Merge pull request github#5374 from joefarebrother/guava-base

aschackmull · web-flow · commit 19305a217a27 · 2021-06-15T10:58:48.000+02:00
Java: Model additional flow steps for the package `com.google.common.base` of the Guava framwork.
diff --git a/java/change-notes/2021-03-10-guava-base.md b/java/change-notes/2021-03-10-guava-base.md
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Increased coverage of the Guava framework by modelling additional classes in the `com.google.common.base` package. This may result in more results for security queries on projects where the Guava framework is used. 
diff --git a/java/ql/src/semmle/code/java/frameworks/guava/Base.qll b/java/ql/src/semmle/code/java/frameworks/guava/Base.qll
@@ -22,8 +22,17 @@ private class GuavaBaseCsv extends SummaryModelCsv {
         "com.google.common.base;Joiner;false;withKeyValueSeparator;(String);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Joiner;false;withKeyValueSeparator;(String);;Argument[-1];ReturnValue;taint",
         "com.google.common.base;Joiner;false;withKeyValueSeparator;(char);;Argument[-1];ReturnValue;taint",
-        // Note: The signatures of some of the appendTo methods involve collection flow
-        "com.google.common.base;Joiner;false;appendTo;;;Argument[-1..3];Argument[0];taint",
+        "com.google.common.base;Joiner;false;appendTo;(Appendable,Object,Object,Object[]);;Argument[1..2];Argument[0];taint",
+        "com.google.common.base;Joiner;false;appendTo;(Appendable,Object,Object,Object[]);;ArrayElement of Argument[3];Argument[0];taint",
+        "com.google.common.base;Joiner;false;appendTo;(Appendable,Iterable);;Element of Argument[1];Argument[-1];taint",
+        "com.google.common.base;Joiner;false;appendTo;(Appendable,Object[]);;ArrayElement of Argument[1];Argument[-1];taint",
+        "com.google.common.base;Joiner;false;appendTo;(Appendable,Iterator);;Element of Argument[1];Argument[-1];taint",
+        "com.google.common.base;Joiner;false;appendTo;(StringBuilder,Object,Object,Object[]);;Argument[1..2];Argument[0];taint",
+        "com.google.common.base;Joiner;false;appendTo;(StringBuilder,Object,Object,Object[]);;ArrayElement of Argument[3];Argument[0];taint",
+        "com.google.common.base;Joiner;false;appendTo;(StringBuilder,Iterable);;Element of Argument[1];Argument[-1];taint",
+        "com.google.common.base;Joiner;false;appendTo;(StringBuilder,Object[]);;ArrayElement of Argument[1];Argument[-1];taint",
+        "com.google.common.base;Joiner;false;appendTo;(StringBuilder,Iterator);;Element of Argument[1];Argument[-1];taint",
+        "com.google.common.base;Joiner;false;appendTo;;;Argument[-1];Argument[0];taint",
         "com.google.common.base;Joiner;false;appendTo;;;Argument[0];ReturnValue;value",
         "com.google.common.base;Joiner;false;join;;;Argument[-1..2];ReturnValue;taint",
         "com.google.common.base;Joiner$MapJoiner;false;useForNull;(String);;Argument[0];ReturnValue;taint",
@@ -42,7 +51,48 @@ private class GuavaBaseCsv extends SummaryModelCsv {
         "com.google.common.base;Splitter;false;splitToStream;(CharSequence);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Splitter$MapSplitter;false;split;(CharSequence);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Preconditions;false;checkNotNull;;;Argument[0];ReturnValue;value",
-        "com.google.common.base;MoreObjects;false;firstNonNull;;;Argument[0..1];ReturnValue;value"
+        "com.google.common.base;Verify;false;verifyNotNull;;;Argument[0];ReturnValue;value",
+        "com.google.common.base;Ascii;false;toLowerCase;(CharSequence);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Ascii;false;toLowerCase;(String);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Ascii;false;toUpperCase;(CharSequence);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Ascii;false;toUpperCase;(String);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Ascii;false;truncate;(CharSequence,int,String);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Ascii;false;truncate;(CharSequence,int,String);;Argument[2];ReturnValue;taint",
