Merge pull request github#5456 from aschackmull/java/adopt-flow-summary

Java: Use shared flow summary library for CSV models.

Author: aschackmull

java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll

@@ -67,6 +67,7 @@
 import java
 private import semmle.code.java.dataflow.DataFlow::DataFlow
 private import internal.DataFlowPrivate
+private import FlowSummary
 
 /**
  * A module importing the frameworks that provide external flow data,
@@ -459,7 +460,8 @@ module CsvValidation {
       summaryModel(_, _, _, _, _, _, input, _, _) and pred = "summary"
     |
       specSplit(input, part, _) and
-      not part.regexpMatch("|Argument|ReturnValue") and
+      not part.regexpMatch("|ReturnValue|ArrayElement|Element|MapKey|MapValue") and
+      not (part = "Argument" and pred = "sink") and
       not parseArg(part, _) and
       msg = "Unrecognized input specification \"" + part + "\" in " + pred + " model."
     )
@@ -470,7 +472,8 @@ module CsvValidation {
       summaryModel(_, _, _, _, _, _, _, output, _) and pred = "summary"
     |
       specSplit(output, part, _) and
-      not part.regexpMatch("|Argument|Parameter|ReturnValue") and
+      not part.regexpMatch("|ReturnValue|ArrayElement|Element|MapKey|MapValue") and
+      not (part = ["Argument", "Parameter"] and pred = "source") and
       not parseArg(part, _) and
       not parseParam(part, _) and
       msg = "Unrecognized output specification \"" + part + "\" in " + pred + " model."
@@ -675,6 +678,75 @@ private predicate summaryElementRef(Top ref, string input, string output, string
   )
 }
 
+private SummaryComponent interpretComponent(string c) {
+  specSplit(_, c, _) and
+  (
+    exists(int pos | parseArg(c, pos) and result = SummaryComponent::argument(pos))
+    or
+    exists(int pos | parseParam(c, pos) and result = SummaryComponent::parameter(pos))
+    or
+    c = "ReturnValue" and result = SummaryComponent::return()
+    or
+    c = "ArrayElement" and result = SummaryComponent::content(any(ArrayContent c0))
+    or
+    c = "Element" and result = SummaryComponent::content(any(CollectionContent c0))
+    or
+    c = "MapKey" and result = SummaryComponent::content(any(MapKeyContent c0))
+    or
+    c = "MapValue" and result = SummaryComponent::content(any(MapValueContent c0))
+  )
+}
+
+private predicate interpretSpec(string spec, int idx, SummaryComponentStack stack) {
+  exists(string c |
+    summaryElement(_, spec, _, _) or
+    summaryElement(_, _, spec, _)
+  |
+    len(spec, idx + 1) and
+    specSplit(spec, c, idx) and
+    stack = SummaryComponentStack::singleton(interpretComponent(c))
+  )
+  or
+  exists(SummaryComponent head, SummaryComponentStack tail |
+    interpretSpec(spec, idx, head, tail) and
+    stack = SummaryComponentStack::push(head, tail)
+  )
+}
+
+private predicate interpretSpec(
+  string output, int idx, SummaryComponent head, SummaryComponentStack tail
+) {
+  exists(string c |
+    interpretSpec(output, idx + 1, tail) and
+    specSplit(output, c, idx) and
+    head = interpretComponent(c)
+  )
+}
+
+private class MkStack extends RequiredSummaryComponentStack {
+  MkStack() { interpretSpec(_, _, _, this) }
+
+  override predicate required(SummaryComponent c) { interpretSpec(_, _, c, this) }
+}
+
+private class SummarizedCallableExternal extends SummarizedCallable {
+  SummarizedCallableExternal() { summaryElement(this, _, _, _) }
+
+  override predicate propagatesFlow(
+    SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue
+  ) {
+    exists(string inSpec, string outSpec, string kind |
+      summaryElement(this, inSpec, outSpec, kind) and
+      interpretSpec(inSpec, 0, input) and
+      interpretSpec(outSpec, 0, output)
+    |
+      kind = "value" and preservesValue = true
+      or
+      kind = "taint" and preservesValue = false
+    )
+  }
+}
+
 private newtype TAstOrNode =
   TAst(Top t) or
   TNode(Node n)
@@ -761,15 +833,3 @@ predicate sinkNode(Node node, string kind) {
     interpretInput(input, 0, ref, TNode(node))
   )
 }
-
-/**
- * Holds if `node1` to `node2` is specified as a flow step with the given kind
- * in a CSV flow model.
- */
-predicate summaryStep(Node node1, Node node2, string kind) {
-  exists(Top ref, string input, string output |
-    summaryElementRef(ref, input, output, kind) and
-    interpretInput(input, 0, ref, TNode(node1)) and
-    interpretOutput(output, 0, ref, TNode(node2))
-  )
-}

