Increase precision of tests to test value flow

Author: joefarebrother

java/ql/src/semmle/code/java/frameworks/guava/Base.qll

@@ -51,7 +51,7 @@ private class GuavaBaseCsv extends SummaryModelCsv {
         "com.google.common.base;Splitter;false;splitToStream;(CharSequence);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Splitter$MapSplitter;false;split;(CharSequence);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Preconditions;false;checkNotNull;;;Argument[0];ReturnValue;value",
-        "com.google.common.base;Verify;false;verifyNotNull;;;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Verify;false;verifyNotNull;;;Argument[0];ReturnValue;value",
         "com.google.common.base;Ascii;false;toLowerCase;(CharSequence);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Ascii;false;toLowerCase;(String);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Ascii;false;toUpperCase;(CharSequence);;Argument[0];ReturnValue;taint",
@@ -72,9 +72,10 @@ private class GuavaBaseCsv extends SummaryModelCsv {
         "com.google.common.base;Optional;true;get;();;Element of Argument[-1];ReturnValue;value",
         "com.google.common.base;Optional;true;asSet;();;Element of Argument[-1];Element of ReturnValue;value",
         "com.google.common.base;Optional;true;of;(Object);;Argument[0];Element of ReturnValue;value",
-        "com.google.common.base;Optional;true;or;;;Element of Argument[-1];ReturnValue;value",
-        "com.google.common.base;Optional;true;or;(Optional);;Element of Argument[0];ReturnValue;value",
-        "com.google.common.base;Optional;true;or;(Supplier);;Argument[0];ReturnValue;value",
+        "com.google.common.base;Optional;true;or;(Optional);;Element of Argument[-1..0];Element of ReturnValue;value",
+        "com.google.common.base;Optional;true;or;(Supplier);;Element of Argument[-1];ReturnValue;value",
+        "com.google.common.base;Optional;true;or;(Supplier);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Optional;true;or;(Object);;Element of Argument[-1];ReturnValue;value",
         "com.google.common.base;Optional;true;or;(Object);;Argument[0];ReturnValue;value",
         "com.google.common.base;Optional;true;orNull;();;Element of Argument[-1];ReturnValue;value",
         "com.google.common.base;Optional;true;presentInstances;(Iterable);;Element of Element of Argument[0];Element of ReturnValue;value",

java/ql/test/library-tests/frameworks/guava/TestBase.java

@@ -3,6 +3,7 @@
 import java.util.Map;
 import java.util.HashMap;
 import java.util.concurrent.TimeUnit;
+import java.util.Set;
 
 class TestBase {
     String taint() { return "tainted"; }
@@ -15,7 +16,7 @@ void test1() {
         sink(Strings.padStart(x, 10, ' ')); // $numTaintFlow=1
         sink(Strings.padEnd(x, 10, ' ')); // $numTaintFlow=1
         sink(Strings.repeat(x, 3)); // $numTaintFlow=1
-        sink(Strings.emptyToNull(Strings.nullToEmpty(x))); // $numTaintFlow=1
+        sink(Strings.emptyToNull(Strings.nullToEmpty(x))); // $numValueFlow=1
         sink(Strings.lenientFormat(x, 3)); // $numTaintFlow=1
         sink(Strings.commonPrefix(x, "abc")); 
         sink(Strings.commonSuffix(x, "cde")); 
@@ -59,8 +60,8 @@ void test3() {
     }
 
     void test4() {
-        sink(Preconditions.checkNotNull(taint())); // $numTaintFlow=1
-        sink(Verify.verifyNotNull(taint())); // $numTaintFlow=1
+        sink(Preconditions.checkNotNull(taint())); // $numValueFlow=1
+        sink(Verify.verifyNotNull(taint())); // $numValueFlow=1
     }
 
