Merge pull request github#6353 from sauyon/sauyon/java/model-constructors

Java: Add models for collection constructors

Author: smowton

java/change-notes/2021-07-22-model-collection-constructors.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added additional taint steps modeling constructors for collections in `java.util`.

java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll

@@ -368,7 +368,44 @@ private class ContainerFlowSummaries extends SummaryModelCsv {
         "java.util;Collections;false;copy;(List,List);;Element of Argument[1];Element of Argument[0];value",
         "java.util;Collections;false;fill;(List,Object);;Argument[1];Element of Argument[0];value",
         "java.util;Arrays;false;asList;;;ArrayElement of Argument[0];Element of ReturnValue;value",
-        "java.util;Collections;false;addAll;(Collection,Object[]);;ArrayElement of Argument[1];Element of Argument[0];value"
+        "java.util;Collections;false;addAll;(Collection,Object[]);;ArrayElement of Argument[1];Element of Argument[0];value",
+        "java.util;AbstractMap$SimpleEntry;false;SimpleEntry;(Object,Object);;Argument[0];MapKey of Argument[-1];value",
+        "java.util;AbstractMap$SimpleEntry;false;SimpleEntry;(Object,Object);;Argument[1];MapValue of Argument[-1];value",
+        "java.util;AbstractMap$SimpleEntry;false;SimpleEntry;(Entry);;MapKey of Argument[0];MapKey of Argument[-1];value",
+        "java.util;AbstractMap$SimpleEntry;false;SimpleEntry;(Entry);;MapValue of Argument[0];MapValue of Argument[-1];value",
+        "java.util;AbstractMap$SimpleImmutableEntry;false;SimpleImmutableEntry;(Object,Object);;Argument[0];MapKey of Argument[-1];value",
+        "java.util;AbstractMap$SimpleImmutableEntry;false;SimpleImmutableEntry;(Object,Object);;Argument[1];MapValue of Argument[-1];value",
+        "java.util;AbstractMap$SimpleImmutableEntry;false;SimpleImmutableEntry;(Entry);;MapKey of Argument[0];MapKey of Argument[-1];value",
+        "java.util;AbstractMap$SimpleImmutableEntry;false;SimpleImmutableEntry;(Entry);;MapValue of Argument[0];MapValue of Argument[-1];value",
+        "java.util;ArrayDeque;false;ArrayDeque;(Collection);;Element of Argument[0];Element of Argument[-1];value",
+        "java.util;ArrayList;false;ArrayList;(Collection);;Element of Argument[0];Element of Argument[-1];value",
+        "java.util;EnumMap;false;EnumMap;(Map);;MapKey of Argument[0];MapKey of Argument[-1];value",
+        "java.util;EnumMap;false;EnumMap;(Map);;MapValue of Argument[0];MapValue of Argument[-1];value",
+        "java.util;EnumMap;false;EnumMap;(EnumMap);;MapKey of Argument[0];MapKey of Argument[-1];value",
+        "java.util;EnumMap;false;EnumMap;(EnumMap);;MapValue of Argument[0];MapValue of Argument[-1];value",
+        "java.util;HashMap;false;HashMap;(Map);;MapKey of Argument[0];MapKey of Argument[-1];value",
+        "java.util;HashMap;false;HashMap;(Map);;MapValue of Argument[0];MapValue of Argument[-1];value",
+        "java.util;HashSet;false;HashSet;(Collection);;Element of Argument[0];Element of Argument[-1];value",
+        "java.util;Hashtable;false;Hashtable;(Map);;MapKey of Argument[0];MapKey of Argument[-1];value",
+        "java.util;Hashtable;false;Hashtable;(Map);;MapValue of Argument[0];MapValue of Argument[-1];value",
+        "java.util;IdentityHashMap;false;IdentityHashMap;(Map);;MapKey of Argument[0];MapKey of Argument[-1];value",
+        "java.util;IdentityHashMap;false;IdentityHashMap;(Map);;MapValue of Argument[0];MapValue of Argument[-1];value",
+        "java.util;LinkedHashMap;false;LinkedHashMap;(Map);;MapKey of Argument[0];MapKey of Argument[-1];value",
+        "java.util;LinkedHashMap;false;LinkedHashMap;(Map);;MapValue of Argument[0];MapValue of Argument[-1];value",
+        "java.util;LinkedHashSet;false;LinkedHashSet;(Collection);;Element of Argument[0];Element of Argument[-1];value",
+        "java.util;LinkedList;false;LinkedList;(Collection);;Element of Argument[0];Element of Argument[-1];value",
+        "java.util;PriorityQueue;false;PriorityQueue;(Collection);;Element of Argument[0];Element of Argument[-1];value",
+        "java.util;PriorityQueue;false;PriorityQueue;(PriorityQueue);;Element of Argument[0];Element of Argument[-1];value",
+        "java.util;PriorityQueue;false;PriorityQueue;(SortedSet);;Element of Argument[0];Element of Argument[-1];value",
+        "java.util;TreeMap;false;TreeMap;(Map);;MapKey of Argument[0];MapKey of Argument[-1];value",
+        "java.util;TreeMap;false;TreeMap;(Map);;MapValue of Argument[0];MapValue of Argument[-1];value",
+        "java.util;TreeMap;false;TreeMap;(SortedMap);;MapKey of Argument[0];MapKey of Argument[-1];value",
+        "java.util;TreeMap;false;TreeMap;(SortedMap);;MapValue of Argument[0];MapValue of Argument[-1];value",
+        "java.util;TreeSet;false;TreeSet;(Collection);;Element of Argument[0];Element of Argument[-1];value",
+        "java.util;TreeSet;false;TreeSet;(SortedSet);;Element of Argument[0];Element of Argument[-1];value",
+        "java.util;Vector;false;Vector;(Collection);;Element of Argument[0];Element of Argument[-1];value",
+        "java.util;WeakHashMap;false;WeakHashMap;(Map);;MapKey of Argument[0];MapKey of Argument[-1];value",
+        "java.util;WeakHashMap;false;WeakHashMap;(Map);;MapValue of Argument[0];MapValue of Argument[-1];value"
       ]
   }
 }