java/ql/src/semmle/code/java/dataflow/FlowSummary.qll

@@ -7,8 +7,10 @@ private import internal.FlowSummaryImpl as Impl
 private import internal.DataFlowDispatch
 private import internal.DataFlowPrivate
 
-// import all instances below
-private module Summaries { }
+// import all instances of SummarizedCallable below
+private module Summaries {
+  private import semmle.code.java.dataflow.ExternalFlow
+}
 
 class SummaryComponent = Impl::Public::SummaryComponent;
 

java/ql/src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll

@@ -84,8 +84,10 @@ private predicate instanceFieldAssign(Expr src, FieldAccess fa) {
 
 private newtype TContent =
   TFieldContent(InstanceField f) or
+  TArrayContent() or
   TCollectionContent() or
-  TArrayContent()
+  TMapKeyContent() or
+  TMapValueContent()
 
 /**
  * A reference contained in an object. Examples include instance fields, the
@@ -114,12 +116,20 @@ class FieldContent extends Content, TFieldContent {
   }
 }
 
+class ArrayContent extends Content, TArrayContent {
+  override string toString() { result = "[]" }
+}
+
 class CollectionContent extends Content, TCollectionContent {
-  override string toString() { result = "collection" }
+  override string toString() { result = "<element>" }
 }
 
-class ArrayContent extends Content, TArrayContent {
-  override string toString() { result = "array" }
+class MapKeyContent extends Content, TMapKeyContent {
+  override string toString() { result = "<map.key>" }
+}
+
+class MapValueContent extends Content, TMapValueContent {
+  override string toString() { result = "<map.value>" }
 }
 
 /**

java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll

@@ -142,8 +142,6 @@ predicate simpleLocalFlowStep(Node node1, Node node2) {
   or
   node2.asExpr().(AssignExpr).getSource() = node1.asExpr()
   or
-  summaryStep(node1, node2, "value")
-  or
   exists(MethodAccess ma, ValuePreservingMethod m, int argNo |
     ma.getCallee().getSourceDeclaration() = m and m.returnsValue(argNo)
   |
@@ -152,6 +150,14 @@ predicate simpleLocalFlowStep(Node node1, Node node2) {
   )
   or
   FlowSummaryImpl::Private::Steps::summaryLocalStep(node1, node2, true)
+  or
+  // If flow through a method updates a parameter from some input A, and that
+  // parameter also is returned through B, then we'd like a combined flow from A
+  // to B as well. As an example, this simplifies modeling of fluent methods:
+  // for `StringBuilder.append(x)` with a specified value flow from qualifier to
+  // return value and taint flow from argument 0 to the qualifier, then this
+  // allows us to infer taint flow from argument 0 to the return value.
+  node1.(SummaryNode).(PostUpdateNode).getPreUpdateNode().(ParameterNode) = node2
 }
 
