Merge pull request #11779 from jcogs33/jcogs33/model-more-top-jdk-apis

Java: model top JDK APIs

Author: jcogs33

java/ql/lib/change-notes/2023-01-03-add-more-top-jdk-models.md

@@ -0,0 +1,6 @@
+---
+category: minorAnalysis
+---
+* Added more dataflow models for frequently-used JDK APIs.
+* Removed summary model for `java.lang.String#endsWith(String)` and added neutral model for this API.
+* Added additional taint step for `java.lang.String#endsWith(String)` to `ConditionalBypassFlowConfig`.

java/ql/lib/ext/java.io.model.yml

@@ -63,6 +63,7 @@ extensions:
       - ["java.io", "File", True, "getAbsolutePath", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
       - ["java.io", "File", True, "getCanonicalFile", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
       - ["java.io", "File", True, "getCanonicalPath", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      - ["java.io", "File", True, "getName", "()", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
       - ["java.io", "File", True, "toPath", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
       - ["java.io", "File", True, "toString", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
       - ["java.io", "File", True, "toURI", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
@@ -74,6 +75,7 @@ extensions:
       - ["java.io", "InputStream", True, "readNBytes", "(int)", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
       - ["java.io", "InputStream", True, "transferTo", "(OutputStream)", "", "Argument[-1]", "Argument[0]", "taint", "manual"]
       - ["java.io", "InputStreamReader", False, "InputStreamReader", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["java.io", "IOException", False, "IOException", "(String)", "", "Argument[0]", "Argument[-1].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
       - ["java.io", "ObjectInput", True, "read", "", "", "Argument[-1]", "Argument[0]", "taint", "manual"]
       - ["java.io", "ObjectInputStream", False, "ObjectInputStream", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
       - ["java.io", "OutputStream", True, "write", "(byte[])", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
@@ -84,3 +86,9 @@ extensions:
       - ["java.io", "StringReader", False, "StringReader", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
       - ["java.io", "Writer", True, "toString", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
       - ["java.io", "Writer", True, "write", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+
+  - addsTo:
+      pack: codeql/java-all
+      extensible: neutralModel
+    data:
+      - ["java.io", "File", "exists", "()", "manual"]

