[Java] JDK Collection lambda models

JLLeitschuh · JLLeitschuh · commit d4b18fe6a3d8 · 2021-10-19T15:57:58.000-04:00
Adds support for data flow tracking through simple JDK collection functional APIs. - `Iterable::forEach` - `Iterator::forEachRemaining` - `Map::forEach` Replaces github#5871 Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/ContainerFlow.qll b/java/ql/lib/semmle/code/java/dataflow/internal/ContainerFlow.qll
@@ -104,7 +104,9 @@ private class ContainerFlowSummaries extends SummaryModelCsv {
         "java.util;Map$Entry;true;setValue;;;Argument[0];MapValue of Argument[-1];value",
         "java.lang;Iterable;true;iterator;();;Element of Argument[-1];Element of ReturnValue;value",
         "java.lang;Iterable;true;spliterator;();;Element of Argument[-1];Element of ReturnValue;value",
+        "java.lang;Iterable;true;forEach;(Consumer);;Element of Argument[-1];Parameter[0] of Argument[0];value",
         "java.util;Iterator;true;next;;;Element of Argument[-1];ReturnValue;value",
+        "java.util;Iterator;true;forEachRemaining;(Consumer);;Element of Argument[-1];Parameter[0] of Argument[0];value",
         "java.util;ListIterator;true;previous;;;Element of Argument[-1];ReturnValue;value",
         "java.util;ListIterator;true;add;(Object);;Argument[0];Element of Argument[-1];value",
         "java.util;ListIterator;true;set;(Object);;Argument[0];Element of Argument[-1];value",
@@ -135,6 +137,8 @@ private class ContainerFlowSummaries extends SummaryModelCsv {
         "java.util;Map;true;merge;(Object,Object,BiFunction);;Argument[1];MapValue of Argument[-1];value",
         "java.util;Map;true;putAll;(Map);;MapKey of Argument[0];MapKey of Argument[-1];value",
         "java.util;Map;true;putAll;(Map);;MapValue of Argument[0];MapValue of Argument[-1];value",
+        "java.util;Map;true;forEach;(BiConsumer);;MapKey of Argument[-1];Parameter[0] of Argument[0];value",
+        "java.util;Map;true;forEach;(BiConsumer);;MapValue of Argument[-1];Parameter[1] of Argument[0];value",
         "java.util;Collection;true;parallelStream;();;Element of Argument[-1];Element of ReturnValue;value",
         "java.util;Collection;true;stream;();;Element of Argument[-1];Element of ReturnValue;value",
         "java.util;Collection;true;toArray;;;Element of Argument[-1];ArrayElement of ReturnValue;value",
diff --git a/java/ql/test/library-tests/dataflow/collections/Test.java b/java/ql/test/library-tests/dataflow/collections/Test.java
@@ -25,5 +25,57 @@ public void run() {
     Iterator<String> it = m.values().iterator();
     String x5 = it.next();
     sink(x5); // Flow
+
+    it.forEachRemaining(x6 -> {
+      sink(x6); // Flow
+    });
+
+    m.forEach((x7_k, x8_v) -> {
+      sink(x7_k); // No flow
+      sink(x8_v); // Flow
+    });
+
+    m.entrySet().forEach(entry -> {
+      String x9 = entry.getKey();
+      String x10 = entry.getValue();
+      sink(x9); // No flow
+      sink(x10); // Flow
+    });    
+  }
+
+  public void run2() {
+    HashMap<String, String> m = new HashMap<>();
+
+    m.put(tainted, tainted);
+    
+    m.forEach((x11_k, x12_v) -> {
+      sink(x11_k); // Flow
+      sink(x12_v); // Flow
+    });
+
+    m.entrySet().forEach(entry -> {
+      String x13 = entry.getKey();
+      String x14 = entry.getValue();
+      sink(x13); // Flow
+      sink(x14); // Flow
+    });
+  }
+
+  public void run3() {
+    Set<String> s = new HashSet<>();
+    String x15 = s.iterator().next();
+    sink(x15); // No flow
+
+    s.forEach(x16 -> {
+      sink(x16); // No flow
+    });
+
+    s.add(tainted);
+    String x17 = s.iterator().next();
+    sink(x17); // Flow
+
+    s.forEach(x18 -> {
+      sink(x18); // Flow
+    });
   }
 }
diff --git a/java/ql/test/library-tests/dataflow/collections/flow.expected b/java/ql/test/library-tests/dataflow/collections/flow.expected
@@ -2,3 +2,12 @@
 | Test.java:13:18:13:24 | tainted | Test.java:18:10:18:11 | x3 |
 | Test.java:13:18:13:24 | tainted | Test.java:22:12:22:13 | x4 |
 | Test.java:13:18:13:24 | tainted | Test.java:27:10:27:11 | x5 |
+| Test.java:13:18:13:24 | tainted | Test.java:30:12:30:13 | x6 |
+| Test.java:13:18:13:24 | tainted | Test.java:35:12:35:15 | x8_v |
+| Test.java:13:18:13:24 | tainted | Test.java:42:12:42:14 | x10 |
+| Test.java:49:11:49:17 | tainted | Test.java:52:12:52:16 | x11_k |
+| Test.java:49:11:49:17 | tainted | Test.java:59:12:59:14 | x13 |
+| Test.java:49:20:49:26 | tainted | Test.java:53:12:53:16 | x12_v |
+| Test.java:49:20:49:26 | tainted | Test.java:60:12:60:14 | x14 |
+| Test.java:73:11:73:17 | tainted | Test.java:75:10:75:12 | x17 |
+| Test.java:73:11:73:17 | tainted | Test.java:78:12:78:14 | x18 |