 /**

java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll

@@ -46,47 +46,19 @@ predicate localTaintStep(DataFlow::Node src, DataFlow::Node sink) {
  * different objects.
  */
 predicate localAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {
-  localAdditionalBasicTaintStep(src, sink)
-  or
-  composedValueAndTaintModelStep(src, sink)
-}
-
-private predicate localAdditionalBasicTaintStep(DataFlow::Node src, DataFlow::Node sink) {
   localAdditionalTaintExprStep(src.asExpr(), sink.asExpr())
   or
   localAdditionalTaintUpdateStep(src.asExpr(),
     sink.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr())
   or
-  summaryStep(src, sink, "taint") and
-  not summaryStep(src, sink, "value")
-  or
   exists(Argument arg |
     src.asExpr() = arg and
     arg.isVararg() and
     sink.(DataFlow::ImplicitVarargsArray).getCall() = arg.getCall()
   )
   or
-  FlowSummaryImpl::Private::Steps::summaryLocalStep(src, sink, false)
-}
-
-/**
- * Holds if an additional step from `src` to `sink` through a call can be inferred from the
- * combination of a value-preserving step providing an alias between an input and the output
- * and a taint step from `src` to one the aliased nodes. For example, if we know that `f(a, b)` returns
- * the exact value of `a` and also propagates taint from `b` to `a`, then we also know that
- * the return value is tainted after `f` completes.
- */
-private predicate composedValueAndTaintModelStep(ArgumentNode src, DataFlow::Node sink) {
-  exists(Call call, ArgumentNode valueSource, DataFlow::PostUpdateNode valueSourcePost |
-    src.argumentOf(call, _) and
-    valueSource.argumentOf(call, _) and
-    src != valueSource and
-    valueSourcePost.getPreUpdateNode() = valueSource and
-    // in-x -value-> out-y and in-z -taint-> in-x ==> in-z -taint-> out-y
-    localAdditionalBasicTaintStep(src, valueSourcePost) and
-    DataFlow::localFlowStep(valueSource, DataFlow::exprNode(call)) and
-    sink = DataFlow::exprNode(call)
-  )
+  FlowSummaryImpl::Private::Steps::summaryLocalStep(src, sink, false) and
+  not FlowSummaryImpl::Private::Steps::summaryLocalStep(src, sink, true)
 }
 
 /**

java/ql/src/semmle/code/java/frameworks/ApacheHttp.qll

@@ -149,9 +149,8 @@ private class ApacheHttpFlowStep extends SummaryModelCsv {
         "org.apache.hc.core5.http.message;RequestLine;true;getMethod;();;Argument[-1];ReturnValue;taint",
         "org.apache.hc.core5.http.message;RequestLine;true;getUri;();;Argument[-1];ReturnValue;taint",
         "org.apache.hc.core5.http.message;RequestLine;true;toString;();;Argument[-1];ReturnValue;taint",
-        "org.apache.hc.core5.http.message;RequestLine;true;RequestLine;(HttpRequest);;Argument[0];ReturnValue;taint",
-        "org.apache.hc.core5.http.message;RequestLine;true;RequestLine;(String,String,ProtocolVersion);;Argument[1];ReturnValue;taint",
-        "org.apache.hc.core5.http.message;RequestLine;true;RequestLine;(String,String,ProtocolVersion);;Argument[1];ReturnValue;taint",
+        "org.apache.hc.core5.http.message;RequestLine;true;RequestLine;(HttpRequest);;Argument[0];Argument[-1];taint",
+        "org.apache.hc.core5.http.message;RequestLine;true;RequestLine;(String,String,ProtocolVersion);;Argument[1];Argument[-1];taint",
         "org.apache.hc.core5.function;Supplier;true;get;();;Argument[-1];ReturnValue;taint",
         "org.apache.hc.core5.net;URIAuthority;true;getHostName;();;Argument[-1];ReturnValue;taint",
         "org.apache.hc.core5.net;URIAuthority;true;toString;();;Argument[-1];ReturnValue;taint",
@@ -181,16 +180,16 @@ private class ApacheHttpFlowStep extends SummaryModelCsv {
         "org.apache.hc.core5.http.io.entity;HttpEntities;true;withTrailers;;;Argument[0];ReturnValue;taint",
         "org.apache.http.entity;BasicHttpEntity;true;setContent;(InputStream);;Argument[0];Argument[-1];taint",
         "org.apache.http.entity;BufferedHttpEntity;true;BufferedHttpEntity;(HttpEntity);;Argument[0];ReturnValue;taint",
-        "org.apache.http.entity;ByteArrayEntity;true;ByteArrayEntity;;;Argument[0];ReturnValue;taint",
+        "org.apache.http.entity;ByteArrayEntity;true;ByteArrayEntity;;;Argument[0];Argument[-1];taint",
         "org.apache.http.entity;HttpEntityWrapper;true;HttpEntityWrapper;(HttpEntity);;Argument[0];ReturnValue;taint",
         "org.apache.http.entity;InputStreamEntity;true;InputStreamEntity;;;Argument[0];ReturnValue;taint",
-        "org.apache.http.entity;StringEntity;true;StringEntity;;;Argument[0];ReturnValue;taint",
+        "org.apache.http.entity;StringEntity;true;StringEntity;;;Argument[0];Argument[-1];taint",
         "org.apache.hc.core5.http.io.entity;BasicHttpEntity;true;BasicHttpEntity;;;Argument[0];ReturnValue;taint",
         "org.apache.hc.core5.http.io.entity;BufferedHttpEntity;true;BufferedHttpEntity;(HttpEntity);;Argument[0];ReturnValue;taint",
-        "org.apache.hc.core5.http.io.entity;ByteArrayEntity;true;ByteArrayEntity;;;Argument[0];ReturnValue;taint",
+        "org.apache.hc.core5.http.io.entity;ByteArrayEntity;true;ByteArrayEntity;;;Argument[0];Argument[-1];taint",
         "org.apache.hc.core5.http.io.entity;HttpEntityWrapper;true;HttpEntityWrapper;(HttpEntity);;Argument[0];ReturnValue;taint",
         "org.apache.hc.core5.http.io.entity;InputStreamEntity;true;InputStreamEntity;;;Argument[0];ReturnValue;taint",
-        "org.apache.hc.core5.http.io.entity;StringEntity;true;StringEntity;;;Argument[0];ReturnValue;taint",
+        "org.apache.hc.core5.http.io.entity;StringEntity;true;StringEntity;;;Argument[0];Argument[-1];taint",
         "org.apache.http.util;ByteArrayBuffer;true;append;(byte[],int,int);;Argument[0];Argument[-1];taint",
         "org.apache.http.util;ByteArrayBuffer;true;append;(char[],int,int);;Argument[0];Argument[-1];taint",
         "org.apache.http.util;ByteArrayBuffer;true;append;(CharArrayBuffer,int,int);;Argument[0];Argument[-1];taint",