+        "com.google.common.base;CaseFormat;true;to;(CaseFormat,String);;Argument[1];ReturnValue;taint",
+        "com.google.common.base;Converter;true;apply;(Object);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Converter;true;convert;(Object);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Converter;true;convertAll;(Iterable);;Element of Argument[0];Element of ReturnValue;taint",
+        "com.google.common.base;Supplier;true;get;();;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Suppliers;false;ofInstance;(Object);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Suppliers;false;memoize;(Supplier);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Suppliers;false;memoizeWithExpiration;(Supplier,long,TimeUnit);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Suppliers;false;synchronizedSupplier;(Supplier);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Optional;true;fromJavaUtil;(Optional);;Element of Argument[0];Element of ReturnValue;value",
+        "com.google.common.base;Optional;true;fromNullable;(Object);;Argument[0];Element of ReturnValue;value",
+        "com.google.common.base;Optional;true;get;();;Element of Argument[-1];ReturnValue;value",
+        "com.google.common.base;Optional;true;asSet;();;Element of Argument[-1];Element of ReturnValue;value",
+        "com.google.common.base;Optional;true;of;(Object);;Argument[0];Element of ReturnValue;value",
+        "com.google.common.base;Optional;true;or;(Optional);;Element of Argument[-1..0];Element of ReturnValue;value",
+        "com.google.common.base;Optional;true;or;(Supplier);;Element of Argument[-1];ReturnValue;value",
+        "com.google.common.base;Optional;true;or;(Supplier);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Optional;true;or;(Object);;Element of Argument[-1];ReturnValue;value",
+        "com.google.common.base;Optional;true;or;(Object);;Argument[0];ReturnValue;value",
+        "com.google.common.base;Optional;true;orNull;();;Element of Argument[-1];ReturnValue;value",
+        "com.google.common.base;Optional;true;presentInstances;(Iterable);;Element of Element of Argument[0];Element of ReturnValue;value",
+        "com.google.common.base;Optional;true;toJavaUtil;();;Element of Argument[-1];Element of ReturnValue;value",
+        "com.google.common.base;Optional;true;toJavaUtil;(Optional);;Element of Argument[0];Element of ReturnValue;value",
+        "com.google.common.base;MoreObjects;false;firstNonNull;(Object,Object);;Argument[0..1];ReturnValue;value",
+        "com.google.common.base;MoreObjects;false;toStringHelper;(String);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;MoreObjects$ToStringHelper;false;add;;;Argument[0];ReturnValue;taint",
+        "com.google.common.base;MoreObjects$ToStringHelper;false;add;;;Argument[0];Argument[-1];taint",
+        "com.google.common.base;MoreObjects$ToStringHelper;false;add;;;Argument[-1];ReturnValue;value",
+        "com.google.common.base;MoreObjects$ToStringHelper;false;add;(String,Object);;Argument[1];ReturnValue;taint",
+        "com.google.common.base;MoreObjects$ToStringHelper;false;add;(String,Object);;Argument[1];Argument[-1];taint",
+        "com.google.common.base;MoreObjects$ToStringHelper;false;addValue;;;Argument[-1];ReturnValue;value",
+        "com.google.common.base;MoreObjects$ToStringHelper;false;addValue;(Object);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;MoreObjects$ToStringHelper;false;addValue;(Object);;Argument[0];Argument[-1];taint",
+        "com.google.common.base;MoreObjects$ToStringHelper;false;omitNullValues;();;Argument[-1];ReturnValue;value",
+        "com.google.common.base;MoreObjects$ToStringHelper;false;toString;();;Argument[-1];ReturnValue;taint"
       ]
   }
 }
diff --git a/java/ql/test/library-tests/frameworks/guava/TestBase.java b/java/ql/test/library-tests/frameworks/guava/TestBase.java
@@ -2,6 +2,8 @@
 