java/ql/test/library-tests/dataflow/collections/Constructors.java

@@ -0,0 +1,286 @@
+package generatedtest;
+
+import java.util.AbstractMap;
+import java.util.ArrayDeque;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.EnumMap;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Hashtable;
+import java.util.IdentityHashMap;
+import java.util.LinkedHashMap;
+import java.util.LinkedHashSet;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+import java.util.PriorityQueue;
+import java.util.SortedMap;
+import java.util.SortedSet;
+import java.util.TreeMap;
+import java.util.TreeSet;
+import java.util.Vector;
+import java.util.WeakHashMap;
+
+// Test case generated by GenerateFlowTestCase.ql
+public class Constructors {
+
+	Object getElement(Collection container) { return container.iterator().next(); }
+	Object getMapKey(Map container) { return container.keySet().iterator().next(); }
+	Object getMapValue(Map container) { return container.get(null); }
+	Object getMapKey(Map.Entry container) { return container.getKey(); }
+	Object getMapValue(Map.Entry container) { return container.getValue(); }
+	Object source() { return null; }
+	void sink(Object o) { }
+
+	public void test() {
+
+		{
+			// "java.util;AbstractMap$SimpleEntry;false;SimpleEntry;(Entry);;MapKey of Argument[0];MapKey of Argument[-1];value"
+			AbstractMap.SimpleEntry out = null;
+			Map.Entry in = new AbstractMap.SimpleEntry(source(), null);
+			out = new AbstractMap.SimpleEntry(in);
+			sink(getMapKey(out)); // $ hasValueFlow
+		}
+		{
+			// "java.util;AbstractMap$SimpleEntry;false;SimpleEntry;(Entry);;MapValue of Argument[0];MapValue of Argument[-1];value"
+			AbstractMap.SimpleEntry out = null;
+			Map.Entry in = new AbstractMap.SimpleEntry(null, source());;
+			out = new AbstractMap.SimpleEntry(in);
+			sink(getMapValue(out)); // $ hasValueFlow
+		}
+		{
+			// "java.util;AbstractMap$SimpleEntry;false;SimpleEntry;(Object,Object);;Argument[0];MapKey of Argument[-1];value"
+			AbstractMap.SimpleEntry out = null;
+			Object in = source();
+			out = new AbstractMap.SimpleEntry(in, null);
+			sink(getMapKey(out)); // $ hasValueFlow
+		}
+		{
+			// "java.util;AbstractMap$SimpleEntry;false;SimpleEntry;(Object,Object);;Argument[1];MapValue of Argument[-1];value"
+			AbstractMap.SimpleEntry out = null;
+			Object in = source();
+			out = new AbstractMap.SimpleEntry(null, in);
+			sink(getMapValue(out)); // $ hasValueFlow
+		}
+		{
+			// "java.util;AbstractMap$SimpleImmutableEntry;false;SimpleImmutableEntry;(Entry);;MapKey of Argument[0];MapKey of Argument[-1];value"
+			AbstractMap.SimpleImmutableEntry out = null;
+			Map.Entry in = new AbstractMap.SimpleEntry(source(), null);
+			out = new AbstractMap.SimpleImmutableEntry(in);
+			sink(getMapKey(out)); // $ hasValueFlow
+		}
+		{
+			// "java.util;AbstractMap$SimpleImmutableEntry;false;SimpleImmutableEntry;(Entry);;MapValue of Argument[0];MapValue of Argument[-1];value"
+			AbstractMap.SimpleImmutableEntry out = null;
+			Map.Entry in = new AbstractMap.SimpleEntry(null, source());
+			out = new AbstractMap.SimpleImmutableEntry(in);
+			sink(getMapValue(out)); // $ hasValueFlow
+		}
+		{
+			// "java.util;ArrayDeque;false;ArrayDeque;(Collection);;Element of Argument[0];Element of Argument[-1];value"
+			ArrayDeque out = null;
+			Collection in = List.of(source());
+			out = new ArrayDeque(in);
+			sink(getElement(out)); // $ hasValueFlow
+		}
+		{
