Merge pull request github#9963 from intrigus-lgtm/java/model-set-properties

aschackmull · web-flow · commit cbd6d24b9cfa · 2022-08-10T14:51:00.000+02:00
Model `java.util.Properties.setProperty`
diff --git a/java/ql/lib/change-notes/2022-08-03-properties.md b/java/ql/lib/change-notes/2022-08-03-properties.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added a data-flow model for the `setProperty` method of `java.util.Properties`. Additional results may be found where relevant data is stored in and then retrieved from a `Properties` instance.
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/ContainerFlow.qll b/java/ql/lib/semmle/code/java/dataflow/internal/ContainerFlow.qll
@@ -244,6 +244,9 @@ private class ContainerFlowSummaries extends SummaryModelCsv {
         "java.util;Properties;true;getProperty;(String);;Argument[-1].MapValue;ReturnValue;value;manual",
         "java.util;Properties;true;getProperty;(String,String);;Argument[-1].MapValue;ReturnValue;value;manual",
         "java.util;Properties;true;getProperty;(String,String);;Argument[1];ReturnValue;value;manual",
+        "java.util;Properties;true;setProperty;(String,String);;Argument[-1].MapValue;ReturnValue;value;manual",
+        "java.util;Properties;true;setProperty;(String,String);;Argument[0];Argument[-1].MapKey;value;manual",
+        "java.util;Properties;true;setProperty;(String,String);;Argument[1];Argument[-1].MapValue;value;manual",
         "java.util;Scanner;true;Scanner;;;Argument[0];Argument[-1];taint;manual",
         "java.util;Scanner;true;findInLine;;;Argument[-1];ReturnValue;taint;manual",
         "java.util;Scanner;true;findWithinHorizon;;;Argument[-1];ReturnValue;taint;manual",
diff --git a/java/ql/test/library-tests/dataflow/collections/Test.java b/java/ql/test/library-tests/dataflow/collections/Test.java
@@ -88,4 +88,23 @@ public void run4() {
     Properties clean = new Properties();
     sink(clean.getProperty("key", tainted)); // Flow
   }
+
+  public void run5() {
+    Properties p = new Properties();
+    p.setProperty("key", tainted);
+    sink(p.getProperty("key")); // Flow
+    sink(p.getProperty("key", "defaultValue")); // Flow
+  }
+
+  public void run6() {
+    Properties p = new Properties();
+    sink(p.put("key", tainted)); // No flow
+    sink(p.put("key", "notTainted")); // Flow
+  }
+
+  public void run7() {
+    Properties p = new Properties();
+    sink(p.setProperty("key", tainted)); // No flow
+    sink(p.setProperty("key", "notTainted")); // Flow
+  }
 }
diff --git a/java/ql/test/library-tests/dataflow/collections/flow.expected b/java/ql/test/library-tests/dataflow/collections/flow.expected
@@ -14,3 +14,7 @@
 | Test.java:84:18:84:24 | tainted | Test.java:85:10:85:29 | getProperty(...) |
 | Test.java:84:18:84:24 | tainted | Test.java:86:10:86:45 | getProperty(...) |
 | Test.java:89:35:89:41 | tainted | Test.java:89:10:89:42 | getProperty(...) |
+| Test.java:94:26:94:32 | tainted | Test.java:95:10:95:29 | getProperty(...) |
+| Test.java:94:26:94:32 | tainted | Test.java:96:10:96:45 | getProperty(...) |
+| Test.java:101:23:101:29 | tainted | Test.java:102:10:102:35 | put(...) |
+| Test.java:107:31:107:37 | tainted | Test.java:108:10:108:43 | setProperty(...) |

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Added a data-flow model for the `setProperty` method of `java.util.Properties`. Additional results may be found where relevant data is stored in and then retrieved from a `Properties` instance.