
Commit 4012656

committed
Java: migrate 'qualifier to arg' taint steps to CSV
1 parent c08230c commit 4012656


2 files changed

+11
-22
lines changed


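--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -182,7 +182,16 @@ private predicate sourceModelCsv(string row) {
 
 private predicate sinkModelCsv(string row) { none() }
 
-private predicate summaryModelCsv(string row) { none() }
+private predicate summaryModelCsv(string row) {
+row =
+[
+// qualifier to arg
+"java.io;InputStream;true;read;(byte[]);;Argument[-1];Argument[0];taint",
+"java.io;InputStream;true;read;(byte[],int,int);;Argument[-1];Argument[0];taint",
+"java.io;ByteArrayOutputStream;false;writeTo;;;Argument[-1];Argument[0];taint",
+"java.io;Reader;true;read;;;Argument[-1];Argument[0];taint"
+]
+}
 
 /**
 * A unit class for adding additional source model rows.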
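Review bot: The four rows added to `summaryModelCsv` are documented only by `// qualifier to arg`, so a reader has to count semicolons to see which field is the signature and which are the input and output. A comment above the list would make them reviewable, e.g. `// package;type;subtypes;name;signature;ext;input;output;kind (Argument[-1] is the qualifier)`. Unlike the removed QL predicate, a typo in one of these strings would presumably match nothing instead of failing to compile, which would show up as a missed taint step in security queries. The `InputStream` rows pin `(byte[])` and `(byte[],int,int)` while the `Reader` row leaves the signature empty; if that asymmetry is deliberate, a short remark in the same comment would save the next reviewer the question.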

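--- a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -267,32 +267,12 @@ private int argToParam(Call call, int arg) {
 /** Access to a method that passes taint from qualifier to argument. */
 private predicate qualifierToArgumentStep(Expr tracked, Expr sink) {
 exists(MethodAccess ma, int arg |
-taintPreservingQualifierToArgument(ma.getMethod(), argToParam(ma, arg)) and
+ma.getMethod().(TaintPreservingCallable).transfersTaint(-1, argToParam(ma, arg)) and
 tracked = ma.getQualifier() and
 sink = ma.getArgument(arg)
 )
 }
 
-/** Methods that passes tainted data from qualifier to argument. */
-private predicate taintPreservingQualifierToArgument(Method m, int arg) {
-m.getDeclaringType().hasQualifiedName("java.io", "ByteArrayOutputStream") and
-m.hasName("writeTo") and
-arg = 0
-or
-exists(Method read |
-m.overrides*(read) and
-read.getDeclaringType().hasQualifiedName("java.io", "InputStream") and
-read.hasName("read") and
-arg = 0
-)
-or
-m.getDeclaringType().getASupertype*().hasQualifiedName("java.io", "Reader") and
-m.hasName("read") and
-arg = 0
-or
-m.(TaintPreservingCallable).transfersTaint(-1, arg)
-}
-
 /** Access to a method that passes taint from the qualifier. */
 private predicate qualifierToMethodStep(Expr tracked, MethodAccess sink) {
 (taintPreservingQualifierToMethod(sink.getMethod()) or unsafeEscape(sink)) and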
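Review bot: The doc comment on `qualifierToArgumentStep` still describes it as the general qualifier-to-argument step, but after this change it only fires for `TaintPreservingCallable` implementations. Rewording it to something like `/** Access to a method that passes taint from qualifier to argument, as declared by a TaintPreservingCallable; library models for this flow are rows in summaryModelCsv. */` would point the next contributor to the CSV instead of this predicate. It is also worth confirming that summary rows feed every step relation this predicate used to feed, local taint as well as global. That wiring is outside the hunk, and if it is missing the `InputStream.read`, `Reader.read` and `ByteArrayOutputStream.writeTo` steps would drop out of query results silently. No test file is part of this commit, so a regression test covering those three flows would make the migration verifiable.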
