
Commit 190bf90

author
Benjamin Muskalla
committed
Replace stringbuilder step with model
1 parent 7ddf7ff commit 190bf90


3 files changed

+12
-14
lines changed


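--- a/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -147,8 +147,6 @@ private predicate localAdditionalTaintExprStep(Expr src, Expr sink) {
 or
 comparisonStep(src, sink)
 or
-stringBuilderStep(src, sink)
-or
 serializationStep(src, sink)
 or
 formatStep(src, sink)
@@ -392,15 +390,6 @@ private predicate comparisonStep(Expr tracked, Expr sink) {
 )
 }
 
-/** Flow through a `StringBuilder`. */
-private predicate stringBuilderStep(Expr tracked, Expr sink) {
-exists(StringBuilderVar sbvar, MethodAccess input, int arg |
-input = sbvar.getAnInput(arg) and
-tracked = input.getArgument(arg) and
-sink = sbvar.getToStringCall()
-)
-}
-
 /** Flow through data serialization. */
 private predicate serializationStep(Expr tracked, Expr sink) {
 exists(ObjectOutputStreamVar v, VariableAssign def |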

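--- a/java/ql/src/semmle/code/java/frameworks/Strings.qll
+++ b/java/ql/src/semmle/code/java/frameworks/Strings.qll
@@ -43,9 +43,12 @@ private class StringSummaryCsv extends SummaryModelCsv {
 "java.io;StringWriter;true;write;;;Argument[0];Argument[-1];taint",
 "java.lang;AbstractStringBuilder;true;AbstractStringBuilder;(String);;Argument[0];Argument[-1];taint",
 "java.lang;AbstractStringBuilder;true;append;;;Argument[0];Argument[-1];taint",
-"java.lang;AbstractStringBuilder;true;append;;;Argument[-1];ReturnValue;taint",
+"java.lang;AbstractStringBuilder;true;append;;;Argument[-1];ReturnValue;value",
+"java.lang;AbstractStringBuilder;true;append;;;Argument[0];ReturnValue;taint",
 "java.lang;AbstractStringBuilder;true;insert;;;Argument[1];Argument[-1];taint",
 "java.lang;AbstractStringBuilder;true;insert;;;Argument[-1];ReturnValue;taint",
+"java.lang;AbstractStringBuilder;true;replace;;;Argument[2];ReturnValue;taint",
+"java.lang;AbstractStringBuilder;true;replace;;;Argument[2];Argument[-1];taint",
 "java.lang;AbstractStringBuilder;true;toString;;;Argument[-1];ReturnValue;taint",
 "java.lang;StringBuffer;true;StringBuffer;(CharSequence);;Argument[0];Argument[-1];taint",
 "java.lang;StringBuffer;true;StringBuffer;(String);;Argument[0];Argument[-1];taint",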
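Review bot: The three builder mutators end up modelled unevenly in this list: `append` now has qualifier-to-return as `value` plus an argument-to-return row, but the `insert` row kept as context still uses `Argument[-1];ReturnValue;taint` and has no `Argument[1];ReturnValue` row, and the new `replace` rows carry no qualifier-to-return row at all. Since this commit removes `stringBuilderStep` from TaintTrackingUtil.qll and leaves these rows to carry flow through builders, a `toString()` chained on the result of `insert(...)` or `replace(...)` may lose taint and become a missed result in queries such as the CWE-601 redirect test, unless rows outside this hunk cover it. I would add `"java.lang;AbstractStringBuilder;true;insert;;;Argument[1];ReturnValue;taint",` and `"java.lang;AbstractStringBuilder;true;replace;;;Argument[-1];ReturnValue;value",` and change the existing insert row to end in `Argument[-1];ReturnValue;value`. `StringSummaryCsv` starts and ends outside the hunk, and no test in this commit exercises the `insert` or `replace` rows, so a small library test for both would pin the behaviour.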

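--- a/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.expected
+++ b/java/ql/test/experimental/query-tests/security/CWE-601/SpringUrlRedirect.expected
@@ -5,8 +5,11 @@ edges
 | SpringUrlRedirect.java:36:30:36:47 | redirectUrl : String | SpringUrlRedirect.java:37:47:37:57 | redirectUrl |
 | SpringUrlRedirect.java:41:24:41:41 | redirectUrl : String | SpringUrlRedirect.java:44:29:44:39 | redirectUrl |
 | SpringUrlRedirect.java:49:24:49:41 | redirectUrl : String | SpringUrlRedirect.java:52:30:52:40 | redirectUrl |
-| SpringUrlRedirect.java:57:24:57:41 | redirectUrl : String | SpringUrlRedirect.java:58:30:58:66 | format(...) |
-| SpringUrlRedirect.java:62:24:62:41 | redirectUrl : String | SpringUrlRedirect.java:63:30:63:76 | format(...) |
+| SpringUrlRedirect.java:57:24:57:41 | redirectUrl : String | SpringUrlRedirect.java:58:55:58:65 | redirectUrl : String |
+| SpringUrlRedirect.java:58:30:58:66 | new ..[] { .. } [[]] : String | SpringUrlRedirect.java:58:30:58:66 | format(...) |
+| SpringUrlRedirect.java:58:55:58:65 | redirectUrl : String | SpringUrlRedirect.java:58:30:58:66 | new ..[] { .. } [[]] : String |
+| SpringUrlRedirect.java:62:24:62:41 | redirectUrl : String | SpringUrlRedirect.java:63:44:63:68 | ... + ... : String |
+| SpringUrlRedirect.java:63:44:63:68 | ... + ... : String | SpringUrlRedirect.java:63:30:63:76 | format(...) |
 | SpringUrlRedirect.java:89:38:89:55 | redirectUrl : String | SpringUrlRedirect.java:91:38:91:48 | redirectUrl : String |
 | SpringUrlRedirect.java:91:38:91:48 | redirectUrl : String | SpringUrlRedirect.java:91:27:91:49 | create(...) |
 | SpringUrlRedirect.java:96:39:96:56 | redirectUrl : String | SpringUrlRedirect.java:98:44:98:54 | redirectUrl : String |
@@ -45,8 +48,11 @@ nodes
 | SpringUrlRedirect.java:52:30:52:40 | redirectUrl | semmle.label | redirectUrl |
 | SpringUrlRedirect.java:57:24:57:41 | redirectUrl : String | semmle.label | redirectUrl : String |
 | SpringUrlRedirect.java:58:30:58:66 | format(...) | semmle.label | format(...) |
+| SpringUrlRedirect.java:58:30:58:66 | new ..[] { .. } [[]] : String | semmle.label | new ..[] { .. } [[]] : String |
+| SpringUrlRedirect.java:58:55:58:65 | redirectUrl : String | semmle.label | redirectUrl : String |
 | SpringUrlRedirect.java:62:24:62:41 | redirectUrl : String | semmle.label | redirectUrl : String |
 | SpringUrlRedirect.java:63:30:63:76 | format(...) | semmle.label | format(...) |
+| SpringUrlRedirect.java:63:44:63:68 | ... + ... : String | semmle.label | ... + ... : String |
 | SpringUrlRedirect.java:89:38:89:55 | redirectUrl : String | semmle.label | redirectUrl : String |
 | SpringUrlRedirect.java:91:27:91:49 | create(...) | semmle.label | create(...) |
 | SpringUrlRedirect.java:91:38:91:48 | redirectUrl : String | semmle.label | redirectUrl : String |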
