Merge pull request github#6215 from aschackmull/java/fix-csv-subtype-interpretation

Java: Fix CSV subtype interpretation

Author: smowton

java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll

@@ -274,7 +274,7 @@ private predicate summaryModelCsv(string row) {
       "java.io;File;false;toURI;;;Argument[-1];ReturnValue;taint",
       "java.io;File;false;toPath;;;Argument[-1];ReturnValue;taint",
       "java.nio.file;Path;false;toFile;;;Argument[-1];ReturnValue;taint",
-      "java.io;Reader;true;readLine;;;Argument[-1];ReturnValue;taint",
+      "java.io;BufferedReader;true;readLine;;;Argument[-1];ReturnValue;taint",
       "java.io;Reader;true;read;();;Argument[-1];ReturnValue;taint",
       // arg to return
       "java.util;Base64$Encoder;false;encode;(byte[]);;Argument[0];ReturnValue;taint",
@@ -285,8 +285,12 @@ private predicate summaryModelCsv(string row) {
       "java.util;Base64$Decoder;false;decode;(ByteBuffer);;Argument[0];ReturnValue;taint",
       "java.util;Base64$Decoder;false;decode;(String);;Argument[0];ReturnValue;taint",
       "java.util;Base64$Decoder;false;wrap;(InputStream);;Argument[0];ReturnValue;taint",
-      "org.apache.commons.codec;Encoder;true;encode;;;Argument[0];ReturnValue;taint",
-      "org.apache.commons.codec;Decoder;true;decode;;;Argument[0];ReturnValue;taint",
+      "org.apache.commons.codec;Encoder;true;encode;(Object);;Argument[0];ReturnValue;taint",
+      "org.apache.commons.codec;Decoder;true;decode;(Object);;Argument[0];ReturnValue;taint",
+      "org.apache.commons.codec;BinaryEncoder;true;encode;(byte[]);;Argument[0];ReturnValue;taint",
+      "org.apache.commons.codec;BinaryDecoder;true;decode;(byte[]);;Argument[0];ReturnValue;taint",
+      "org.apache.commons.codec;StringEncoder;true;encode;(String);;Argument[0];ReturnValue;taint",
+      "org.apache.commons.codec;StringDecoder;true;decode;(String);;Argument[0];ReturnValue;taint",
       "org.apache.commons.io;IOUtils;false;buffer;;;Argument[0];ReturnValue;taint",
       "org.apache.commons.io;IOUtils;false;readLines;;;Argument[0];ReturnValue;taint",
       "org.apache.commons.io;IOUtils;false;readFully;(InputStream,int);;Argument[0];ReturnValue;taint",
@@ -586,14 +590,6 @@ private predicate elementSpec(
   summaryModel(namespace, type, subtypes, name, signature, ext, _, _, _)
 }
 
-bindingset[namespace, type, subtypes]
-private RefType interpretType(string namespace, string type, boolean subtypes) {
-  exists(RefType t |
-    t.hasQualifiedName(namespace, type) and
-    if subtypes = true then result.getASourceSupertype*() = t else result = t
-  )
-}
-
 private string paramsStringPart(Callable c, int i) {
   i = -1 and result = "("
   or
@@ -614,9 +610,13 @@ private Element interpretElement0(
   string namespace, string type, boolean subtypes, string name, string signature
 ) {
   elementSpec(namespace, type, subtypes, name, signature, _) and
-  exists(RefType t | t = interpretType(namespace, type, subtypes) |
+  exists(RefType t | t.hasQualifiedName(namespace, type) |
     exists(Member m |
-      result = m and
+      (
+        result = m
+        or
+        subtypes = true and result.(SrcMethod).overridesOrInstantiates+(m)
+      ) and
       m.getDeclaringType() = t and
       m.hasName(name)
     |
@@ -625,7 +625,7 @@ private Element interpretElement0(
       paramsString(m) = signature
     )
     or
-    result = t and
+    (if subtypes = true then result.(SrcRefType).getASourceSupertype*() = t else result = t) and
     name = "" and
     signature = ""
   )

java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll

@@ -115,9 +115,9 @@ private class ContainerFlowSummaries extends SummaryModelCsv {
         "java.util;Map;true;get;;;MapValue of Argument[-1];ReturnValue;value",
         "java.util;Map;true;getOrDefault;;;MapValue of Argument[-1];ReturnValue;value",
         "java.util;Map;true;getOrDefault;;;Argument[1];ReturnValue;value",
-        "java.util;Map;true;put;;;MapValue of Argument[-1];ReturnValue;value",
-        "java.util;Map;true;put;;;Argument[0];MapKey of Argument[-1];value",
-        "java.util;Map;true;put;;;Argument[1];MapValue of Argument[-1];value",
+        "java.util;Map;true;put;(Object,Object);;MapValue of Argument[-1];ReturnValue;value",
+        "java.util;Map;true;put;(Object,Object);;Argument[0];MapKey of Argument[-1];value",
+        "java.util;Map;true;put;(Object,Object);;Argument[1];MapValue of Argument[-1];value",
         "java.util;Map;true;putIfAbsent;;;MapValue of Argument[-1];ReturnValue;value",
         "java.util;Map;true;putIfAbsent;;;Argument[0];MapKey of Argument[-1];value",
         "java.util;Map;true;putIfAbsent;;;Argument[1];MapValue of Argument[-1];value",

java/ql/test/library-tests/frameworks/JaxWs/JakartaRsFlow.java

@@ -166,6 +166,10 @@ void testAbstractMultivaluedMap(Map<String, List<String>> map1, Map<String, List
     map2.put("key", list);
     AbstractMultivaluedMap<String, String> amm2 = new MyAbstractMultivaluedMapJak<String, String>(map2);
     sink(amm2.get("key").get(0)); // $ hasValueFlow
+
+    AbstractMultivaluedMap<String, String> amm3 = new MyAbstractMultivaluedMapJak<String, String>(null);
+    amm3.put("key", list);
+    sink(amm3.get("key").get(0)); // $ hasValueFlow
   }
 
   void testMultivaluedHashMap(Map<String, String> map1, Map<String, String> map2,
@@ -407,4 +411,4 @@ void testUriBuilder() throws Exception {
 
 class DummyJakarta {
   private static Set<String> foo() { return null; }
-}
+}

java/ql/test/stubs/jsr311-api-1.1.1/javax/ws/rs/core/Cookie.java

@@ -151,4 +151,8 @@ public String getDomain() {
     public String getPath() {
         return null;
     }
+
+    public String toString() {
+        return null;
+    }
 }