Java: Add support for flow through side-effects on static fields.

aschackmull · aschackmull · commit bf3dbc24dea9 · 2024-05-23T12:57:57.000+02:00
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
@@ -40,8 +40,11 @@ private predicate fieldStep(Node node1, Node node2) {
   exists(Field f |
     // Taint fields through assigned values only if they're static
     f.isStatic() and
-    f.getAnAssignedValue() = node1.asExpr() and
     node2.(FieldValueNode).getField() = f
+  |
+    f.getAnAssignedValue() = node1.asExpr()
+    or
+    f.getAnAccess() = node1.(PostUpdateNode).getPreUpdateNode().asExpr()
   )
   or
   exists(Field f, FieldRead fr |
diff --git a/java/ql/test/library-tests/dataflow/fields/G.java b/java/ql/test/library-tests/dataflow/fields/G.java
@@ -0,0 +1,21 @@
+public class G {
+  static Object[] f;
+
+  void sink(Object o) { }
+
+  void runsink() {
+    sink(f[0]);
+  }
+
+  void test1() {
+    f[0] = new Object();
+  }
+
+  void test2() {
+    addObj(f);
+  }
+
+  void addObj(Object[] xs) {
+    xs[0] = new Object();
+  }
+}
diff --git a/java/ql/test/library-tests/dataflow/fields/flow.expected b/java/ql/test/library-tests/dataflow/fields/flow.expected
@@ -29,3 +29,5 @@
 | F.java:5:14:5:25 | new Object(...) | F.java:20:10:20:17 | f.Field1 |
 | F.java:10:16:10:27 | new Object(...) | F.java:15:10:15:17 | f.Field1 |
 | F.java:24:9:24:20 | new Object(...) | F.java:33:10:33:17 | f.Field1 |
+| G.java:11:12:11:23 | new Object(...) | G.java:7:10:7:13 | ...[...] |
+| G.java:19:13:19:24 | new Object(...) | G.java:7:10:7:13 | ...[...] |
