Convert fluent method models to csv and generalise to the three different variants of StrBuilder.

smowton · smowton · commit 3a274424abc0 · 2021-03-26T14:31:36.000Z
diff --git a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
@@ -427,6 +427,92 @@ private class ApacheStrBuilderModel extends SummaryModelCsv {
   }
 }
 
+private class ApacheStrBuilderFluentMethodsModel extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "org.apache.commons.lang3.text;StrBuilder;false;append;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;appendAll;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;appendFixedWidthPadLeft;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;appendFixedWidthPadRight;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;appendln;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;appendNewLine;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;appendNull;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;appendPadding;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;appendSeparator;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;appendWithSeparators;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;delete;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;deleteAll;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;deleteCharAt;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;deleteFirst;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;ensureCapacity;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;insert;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;minimizeCapacity;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;replace;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;replaceAll;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;replaceFirst;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;reverse;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;setCharAt;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;setLength;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;setNewLineText;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;setNullText;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.lang3.text;StrBuilder;false;trim;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;append;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;appendAll;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;appendFixedWidthPadLeft;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;appendFixedWidthPadRight;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;appendln;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;appendNewLine;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;appendNull;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;appendPadding;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;appendSeparator;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;appendWithSeparators;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;delete;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;deleteAll;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;deleteCharAt;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;deleteFirst;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;ensureCapacity;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;insert;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;minimizeCapacity;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;replace;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;replaceAll;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;replaceFirst;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;reverse;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;setCharAt;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;setLength;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;setNewLineText;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;setNullText;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;StrBuilder;false;trim;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;append;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;appendAll;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;appendFixedWidthPadLeft;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;appendFixedWidthPadRight;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;appendln;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;appendNewLine;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;appendNull;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;appendPadding;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;appendSeparator;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;appendWithSeparators;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;delete;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;deleteAll;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;deleteCharAt;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;deleteFirst;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;ensureCapacity;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;insert;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;minimizeCapacity;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;replace;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;replaceAll;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;replaceFirst;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;reverse;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;setCharAt;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;setLength;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;setNewLineText;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;setNullText;;;Argument[-1];ReturnValue;value",
+        "org.apache.commons.text;TextStringBuilder;false;trim;;;Argument[-1];ReturnValue;value"
+      ]
+  }
+}
+
 /**
  * An Apache Commons-Lang StrBuilder method that returns `this`.
  */
diff --git a/java/ql/test/library-tests/frameworks/apache-commons-lang3/StrBuilderTest.java b/java/ql/test/library-tests/frameworks/apache-commons-lang3/StrBuilderTest.java
@@ -142,6 +142,68 @@ void test() throws Exception {
         StrBuilder fluentBackflowTest2 = new StrBuilder();
         fluentBackflowTest2.append("Harmless").append(taint());
         sink(fluentBackflowTest2.toString()); // $hasTaintFlow
+
+        // Test all fluent methods are passing taint through to their result:
+        StrBuilder fluentAllMethodsTest = new StrBuilder(taint());
+        sink(fluentAllMethodsTest // $hasTaintFlow
+        .append("text")
+        .appendAll("text")
+        .appendFixedWidthPadLeft("text", 4, ' ')
+        .appendFixedWidthPadRight("text", 4, ' ')
+        .appendln("text")
+        .appendNewLine()
+        .appendNull()
+        .appendPadding(0, ' ')
+        .appendSeparator(',')
+        .appendWithSeparators(new String[] { }, ",")
+        .delete(0, 0)
+        .deleteAll(' ')
+        .deleteCharAt(0)
+        .deleteFirst("delme")
+        .ensureCapacity(100)
+        .insert(1, "insertme")
+        .minimizeCapacity()
+        .replace(0, 0, "replacement")
+        .replaceAll("find", "replace")
+        .replaceFirst("find", "replace")
+        .reverse()
+        .setCharAt(0, 'a')
+        .setLength(500)
+        .setNewLineText("newline")
+        .setNullText("NULL")
+        .trim());
+
+        // Test all fluent methods are passing taint back to their qualifier:
+        StrBuilder fluentAllMethodsTest2 = new StrBuilder();
+        fluentAllMethodsTest2
+        .append("text")
+        .appendAll("text")
+        .appendFixedWidthPadLeft("text", 4, ' ')
+        .appendFixedWidthPadRight("text", 4, ' ')
+        .appendln("text")
+        .appendNewLine()
+        .appendNull()
+        .appendPadding(0, ' ')
+        .appendSeparator(',')
+        .appendWithSeparators(new String[] { }, ",")
+        .delete(0, 0)
+        .deleteAll(' ')
+        .deleteCharAt(0)
+        .deleteFirst("delme")
+        .ensureCapacity(100)
+        .insert(1, "insertme")
+        .minimizeCapacity()
+        .replace(0, 0, "replacement")
+        .replaceAll("find", "replace")
+        .replaceFirst("find", "replace")
+        .reverse()
+        .setCharAt(0, 'a')
+        .setLength(500)
+        .setNewLineText("newline")
+        .setNullText("NULL")
+        .trim()
+        .append(taint());
+        sink(fluentAllMethodsTest2); // $hasTaintFlow
     }
 