+			// "java.util;ArrayList;false;ArrayList;(Collection);;Element of Argument[0];Element of Argument[-1];value"
+			ArrayList out = null;
+			Collection in = List.of(source());
+			out = new ArrayList(in);
+			sink(getElement(out)); // $ hasValueFlow
+		}
+		{
+			// "java.util;EnumMap;false;EnumMap;(EnumMap);;MapKey of Argument[0];MapKey of Argument[-1];value"
+			EnumMap out = null;
+			EnumMap in = new EnumMap(Map.of(source(), null));
+			out = new EnumMap(in);
+			sink(getMapKey(out)); // $ hasValueFlow
+		}
+		{
+			// "java.util;EnumMap;false;EnumMap;(EnumMap);;MapValue of Argument[0];MapValue of Argument[-1];value"
+			EnumMap out = null;
+			EnumMap in = new EnumMap(Map.of(null, source()));
+			out = new EnumMap(in);
+			sink(getMapValue(out)); // $ hasValueFlow
+		}
+		{
+			// "java.util;EnumMap;false;EnumMap;(Map);;MapKey of Argument[0];MapKey of Argument[-1];value"
+			EnumMap out = null;
+			Map in = Map.of(source(), null);
+			out = new EnumMap(in);
+			sink(getMapKey(out)); // $ hasValueFlow
+		}
+		{
+			// "java.util;EnumMap;false;EnumMap;(Map);;MapValue of Argument[0];MapValue of Argument[-1];value"
+			EnumMap out = null;
+			Map in = Map.of(null, source());
+			out = new EnumMap(in);
+			sink(getMapValue(out)); // $ hasValueFlow
+		}
+		{
+			// "java.util;HashMap;false;HashMap;(Map);;MapKey of Argument[0];MapKey of Argument[-1];value"
+			HashMap out = null;
+			Map in = Map.of(source(), null);
+			out = new HashMap(in);
+			sink(getMapKey(out)); // $ hasValueFlow
+		}
+		{
+			// "java.util;HashMap;false;HashMap;(Map);;MapValue of Argument[0];MapValue of Argument[-1];value"
+			HashMap out = null;
+			Map in = Map.of(null, source());
+			out = new HashMap(in);
+			sink(getMapValue(out)); // $ hasValueFlow
+		}
+		{
+			// "java.util;HashSet;false;HashSet;(Collection);;Element of Argument[0];Element of Argument[-1];value"
+			HashSet out = null;
+			Collection in = List.of(source());
+			out = new HashSet(in);
+			sink(getElement(out)); // $ hasValueFlow
+		}
+		{
+			// "java.util;Hashtable;false;Hashtable;(Map);;MapKey of Argument[0];MapKey of Argument[-1];value"
+			Hashtable out = null;
+			Map in = Map.of(source(), null);
+			out = new Hashtable(in);
+			sink(getMapKey(out)); // $ hasValueFlow
+		}
+		{
+			// "java.util;Hashtable;false;Hashtable;(Map);;MapValue of Argument[0];MapValue of Argument[-1];value"
+			Hashtable out = null;
+			Map in = Map.of(null, source());
+			out = new Hashtable(in);
+			sink(getMapValue(out)); // $ hasValueFlow
+		}
+		{
+			// "java.util;IdentityHashMap;false;IdentityHashMap;(Map);;MapKey of Argument[0];MapKey of Argument[-1];value"
+			IdentityHashMap out = null;
+			Map in = Map.of(source(), null);
+			out = new IdentityHashMap(in);
+			sink(getMapKey(out)); // $ hasValueFlow
+		}
+		{
+			// "java.util;IdentityHashMap;false;IdentityHashMap;(Map);;MapValue of Argument[0];MapValue of Argument[-1];value"
+			IdentityHashMap out = null;
+			Map in = Map.of(null, source());
+			out = new IdentityHashMap(in);
+			sink(getMapValue(out)); // $ hasValueFlow
+		}
+		{
+			// "java.util;LinkedHashMap;false;LinkedHashMap;(Map);;MapKey of Argument[0];MapKey of Argument[-1];value"
+			LinkedHashMap out = null;
+			Map in = Map.of(source(), null);
+			out = new LinkedHashMap(in);
+			sink(getMapKey(out)); // $ hasValueFlow
+		}
+		{
+			// "java.util;LinkedHashMap;false;LinkedHashMap;(Map);;MapValue of Argument[0];MapValue of Argument[-1];value"
