Java: ImproperValidationOfArray...

d10c · d10c · commit be6dbb525ef0 · 2025-07-07T17:51:42.000+02:00
diff --git a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll
@@ -18,8 +18,13 @@ module BoundedFlowSourceConfig implements DataFlow::ConfigSig {
     any(CheckableArrayAccess caa).canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), _)
   }
 
-  predicate observeDiffInformedIncrementalMode() {
-    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 27 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql@28:8:28:33), Column 5 does not select a source or sink originating from the flow call on line 27 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql@29:85:29:97)
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    exists(ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess |
+      result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation() and
+      arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), arrayCreation)
+    )
   }
 }
 
diff --git a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll
@@ -15,8 +15,13 @@ module ImproperValidationOfArrayConstructionConfig implements DataFlow::ConfigSi
     any(CheckableArrayAccess caa).canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), _)
   }
 
-  predicate observeDiffInformedIncrementalMode() {
-    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 25 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql@26:8:26:33), Column 5 does not select a source or sink originating from the flow call on line 25 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql@27:87:27:99)
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    exists(ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess |
+      result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation() and
+      arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), arrayCreation)
+    )
   }
 }
 
diff --git a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexCodeSpecifiedQuery.qll b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexCodeSpecifiedQuery.qll
@@ -15,8 +15,13 @@ module BoundedFlowSourceConfig implements DataFlow::ConfigSig {
     exists(CheckableArrayAccess arrayAccess | arrayAccess.canThrowOutOfBounds(sink.asExpr()))
   }
 
-  predicate observeDiffInformedIncrementalMode() {
-    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 26 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql@48:8:48:33)
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    exists(CheckableArrayAccess arrayAccess |
+      result = arrayAccess.getIndexExpr().getLocation() and
+      arrayAccess.canThrowOutOfBounds(sink.asExpr())
+    )
   }
 }
 
diff --git a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayIndexQuery.qll
@@ -19,8 +19,13 @@ module ImproperValidationOfArrayIndexConfig implements DataFlow::ConfigSig {
 
   predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
 
-  predicate observeDiffInformedIncrementalMode() {
-    any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 23 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql@24:8:24:33)
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSinkLocation(DataFlow::Node sink) {
+    exists(CheckableArrayAccess arrayAccess |
+      result = arrayAccess.getIndexExpr().getLocation() and
+      arrayAccess.canThrowOutOfBounds(sink.asExpr())
+    )
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -18,8 +18,13 @@ module BoundedFlowSourceConfig implements DataFlow::ConfigSig {`
`18`	`18`	`any(CheckableArrayAccess caa).canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), _)`
`19`	`19`	`}`
`20`	`20`
`21`		`- predicate observeDiffInformedIncrementalMode() {`
`22`		- any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 27 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql@28:8:28:33), Column 5 does not select a source or sink originating from the flow call on line 27 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql@29:85:29:97)
	`21`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
	`22`	`+`
	`23`	`+ Location getASelectedSinkLocation(DataFlow::Node sink) {`
	`24`	`+ exists(ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess \|`
	`25`	`+ result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation() and`
	`26`	`+ arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), arrayCreation)`
	`27`	`+ )`
`23`	`28`	`}`
`24`	`29`	`}`
`25`	`30`
Original file line number	Diff line number	Diff line change
`@@ -15,8 +15,13 @@ module ImproperValidationOfArrayConstructionConfig implements DataFlow::ConfigSi`
`15`	`15`	`any(CheckableArrayAccess caa).canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), _)`
`16`	`16`	`}`
`17`	`17`
`18`		`- predicate observeDiffInformedIncrementalMode() {`
`19`		`- any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 25 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql@26:8:26:33), Column 5 does not select a source or sink originating from the flow call on line 25 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql@27:87:27:99)`
	`18`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
	`19`	`+`
	`20`	`+ Location getASelectedSinkLocation(DataFlow::Node sink) {`
	`21`	`+ exists(ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess \|`
	`22`	`+ result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation() and`
	`23`	`+ arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), arrayCreation)`
	`24`	`+ )`
`20`	`25`	`}`
`21`	`26`	`}`
`22`	`27`
Original file line number	Diff line number	Diff line change
`@@ -15,8 +15,13 @@ module BoundedFlowSourceConfig implements DataFlow::ConfigSig {`
`15`	`15`	`exists(CheckableArrayAccess arrayAccess \| arrayAccess.canThrowOutOfBounds(sink.asExpr()))`
`16`	`16`	`}`
`17`	`17`
`18`		`- predicate observeDiffInformedIncrementalMode() {`
`19`		`- any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 26 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql@48:8:48:33)`
	`18`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
	`19`	`+`
	`20`	`+ Location getASelectedSinkLocation(DataFlow::Node sink) {`
	`21`	`+ exists(CheckableArrayAccess arrayAccess \|`
	`22`	`+ result = arrayAccess.getIndexExpr().getLocation() and`
	`23`	`+ arrayAccess.canThrowOutOfBounds(sink.asExpr())`
	`24`	`+ )`
`20`	`25`	`}`
`21`	`26`	`}`
`22`	`27`
Original file line number	Diff line number	Diff line change
`@@ -19,8 +19,13 @@ module ImproperValidationOfArrayIndexConfig implements DataFlow::ConfigSig {`
`19`	`19`
`20`	`20`	`predicate isBarrierIn(DataFlow::Node node) { isSource(node) }`
`21`	`21`
`22`		`- predicate observeDiffInformedIncrementalMode() {`
`23`		`- any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 23 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql@24:8:24:33)`
	`22`	`+ predicate observeDiffInformedIncrementalMode() { any() }`
	`23`	`+`
	`24`	`+ Location getASelectedSinkLocation(DataFlow::Node sink) {`
	`25`	`+ exists(CheckableArrayAccess arrayAccess \|`
	`26`	`+ result = arrayAccess.getIndexExpr().getLocation() and`
	`27`	`+ arrayAccess.canThrowOutOfBounds(sink.asExpr())`
	`28`	`+ )`
`24`	`29`	`}`
`25`	`30`	`}`
`26`	`31`