Initial support for capturing sink models

2025-12-20 18:56:32 +01:00 · 2021-09-24 16:12:12 +02:00
parent 364de55b8d
commit f9fea15a52
5 changed files with 81 additions and 3 deletions
--- a/java/ql/src/utils/model-generator/CaptureSinkModels.ql
+++ b/java/ql/src/utils/model-generator/CaptureSinkModels.ql
@@ -0,0 +1,37 @@
+import java
+import Telemetry.ExternalAPI
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.ExternalFlow
+import ModelGeneratorUtils
+
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "public methods calling sinks" }
+
+  override predicate isSource(DataFlow::Node source) {
+    exists(MethodAccess ma |
+      ma = source.asExpr() and
+      ma.getAnEnclosingStmt().getEnclosingCallable().isPublic() and
+      ma.getAnEnclosingStmt().getEnclosingCallable().fromSource()
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, _) }
+}
+
+string asInputArgument(Expr source) { result = "Argument[" + source.(Argument).getPosition() + "]" }
+
+string captureSink(Callable api) {
+  exists(DataFlow::Node src, DataFlow::Node sink, Configuration config, string kind |
+    config.hasFlow(src, sink) and
+    sinkNode(sink, kind) and
+    api = src.asExpr().getEnclosingCallable() and
+    result = asSinkModel(api, asInputArgument(src.asExpr()), kind)
+  )
+}
+
+from Callable api, string sink
+where
+  sink = captureSink(api) and
+  not api.getCompilationUnit().getFile().getAbsolutePath().matches("%src/test/%")
+select sink order by sink
--- a/java/ql/src/utils/model-generator/ModelGeneratorUtils.qll
+++ b/java/ql/src/utils/model-generator/ModelGeneratorUtils.qll
@@ -16,6 +16,23 @@ string asValueModel(Callable api, string input, string output) {

 bindingset[input, output, kind]
 string asSummaryModel(Callable api, string input, string output, string kind) {
+  result =
+    asPartialModel(api) + input + ";" //
+      + output + ";" //
+      + kind + ";" //
+}
+
+bindingset[input, kind]
+string asSinkModel(Callable api, string input, string kind) {
+  result =
+    asPartialModel(api) + input + ";" //
+      + kind + ";" //
+}
+
+/**
+ * Computes the first 6 columns for CSV rows.
+ */
+private string asPartialModel(Callable api) {
  result =
    api.getCompilationUnit().getPackage().getName() + ";" //
      + api.getDeclaringType().nestedName() + ";" //
@@ -23,9 +40,6 @@ string asSummaryModel(Callable api, string input, string output, string kind) {
      + api.getName() + ";" //
      + paramsString(api) + ";" //
      + /* ext + */ ";" //
-      + input + ";" //
-      + output + ";" //
-      + kind + ";" //
 }

 string parameterAccess(Parameter p) {