diff --git a/java/ql/lib/semmle/code/java/frameworks/Objects.qll b/java/ql/lib/semmle/code/java/frameworks/Objects.qll
index e3aa189dbd815..1c9e19a39da32 100644
--- a/java/ql/lib/semmle/code/java/frameworks/Objects.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/Objects.qll
@@ -1,4 +1,4 @@
-/** Definitions of taint steps in Objects class of the JDK */
+/** Definitions of taint steps in `java.util.Objects` class of the JDK */
 import java
 private import semmle.code.java.dataflow.ExternalFlow
@@ -12,6 +12,7 @@ private class ObjectsSummaryCsv extends SummaryModelCsv {
 "java.util;Objects;false;requireNonNullElse;;;Argument[0];ReturnValue;value",
 "java.util;Objects;false;requireNonNullElse;;;Argument[1];ReturnValue;value",
 "java.util;Objects;false;requireNonNullElseGet;;;Argument[0];ReturnValue;value",
+ "java.util;Objects;false;requireNonNullElseGet;;;ReturnValue of Argument[1];ReturnValue;value",
 "java.util;Objects;false;toString;;;Argument[1];ReturnValue;value"
 ]
 }
diff --git a/java/ql/lib/semmle/code/java/frameworks/Strings.qll b/java/ql/lib/semmle/code/java/frameworks/Strings.qll
index bfcf34949f8c8..8f1ad8e6eeff9 100644
--- a/java/ql/lib/semmle/code/java/frameworks/Strings.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/Strings.qll
@@ -8,22 +8,32 @@ private class StringSummaryCsv extends SummaryModelCsv {
 row = [
 //`namespace; type; subtypes; name; signature; ext; input; output; kind`
+ "java.lang;String;false;codePoints;();;Argument[-1];Element of ReturnValue;taint",
 "java.lang;String;false;concat;(String);;Argument[0];ReturnValue;taint",
 "java.lang;String;false;concat;(String);;Argument[-1];ReturnValue;taint",
 "java.lang;String;false;copyValueOf;;;Argument[0];ReturnValue;taint",
- "java.lang;String;false;endsWith;;;Argument[-1];ReturnValue;taint",
+ "java.lang;String;false;describeConstable;;;Argument[-1];Element of ReturnValue;value",
 "java.lang;String;false;format;(Locale,String,Object[]);;Argument[1];ReturnValue;taint",
 "java.lang;String;false;format;(Locale,String,Object[]);;ArrayElement of Argument[2];ReturnValue;taint",
 "java.lang;String;false;format;(String,Object[]);;Argument[0];ReturnValue;taint",
 "java.lang;String;false;format;(String,Object[]);;ArrayElement of Argument[1];ReturnValue;taint",
 "java.lang;String;false;formatted;(Object[]);;Argument[-1];ReturnValue;taint",
 "java.lang;String;false;formatted;(Object[]);;ArrayElement of Argument[0];ReturnValue;taint",
- "java.lang;String;false;getChars;;;Argument[-1];Argument[2];taint",
 "java.lang;String;false;getBytes;;;Argument[-1];ReturnValue;taint",
+ "java.lang;String;false;getBytes;(int,int,byte[],int);;Argument[-1];Argument[2];taint",
+ "java.lang;String;false;getChars;;;Argument[-1];Argument[2];taint",
 "java.lang;String;false;indent;;;Argument[-1];ReturnValue;taint",
 "java.lang;String;false;intern;;;Argument[-1];ReturnValue;taint",
- "java.lang;String;false;join;;;Argument[0..1];ReturnValue;taint",
+ "java.lang;String;false;join;;;Argument[0..1];ReturnValue;taint", // TODO: ArrayElement of Argument?
+ "java.lang;String;false;lines;;;Argument[-1];Element of ReturnValue;taint",
 "java.lang;String;false;repeat;(int);;Argument[-1];ReturnValue;taint",
+ "java.lang;String;false;replace;;;Argument[1];ReturnValue;taint",
+ "java.lang;String;false;replace;;;Argument[-1];ReturnValue;taint",
+ "java.lang;String;false;replaceAll;;;Argument[1];ReturnValue;taint",
+ "java.lang;String;false;replaceAll;;;Argument[-1];ReturnValue;taint",
+ "java.lang;String;false;replaceFirst;;;Argument[1];ReturnValue;taint",
+ "java.lang;String;false;replaceFirst;;;Argument[-1];ReturnValue;taint",
+ "java.lang;String;false;resolveConstantDesc;;;Argument[-1];ReturnValue;value",
 "java.lang;String;false;split;;;Argument[-1];ReturnValue;taint",
 "java.lang;String;false;String;;;Argument[0];Argument[-1];taint",
 "java.lang;String;false;strip;;;Argument[-1];ReturnValue;taint",
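Review bot: The re-added `join` row keeps `Argument[0..1]` and parks the open question in a trailing `// TODO` inside the model list, which will ship as-is; this hunk already uses the shape that resolves it for `format`, namely `ArrayElement of Argument[2]`. Splitting by overload would make the model precise: `"java.lang;String;false;join;(CharSequence,CharSequence[]);;ArrayElement of Argument[1];ReturnValue;taint",` and `"java.lang;String;false;join;(CharSequence,Iterable);;Element of Argument[1];ReturnValue;taint",` next to an `Argument[0]` row for the delimiter. Whether `Element of Argument[1]` is accepted for an `Iterable` parameter in this CSV format should be confirmed against the tokens ExternalFlow parses, since the page only shows `Element of ReturnValue`. The `row` predicate these rows belong to starts before this hunk and continues after it.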
@@ -35,26 +45,43 @@ private class StringSummaryCsv extends SummaryModelCsv {
 "java.lang;String;false;toLowerCase;;;Argument[-1];ReturnValue;taint",
 "java.lang;String;false;toString;;;Argument[-1];ReturnValue;value",
 "java.lang;String;false;toUpperCase;;;Argument[-1];ReturnValue;taint",
+ "java.lang;String;false;transform;;;Argument[-1];Parameter[0] of Argument[0];value",
+ "java.lang;String;false;transform;;;ReturnValue of Argument[0];ReturnValue;value",
 "java.lang;String;false;translateEscapes;;;Argument[-1];ReturnValue;taint",
 "java.lang;String;false;trim;;;Argument[-1];ReturnValue;taint",
 "java.lang;String;false;valueOf;(char);;Argument[0];ReturnValue;taint",
 "java.lang;String;false;valueOf;(char[],int,int);;Argument[0];ReturnValue;taint",
 "java.lang;String;false;valueOf;(char[]);;Argument[0];ReturnValue;taint",
+ // TODO: Should `append` and `write` be modelled for Appendable and Writer instead?
+ // Could then remove some of the modelled `append` method here and for StringBuilder
 "java.io;StringWriter;true;append;;;Argument[0];Argument[-1];taint",
 "java.io;StringWriter;true;append;;;Argument[-1];ReturnValue;value",
+ "java.io;StringWriter;true;getBuffer;;;Argument[-1];ReturnValue;taint",
+ "java.io;StringWriter;true;toString;;;Argument[-1];ReturnValue;taint",
 "java.io;StringWriter;true;write;;;Argument[0];Argument[-1];taint",
+ // Note: `AbstractStringBuilder` is a JDK internal superclass of StringBuilder and StringBuffer
+ // Some of the methods are not modelled because they are already modelled for CharSequence
 "java.lang;AbstractStringBuilder;true;AbstractStringBuilder;(String);;Argument[0];Argument[-1];taint",
 "java.lang;AbstractStringBuilder;true;append;;;Argument[0];Argument[-1];taint",
 "java.lang;AbstractStringBuilder;true;append;;;Argument[-1];ReturnValue;value",
+ "java.lang;AbstractStringBuilder;true;appendCodePoint;;;Argument[-1];ReturnValue;value",
+ "java.lang;AbstractStringBuilder;true;delete;;;Argument[-1];ReturnValue;value",
+ "java.lang;AbstractStringBuilder;true;deleteCharAt;;;Argument[-1];ReturnValue;value",
+ "java.lang;AbstractStringBuilder;true;getChars;;;Argument[-1];Argument[2];value",
 "java.lang;AbstractStringBuilder;true;insert;;;Argument[1];Argument[-1];taint",
 "java.lang;AbstractStringBuilder;true;insert;;;Argument[-1];ReturnValue;value",
- "java.lang;AbstractStringBuilder;true;replace;;;Argument[-1];ReturnValue;value",
 "java.lang;AbstractStringBuilder;true;replace;;;Argument[2];Argument[-1];taint",
- "java.lang;AbstractStringBuilder;true;toString;;;Argument[-1];ReturnValue;taint",
+ "java.lang;AbstractStringBuilder;true;replace;;;Argument[-1];ReturnValue;value",
+ "java.lang;AbstractStringBuilder;true;reverse;;;Argument[-1];ReturnValue;value",
+ "java.lang;AbstractStringBuilder;true;substring;;;Argument[-1];ReturnValue;value",
 "java.lang;StringBuffer;true;StringBuffer;(CharSequence);;Argument[0];Argument[-1];taint",
 "java.lang;StringBuffer;true;StringBuffer;(String);;Argument[0];Argument[-1];taint",
- "java.lang;StringBuilder;true;StringBuilder;;;Argument[0];Argument[-1];taint",
- "java.lang;CharSequence;true;subSequence;;;Argument[-1];ReturnValue;taint"
+ "java.lang;StringBuilder;true;StringBuilder;(CharSequence);;Argument[0];Argument[-1];taint",
+ "java.lang;StringBuilder;true;StringBuilder;(String);;Argument[0];Argument[-1];taint",
+ "java.lang;CharSequence;true;chars;;;Argument[-1];Element of ReturnValue;taint",
+ "java.lang;CharSequence;true;codePoints;;;Argument[-1];Element of ReturnValue;taint",
+ "java.lang;CharSequence;true;subSequence;;;Argument[-1];ReturnValue;taint",
+ "java.lang;CharSequence;true;toString;;;Argument[-1];ReturnValue;taint"
 ]
 }
 }
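Review bot: Two of the new `AbstractStringBuilder` rows use the `value` kind where the output is not the receiver itself: `getChars` fills the caller's `char[]` (`Argument[2]`) with a copy of the builder's contents, and `substring` returns a fresh `String` holding part of them. Every sibling row of that shape uses `taint` — the `String;false;getChars;;;Argument[-1];Argument[2];taint` row in the previous hunk and the `CharSequence;true;subSequence;;;Argument[-1];ReturnValue;taint` row added in this one — so `value` here both overstates the step and is inconsistent with them. I would change the two rows to `"java.lang;AbstractStringBuilder;true;getChars;;;Argument[-1];Argument[2];taint",` and `"java.lang;AbstractStringBuilder;true;substring;;;Argument[-1];ReturnValue;taint",`. The other `value` rows in the hunk (`appendCodePoint`, `delete`, `deleteCharAt`, `replace`, `reverse`) return the receiver and look right. The `row` predicate these rows belong to starts before this hunk.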