Merge pull request github#6407 from bmuskalla/charSeqSubSeq

Java: Track taint for CharSequence#subSequence

Author: aschackmull

java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll

@@ -89,6 +89,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.JsonJava
   private import semmle.code.java.frameworks.Objects
   private import semmle.code.java.frameworks.Optional
+  private import semmle.code.java.frameworks.Strings
   private import semmle.code.java.frameworks.spring.SpringCache
   private import semmle.code.java.frameworks.spring.SpringHttp
   private import semmle.code.java.frameworks.spring.SpringUtil

java/ql/lib/semmle/code/java/dataflow/FlowSteps.qll

@@ -84,36 +84,6 @@ abstract class TaintPreservingCallable extends Callable {
   predicate transfersTaint(int src, int sink) { none() }
 }
 
-private class StringTaintPreservingMethod extends TaintPreservingCallable {
-  StringTaintPreservingMethod() {
-    this.getDeclaringType() instanceof TypeString and
-    (
-      this.hasName([
-          "concat", "copyValueOf", "endsWith", "format", "formatted", "getBytes", "indent",
-          "intern", "join", "repeat", "split", "strip", "stripIndent", "stripLeading",
-          "stripTrailing", "substring", "toCharArray", "toLowerCase", "toString", "toUpperCase",
-          "trim"
-        ])
-      or
-      this.hasName("valueOf") and this.getParameterType(0) instanceof Array
-    )
-  }
-
-  override predicate returnsTaintFrom(int arg) {
-    arg = -1 and not this.isStatic()
-    or
-    this.hasName(["concat", "copyValueOf", "valueOf"]) and arg = 0
-    or
-    this.hasName(["format", "formatted", "join"]) and arg = [0 .. getNumberOfParameters()]
-  }
-}
-
-private class StringTaintPreservingConstructor extends Constructor, TaintPreservingCallable {
-  StringTaintPreservingConstructor() { this.getDeclaringType() instanceof TypeString }
-
-  override predicate returnsTaintFrom(int arg) { arg = 0 }
-}
-
 private class NumberTaintPreservingCallable extends TaintPreservingCallable {
   int argument;
 
@@ -133,46 +103,3 @@ private class NumberTaintPreservingCallable extends TaintPreservingCallable {
 
   override predicate returnsTaintFrom(int arg) { arg = argument }
 }
-
-/** Holds for the types `StringBuilder`, `StringBuffer`, and `StringWriter`. */
-private predicate stringBuilderType(RefType t) {
-  t instanceof StringBuildingType or
-  t.hasQualifiedName("java.io", "StringWriter")
-}
-
-private class StringBuilderTaintPreservingCallable extends TaintPreservingCallable {
-  StringBuilderTaintPreservingCallable() {
-    exists(Method m |
-      this.(Method).overrides*(m) and
-      stringBuilderType(m.getDeclaringType()) and
-      m.hasName(["append", "insert", "replace", "toString", "write"])
-    )
-    or
-    this.(Constructor).getParameterType(0) instanceof RefType and
-    stringBuilderType(this.getDeclaringType())
-  }
-
-  override predicate returnsTaintFrom(int arg) {
-    arg = -1 and
-    not this instanceof Constructor
-    or
-    this instanceof Constructor and arg = 0
-    or
-    this.hasName("append") and arg = 0
-    or
-    this.hasName("insert") and arg = 1
-    or
-    this.hasName("replace") and arg = 2
-  }
-
-  override predicate transfersTaint(int src, int sink) {
-    returnsTaintFrom(src) and
-    sink = -1 and
-    src != -1 and
-    not this instanceof Constructor
-    or
-    this.hasName("write") and
-    src = 0 and
-    sink = -1
-  }
-}

java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll

@@ -147,8 +147,6 @@ private predicate localAdditionalTaintExprStep(Expr src, Expr sink) {
   or
   comparisonStep(src, sink)
   or
-  stringBuilderStep(src, sink)
-  or
   serializationStep(src, sink)
   or
   formatStep(src, sink)
@@ -392,15 +390,6 @@ private predicate comparisonStep(Expr tracked, Expr sink) {
   )
 }
 
-/** Flow through a `StringBuilder`. */
-private predicate stringBuilderStep(Expr tracked, Expr sink) {
-  exists(StringBuilderVar sbvar, MethodAccess input, int arg |
-    input = sbvar.getAnInput(arg) and
-    tracked = input.getArgument(arg) and
-    sink = sbvar.getToStringCall()
-  )
-}
-
 /** Flow through data serialization. */
 private predicate serializationStep(Expr tracked, Expr sink) {
   exists(ObjectOutputStreamVar v, VariableAssign def |