java/ql/src/semmle/code/java/frameworks/apache/Lang.qll

@@ -626,12 +626,12 @@ private class ApacheObjectUtilsModel extends SummaryModelCsv {
         "org.apache.commons.lang3;ObjectUtils;false;CONST_BYTE;;;Argument[0];ReturnValue;value",
         "org.apache.commons.lang3;ObjectUtils;false;CONST_SHORT;;;Argument[0];ReturnValue;value",
         "org.apache.commons.lang3;ObjectUtils;false;defaultIfNull;;;Argument[0..1];ReturnValue;value",
-        "org.apache.commons.lang3;ObjectUtils;false;firstNonNull;;;Argument[0];ReturnValue;taint",
+        "org.apache.commons.lang3;ObjectUtils;false;firstNonNull;;;ArrayElement of Argument[0];ReturnValue;value",
         "org.apache.commons.lang3;ObjectUtils;false;getIfNull;;;Argument[0];ReturnValue;value",
-        "org.apache.commons.lang3;ObjectUtils;false;max;;;Argument[0];ReturnValue;taint",
-        "org.apache.commons.lang3;ObjectUtils;false;median;;;Argument[0];ReturnValue;taint",
-        "org.apache.commons.lang3;ObjectUtils;false;min;;;Argument[0];ReturnValue;taint",
-        "org.apache.commons.lang3;ObjectUtils;false;mode;;;Argument[0];ReturnValue;taint",
+        "org.apache.commons.lang3;ObjectUtils;false;max;;;ArrayElement of Argument[0];ReturnValue;value",
+        "org.apache.commons.lang3;ObjectUtils;false;median;;;ArrayElement of Argument[0];ReturnValue;value",
+        "org.apache.commons.lang3;ObjectUtils;false;min;;;ArrayElement of Argument[0];ReturnValue;value",
+        "org.apache.commons.lang3;ObjectUtils;false;mode;;;ArrayElement of Argument[0];ReturnValue;value",
         "org.apache.commons.lang3;ObjectUtils;false;requireNonEmpty;;;Argument[0];ReturnValue;value",
         "org.apache.commons.lang3;ObjectUtils;false;toString;(Object,String);;Argument[1];ReturnValue;value"
       ]

