Merge pull request #2498 from aschackmull/java/taint-getter

Java/C++/C#: Add support for taint-getter/setter summaries in data flow.
2026-04-30 03:05:15 +02:00 · 2020-01-15 09:55:19 +01:00
parent 5a5832b7de 241b8a05e4
commit f7278d36e1
31 changed files with 11254 additions and 3600 deletions
--- a/java/ql/test/library-tests/dataflow/taintgettersetter/A.java
+++ b/java/ql/test/library-tests/dataflow/taintgettersetter/A.java
@@ -0,0 +1,37 @@
+public class A {
+  String taint() { return "tainted"; }
+  void sink(Object o) { }
+
+  static String step(String s) { return s + "0"; }
+
+  static class Box {
+    String s;
+    Box(String s) {
+      this.s = s + "1";
+    }
+    String getS1() { return s + "2"; }
+    String getS2() { return step(s + "_") + "2"; }
+    void setS1(String s) { this.s = "3" + s; }
+    void setS2(String s) { this.s = "3" + step("_" + s); }
+    static Box mk(String s) {
+      Box b = new Box("");
+      b.s = step(s);
+      return b;
+    }
+  }
+
+  void foo(Box b1, Box b2) {
+    b1.setS1(taint());
+    sink(b1.getS1());
+
+    b2.setS2(taint());
+    sink(b2.getS2());
+
+    String t3 = taint();
+    Box b3 = new Box(step(t3));
+    sink(b3.s);
+
+    Box b4 = Box.mk(taint());
+    sink(b4.getS1());
+  }
+}
--- a/java/ql/test/library-tests/dataflow/taintgettersetter/taintgettersetter.expected
+++ b/java/ql/test/library-tests/dataflow/taintgettersetter/taintgettersetter.expected
@@ -0,0 +1,4 @@
+| A.java:24:14:24:20 | taint(...) | A.java:25:10:25:19 | getS1(...) |
+| A.java:27:14:27:20 | taint(...) | A.java:28:10:28:19 | getS2(...) |
+| A.java:30:17:30:23 | taint(...) | A.java:32:10:32:13 | b3.s |
+| A.java:34:21:34:27 | taint(...) | A.java:35:10:35:19 | getS1(...) |
--- a/java/ql/test/library-tests/dataflow/taintgettersetter/taintgettersetter.ql
+++ b/java/ql/test/library-tests/dataflow/taintgettersetter/taintgettersetter.ql
@@ -0,0 +1,25 @@
+import java
+import semmle.code.java.dataflow.DataFlow
+import DataFlow
+
+class Conf extends Configuration {
+  Conf() { this = "taintgettersetter" }
+
+  override predicate isSource(Node n) { n.asExpr().(MethodAccess).getMethod().hasName("taint") }
+
+  override predicate isSink(Node n) {
+    exists(MethodAccess sink |
+      sink.getAnArgument() = n.asExpr() and sink.getMethod().hasName("sink")
+    )
+  }
+
+  override predicate isAdditionalFlowStep(Node n1, Node n2) {
+    exists(AddExpr add |
+      add.getType() instanceof TypeString and add.getAnOperand() = n1.asExpr() and n2.asExpr() = add
+    )
+  }
+}
+
+from Node src, Node sink, Conf conf
+where conf.hasFlow(src, sink)
+select src, sink