java/ql/lib/semmle/code/java/frameworks/Objects.qll

@@ -9,7 +9,8 @@ private class ObjectsSummaryCsv extends SummaryModelCsv {
       [
         //`namespace; type; subtypes; name; signature; ext; input; output; kind`
         "java.util;Objects;false;requireNonNull;;;Argument[0];ReturnValue;value",
-        "java.util;Objects;false;requireNonNullElse;;;Argument[0..1];ReturnValue;value",
+        "java.util;Objects;false;requireNonNullElse;;;Argument[0];ReturnValue;value",
+        "java.util;Objects;false;requireNonNullElse;;;Argument[1];ReturnValue;value",
         "java.util;Objects;false;requireNonNullElseGet;;;Argument[0];ReturnValue;value",
         "java.util;Objects;false;toString;;;Argument[1];ReturnValue;value"
       ]

java/ql/lib/semmle/code/java/frameworks/Strings.qll

@@ -0,0 +1,58 @@
+/** Definitions of taint steps in String and String-related classes of the JDK */
+
+import java
+private import semmle.code.java.dataflow.ExternalFlow
+
+private class StringSummaryCsv extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        //`namespace; type; subtypes; name; signature; ext; input; output; kind`
+        "java.lang;String;false;concat;(String);;Argument[0];ReturnValue;taint",
+        "java.lang;String;false;concat;(String);;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;copyValueOf;;;Argument[0];ReturnValue;taint",
+        "java.lang;String;false;endsWith;;;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;format;(Locale,String,Object[]);;Argument[1];ReturnValue;taint",
+        "java.lang;String;false;format;(Locale,String,Object[]);;ArrayElement of Argument[2];ReturnValue;taint",
+        "java.lang;String;false;format;(String,Object[]);;Argument[0];ReturnValue;taint",
+        "java.lang;String;false;format;(String,Object[]);;ArrayElement of Argument[1];ReturnValue;taint",
+        "java.lang;String;false;formatted;(Object[]);;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;formatted;(Object[]);;ArrayElement of Argument[0];ReturnValue;taint",
+        "java.lang;String;false;getBytes;;;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;indent;;;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;intern;;;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;join;;;Argument[0..1];ReturnValue;taint",
+        "java.lang;String;false;repeat;(int);;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;split;;;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;String;;;Argument[0];Argument[-1];taint",
+        "java.lang;String;false;strip;;;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;stripIndent;;;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;stripLeading;;;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;stripTrailing;;;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;substring;;;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;toCharArray;;;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;toLowerCase;;;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;toString;;;Argument[-1];ReturnValue;value",
+        "java.lang;String;false;toUpperCase;;;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;trim;;;Argument[-1];ReturnValue;taint",
+        "java.lang;String;false;valueOf;(char);;Argument[0];ReturnValue;taint",
+        "java.lang;String;false;valueOf;(char[],int,int);;Argument[0];ReturnValue;taint",
+        "java.lang;String;false;valueOf;(char[]);;Argument[0];ReturnValue;taint",
+        "java.io;StringWriter;true;append;;;Argument[0];Argument[-1];taint",
+        "java.io;StringWriter;true;append;;;Argument[-1];ReturnValue;value",
+        "java.io;StringWriter;true;write;;;Argument[0];Argument[-1];taint",
+        "java.lang;AbstractStringBuilder;true;AbstractStringBuilder;(String);;Argument[0];Argument[-1];taint",
+        "java.lang;AbstractStringBuilder;true;append;;;Argument[0];Argument[-1];taint",
+        "java.lang;AbstractStringBuilder;true;append;;;Argument[-1];ReturnValue;value",
+        "java.lang;AbstractStringBuilder;true;insert;;;Argument[1];Argument[-1];taint",
+        "java.lang;AbstractStringBuilder;true;insert;;;Argument[-1];ReturnValue;value",
+        "java.lang;AbstractStringBuilder;true;replace;;;Argument[-1];ReturnValue;value",
+        "java.lang;AbstractStringBuilder;true;replace;;;Argument[2];Argument[-1];taint",
+        "java.lang;AbstractStringBuilder;true;toString;;;Argument[-1];ReturnValue;taint",
+        "java.lang;StringBuffer;true;StringBuffer;(CharSequence);;Argument[0];Argument[-1];taint",
+        "java.lang;StringBuffer;true;StringBuffer;(String);;Argument[0];Argument[-1];taint",
+        "java.lang;StringBuilder;true;StringBuilder;;;Argument[0];Argument[-1];taint",
+        "java.lang;CharSequence;true;subSequence;;;Argument[-1];ReturnValue;taint"
+      ]
+  }
+}

java/ql/test/experimental/query-tests/security/CWE-094/JakartaExpressionInjection.expected