java/ql/src/semmle/code/java/frameworks/guava/Base.qll

@@ -13,7 +13,8 @@ private class GuavaBaseCsv extends SummaryModelCsv {
         "com.google.common.base;Strings;false;padStart;(String,int,char);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Strings;false;padEnd;(String,int,char);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Strings;false;repeat;(String,int);;Argument[0];ReturnValue;taint",
-        "com.google.common.base;Strings;false;lenientFormat;(String,Object[]);;Argument;ReturnValue;taint",
+        "com.google.common.base;Strings;false;lenientFormat;(String,Object[]);;Argument[0];ReturnValue;taint",
+        "com.google.common.base;Strings;false;lenientFormat;(String,Object[]);;ArrayElement of Argument[1];ReturnValue;taint",
         "com.google.common.base;Joiner;false;on;(String);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Joiner;false;skipNulls;();;Argument[-1];ReturnValue;taint",
         "com.google.common.base;Joiner;false;useForNull;(String);;Argument[-1];ReturnValue;taint",
@@ -22,14 +23,14 @@ private class GuavaBaseCsv extends SummaryModelCsv {
         "com.google.common.base;Joiner;false;withKeyValueSeparator;(String);;Argument[-1];ReturnValue;taint",
         "com.google.common.base;Joiner;false;withKeyValueSeparator;(char);;Argument[-1];ReturnValue;taint",
         // Note: The signatures of some of the appendTo methods involve collection flow
-        "com.google.common.base;Joiner;false;appendTo;;;Argument;Argument[0];taint",
+        "com.google.common.base;Joiner;false;appendTo;;;Argument[-1..3];Argument[0];taint",
         "com.google.common.base;Joiner;false;appendTo;;;Argument[0];ReturnValue;value",
-        "com.google.common.base;Joiner;false;join;;;Argument;ReturnValue;taint",
+        "com.google.common.base;Joiner;false;join;;;Argument[-1..2];ReturnValue;taint",
         "com.google.common.base;Joiner$MapJoiner;false;useForNull;(String);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Joiner$MapJoiner;false;useForNull;(String);;Argument[-1];ReturnValue;taint",
-        "com.google.common.base;Joiner$MapJoiner;false;appendTo;;;Argument;Argument[0];taint",
+        "com.google.common.base;Joiner$MapJoiner;false;appendTo;;;Argument[1];Argument[0];taint",
         "com.google.common.base;Joiner$MapJoiner;false;appendTo;;;Argument[0];ReturnValue;value",
-        "com.google.common.base;Joiner$MapJoiner;false;join;;;Argument;ReturnValue;taint",
+        "com.google.common.base;Joiner$MapJoiner;false;join;;;Argument[-1..0];ReturnValue;taint",
         "com.google.common.base;Splitter;false;split;(CharSequence);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Splitter;false;splitToList;(CharSequence);;Argument[0];ReturnValue;taint",
         "com.google.common.base;Splitter;false;splitToStream;(CharSequence);;Argument[0];ReturnValue;taint",

java/ql/src/semmle/code/java/frameworks/guava/IO.qll

@@ -61,7 +61,7 @@ private class GuavaIoCsv extends SummaryModelCsv {
         "com.google.common.io;Files;false;simplifyPath;(String);;Argument[0];ReturnValue;taint",
         "com.google.common.io;MoreFiles;false;getFileExtension;(Path);;Argument[0];ReturnValue;taint",
         "com.google.common.io;MoreFiles;false;getNameWithoutExtension;(Path);;Argument[0];ReturnValue;taint",
-        "com.google.common.io;LineReader;false;LineReader;(Readable);;Argument[0];ReturnValue;taint",
+        "com.google.common.io;LineReader;false;LineReader;(Readable);;Argument[0];Argument[-1];taint",
         "com.google.common.io;LineReader;true;readLine;();;Argument[-1];ReturnValue;taint",
         "com.google.common.io;ByteArrayDataOutput;true;toByteArray;();;Argument[-1];ReturnValue;taint",
         "com.google.common.io;ByteArrayDataOutput;true;write;(byte[]);;Argument[0];Argument[-1];taint",