Merge pull request github#12911 from atorralba/atorralba/java/filecopyutils-file-sinks

Java: Fix FileCopyUtils.copy models

Author: atorralba

java/ql/lib/change-notes/2023-04-24-spring-filecopyutils-sinks.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Changed some models of Spring's `FileCopyUtils.copy` to be path injection sinks instead of summaries.

java/ql/lib/ext/org.springframework.util.model.yml

@@ -1,4 +1,12 @@
 extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+    - ["org.springframework.util", "FileCopyUtils", False, "copy", "(byte[],File)", "", "Argument[1]", "create-file", "manual"]
+    - ["org.springframework.util", "FileCopyUtils", False, "copy", "(File,File)", "", "Argument[0]", "read-file", "manual"]
+    - ["org.springframework.util", "FileCopyUtils", False, "copy", "(File,File)", "", "Argument[1]", "create-file", "manual"]
+
   - addsTo:
       pack: codeql/java-all
       extensible: summaryModel
@@ -42,7 +50,10 @@ extensions:
       - ["org.springframework.util", "FastByteArrayOutputStream", False, "toByteArray", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
       - ["org.springframework.util", "FastByteArrayOutputStream", False, "write", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
       - ["org.springframework.util", "FastByteArrayOutputStream", False, "writeTo", "", "", "Argument[this]", "Argument[0]", "taint", "manual"]
-      - ["org.springframework.util", "FileCopyUtils", False, "copy", "", "", "Argument[0]", "Argument[1]", "taint", "manual"]
+      - ["org.springframework.util", "FileCopyUtils", False, "copy", "(byte[],OutputStream)", "", "Argument[0]", "Argument[1]", "taint", "manual"]
+      - ["org.springframework.util", "FileCopyUtils", False, "copy", "(InputStream,OutputStream)", "", "Argument[0]", "Argument[1]", "taint", "manual"]
+      - ["org.springframework.util", "FileCopyUtils", False, "copy", "(Reader,Writer)", "", "Argument[0]", "Argument[1]", "taint", "manual"]
+      - ["org.springframework.util", "FileCopyUtils", False, "copy", "(String,Writer)", "", "Argument[0]", "Argument[1]", "taint", "manual"]
       - ["org.springframework.util", "FileCopyUtils", False, "copyToByteArray", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["org.springframework.util", "FileCopyUtils", False, "copyToString", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["org.springframework.util", "FileSystemUtils", False, "copyRecursively", "(java.io.File,java.io.File)", "", "Argument[0]", "Argument[1]", "taint", "manual"]

java/ql/test/library-tests/frameworks/spring/util/Test.java

@@ -380,20 +380,6 @@ public void test() throws Exception {
 			FileCopyUtils.copy(in, out);
 			sink(out); // $hasTaintFlow
 		}
-		{
-			// "org.springframework.util;FileCopyUtils;false;copy;;;Argument[0];Argument[1];taint;manual"
-			File out = null;
-			byte[] in = (byte[])source();
-			FileCopyUtils.copy(in, out);
-			sink(out); // $hasTaintFlow
-		}
-		{
-			// "org.springframework.util;FileCopyUtils;false;copy;;;Argument[0];Argument[1];taint;manual"
-			File out = null;
-			File in = (File)source();
-			FileCopyUtils.copy(in, out);
-			sink(out); // $hasTaintFlow
-		}
 		{
 			// "org.springframework.util;FileCopyUtils;false;copyToByteArray;;;Argument[0];ReturnValue;taint;manual"
 			byte[] out = null;