@@ -1,6 +1,8 @@
 edges
 | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | JakartaExpressionInjection.java:23:54:23:58 | bytes [post update] : byte[] |
-| JakartaExpressionInjection.java:23:54:23:58 | bytes [post update] : byte[] | JakartaExpressionInjection.java:25:31:25:40 | expression : String |
+| JakartaExpressionInjection.java:23:54:23:58 | bytes [post update] : byte[] | JakartaExpressionInjection.java:24:48:24:52 | bytes : byte[] |
+| JakartaExpressionInjection.java:24:37:24:59 | new String(...) : String | JakartaExpressionInjection.java:25:31:25:40 | expression : String |
+| JakartaExpressionInjection.java:24:48:24:52 | bytes : byte[] | JakartaExpressionInjection.java:24:37:24:59 | new String(...) : String |
 | JakartaExpressionInjection.java:25:31:25:40 | expression : String | JakartaExpressionInjection.java:32:24:32:33 | expression : String |
 | JakartaExpressionInjection.java:25:31:25:40 | expression : String | JakartaExpressionInjection.java:40:24:40:33 | expression : String |
 | JakartaExpressionInjection.java:25:31:25:40 | expression : String | JakartaExpressionInjection.java:48:24:48:33 | expression : String |
@@ -20,6 +22,8 @@ edges
 nodes
 | JakartaExpressionInjection.java:23:25:23:47 | getInputStream(...) : InputStream | semmle.label | getInputStream(...) : InputStream |
 | JakartaExpressionInjection.java:23:54:23:58 | bytes [post update] : byte[] | semmle.label | bytes [post update] : byte[] |
+| JakartaExpressionInjection.java:24:37:24:59 | new String(...) : String | semmle.label | new String(...) : String |
+| JakartaExpressionInjection.java:24:48:24:52 | bytes : byte[] | semmle.label | bytes : byte[] |
 | JakartaExpressionInjection.java:25:31:25:40 | expression : String | semmle.label | expression : String |
 | JakartaExpressionInjection.java:32:24:32:33 | expression : String | semmle.label | expression : String |
 | JakartaExpressionInjection.java:34:28:34:37 | expression | semmle.label | expression |

java/ql/test/experimental/query-tests/security/CWE-094/JythonInjection.expected

@@ -2,7 +2,8 @@ edges
 | JythonInjection.java:28:23:28:50 | getParameter(...) : String | JythonInjection.java:36:30:36:33 | code |
 | JythonInjection.java:53:23:53:50 | getParameter(...) : String | JythonInjection.java:58:44:58:47 | code |
 | JythonInjection.java:73:23:73:50 | getParameter(...) : String | JythonInjection.java:81:35:81:38 | code |
-| JythonInjection.java:97:23:97:50 | getParameter(...) : String | JythonInjection.java:106:61:106:75 | getBytes(...) |
+| JythonInjection.java:97:23:97:50 | getParameter(...) : String | JythonInjection.java:106:61:106:64 | code : String |
+| JythonInjection.java:106:61:106:64 | code : String | JythonInjection.java:106:61:106:75 | getBytes(...) |
 nodes
 | JythonInjection.java:28:23:28:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | JythonInjection.java:36:30:36:33 | code | semmle.label | code |
@@ -11,6 +12,7 @@ nodes
 | JythonInjection.java:73:23:73:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | JythonInjection.java:81:35:81:38 | code | semmle.label | code |
 | JythonInjection.java:97:23:97:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| JythonInjection.java:106:61:106:64 | code : String | semmle.label | code : String |
 | JythonInjection.java:106:61:106:75 | getBytes(...) | semmle.label | getBytes(...) |
 | JythonInjection.java:131:40:131:63 | getInputStream(...) | semmle.label | getInputStream(...) |
 subpaths

java/ql/test/experimental/query-tests/security/CWE-094/ScriptInjection.expected

@@ -1,7 +1,8 @@
 edges
 | RhinoServlet.java:28:23:28:50 | getParameter(...) : String | RhinoServlet.java:32:55:32:58 | code |
 | RhinoServlet.java:81:23:81:50 | getParameter(...) : String | RhinoServlet.java:83:54:83:57 | code |
-| RhinoServlet.java:88:23:88:50 | getParameter(...) : String | RhinoServlet.java:89:74:89:88 | getBytes(...) |
+| RhinoServlet.java:88:23:88:50 | getParameter(...) : String | RhinoServlet.java:89:74:89:77 | code : String |
+| RhinoServlet.java:89:74:89:77 | code : String | RhinoServlet.java:89:74:89:88 | getBytes(...) |
 | ScriptEngineTest.java:20:44:20:55 | input : String | ScriptEngineTest.java:24:37:24:41 | input |
 | ScriptEngineTest.java:27:51:27:62 | input : String | ScriptEngineTest.java:31:31:31:35 | input |
 | ScriptEngineTest.java:35:58:35:69 | input : String | ScriptEngineTest.java:39:31:39:35 | input |
@@ -26,6 +27,7 @@ nodes
 | RhinoServlet.java:81:23:81:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | RhinoServlet.java:83:54:83:57 | code | semmle.label | code |
 | RhinoServlet.java:88:23:88:50 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| RhinoServlet.java:89:74:89:77 | code : String | semmle.label | code : String |
 | RhinoServlet.java:89:74:89:88 | getBytes(...) | semmle.label | getBytes(...) |
 | ScriptEngineTest.java:20:44:20:55 | input : String | semmle.label | input : String |
 | ScriptEngineTest.java:24:37:24:41 | input | semmle.label | input |