 import java.util.Map;
 import java.util.HashMap;
+import java.util.concurrent.TimeUnit;
+import java.util.Set;
 
 class TestBase {
     String taint() { return "tainted"; }
@@ -14,7 +16,7 @@ void test1() {
         sink(Strings.padStart(x, 10, ' ')); // $numTaintFlow=1
         sink(Strings.padEnd(x, 10, ' ')); // $numTaintFlow=1
         sink(Strings.repeat(x, 3)); // $numTaintFlow=1
-        sink(Strings.emptyToNull(Strings.nullToEmpty(x))); // $numTaintFlow=1
+        sink(Strings.emptyToNull(Strings.nullToEmpty(x))); // $numValueFlow=1
         sink(Strings.lenientFormat(x, 3)); // $numTaintFlow=1
         sink(Strings.commonPrefix(x, "abc")); 
         sink(Strings.commonSuffix(x, "cde")); 
@@ -58,12 +60,50 @@ void test3() {
     }
 
     void test4() {
-        sink(Preconditions.checkNotNull(taint())); // $numTaintFlow=1
+        sink(Preconditions.checkNotNull(taint())); // $numValueFlow=1
+        sink(Verify.verifyNotNull(taint())); // $numValueFlow=1
     }
 
     void test5() {
-        sink(MoreObjects.firstNonNull(taint(), taint())); // $numTaintFlow=2
-        sink(MoreObjects.firstNonNull(null, taint())); // $numTaintFlow=1
-        sink(MoreObjects.firstNonNull(taint(), null)); // $numTaintFlow=1
+        sink(Ascii.toLowerCase(taint())); // $numTaintFlow=1
+        sink(Ascii.toUpperCase(taint())); // $numTaintFlow=1
+        sink(Ascii.truncate(taint(), 3, "...")); // $numTaintFlow=1
+        sink(Ascii.truncate("abcabcabc", 3, taint())); // $numTaintFlow=1
+        sink(CaseFormat.LOWER_CAMEL.to(CaseFormat.UPPER_UNDERSCORE, taint())); // $numTaintFlow=1
+        sink(CaseFormat.LOWER_HYPHEN.converterTo(CaseFormat.UPPER_CAMEL).convert(taint())); // $numTaintFlow=1
+        sink(CaseFormat.LOWER_UNDERSCORE.converterTo(CaseFormat.LOWER_HYPHEN).reverse().convert(taint())); // $numTaintFlow=1
+    }
+
+    void test6() {
+        sink(Suppliers.memoize(Suppliers.memoizeWithExpiration(Suppliers.synchronizedSupplier(Suppliers.ofInstance(taint())), 3, TimeUnit.HOURS))); // $numTaintFlow=1
+    }
+
+    void test7() {
+        sink(MoreObjects.firstNonNull(taint(), taint())); // $numValueFlow=2
+        sink(MoreObjects.firstNonNull(null, taint())); // $numValueFlow=1
+        sink(MoreObjects.firstNonNull(taint(), null)); // $numValueFlow=1
+        sink(MoreObjects.toStringHelper(taint()).add("x", 3).omitNullValues().toString()); // $numTaintFlow=1
+        sink(MoreObjects.toStringHelper((Object) taint()).toString());
+        sink(MoreObjects.toStringHelper("a").add("x", 3).add(taint(), 4).toString()); // $numTaintFlow=1
+        sink(MoreObjects.toStringHelper("a").add("x", taint()).toString()); // $numTaintFlow=1
+        sink(MoreObjects.toStringHelper("a").addValue(taint()).toString()); // $numTaintFlow=1
+        MoreObjects.ToStringHelper h = MoreObjects.toStringHelper("a");
+        h.add("x", 3).add(taint(), 4);
+        sink(h.add("z",5).toString()); // $numTaintFlow=1
+    }
+
+    void test8() {
+        Optional<String> x = Optional.of(taint());
+        sink(x); // $numTaintFlow=1
+        sink(x.get()); // $numValueFlow=1
+        sink(x.or("hi")); // $numValueFlow=1
+        sink(x.orNull()); // $numValueFlow=1
+        sink(x.asSet().toArray()[0]); // $numValueFlow=1
+        sink(Optional.fromJavaUtil(x.toJavaUtil()).get()); // $numValueFlow=1
+        sink(Optional.fromJavaUtil(Optional.toJavaUtil(x)).get()); // $numValueFlow=1
+        sink(Optional.fromNullable(taint()).get()); // $numValueFlow=1
+        sink(Optional.absent().or(x).get()); // $numValueFlow=1
+        sink(Optional.absent().or(taint())); // $numValueFlow=1
+        sink(Optional.presentInstances(Set.of(x)).iterator().next()); // $numValueFlow=1
     }
 }
diff --git a/java/ql/test/library-tests/frameworks/guava/TestIO.java b/java/ql/test/library-tests/frameworks/guava/TestIO.java
@@ -106,7 +106,7 @@ void test3() throws IOException {
     }
 
