Java: Extend String dataflow models

github · Nov 1, 2021 · 55288d1 · 55288d1
1 parent e88bbfd
commit 55288d1
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 8 deletions.
diff --git a/java/ql/lib/semmle/code/java/frameworks/Objects.qll b/java/ql/lib/semmle/code/java/frameworks/Objects.qll
@@ -1,4 +1,4 @@
-/** Definitions of taint steps in Objects class of the JDK */
+/** Definitions of taint steps in `java.util.Objects` class of the JDK */
 
 import java
 private import semmle.code.java.dataflow.ExternalFlow
@@ -12,6 +12,7 @@ private class ObjectsSummaryCsv extends SummaryModelCsv {
         "java.util;Objects;false;requireNonNullElse;;;Argument[0];ReturnValue;value",
         "java.util;Objects;false;requireNonNullElse;;;Argument[1];ReturnValue;value",
         "java.util;Objects;false;requireNonNullElseGet;;;Argument[0];ReturnValue;value",
+        "java.util;Objects;false;requireNonNullElseGet;;;ReturnValue of Argument[1];ReturnValue;value",
         "java.util;Objects;false;toString;;;Argument[1];ReturnValue;value"
       ]
   }

diff --git a/java/ql/lib/semmle/code/java/frameworks/Strings.qll b/java/ql/lib/semmle/code/java/frameworks/Strings.qll
@@ -8,22 +8,32 @@ private class StringSummaryCsv extends SummaryModelCsv {
     row =
       [
         //`namespace; type; subtypes; name; signature; ext; input; output; kind`
+        "java.lang;String;false;codePoints;();;Argument[-1];Element of ReturnValue;taint",
         "java.lang;String;false;concat;(String);;Argument[0];ReturnValue;taint",
         "java.lang;String;false;concat;(String);;Argument[-1];ReturnValue;taint",
         "java.lang;String;false;copyValueOf;;;Argument[0];ReturnValue;taint",
-        "java.lang;String;false;endsWith;;;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;describeConstable;;;Argument[-1];Element of ReturnValue;value",
         "java.lang;String;false;format;(Locale,String,Object[]);;Argument[1];ReturnValue;taint",
         "java.lang;String;false;format;(Locale,String,Object[]);;ArrayElement of Argument[2];ReturnValue;taint",
         "java.lang;String;false;format;(String,Object[]);;Argument[0];ReturnValue;taint",
         "java.lang;String;false;format;(String,Object[]);;ArrayElement of Argument[1];ReturnValue;taint",
         "java.lang;String;false;formatted;(Object[]);;Argument[-1];ReturnValue;taint",
         "java.lang;String;false;formatted;(Object[]);;ArrayElement of Argument[0];ReturnValue;taint",
-        "java.lang;String;false;getChars;;;Argument[-1];Argument[2];taint",
         "java.lang;String;false;getBytes;;;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;getBytes;(int,int,byte[],int);;Argument[-1];Argument[2];taint",
+        "java.lang;String;false;getChars;;;Argument[-1];Argument[2];taint",
         "java.lang;String;false;indent;;;Argument[-1];ReturnValue;taint",
         "java.lang;String;false;intern;;;Argument[-1];ReturnValue;taint",
-        "java.lang;String;false;join;;;Argument[0..1];ReturnValue;taint",
+        "java.lang;String;false;join;;;Argument[0..1];ReturnValue;taint", // TODO: ArrayElement of Argument?
+        "java.lang;String;false;lines;;;Argument[-1];Element of ReturnValue;taint",
         "java.lang;String;false;repeat;(int);;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;replace;;;Argument[1];ReturnValue;taint",
+        "java.lang;String;false;replace;;;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;replaceAll;;;Argument[1];ReturnValue;taint",
+        "java.lang;String;false;replaceAll;;;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;replaceFirst;;;Argument[1];ReturnValue;taint",
+        "java.lang;String;false;replaceFirst;;;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;resolveConstantDesc;;;Argument[-1];ReturnValue;value",
         "java.lang;String;false;split;;;Argument[-1];ReturnValue;taint",
         "java.lang;String;false;String;;;Argument[0];Argument[-1];taint",
         "java.lang;String;false;strip;;;Argument[-1];ReturnValue;taint",