java/ql/lib/ext/java.lang.model.yml

@@ -37,22 +37,24 @@ extensions:
       - ["java.lang", "CharSequence", True, "charAt", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
       - ["java.lang", "CharSequence", True, "subSequence", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
       - ["java.lang", "CharSequence", True, "toString", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      - ["java.lang", "Exception", False, "Exception", "(String)", "", "Argument[0]", "Argument[-1].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
       - ["java.lang", "IllegalArgumentException", False, "IllegalArgumentException", "(String)", "", "Argument[0]", "Argument[-1].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
       - ["java.lang", "IllegalStateException", False, "IllegalStateException", "(String)", "", "Argument[0]", "Argument[-1].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
-      - ["java.lang", "Integer", False, "parseInt", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["java.lang", "IndexOutOfBoundsException", False, "IndexOutOfBoundsException", "(String)", "", "Argument[0]", "Argument[-1].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
       - ["java.lang", "Iterable", True, "forEach", "(Consumer)", "", "Argument[-1].Element", "Argument[0].Parameter[0]", "value", "manual"]
       - ["java.lang", "Iterable", True, "iterator", "()", "", "Argument[-1].Element", "ReturnValue.Element", "value", "manual"]
       - ["java.lang", "Iterable", True, "spliterator", "()", "", "Argument[-1].Element", "ReturnValue.Element", "value", "manual"]
       - ["java.lang", "Object", True, "clone", "", "", "Argument[-1].Element", "ReturnValue.Element", "value", "manual"]
       - ["java.lang", "Object", True, "clone", "", "", "Argument[-1].MapKey", "ReturnValue.MapKey", "value", "manual"]
       - ["java.lang", "Object", True, "clone", "", "", "Argument[-1].MapValue", "ReturnValue.MapValue", "value", "manual"]
       - ["java.lang", "RuntimeException", False, "RuntimeException", "(String)", "", "Argument[0]", "Argument[-1].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
+      - ["java.lang", "RuntimeException", False, "RuntimeException", "(String,Throwable)", "", "Argument[0]", "Argument[-1].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
+      - ["java.lang", "RuntimeException", False, "RuntimeException", "(String,Throwable)", "", "Argument[1]", "Argument[-1].SyntheticField[java.lang.Throwable.cause]", "value", "manual"]
       - ["java.lang", "RuntimeException", False, "RuntimeException", "(Throwable)", "", "Argument[0]", "Argument[-1].SyntheticField[java.lang.Throwable.cause]", "value", "manual"]
       - ["java.lang", "String", False, "String", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
       - ["java.lang", "String", False, "concat", "(String)", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
       - ["java.lang", "String", False, "concat", "(String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["java.lang", "String", False, "copyValueOf", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["java.lang", "String", False, "endsWith", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
       - ["java.lang", "String", False, "format", "(Locale,String,Object[])", "", "Argument[1]", "ReturnValue", "taint", "manual"]
       - ["java.lang", "String", False, "format", "(Locale,String,Object[])", "", "Argument[2].ArrayElement", "ReturnValue", "taint", "manual"]
       - ["java.lang", "String", False, "format", "(String,Object[])", "", "Argument[0]", "ReturnValue", "taint", "manual"]
@@ -87,34 +89,56 @@ extensions:
       - ["java.lang", "String", False, "valueOf", "(char)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["java.lang", "String", False, "valueOf", "(char[])", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["java.lang", "String", False, "valueOf", "(char[],int,int)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
-      - ["java.lang", "String", False, "valueOf", "(int)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["java.lang", "StringBuffer", True, "StringBuffer", "(CharSequence)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
       - ["java.lang", "StringBuffer", True, "StringBuffer", "(String)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
       - ["java.lang", "StringBuilder", True, "StringBuilder", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
       - ["java.lang", "System", False, "arraycopy", "", "", "Argument[0]", "Argument[2]", "taint", "manual"]
       - ["java.lang", "Throwable", False, "Throwable", "(Throwable)", "", "Argument[0]", "Argument[-1].SyntheticField[java.lang.Throwable.cause]", "value", "manual"]
-      - ["java.lang", "Throwable", False, "getCause", "()", "", "Argument[-1].SyntheticField[java.lang.Throwable.cause]", "ReturnValue", "value", "manual"]
-      - ["java.lang", "Throwable", False, "getMessage", "()", "", "Argument[-1].SyntheticField[java.lang.Throwable.message]", "ReturnValue", "value", "manual"]
+      - ["java.lang", "Throwable", True, "getCause", "()", "", "Argument[-1].SyntheticField[java.lang.Throwable.cause]", "ReturnValue", "value", "manual"]
+      - ["java.lang", "Throwable", True, "getMessage", "()", "", "Argument[-1].SyntheticField[java.lang.Throwable.message]", "ReturnValue", "value", "manual"]
 
   - addsTo:
       pack: codeql/java-all
       extensible: neutralModel
     data:
+      - ["java.lang", "AbstractStringBuilder", "length", "()", "manual"]
+      - ["java.lang", "Boolean", "equals", "(Object)", "manual"]
+      - ["java.lang", "Class", "getClassLoader", "()", "manual"]
       - ["java.lang", "Class", "getName", "()", "manual"]
       - ["java.lang", "Class", "getSimpleName", "()", "manual"]
+      - ["java.lang", "Class", "isAssignableFrom", "(Class)", "manual"]
       - ["java.lang", "Enum", "Enum", "(String,int)", "manual"]
       - ["java.lang", "Enum", "equals", "(Object)", "manual"]
       - ["java.lang", "Enum", "name", "()", "manual"]
       - ["java.lang", "Enum", "toString", "()", "manual"]
+      - ["java.lang", "Long", "equals", "(Object)", "manual"]
       - ["java.lang", "Object", "equals", "(Object)", "manual"]
       - ["java.lang", "Object", "getClass", "()", "manual"]
       - ["java.lang", "Object", "hashCode", "()", "manual"]
       - ["java.lang", "Object", "toString", "()", "manual"]
       - ["java.lang", "String", "contains", "(CharSequence)", "manual"]
+      - ["java.lang", "String", "endsWith", "(String)", "manual"]
       - ["java.lang", "String", "equals", "(Object)", "manual"]
       - ["java.lang", "String", "equalsIgnoreCase", "(String)", "manual"]
       - ["java.lang", "String", "hashCode", "()", "manual"]
+      - ["java.lang", "String", "indexOf", "(String)", "manual"]
       - ["java.lang", "String", "isEmpty", "()", "manual"]
       - ["java.lang", "String", "length", "()", "manual"]
       - ["java.lang", "String", "startsWith", "(String)", "manual"]
       - ["java.lang", "System", "currentTimeMillis", "()", "manual"]
+      - ["java.lang", "System", "nanoTime", "()", "manual"]
+      - ["java.lang", "Thread", "currentThread", "()", "manual"]
+      - ["java.lang", "Thread", "sleep", "(long)", "manual"]
+
+      # The below APIs have numeric flow and are currently being stored as neutral models.
+      # These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
+      - ["java.lang", "Integer", "intValue", "()", "manual"]       # taint-numeric
+      - ["java.lang", "Integer", "parseInt", "(String)", "manual"] # taint-numeric
+      - ["java.lang", "Integer", "toString", "(int)", "manual"]    # taint-numeric
+      - ["java.lang", "Integer", "valueOf", "(int)", "manual"]     # taint-numeric
+      - ["java.lang", "Long", "longValue", "()", "manual"]         # taint-numeric
+      - ["java.lang", "Long", "parseLong", "(String)", "manual"]   # taint-numeric
+      - ["java.lang", "Long", "toString", "()", "manual"]          # taint-numeric
+      - ["java.lang", "Math", "min", "(int,int)", "manual"]        # value-numeric
+      - ["java.lang", "String", "valueOf", "(int)", "manual"]      # taint-numeric
+      - ["java.lang", "String", "valueOf", "(long)", "manual"]     # taint-numeric

