Merge pull request #15008 from igfoo/igfoo/kot-arr-taint

Kotlin: Track taint through Array.get/set

Author: igfoo

java/ql/lib/change-notes/2023-12-05-kotlin-array-get-set.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Taint tracking now understands Kotlin's `Array.get` and `Array.set` methods.

java/ql/lib/semmle/code/java/dataflow/internal/ContainerFlow.qll

@@ -4,6 +4,10 @@ import semmle.code.java.Maps
 private import semmle.code.java.dataflow.SSA
 private import DataFlowUtil
 
+private class ArrayType extends RefType {
+  ArrayType() { this.getSourceDeclaration().getASourceSupertype*() instanceof Array }
+}
+
 private class EntryType extends RefType {
   EntryType() {
     this.getSourceDeclaration().getASourceSupertype*().hasQualifiedName("java.util", "Map$Entry")
@@ -446,6 +450,14 @@ predicate arrayStoreStep(Node node1, Node node2) {
   exists(Assignment assign | assign.getSource() = node1.asExpr() |
     node2.(PostUpdateNode).getPreUpdateNode().asExpr() = assign.getDest().(ArrayAccess).getArray()
   )
+  or
+  exists(Expr arr, Call call |
+    arr = node2.asExpr() and
+    call.getArgument(1) = node1.asExpr() and
+    call.getQualifier() = arr and
+    arr.getType() instanceof ArrayType and
+    call.getCallee().getName() = "set"
+  )
 }
 
 private predicate enhancedForStmtStep(Node node1, Node node2, Type containerType) {
@@ -470,6 +482,14 @@ predicate arrayReadStep(Node node1, Node node2, Type elemType) {
     node2.asExpr() = aa
   )
   or
+  exists(Expr arr, Call call |
+    arr = node1.asExpr() and
+    call = node2.asExpr() and
+    arr.getType() instanceof ArrayType and
+    call.getCallee().getName() = "get" and
+    call.getQualifier() = arr
+  )
+  or
   exists(Array arr |
     enhancedForStmtStep(node1, node2, arr) and
     arr.getComponentType() = elemType

java/ql/test-kotlin1/library-tests/dataflow/foreach/C2.kt

@@ -8,11 +8,23 @@ class C2 {
         val l = arrayOf(taint("a"), "")
         sink(l)
         sink(l[0])
+        sink(l.get(0))
         for (i in l.indices) {
             sink(l[i])
         }
         for (s in l) {
             sink(s)
         }
     }
+
+    fun test2() {
+        val l1 = arrayOf("")
+        val l2 = arrayOf("")
+        l1[0] = taint("a")
+        l2.set(0, taint("a"))
+        sink(l1[0])
+        sink(l2[0])
+        sink(l1.get(0))
+        sink(l2.get(0))
+    }
 }

java/ql/test-kotlin1/library-tests/dataflow/foreach/test.expected

@@ -4,5 +4,10 @@
 | C1.java:10:44:10:46 | "a" | C1.java:19:20:19:20 | s |
 | C2.kt:8:32:8:32 | "a" | C2.kt:9:14:9:14 | l |
 | C2.kt:8:32:8:32 | "a" | C2.kt:10:14:10:17 | ...[...] |
-| C2.kt:8:32:8:32 | "a" | C2.kt:12:18:12:21 | ...[...] |
-| C2.kt:8:32:8:32 | "a" | C2.kt:15:18:15:18 | s |
+| C2.kt:8:32:8:32 | "a" | C2.kt:11:14:11:21 | get(...) |
+| C2.kt:8:32:8:32 | "a" | C2.kt:13:18:13:21 | ...[...] |
+| C2.kt:8:32:8:32 | "a" | C2.kt:16:18:16:18 | s |
+| C2.kt:23:24:23:24 | "a" | C2.kt:25:14:25:18 | ...[...] |
+| C2.kt:23:24:23:24 | "a" | C2.kt:27:14:27:22 | get(...) |
+| C2.kt:24:26:24:26 | "a" | C2.kt:26:14:26:18 | ...[...] |
+| C2.kt:24:26:24:26 | "a" | C2.kt:28:14:28:22 | get(...) |