 }
diff --git a/java/ql/test/library-tests/frameworks/apache-commons-lang3/StrBuilderTextTest.java b/java/ql/test/library-tests/frameworks/apache-commons-lang3/StrBuilderTextTest.java
@@ -128,6 +128,82 @@ void test() throws Exception {
         StrBuilder sb72 = new StrBuilder(); sb72.append(taint()); sink(sb72.toCharArray(0, 0)); // $hasTaintFlow
         StrBuilder sb73 = new StrBuilder(); sb73.append(taint()); sink(sb73.toStringBuffer()); // $hasTaintFlow
         StrBuilder sb74 = new StrBuilder(); sb74.append(taint()); sink(sb74.toStringBuilder()); // $hasTaintFlow
+
+        // Tests for fluent methods (those returning `this`):
+
+        StrBuilder fluentTest = new StrBuilder();
+        sink(fluentTest.append("Harmless").append(taint()).append("Also harmless").toString()); // $hasTaintFlow
+
+        StrBuilder fluentBackflowTest = new StrBuilder();
+        fluentBackflowTest.append("Harmless").append(taint()).append("Also harmless");
+        sink(fluentBackflowTest.toString()); // $hasTaintFlow
+
+        // Test the case where the fluent method contributing taint is at the end of a statement:
+        StrBuilder fluentBackflowTest2 = new StrBuilder();
+        fluentBackflowTest2.append("Harmless").append(taint());
+        sink(fluentBackflowTest2.toString()); // $hasTaintFlow
+
+        // Test all fluent methods are passing taint through to their result:
+        StrBuilder fluentAllMethodsTest = new StrBuilder(taint());
+        sink(fluentAllMethodsTest // $hasTaintFlow
+        .append("text")
+        .appendAll("text")
+        .appendFixedWidthPadLeft("text", 4, ' ')
+        .appendFixedWidthPadRight("text", 4, ' ')
+        .appendln("text")
+        .appendNewLine()
+        .appendNull()
+        .appendPadding(0, ' ')
+        .appendSeparator(',')
+        .appendWithSeparators(new String[] { }, ",")
+        .delete(0, 0)
+        .deleteAll(' ')
+        .deleteCharAt(0)
+        .deleteFirst("delme")
+        .ensureCapacity(100)
+        .insert(1, "insertme")
+        .minimizeCapacity()
+        .replace(0, 0, "replacement")
+        .replaceAll("find", "replace")
+        .replaceFirst("find", "replace")
+        .reverse()
+        .setCharAt(0, 'a')
+        .setLength(500)
+        .setNewLineText("newline")
+        .setNullText("NULL")
+        .trim());
+
+        // Test all fluent methods are passing taint back to their qualifier:
+        StrBuilder fluentAllMethodsTest2 = new StrBuilder();
+        fluentAllMethodsTest2
+        .append("text")
+        .appendAll("text")
+        .appendFixedWidthPadLeft("text", 4, ' ')
+        .appendFixedWidthPadRight("text", 4, ' ')
+        .appendln("text")
+        .appendNewLine()
+        .appendNull()
+        .appendPadding(0, ' ')
+        .appendSeparator(',')
+        .appendWithSeparators(new String[] { }, ",")
+        .delete(0, 0)
+        .deleteAll(' ')
+        .deleteCharAt(0)
+        .deleteFirst("delme")
+        .ensureCapacity(100)
+        .insert(1, "insertme")
+        .minimizeCapacity()
+        .replace(0, 0, "replacement")
+        .replaceAll("find", "replace")
+        .replaceFirst("find", "replace")
+        .reverse()
+        .setCharAt(0, 'a')
+        .setLength(500)
+        .setNewLineText("newline")
+        .setNullText("NULL")
+        .trim()
+        .append(taint());
+        sink(fluentAllMethodsTest2); // $hasTaintFlow
     }
 