java/ql/lib/ext/java.math.model.yml

@@ -1,6 +1,12 @@
 extensions:
   - addsTo:
       pack: codeql/java-all
-      extensible: summaryModel
+      extensible: neutralModel
     data:
-      - ["java.math", "BigDecimal", False, "BigDecimal", "(String)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
+      - ["java.math", "BigDecimal", "compareTo", "(BigDecimal)", "manual"]
+
+      # The below APIs have numeric flow and are currently being stored as neutral models.
+      # These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
+      - ["java.math", "BigDecimal", "BigDecimal", "(String)", "manual"] # taint-numeric
+      - ["java.math", "BigDecimal", "valueOf", "(double)", "manual"]    # taint-numeric
+      - ["java.math", "BigDecimal", "valueOf", "(long)", "manual"]      # taint-numeric

java/ql/lib/ext/java.sql.model.yml

@@ -19,4 +19,16 @@ extensions:
       pack: codeql/java-all
       extensible: summaryModel
     data:
+      - ["java.sql", "PreparedStatement", True, "setString", "(int,String)", "", "Argument[1]", "Argument[-1]", "value", "manual"]
       - ["java.sql", "ResultSet", True, "getString", "(String)", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+
+  - addsTo:
+      pack: codeql/java-all
+      extensible: neutralModel
+    data:
+      - ["java.sql", "ResultSet", "next", "()", "manual"]
+
+      # The below APIs have numeric flow and are currently being stored as neutral models.
+      # These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
+      - ["java.sql", "PreparedStatement", "setInt", "(int,int)", "manual"] # value-numeric
+      - ["java.sql", "ResultSet", "getInt", "(String)", "manual"]          # taint-numeric

java/ql/lib/ext/java.text.model.yml

@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: neutralModel
+    data:
+      # The below APIs have numeric flow and are currently being stored as neutral models.
+      # These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
+      - ["java.text", "DateFormat", "format", "(Date)", "manual"]                   # taint-numeric
+      - ["java.text", "SimpleDateFormat", "SimpleDateFormat", "(String)", "manual"] # taint-numeric

java/ql/lib/ext/java.time.model.yml

@@ -0,0 +1,11 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: neutralModel
+    data:
+      - ["java.time", "Instant", "now", "()", "manual"]
+      - ["java.time", "ZonedDateTime", "now", "()", "manual"]
+
+      # The below APIs have numeric flow and are currently being stored as neutral models.
+      # These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
+      - ["java.time", "LocalDate", "of", "(int,int,int)", "manual"] # taint-numeric

java/ql/lib/ext/java.util.concurrent.atomic.model.yml

@@ -0,0 +1,16 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["java.util.concurrent.atomic", "AtomicReference", False, "AtomicReference", "(Object)", "", "Argument[0]", "Argument[-1].SyntheticField[java.util.concurrent.atomic.AtomicReference.value]", "value", "manual"]
+      - ["java.util.concurrent.atomic", "AtomicReference", False, "get", "()", "", "Argument[-1].SyntheticField[java.util.concurrent.atomic.AtomicReference.value]", "ReturnValue", "value", "manual"]
+
+  - addsTo:
+      pack: codeql/java-all
+      extensible: neutralModel
+    data:
+      # The below APIs have numeric flow and are currently being stored as neutral models.
+      # These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
+      - ["java.util.concurrent.atomic", "AtomicInteger", "AtomicInteger", "(int)", "manual"] # value-numeric
+      - ["java.util.concurrent.atomic", "AtomicInteger", "get", "()", "manual"]              # value-numeric