     void test5() {
@@ -78,9 +79,9 @@ void test6() {
     }
 
     void test7() {
-        sink(MoreObjects.firstNonNull(taint(), taint())); // $numTaintFlow=2
-        sink(MoreObjects.firstNonNull(null, taint())); // $numTaintFlow=1
-        sink(MoreObjects.firstNonNull(taint(), null)); // $numTaintFlow=1
+        sink(MoreObjects.firstNonNull(taint(), taint())); // $numValueFlow=2
+        sink(MoreObjects.firstNonNull(null, taint())); // $numValueFlow=1
+        sink(MoreObjects.firstNonNull(taint(), null)); // $numValueFlow=1
         sink(MoreObjects.toStringHelper(taint()).add("x", 3).omitNullValues().toString()); // $numTaintFlow=1
         sink(MoreObjects.toStringHelper((Object) taint()).toString());
         sink(MoreObjects.toStringHelper("a").add("x", 3).add(taint(), 4).toString()); // $numTaintFlow=1
@@ -94,16 +95,15 @@ void test7() {
     void test8() {
         Optional<String> x = Optional.of(taint());
         sink(x); // $numTaintFlow=1
-        sink(x.get()); // $numTaintFlow=1
-        sink(x.or("hi")); // $numTaintFlow=1
-        sink(x.orNull()); // $numTaintFlow=1
-        sink(x.asSet()); // $numTaintFlow=1
-        sink(Optional.fromJavaUtil(x.toJavaUtil())); // $numTaintFlow=1
-        sink(Optional.fromJavaUtil(Optional.toJavaUtil(x))); // $numTaintFlow=1
-        sink(x.asSet()); // $numTaintFlow=1
-        sink(Optional.fromNullable(taint())); // $numTaintFlow=1
-        sink(Optional.absent().or(x)); // $numTaintFlow=1
-        sink(Optional.absent().or(taint())); // $numTaintFlow=1
-        sink(Optional.presentInstances(Optional.of(x).asSet())); // $numTaintFlow=1
+        sink(x.get()); // $numValueFlow=1
+        sink(x.or("hi")); // $numValueFlow=1
+        sink(x.orNull()); // $numValueFlow=1
+        sink(x.asSet().toArray()[0]); // $numValueFlow=1
+        sink(Optional.fromJavaUtil(x.toJavaUtil()).get()); // $numValueFlow=1
+        sink(Optional.fromJavaUtil(Optional.toJavaUtil(x)).get()); // $numValueFlow=1
+        sink(Optional.fromNullable(taint()).get()); // $numValueFlow=1
+        sink(Optional.absent().or(x).get()); // $numValueFlow=1
+        sink(Optional.absent().or(taint())); // $numValueFlow=1
+        sink(Optional.presentInstances(Set.of(x)).iterator().next()); // $numValueFlow=1
     }
 }

java/ql/test/library-tests/frameworks/guava/TestIO.java

@@ -106,7 +106,7 @@ void test3() throws IOException {
     }
 
     void test4() throws IOException {
-        sink(Closer.create().register((Closeable) taint())); // $numTaintFlow=1
+        sink(Closer.create().register((Closeable) taint())); // $numValueFlow=1
         sink(new LineReader(rtaint()).readLine()); // $numTaintFlow=1
         sink(Files.simplifyPath(staint())); // $numTaintFlow=1
         sink(Files.getFileExtension(staint())); // $numTaintFlow=1

java/ql/test/library-tests/frameworks/guava/flow.ql

@@ -2,8 +2,20 @@ import java
 import semmle.code.java.dataflow.TaintTracking
 import TestUtilities.InlineExpectationsTest
 
-class Conf extends TaintTracking::Configuration {
-  Conf() { this = "qltest:frameworks:guava" }
+class TaintFlowConf extends TaintTracking::Configuration {
+  TaintFlowConf() { this = "qltest:frameworks:guava-taint" }
+
+  override predicate isSource(DataFlow::Node n) {
+    n.asExpr().(MethodAccess).getMethod().hasName("taint")
+  }
+
+  override predicate isSink(DataFlow::Node n) {
+    exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
+  }
+}
+
+class ValueFlowConf extends DataFlow::Configuration {
+  ValueFlowConf() { this = "qltest:frameworks:guava-value" }
 
   override predicate isSource(DataFlow::Node n) {
     n.asExpr().(MethodAccess).getMethod().hasName("taint")
@@ -17,15 +29,28 @@ class Conf extends TaintTracking::Configuration {
 class HasFlowTest extends InlineExpectationsTest {
   HasFlowTest() { this = "HasFlowTest" }
 
-  override string getARelevantTag() { result = "numTaintFlow" }
+  override string getARelevantTag() { result = ["numTaintFlow", "numValueFlow"] }
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     tag = "numTaintFlow" and
-    exists(DataFlow::Node src, DataFlow::Node sink, Conf conf, int num | conf.hasFlow(src, sink) |
+    exists(DataFlow::Node src, DataFlow::Node sink, TaintFlowConf tconf, int num |
+      tconf.hasFlow(src, sink)
+    |
+      not any(ValueFlowConf vconf).hasFlow(src, sink) and
+      value = num.toString() and
+      sink.getLocation() = location and
+      element = sink.toString() and
+      num = strictcount(DataFlow::Node src2 | tconf.hasFlow(src2, sink))
+    )
+    or
+    tag = "numValueFlow" and
+    exists(DataFlow::Node src, DataFlow::Node sink, ValueFlowConf vconf, int num |
+      vconf.hasFlow(src, sink)
+    |
       value = num.toString() and
       sink.getLocation() = location and
       element = sink.toString() and
-      num = strictcount(DataFlow::Node src2 | conf.hasFlow(src2, sink))
+      num = strictcount(DataFlow::Node src2 | vconf.hasFlow(src2, sink))
     )
   }
 }