 }
diff --git a/java/ql/test/library-tests/frameworks/apache-commons-lang3/TextStringBuilderTest.java b/java/ql/test/library-tests/frameworks/apache-commons-lang3/TextStringBuilderTest.java
@@ -129,6 +129,82 @@ void test() throws Exception {
         TextStringBuilder sb72 = new TextStringBuilder(); sb72.append(taint()); sink(sb72.toCharArray(0, 0)); // $hasTaintFlow
         TextStringBuilder sb73 = new TextStringBuilder(); sb73.append(taint()); sink(sb73.toStringBuffer()); // $hasTaintFlow
         TextStringBuilder sb74 = new TextStringBuilder(); sb74.append(taint()); sink(sb74.toStringBuilder()); // $hasTaintFlow
+
+        // Tests for fluent methods (those returning `this`):
+
+        TextStringBuilder fluentTest = new TextStringBuilder();
+        sink(fluentTest.append("Harmless").append(taint()).append("Also harmless").toString()); // $hasTaintFlow
+
+        TextStringBuilder fluentBackflowTest = new TextStringBuilder();
+        fluentBackflowTest.append("Harmless").append(taint()).append("Also harmless");
+        sink(fluentBackflowTest.toString()); // $hasTaintFlow
+
+        // Test the case where the fluent method contributing taint is at the end of a statement:
+        TextStringBuilder fluentBackflowTest2 = new TextStringBuilder();
+        fluentBackflowTest2.append("Harmless").append(taint());
+        sink(fluentBackflowTest2.toString()); // $hasTaintFlow
+
+        // Test all fluent methods are passing taint through to their result:
+        TextStringBuilder fluentAllMethodsTest = new TextStringBuilder(taint());
+        sink(fluentAllMethodsTest // $hasTaintFlow
+        .append("text")
+        .appendAll("text")
+        .appendFixedWidthPadLeft("text", 4, ' ')
+        .appendFixedWidthPadRight("text", 4, ' ')
+        .appendln("text")
+        .appendNewLine()
+        .appendNull()
+        .appendPadding(0, ' ')
+        .appendSeparator(',')
+        .appendWithSeparators(new String[] { }, ",")
+        .delete(0, 0)
+        .deleteAll(' ')
+        .deleteCharAt(0)
+        .deleteFirst("delme")
+        .ensureCapacity(100)
+        .insert(1, "insertme")
+        .minimizeCapacity()
+        .replace(0, 0, "replacement")
+        .replaceAll("find", "replace")
+        .replaceFirst("find", "replace")
+        .reverse()
+        .setCharAt(0, 'a')
+        .setLength(500)
+        .setNewLineText("newline")
+        .setNullText("NULL")
+        .trim());
+
+        // Test all fluent methods are passing taint back to their qualifier:
+        TextStringBuilder fluentAllMethodsTest2 = new TextStringBuilder();
+        fluentAllMethodsTest2
+        .append("text")
+        .appendAll("text")
+        .appendFixedWidthPadLeft("text", 4, ' ')
+        .appendFixedWidthPadRight("text", 4, ' ')
+        .appendln("text")
+        .appendNewLine()
+        .appendNull()
+        .appendPadding(0, ' ')
+        .appendSeparator(',')
+        .appendWithSeparators(new String[] { }, ",")
+        .delete(0, 0)
+        .deleteAll(' ')
+        .deleteCharAt(0)
+        .deleteFirst("delme")
+        .ensureCapacity(100)
+        .insert(1, "insertme")
+        .minimizeCapacity()
+        .replace(0, 0, "replacement")
+        .replaceAll("find", "replace")
+        .replaceFirst("find", "replace")
+        .reverse()
+        .setCharAt(0, 'a')
+        .setLength(500)
+        .setNewLineText("newline")
+        .setNullText("NULL")
+        .trim()
+        .append(taint());
+        sink(fluentAllMethodsTest2); // $hasTaintFlow
     }
 
 }
