Add Expr::getUnderlyingExpr predicate

atorralba · atorralba · commit 85fab200867f · 2022-05-25T10:56:18.000+02:00
diff --git a/java/ql/lib/change-notes/2022-05-12-get-underlying-expr.md b/java/ql/lib/change-notes/2022-05-12-get-underlying-expr.md
@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* The QL predicate `Expr::getUnderlyingExpr` has been added. It can be used to look through casts and not-null expressions and obtain the underlying expression to which they apply.
diff --git a/java/ql/lib/semmle/code/java/Expr.qll b/java/ql/lib/semmle/code/java/Expr.qll
@@ -100,6 +100,18 @@ class Expr extends ExprParent, @expr {
 
   /** Holds if this expression is parenthesized. */
   predicate isParenthesized() { isParenthesized(this, _) }
+
+  /**
+   * Gets the underlying expression looking through casts and not-nulls, if any.
+   * Otherwise just gets this expression.
+   */
+  Expr getUnderlyingExpr() {
+    if this instanceof CastingExpr or this instanceof NotNullExpr
+    then
+      result = this.(CastingExpr).getExpr().getUnderlyingExpr() or
+      result = this.(NotNullExpr).getExpr().getUnderlyingExpr()
+    else result = this
+  }
 }
 
 /**
diff --git a/java/ql/lib/semmle/code/java/security/CleartextStorageSharedPrefsQuery.qll b/java/ql/lib/semmle/code/java/security/CleartextStorageSharedPrefsQuery.qll
@@ -51,7 +51,7 @@ private predicate sharedPreferencesInput(DataFlow::Node editor, Expr input) {
   exists(MethodAccess m |
     m.getMethod() instanceof PutSharedPreferenceMethod and
     input = m.getArgument(1) and
-    editor.asExpr() = m.getQualifier()
+    editor.asExpr() = m.getQualifier().getUnderlyingExpr()
   )
 }
 
@@ -61,7 +61,7 @@ private predicate sharedPreferencesInput(DataFlow::Node editor, Expr input) {
  */
 private predicate sharedPreferencesStore(DataFlow::Node editor, MethodAccess m) {
   m.getMethod() instanceof StoreSharedPreferenceMethod and
-  editor.asExpr() = m.getQualifier()
+  editor.asExpr() = m.getQualifier().getUnderlyingExpr()
 }
 
 /** Flow from `SharedPreferences.Editor` to either a setter or a store method. */
diff --git a/java/ql/lib/semmle/code/java/security/UnsafeAndroidAccess.qll b/java/ql/lib/semmle/code/java/security/UnsafeAndroidAccess.qll
@@ -75,15 +75,18 @@ private predicate webViewLoadUrl(Argument urlArg, WebViewRef webview) {
     loadUrl.getArgument(0) = urlArg and
     loadUrl.getMethod() instanceof WebViewLoadUrlMethod
   |
+    webview.getAnAccess() = DataFlow::exprNode(loadUrl.getQualifier().getUnderlyingExpr())
+    or
     webview.getAnAccess() = DataFlow::getInstanceArgument(loadUrl)
     or
     // `webview` is received as a parameter of an event method in a custom `WebViewClient`,
     // so we need to find `WebViews` that use that specific `WebViewClient`.
     exists(WebViewClientEventMethod eventMethod, MethodAccess setWebClient |
       setWebClient.getMethod() instanceof WebViewSetWebViewClientMethod and
       setWebClient.getArgument(0).getType() = eventMethod.getDeclaringType() and
-      loadUrl.getQualifier() = eventMethod.getWebViewParameter().getAnAccess()
+      loadUrl.getQualifier().getUnderlyingExpr() = eventMethod.getWebViewParameter().getAnAccess()
     |
+      webview.getAnAccess() = DataFlow::exprNode(setWebClient.getQualifier().getUnderlyingExpr()) or
       webview.getAnAccess() = DataFlow::getInstanceArgument(setWebClient)
     )
   )

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: feature
 +---
 +* The QL predicate `Expr::getUnderlyingExpr` has been added. It can be used to look through casts and not-null expressions and obtain the underlying expression to which they apply.
Original file line number	Diff line number	Diff line change
`@@ -51,7 +51,7 @@ private predicate sharedPreferencesInput(DataFlow::Node editor, Expr input) {`
`51`	`51`	`exists(MethodAccess m \|`
`52`	`52`	`m.getMethod() instanceof PutSharedPreferenceMethod and`
`53`	`53`	`input = m.getArgument(1) and`
`54`		`- editor.asExpr() = m.getQualifier()`
	`54`	`+ editor.asExpr() = m.getQualifier().getUnderlyingExpr()`
`55`	`55`	`)`
`56`	`56`	`}`
`57`	`57`
`@@ -61,7 +61,7 @@ private predicate sharedPreferencesInput(DataFlow::Node editor, Expr input) {`
`61`	`61`	`*/`
`62`	`62`	`private predicate sharedPreferencesStore(DataFlow::Node editor, MethodAccess m) {`
`63`	`63`	`m.getMethod() instanceof StoreSharedPreferenceMethod and`
`64`		`- editor.asExpr() = m.getQualifier()`
	`64`	`+ editor.asExpr() = m.getQualifier().getUnderlyingExpr()`
`65`	`65`	`}`
`66`	`66`
`67`	`67`	/** Flow from `SharedPreferences.Editor` to either a setter or a store method. */
Original file line number	Diff line number	Diff line change
`@@ -75,15 +75,18 @@ private predicate webViewLoadUrl(Argument urlArg, WebViewRef webview) {`
`75`	`75`	`loadUrl.getArgument(0) = urlArg and`
`76`	`76`	`loadUrl.getMethod() instanceof WebViewLoadUrlMethod`
`77`	`77`	`\|`
	`78`	`+ webview.getAnAccess() = DataFlow::exprNode(loadUrl.getQualifier().getUnderlyingExpr())`
	`79`	`+ or`
`78`	`80`	`webview.getAnAccess() = DataFlow::getInstanceArgument(loadUrl)`
`79`	`81`	`or`
`80`	`82`	// `webview` is received as a parameter of an event method in a custom `WebViewClient`,
`81`	`83`	// so we need to find `WebViews` that use that specific `WebViewClient`.
`82`	`84`	`exists(WebViewClientEventMethod eventMethod, MethodAccess setWebClient \|`
`83`	`85`	`setWebClient.getMethod() instanceof WebViewSetWebViewClientMethod and`
`84`	`86`	`setWebClient.getArgument(0).getType() = eventMethod.getDeclaringType() and`
`85`		`- loadUrl.getQualifier() = eventMethod.getWebViewParameter().getAnAccess()`
	`87`	`+ loadUrl.getQualifier().getUnderlyingExpr() = eventMethod.getWebViewParameter().getAnAccess()`
`86`	`88`	`\|`
	`89`	`+ webview.getAnAccess() = DataFlow::exprNode(setWebClient.getQualifier().getUnderlyingExpr()) or`
`87`	`90`	`webview.getAnAccess() = DataFlow::getInstanceArgument(setWebClient)`
`88`	`91`	`)`
`89`	`92`	`)`