     void test4() throws IOException {
-        sink(Closer.create().register((Closeable) taint())); // $numTaintFlow=1
+        sink(Closer.create().register((Closeable) taint())); // $numValueFlow=1
         sink(new LineReader(rtaint()).readLine()); // $numTaintFlow=1
         sink(Files.simplifyPath(staint())); // $numTaintFlow=1
         sink(Files.getFileExtension(staint())); // $numTaintFlow=1
diff --git a/java/ql/test/library-tests/frameworks/guava/flow.ql b/java/ql/test/library-tests/frameworks/guava/flow.ql
@@ -2,8 +2,20 @@ import java
 import semmle.code.java.dataflow.TaintTracking
 import TestUtilities.InlineExpectationsTest
 
-class Conf extends TaintTracking::Configuration {
-  Conf() { this = "qltest:frameworks:guava" }
+class TaintFlowConf extends TaintTracking::Configuration {
+  TaintFlowConf() { this = "qltest:frameworks:guava-taint" }
+
+  override predicate isSource(DataFlow::Node n) {
+    n.asExpr().(MethodAccess).getMethod().hasName("taint")
+  }
+
+  override predicate isSink(DataFlow::Node n) {
+    exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
+  }
+}
+
+class ValueFlowConf extends DataFlow::Configuration {
+  ValueFlowConf() { this = "qltest:frameworks:guava-value" }
 
   override predicate isSource(DataFlow::Node n) {
     n.asExpr().(MethodAccess).getMethod().hasName("taint")
@@ -17,15 +29,28 @@ class Conf extends TaintTracking::Configuration {
 class HasFlowTest extends InlineExpectationsTest {
   HasFlowTest() { this = "HasFlowTest" }
 
