Model ByteArrayDataOutput

joefarebrother · joefarebrother · commit 3f3640fcbde8 · 2021-03-05T11:19:55.000Z
diff --git a/java/ql/src/semmle/code/java/frameworks/guava/IO.qll b/java/ql/src/semmle/code/java/frameworks/guava/IO.qll
@@ -37,6 +37,7 @@ private class GuavaIoCsv extends SummaryModelCsv {
         "com.google.common.io;ByteStreams;false;newDataInput;(byte[]);;Argument[0];ReturnValue;taint",
         "com.google.common.io;ByteStreams;false;newDataInput;(byte[],int);;Argument[0];ReturnValue;taint",
         "com.google.common.io;ByteStreams;false;newDataInput;(ByteArrayInputStream);;Argument[0];ReturnValue;taint",
+        "com.google.common.io;ByteStreams;false;newDataOutput;(ByteArrayOutputStream);;Argument[0];ReturnValue;taint",
         "com.google.common.io;ByteStreams;false;read;(InputStream,byte[],int,int);;Argument[0];Argument[1];taint",
         "com.google.common.io;ByteStreams;false;readFully;(InputStream,byte[]);;Argument[0];Argument[1];taint",
         "com.google.common.io;ByteStreams;false;readFully;(InputStream,byte[],int,int);;Argument[0];Argument[1];taint",
@@ -61,7 +62,21 @@ private class GuavaIoCsv extends SummaryModelCsv {
         "com.google.common.io;MoreFiles;false;getFileExtension;(Path);;Argument[0];ReturnValue;taint",
         "com.google.common.io;MoreFiles;false;getNameWithoutExtension;(Path);;Argument[0];ReturnValue;taint",
         "com.google.common.io;LineReader;false;LineReader;(Readable);;Argument[0];ReturnValue;taint",
-        "com.google.common.io;LineReader;true;readLine;();;Argument[-1];ReturnValue;taint"
+        "com.google.common.io;LineReader;true;readLine;();;Argument[-1];ReturnValue;taint",
+        "com.google.common.io;ByteArrayDataOutput;true;toByteArray;();;Argument[-1];ReturnValue;taint",
+        "com.google.common.io;ByteArrayDataOutput;true;write;(byte[]);;Argument[0];Argument[-1];taint",
+        "com.google.common.io;ByteArrayDataOutput;true;write;(byte[],int,int);;Argument[0];Argument[-1];taint",
+        "com.google.common.io;ByteArrayDataOutput;true;write;(int);;Argument[0];Argument[-1];taint",
+        "com.google.common.io;ByteArrayDataOutput;true;writeByte;(int);;Argument[0];Argument[-1];taint",
+        "com.google.common.io;ByteArrayDataOutput;true;writeBytes;(String);;Argument[0];Argument[-1];taint",
+        "com.google.common.io;ByteArrayDataOutput;true;writeChar;(int);;Argument[0];Argument[-1];taint",
+        "com.google.common.io;ByteArrayDataOutput;true;writeChars;(String);;Argument[0];Argument[-1];taint",
+        "com.google.common.io;ByteArrayDataOutput;true;writeDouble;(double);;Argument[0];Argument[-1];taint",
+        "com.google.common.io;ByteArrayDataOutput;true;writeFloat;(float);;Argument[0];Argument[-1];taint",
+        "com.google.common.io;ByteArrayDataOutput;true;writeInt;(int);;Argument[0];Argument[-1];taint",
+        "com.google.common.io;ByteArrayDataOutput;true;writeLong;(long);;Argument[0];Argument[-1];taint",
+        "com.google.common.io;ByteArrayDataOutput;true;writeShort;(int);;Argument[0];Argument[-1];taint",
+        "com.google.common.io;ByteArrayDataOutput;true;writeUTF;(String);;Argument[0];Argument[-1];taint"
       ]
   }
 }
diff --git a/java/ql/test/library-tests/frameworks/guava/TestIO.java b/java/ql/test/library-tests/frameworks/guava/TestIO.java
@@ -81,6 +81,9 @@ void test3() throws IOException {
         sink(ByteStreams.newDataInput(btaint())); // $numTaintFlow=1
         sink(ByteStreams.newDataInput(btaint()).readLine()); // $ MISSING:numTaintFlow=1
         sink(ByteStreams.newDataInput(new ByteArrayInputStream(btaint()))); // $numTaintFlow=1
+        ByteArrayOutputStream out = new ByteArrayOutputStream();
+        out.write(btaint());
+        sink(ByteStreams.newDataOutput(out)); // $numTaintFlow=1
         byte[] b1 = null, b2 = null, b3 = null;
         ByteStreams.read(itaint(), b1, 0, 42);
         sink(b1); // $numTaintFlow=1
@@ -90,6 +93,9 @@ void test3() throws IOException {
         sink(b3); // $numTaintFlow=1
         sink(ByteStreams.readBytes(itaint(), new MyByteProcessor())); // $ MISSING:numTaintFlow=1
         sink(ByteStreams.toByteArray(itaint())); // $numTaintFlow=1
+        ByteArrayDataOutput out2 = ByteStreams.newDataOutput();
+        out2.writeUTF(staint());
+        sink(out2.toByteArray()); // $numTaintFlow=1
 
         StringBuffer buf = new StringBuffer();
         CharStreams.copy(rtaint(), buf);
