Merge pull request #7599 from bmuskalla/modelWriter

Benjamin Muskalla · web-flow · commit 7e215a5193f8 · 2022-01-18T11:55:27.000+01:00
Java: Model Appenable and Writer
diff --git a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
@@ -91,6 +91,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.guava.Guava
   private import semmle.code.java.frameworks.jackson.JacksonSerializability
   private import semmle.code.java.frameworks.javaee.jsf.JSFRenderer
+  private import semmle.code.java.frameworks.JavaIo
   private import semmle.code.java.frameworks.JavaxJson
   private import semmle.code.java.frameworks.JaxWS
   private import semmle.code.java.frameworks.JoddJson
diff --git a/java/ql/lib/semmle/code/java/frameworks/JavaIo.qll b/java/ql/lib/semmle/code/java/frameworks/JavaIo.qll
@@ -0,0 +1,20 @@
+/** Definitions of taint steps in Objects class of the JDK */
+
+import java
+private import semmle.code.java.dataflow.ExternalFlow
+
+private class JavaIoSummaryCsv extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        //`namespace; type; subtypes; name; signature; ext; input; output; kind`
+        "java.lang;Appendable;true;append;;;Argument[0];Argument[-1];taint",
+        "java.lang;Appendable;true;append;;;Argument[-1];ReturnValue;value",
+        "java.io;Writer;true;write;;;Argument[0];Argument[-1];taint",
+        "java.io;Writer;true;toString;;;Argument[-1];ReturnValue;taint",
+        "java.io;CharArrayWriter;true;toCharArray;;;Argument[-1];ReturnValue;taint",
+        "java.nio.channels;ReadableByteChannel;true;read;(ByteBuffer);;Argument[-1];Argument[0];taint",
+        "java.nio.channels;Channels;false;newChannel;(InputStream);;Argument[0];ReturnValue;taint"
+      ]
+  }
+}
diff --git a/java/ql/lib/semmle/code/java/frameworks/Strings.qll b/java/ql/lib/semmle/code/java/frameworks/Strings.qll
@@ -40,9 +40,6 @@ private class StringSummaryCsv extends SummaryModelCsv {
         "java.lang;String;false;valueOf;(char);;Argument[0];ReturnValue;taint",
         "java.lang;String;false;valueOf;(char[],int,int);;Argument[0];ReturnValue;taint",
         "java.lang;String;false;valueOf;(char[]);;Argument[0];ReturnValue;taint",
-        "java.io;StringWriter;true;append;;;Argument[0];Argument[-1];taint",
-        "java.io;StringWriter;true;append;;;Argument[-1];ReturnValue;value",
-        "java.io;StringWriter;true;write;;;Argument[0];Argument[-1];taint",
         "java.lang;AbstractStringBuilder;true;AbstractStringBuilder;(String);;Argument[0];Argument[-1];taint",
         "java.lang;AbstractStringBuilder;true;append;;;Argument[0];Argument[-1];taint",
         "java.lang;AbstractStringBuilder;true;append;;;Argument[-1];ReturnValue;value",
diff --git a/java/ql/test/library-tests/dataflow/taint/JavaIo.java b/java/ql/test/library-tests/dataflow/taint/JavaIo.java
@@ -0,0 +1,44 @@
+import java.io.*;
+import java.nio.ByteBuffer;
+import java.nio.channels.Channels;
+import java.nio.channels.ReadableByteChannel;
+
+public class JavaIo {
+  public static String taint() { return "tainted"; }
+  
+  public static void sink(Object o) { }
+
+  void testWritingChars() throws IOException {
+    StringWriter w = new StringWriter();
+    char[] chars = taint().toCharArray();
+    sink(w.toString());
+    w.write(chars);
+    sink(w.toString());
+    sink(w.getBuffer().toString());
+  }
+
+  void testAppendingToWriter() throws IOException {
+    Writer w = new StringWriter();
+    CharSequence seq = taint();
+    sink(w.toString());
+    w.append("harmless").append(seq);
+    sink(w.toString());
+  }
+  
+  void testCharArrayWriter() throws IOException {
+    CharArrayWriter w = new CharArrayWriter();
+    CharSequence seq = taint();
+    sink(w.toCharArray());
+    w.append("harmless").append(seq);
+    sink(w.toCharArray());
+  }
+
+  void testByteChannelToBuffer() throws IOException {
+    ReadableByteChannel c = Channels.newChannel(new ByteArrayInputStream(taint().getBytes()));
+    ByteBuffer buf = ByteBuffer.allocate(10);
+    sink(buf);
+    c.read(buf);
+    sink(buf);
+  }
+
+}
diff --git a/java/ql/test/library-tests/dataflow/taint/test.expected b/java/ql/test/library-tests/dataflow/taint/test.expected
@@ -44,6 +44,10 @@
 | CharSeq.java:7:26:7:32 | taint(...) | CharSeq.java:8:12:8:14 | seq |
 | CharSeq.java:7:26:7:32 | taint(...) | CharSeq.java:11:12:11:21 | seqFromSeq |
 | CharSeq.java:7:26:7:32 | taint(...) | CharSeq.java:14:12:14:24 | stringFromSeq |
+| JavaIo.java:13:20:13:26 | taint(...) | JavaIo.java:16:10:16:21 | toString(...) |
+| JavaIo.java:13:20:13:26 | taint(...) | JavaIo.java:17:10:17:33 | toString(...) |
+| JavaIo.java:30:24:30:30 | taint(...) | JavaIo.java:33:10:33:24 | toCharArray(...) |
+| JavaIo.java:37:74:37:80 | taint(...) | JavaIo.java:41:10:41:12 | buf |
 | MethodFlow.java:7:22:7:28 | taint(...) | MethodFlow.java:8:10:8:16 | tainted |
 | MethodFlow.java:9:31:9:37 | taint(...) | MethodFlow.java:10:10:10:17 | tainted2 |
 | MethodFlow.java:11:35:11:41 | taint(...) | MethodFlow.java:12:10:12:17 | tainted3 |