-  override string getARelevantTag() { result = "numTaintFlow" }
+  override string getARelevantTag() { result = ["numTaintFlow", "numValueFlow"] }
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     tag = "numTaintFlow" and
-    exists(DataFlow::Node src, DataFlow::Node sink, Conf conf, int num | conf.hasFlow(src, sink) |
+    exists(DataFlow::Node src, DataFlow::Node sink, TaintFlowConf tconf, int num |
+      tconf.hasFlow(src, sink)
+    |
+      not any(ValueFlowConf vconf).hasFlow(src, sink) and
+      value = num.toString() and
+      sink.getLocation() = location and
+      element = sink.toString() and
+      num = strictcount(DataFlow::Node src2 | tconf.hasFlow(src2, sink))
+    )
+    or
+    tag = "numValueFlow" and
+    exists(DataFlow::Node src, DataFlow::Node sink, ValueFlowConf vconf, int num |
+      vconf.hasFlow(src, sink)
+    |
       value = num.toString() and
       sink.getLocation() = location and
       element = sink.toString() and
-      num = strictcount(DataFlow::Node src2 | conf.hasFlow(src2, sink))
+      num = strictcount(DataFlow::Node src2 | vconf.hasFlow(src2, sink))
     )
   }
 }
diff --git a/java/ql/test/stubs/guava-30.0/com/google/common/base/Ascii.java b/java/ql/test/stubs/guava-30.0/com/google/common/base/Ascii.java
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2010 The Guava Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package com.google.common.base;
+
+public final class Ascii {
+  public static String toLowerCase(String string) {
+    return null;
+  }
+
+  public static String toLowerCase(CharSequence chars) {
+    return null;
+  }
+
+  public static char toLowerCase(char c) {
+    return '0';
+  }
+
+  public static String toUpperCase(String string) {
+    return null;
+  }
+
+  public static String toUpperCase(CharSequence chars) {
+    return null;
+  }
+
+  public static char toUpperCase(char c) {
+    return '0';
+  }
+
+  public static boolean isLowerCase(char c) {
+    return false;
+  }
+
+  public static boolean isUpperCase(char c) {
+    return false;
+  }
+
+  public static String truncate(CharSequence seq, int maxLength, String truncationIndicator) {
+    return null;
+  }
+
+  public static boolean equalsIgnoreCase(CharSequence s1, CharSequence s2) {
+    return false;
+  }
+
+}
diff --git a/java/ql/test/stubs/guava-30.0/com/google/common/base/CaseFormat.java b/java/ql/test/stubs/guava-30.0/com/google/common/base/CaseFormat.java
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2006 The Guava Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package com.google.common.base;
+
+public enum CaseFormat {
+  LOWER_HYPHEN,
+  LOWER_UNDERSCORE,
+  LOWER_CAMEL,
+  UPPER_CAMEL,
+  UPPER_UNDERSCORE;
+
+  public final String to(CaseFormat format, String str) {
+    return null;
+  }
+
+  public Converter<String, String> converterTo(CaseFormat targetFormat) {
+    return null;
+  }
+
+}
diff --git a/java/ql/test/stubs/guava-30.0/com/google/common/base/Converter.java b/java/ql/test/stubs/guava-30.0/com/google/common/base/Converter.java
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2008 The Guava Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package com.google.common.base;
+import org.checkerframework.checker.nullness.qual.Nullable;
+
+public abstract class Converter<A, B> implements Function<A, B> {
+  public final @Nullable B convert(@Nullable A a) {
+    return null;
+  }
+
+  public Iterable<B> convertAll(final Iterable<? extends A> fromIterable) {
+    return null;
+  }
+
+  public Converter<B, A> reverse() {
+    return null;
+  }
+
+  public final <C> Converter<A, C> andThen(Converter<B, C> secondConverter) {
+    return null;
+  }
+
+  @Override
+  public final @Nullable B apply(@Nullable A a) {
+    return null;
+  }
+
+  @Override
+  public boolean equals(@Nullable Object object) {
+    return false;
+  }
+
+  public static <A, B> Converter<A, B> from(
+      Function<? super A, ? extends B> forwardFunction,
+      Function<? super B, ? extends A> backwardFunction) {
+    return null;
+  }
+
+  public static <T> Converter<T, T> identity() {
+    return null;
+  }
+
+}
diff --git a/java/ql/test/stubs/guava-30.0/com/google/common/base/MoreObjects.java b/java/ql/test/stubs/guava-30.0/com/google/common/base/MoreObjects.java
diff --git a/java/ql/test/stubs/guava-30.0/com/google/common/base/Optional.java b/java/ql/test/stubs/guava-30.0/com/google/common/base/Optional.java
diff --git a/java/ql/test/stubs/guava-30.0/com/google/common/base/Suppliers.java b/java/ql/test/stubs/guava-30.0/com/google/common/base/Suppliers.java
diff --git a/java/ql/test/stubs/guava-30.0/com/google/common/base/Verify.java b/java/ql/test/stubs/guava-30.0/com/google/common/base/Verify.java

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+lgtm,codescanning`
	`2`	+* Increased coverage of the Guava framework by modelling additional classes in the `com.google.common.base` package. This may result in more results for security queries on projects where the Guava framework is used.
Original file line number	Diff line number	Diff line change
`@@ -106,7 +106,7 @@ void test3() throws IOException {`
`106`	`106`	`}`
`107`	`107`
`108`	`108`	`void test4() throws IOException {`
`109`		`- sink(Closer.create().register((Closeable) taint())); // $numTaintFlow=1`
	`109`	`+ sink(Closer.create().register((Closeable) taint())); // $numValueFlow=1`
`110`	`110`	`sink(new LineReader(rtaint()).readLine()); // $numTaintFlow=1`
`111`	`111`	`sink(Files.simplifyPath(staint())); // $numTaintFlow=1`
`112`	`112`	`sink(Files.getFileExtension(staint())); // $numTaintFlow=1`