java/ql/lib/ext/java.util.concurrent.model.yml

@@ -21,3 +21,14 @@ extensions:
       - ["java.util.concurrent", "TransferQueue", True, "transfer", "(Object)", "", "Argument[0]", "Argument[-1].Element", "value", "manual"]
       - ["java.util.concurrent", "TransferQueue", True, "tryTransfer", "(Object)", "", "Argument[0]", "Argument[-1].Element", "value", "manual"]
       - ["java.util.concurrent", "TransferQueue", True, "tryTransfer", "(Object,long,TimeUnit)", "", "Argument[0]", "Argument[-1].Element", "value", "manual"]
+
+  - addsTo:
+      pack: codeql/java-all
+      extensible: neutralModel
+    data:
+      - ["java.util.concurrent", "CountDownLatch", "countDown", "()", "manual"]
+
+      # The below APIs have numeric flow and are currently being stored as neutral models.
+      # These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
+      - ["java.util.concurrent", "CountDownLatch", "CountDownLatch", "(int)", "manual"] # value-numeric
+      - ["java.util.concurrent", "CountDownLatch", "getCount", "()", "manual"]          # value-numeric

java/ql/lib/ext/java.util.model.yml

@@ -335,6 +335,8 @@ extensions:
       - ["java.util", "Stack", True, "peek", "()", "", "Argument[-1].Element", "ReturnValue", "value", "manual"]
       - ["java.util", "Stack", True, "pop", "()", "", "Argument[-1].Element", "ReturnValue", "value", "manual"]
       - ["java.util", "Stack", True, "push", "(Object)", "", "Argument[0]", "Argument[-1].Element", "value", "manual"]
+      - ["java.util", "StringJoiner", False, "add", "(CharSequence)", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      - ["java.util", "StringJoiner", False, "add", "(CharSequence)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["java.util", "StringTokenizer", False, "StringTokenizer", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
       - ["java.util", "StringTokenizer", False, "nextElement", "()", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
       - ["java.util", "StringTokenizer", False, "nextToken", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
@@ -360,8 +362,13 @@ extensions:
       pack: codeql/java-all
       extensible: neutralModel
     data:
-      - ["java.util", "Collections", "emptyList", "()", "manual"]
+      - ["java.util", "ArrayList", "ArrayList", "(int)", "manual"]
+      - ["java.util", "ArrayList", "size", "()", "manual"]
+      - ["java.util", "Collection", "isEmpty", "()", "manual"]
       - ["java.util", "Collection", "size", "()", "manual"]
+      - ["java.util", "Collections", "emptyList", "()", "manual"]
+      - ["java.util", "Collections", "emptyMap", "()", "manual"]
+      - ["java.util", "Collections", "emptySet", "()", "manual"]
       - ["java.util", "Iterator", "hasNext", "()", "manual"]
       - ["java.util", "List", "contains", "(Object)", "manual"]
       - ["java.util", "List", "isEmpty", "()", "manual"]
@@ -371,10 +378,21 @@ extensions:
       - ["java.util", "Map", "size", "()", "manual"]
       - ["java.util", "Objects", "equals", "(Object,Object)", "manual"]
       - ["java.util", "Objects", "hash", "(Object[])", "manual"]
+      - ["java.util", "Objects", "nonNull", "(Object)", "manual"]
       - ["java.util", "Optional", "empty", "()", "manual"]
       - ["java.util", "Optional", "isPresent", "()", "manual"]
       - ["java.util", "Set", "contains", "(Object)", "manual"]
       - ["java.util", "Set", "isEmpty", "()", "manual"]
       - ["java.util", "Set", "size", "()", "manual"]
       - ["java.util", "UUID", "randomUUID", "()", "manual"]
       - ["java.util", "UUID", "toString", "()", "manual"]
+
+      # The below APIs are currently being stored as neutral models since `WithoutElement` has not yet been implemented for Java.
+      # When `WithoutElement` is implemented, these should be changed to summary models of the form `Argument[-1].WithoutElement -> Argument[-1]`.
+      - ["java.util", "List", "clear", "()", "manual"]
+      - ["java.util", "Map", "clear", "()", "manual"]
+
+      # The below APIs have numeric flow and are currently being stored as neutral models.
+      # These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
+      - ["java.util", "Date", "Date", "(long)", "manual"] # taint-numeric
+      - ["java.util", "Date", "getTime", "()", "manual"]  # taint-numeric