@@ -35,26 +45,43 @@ private class StringSummaryCsv extends SummaryModelCsv {
         "java.lang;String;false;toLowerCase;;;Argument[-1];ReturnValue;taint",
         "java.lang;String;false;toString;;;Argument[-1];ReturnValue;value",
         "java.lang;String;false;toUpperCase;;;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;transform;;;Argument[-1];Parameter[0] of Argument[0];value",
+        "java.lang;String;false;transform;;;ReturnValue of Argument[0];ReturnValue;value",
         "java.lang;String;false;translateEscapes;;;Argument[-1];ReturnValue;taint",
         "java.lang;String;false;trim;;;Argument[-1];ReturnValue;taint",
         "java.lang;String;false;valueOf;(char);;Argument[0];ReturnValue;taint",
         "java.lang;String;false;valueOf;(char[],int,int);;Argument[0];ReturnValue;taint",
         "java.lang;String;false;valueOf;(char[]);;Argument[0];ReturnValue;taint",
+        // TODO: Should `append` and `write` be modelled for Appendable and Writer instead?
+        // Could then remove some of the modelled `append` method here and for StringBuilder
         "java.io;StringWriter;true;append;;;Argument[0];Argument[-1];taint",
         "java.io;StringWriter;true;append;;;Argument[-1];ReturnValue;value",
+        "java.io;StringWriter;true;getBuffer;;;Argument[-1];ReturnValue;taint",
+        "java.io;StringWriter;true;toString;;;Argument[-1];ReturnValue;taint",
         "java.io;StringWriter;true;write;;;Argument[0];Argument[-1];taint",
+        // Note: `AbstractStringBuilder` is a JDK internal superclass of StringBuilder and StringBuffer
+        // Some of the methods are not modelled because they are already modelled for CharSequence
         "java.lang;AbstractStringBuilder;true;AbstractStringBuilder;(String);;Argument[0];Argument[-1];taint",
         "java.lang;AbstractStringBuilder;true;append;;;Argument[0];Argument[-1];taint",
         "java.lang;AbstractStringBuilder;true;append;;;Argument[-1];ReturnValue;value",
+        "java.lang;AbstractStringBuilder;true;appendCodePoint;;;Argument[-1];ReturnValue;value",
+        "java.lang;AbstractStringBuilder;true;delete;;;Argument[-1];ReturnValue;value",
+        "java.lang;AbstractStringBuilder;true;deleteCharAt;;;Argument[-1];ReturnValue;value",
+        "java.lang;AbstractStringBuilder;true;getChars;;;Argument[-1];Argument[2];value",
         "java.lang;AbstractStringBuilder;true;insert;;;Argument[1];Argument[-1];taint",
         "java.lang;AbstractStringBuilder;true;insert;;;Argument[-1];ReturnValue;value",
-        "java.lang;AbstractStringBuilder;true;replace;;;Argument[-1];ReturnValue;value",
         "java.lang;AbstractStringBuilder;true;replace;;;Argument[2];Argument[-1];taint",
-        "java.lang;AbstractStringBuilder;true;toString;;;Argument[-1];ReturnValue;taint",
+        "java.lang;AbstractStringBuilder;true;replace;;;Argument[-1];ReturnValue;value",
+        "java.lang;AbstractStringBuilder;true;reverse;;;Argument[-1];ReturnValue;value",
+        "java.lang;AbstractStringBuilder;true;substring;;;Argument[-1];ReturnValue;value",
         "java.lang;StringBuffer;true;StringBuffer;(CharSequence);;Argument[0];Argument[-1];taint",
         "java.lang;StringBuffer;true;StringBuffer;(String);;Argument[0];Argument[-1];taint",
-        "java.lang;StringBuilder;true;StringBuilder;;;Argument[0];Argument[-1];taint",
-        "java.lang;CharSequence;true;subSequence;;;Argument[-1];ReturnValue;taint"
+        "java.lang;StringBuilder;true;StringBuilder;(CharSequence);;Argument[0];Argument[-1];taint",
+        "java.lang;StringBuilder;true;StringBuilder;(String);;Argument[0];Argument[-1];taint",
+        "java.lang;CharSequence;true;chars;;;Argument[-1];Element of ReturnValue;taint",
+        "java.lang;CharSequence;true;codePoints;;;Argument[-1];Element of ReturnValue;taint",
+        "java.lang;CharSequence;true;subSequence;;;Argument[-1];ReturnValue;taint",
+        "java.lang;CharSequence;true;toString;;;Argument[-1];ReturnValue;taint"
       ]
   }
 }