Fix modelling of Stack.push

aibaars · aibaars · commit 0d33a77ee38d · 2020-07-09T16:16:29.000+02:00
Stack.push(E) returns its argument, it does not propagate taint from
the stack to the return value.
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll b/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll
@@ -127,7 +127,7 @@ private predicate taintPreservingQualifierToMethod(Method m) {
   m.(CollectionMethod).hasName(["elementAt", "elements", "firstElement", "lastElement"])
   or
   // java.util.Stack
-  m.(CollectionMethod).hasName(["peek", "pop", "push"])
+  m.(CollectionMethod).hasName(["peek", "pop"])
   or
   // java.util.Queue
   m.(CollectionMethod).hasName(["element", "poll"])
@@ -269,6 +269,9 @@ private predicate taintPreservingArgumentToQualifier(Method method, int arg) {
  * `arg`th argument is tainted.
  */
 private predicate taintPreservingArgumentToMethod(Method method, int arg) {
+  // java.util.Stack
+  method.(CollectionMethod).hasName("push") and arg = 0
+  or
   method.getDeclaringType().hasQualifiedName("java.util", "Collections") and
   (
     method
diff --git a/java/ql/test/library-tests/dataflow/collections/ContainterTest.java b/java/ql/test/library-tests/dataflow/collections/ContainterTest.java
@@ -88,8 +88,8 @@ public static void taintSteps(
 		// java.util.Stack
 		sink(stack.peek());
 		sink(stack.pop());
-		stack.push("value"); // not tainted
-		sink(stack.push(source("value")));
+		sink(stack.push("value")); // not tainted
+		sink(new Stack().push(source("value")));
 		mkSink(Stack.class).push(source("value"));
 
 		// java.util.Queue
diff --git a/java/ql/test/library-tests/dataflow/collections/flow.expected b/java/ql/test/library-tests/dataflow/collections/flow.expected
@@ -21,7 +21,6 @@
 | ContainterTest.java:34:4:34:24 | vector | ContainterTest.java:86:19:86:40 | mkSink(...) [post update] |
 | ContainterTest.java:35:4:35:22 | stack | ContainterTest.java:89:8:89:19 | peek(...) |
 | ContainterTest.java:35:4:35:22 | stack | ContainterTest.java:90:8:90:18 | pop(...) |
-| ContainterTest.java:35:4:35:22 | stack | ContainterTest.java:92:8:92:34 | push(...) |
 | ContainterTest.java:36:4:36:22 | queue | ContainterTest.java:96:8:96:22 | element(...) |
 | ContainterTest.java:36:4:36:22 | queue | ContainterTest.java:97:8:97:19 | peek(...) |
 | ContainterTest.java:36:4:36:22 | queue | ContainterTest.java:98:8:98:19 | poll(...) |
@@ -104,6 +103,7 @@
 | ContainterTest.java:83:42:83:50 | "element" | ContainterTest.java:83:3:83:22 | mkSink(...) [post update] |
 | ContainterTest.java:84:47:84:55 | "element" | ContainterTest.java:84:3:84:22 | mkSink(...) [post update] |
 | ContainterTest.java:85:44:85:52 | "element" | ContainterTest.java:85:3:85:22 | mkSink(...) [post update] |
+| ContainterTest.java:92:32:92:38 | "value" | ContainterTest.java:92:8:92:40 | push(...) |
 | ContainterTest.java:93:35:93:41 | "value" | ContainterTest.java:93:3:93:21 | mkSink(...) [post update] |
 | ContainterTest.java:100:36:100:44 | "element" | ContainterTest.java:100:3:100:21 | mkSink(...) [post update] |
 | ContainterTest.java:111:39:111:45 | "value" | ContainterTest.java:111:3:111:21 | mkSink(...) [post update] |
