethod() instanceof StoreSharedPreferenceMethod and
|
||||
editor.asExpr() = m.getQualifier().getUnderlyingExpr()
|
||||
}
|
||||
@@ -67,7 +67,7 @@ private predicate sharedPreferencesStore(DataFlow::Node editor, MethodAccess m)
|
||||
/** Flow from `SharedPreferences.Editor` to either a setter or a store method. */
|
||||
private module SharedPreferencesFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) {
|
||||
src.asExpr() instanceof SharedPreferencesEditorMethodAccess
|
||||
src.asExpr() instanceof SharedPreferencesEditorMethodCall
|
||||
}
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
|
||||
@@ -74,7 +74,7 @@ private class CommandArgumentList extends SsaExplicitUpdate {
|
||||
exists(RValue mid |
|
||||
mid = this.getAUseBeforeFirstAdd() and
|
||||
adjacentUseUse(mid, result) and
|
||||
not exists(MethodAccess ma |
|
||||
not exists(MethodCall ma |
|
||||
mid = ma.getQualifier() and
|
||||
ma.getMethod().hasName("add")
|
||||
)
|
||||
@@ -84,26 +84,26 @@ private class CommandArgumentList extends SsaExplicitUpdate {
|
||||
/**
|
||||
* Gets an addition to this list, i.e. a call to an `add` or `addAll` method.
|
||||
*/
|
||||
MethodAccess getAnAdd() {
|
||||
MethodCall getAnAdd() {
|
||||
result.getQualifier() = this.getAUse() and
|
||||
result.getMethod().getName().matches("add%")
|
||||
}
|
||||
|
||||
/** Gets an addition to this list which could be its first element. */
|
||||
MethodAccess getAFirstAdd() {
|
||||
MethodCall getAFirstAdd() {
|
||||
result = this.getAnAdd() and
|
||||
result.getQualifier() = this.getAUseBeforeFirstAdd()
|
||||
}
|
||||
|
||||
/** Gets an addition to this list which is not the first element. */
|
||||
MethodAccess getASubsequentAdd() {
|
||||
MethodCall getASubsequentAdd() {
|
||||
result = this.getAnAdd() and
|
||||
not result = this.getAFirstAdd()
|
||||
}
|
||||
|
||||
/** Holds if the first element of this list is a shell command. */
|
||||
predicate isShell() {
|
||||
exists(MethodAccess ma | ma = this.getAFirstAdd() and isShell(ma.getArgument(0)))
|
||||
exists(MethodCall ma | ma = this.getAFirstAdd() and isShell(ma.getArgument(0)))
|
||||
}
|
||||
}
|
||||
|
||||
@@ -173,7 +173,7 @@ private Expr firstElementOf(Expr arr) {
|
||||
or
|
||||
exists(CommandArgArrayImmutableFirst caa | arr = caa.getAUse() | result = caa.getFirstElement())
|
||||
or
|
||||
exists(MethodAccess ma, Method m |
|
||||
exists(MethodCall ma, Method m |
|
||||
arr = ma and
|
||||
ma.getMethod() = m and
|
||||
m.getDeclaringType().hasQualifiedName("java.util", "Arrays") and
|
||||
|
||||
@@ -11,7 +11,7 @@ import semmle.code.java.controlflow.Guards
|
||||
/**
|
||||
* Holds if `ma` is controlled by the condition expression `e`.
|
||||
*/
|
||||
predicate conditionControlsMethod(MethodAccess ma, Expr e) {
|
||||
predicate conditionControlsMethod(MethodCall ma, Expr e) {
|
||||
exists(ConditionBlock cb, SensitiveExecutionMethod m, boolean cond |
|
||||
ma.getMethod() = m and
|
||||
cb.controls(ma.getBasicBlock(), cond) and
|
||||
@@ -28,7 +28,7 @@ predicate conditionControlsMethod(MethodAccess ma, Expr e) {
|
||||
* `endsWith` method of the `java.lang.String` class.
|
||||
*/
|
||||
private predicate endsWithStep(DataFlow::Node node1, DataFlow::Node node2) {
|
||||
exists(MethodAccess ma |
|
||||
exists(MethodCall ma |
|
||||
ma.getMethod().getDeclaringType() instanceof TypeString and
|
||||
ma.getMethod().getName() = "endsWith" and
|
||||
ma.getQualifier() = node1.asExpr() and
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More