Java: remove Format and MessageFormat

Jami Cogswell · Jami Cogswell · commit e0c0c973a7e3 · 2023-03-23T18:00:21.000-04:00
diff --git a/java/ql/lib/ext/java.text.model.yml b/java/ql/lib/ext/java.text.model.yml
@@ -1,12 +1,4 @@
 extensions:
-  - addsTo:
-      pack: codeql/java-all
-      extensible: summaryModel
-    data:
-      - ["java.text", "Format", True, "format", "(Object)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["java.text", "MessageFormat", False, "format", "(String,Object[])", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["java.text", "MessageFormat", False, "format", "(String,Object[])", "", "Argument[1].ArrayElement", "ReturnValue", "taint", "manual"]
-
   - addsTo:
       pack: codeql/java-all
       extensible: neutralModel
diff --git a/java/ql/test/ext/TestModels/Test.java b/java/ql/test/ext/TestModels/Test.java
@@ -7,8 +7,6 @@
 import java.sql.DriverManager;
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
-import java.text.Format;
-import java.text.MessageFormat;
 import java.util.EventObject;
 import java.util.Locale;
 import java.util.ResourceBundle;
@@ -157,16 +155,6 @@ public void test() throws Exception {
             EventObject eventObj = new EventObject(source());
             sink(eventObj.getSource()); // $hasValueFlow
 
-            // java.text
-            Format mf1 = new MessageFormat("test");
-            sink(mf1.format(source())); // $hasTaintFlow
-
-            String mf2 = MessageFormat.format((String)source(), null);
-            sink(mf2); // $hasTaintFlow
-
-            String mf3 = MessageFormat.format("test", source());
-            sink(mf3); // $hasTaintFlow
-
             // java.lang
             AssertionError assertErr = new AssertionError(source());
             sink((String)assertErr.getMessage()); // $hasValueFlow
diff --git a/java/ql/test/ext/TopJdkApis/TopJdkApis.qll b/java/ql/test/ext/TopJdkApis/TopJdkApis.qll
@@ -310,6 +310,8 @@ class TopJdkApi extends SummarizedCallableBase {
    * `java.lang.System#getProperty(String)`: needs to be modeled by regular CodeQL matching the get and set keys to reduce FPs
    * `java.lang.System#setProperty(String,String)`: needs to be modeled by regular CodeQL matching the get and set keys to reduce FPs
    * `java.lang.Throwable#printStackTrace()`: should probably not be a general step, but there might be specialised queries that care
+   * `java.text.Format#format(Object)`: similar issue as `Object.toString`; depends on the object being passed as the argument
+   * `java.text.MessageFormat#format(String,Object[])`: similar issue as `Object.toString`; depends on the object being passed as the argument
    * `java.util.Comparator#comparing(Function)`: lambda flow
    * `java.util.function.BiConsumer#accept(Object,Object)`: specialized lambda flow
    * `java.util.function.BiFunction#apply(Object,Object)`: specialized lambda flow
diff --git a/java/ql/test/ext/TopJdkApis/TopJdkApisTest.expected b/java/ql/test/ext/TopJdkApis/TopJdkApisTest.expected
@@ -2,6 +2,8 @@
 | java.lang.System#getProperty(String) | no manual model |
 | java.lang.System#setProperty(String,String) | no manual model |
 | java.lang.Throwable#printStackTrace() | no manual model |
+| java.text.Format#format(Object) | no manual model |
+| java.text.MessageFormat#format(String,Object[]) | no manual model |
 | java.util.Comparator#comparing(Function) | no manual model |
 | java.util.function.BiConsumer#accept(Object,Object) | no manual model |
 | java.util.function.BiFunction#apply(Object,Object) | no manual model |