+			LinkedHashMap out = null;
+			Map in = Map.of(null, source());
+			out = new LinkedHashMap(in);
+			sink(getMapValue(out)); // $ hasValueFlow
+		}
+		{
+			// "java.util;LinkedHashSet;false;LinkedHashSet;(Collection);;Element of Argument[0];Element of Argument[-1];value"
+			LinkedHashSet out = null;
+			Collection in = List.of(source());
+			out = new LinkedHashSet(in);
+			sink(getElement(out)); // $ hasValueFlow
+		}
+		{
+			// "java.util;LinkedList;false;LinkedList;(Collection);;Element of Argument[0];Element of Argument[-1];value"
+			LinkedList out = null;
+			Collection in = List.of(source());
+			out = new LinkedList(in);
+			sink(getElement(out)); // $ hasValueFlow
+		}
+		{
+			// "java.util;PriorityQueue;false;PriorityQueue;(Collection);;Element of Argument[0];Element of Argument[-1];value"
+			PriorityQueue out = null;
+			Collection in = List.of(source());
+			out = new PriorityQueue(in);
+			sink(getElement(out)); // $ hasValueFlow
+		}
+		{
+			// "java.util;PriorityQueue;false;PriorityQueue;(PriorityQueue);;Element of Argument[0];Element of Argument[-1];value"
+			PriorityQueue out = null;
+			PriorityQueue in = new PriorityQueue(List.of(source()));
+			out = new PriorityQueue(in);
+			sink(getElement(out)); // $ hasValueFlow
+		}
+		{
+			// "java.util;PriorityQueue;false;PriorityQueue;(SortedSet);;Element of Argument[0];Element of Argument[-1];value"
+			PriorityQueue out = null;
+			SortedSet in = new TreeSet(List.of(source()));
+			out = new PriorityQueue(in);
+			sink(getElement(out)); // $ hasValueFlow
+		}
+		{
+			// "java.util;TreeMap;false;TreeMap;(Map);;MapKey of Argument[0];MapKey of Argument[-1];value"
+			TreeMap out = null;
+			Map in = Map.of(source(), null);
+			out = new TreeMap(in);
+			sink(getMapKey(out)); // $ hasValueFlow
+		}
+		{
+			// "java.util;TreeMap;false;TreeMap;(Map);;MapValue of Argument[0];MapValue of Argument[-1];value"
+			TreeMap out = null;
+			Map in = Map.of(null, source());
+			out = new TreeMap(in);
+			sink(getMapValue(out)); // $ hasValueFlow
+		}
+		{
+			// "java.util;TreeMap;false;TreeMap;(SortedMap);;MapKey of Argument[0];MapKey of Argument[-1];value"
+			TreeMap out = null;
+			SortedMap in = new TreeMap(Map.of(source(), null));
+			out = new TreeMap(in);
+			sink(getMapKey(out)); // $ hasValueFlow
+		}
+		{
+			// "java.util;TreeMap;false;TreeMap;(SortedMap);;MapValue of Argument[0];MapValue of Argument[-1];value"
+			TreeMap out = null;
+			SortedMap in = new TreeMap(Map.of(null, source()));
+			out = new TreeMap(in);
+			sink(getMapValue(out)); // $ hasValueFlow
+		}
+		{
+			// "java.util;TreeSet;false;TreeSet;(Collection);;Element of Argument[0];Element of Argument[-1];value"
+			TreeSet out = null;
+			Collection in = List.of(source());
+			out = new TreeSet(in);
+			sink(getElement(out)); // $ hasValueFlow
+		}
+		{
+			// "java.util;TreeSet;false;TreeSet;(SortedSet);;Element of Argument[0];Element of Argument[-1];value"
+			TreeSet out = null;
+			SortedSet in = new TreeSet(List.of(source()));
+			out = new TreeSet(in);
+			sink(getElement(out)); // $ hasValueFlow
+		}
+		{
+			// "java.util;Vector;false;Vector;(Collection);;Element of Argument[0];Element of Argument[-1];value"
+			Vector out = null;
+			Collection in = List.of(source());
+			out = new Vector(in);
+			sink(getElement(out)); // $ hasValueFlow
+		}
+		{
+			// "java.util;WeakHashMap;false;WeakHashMap;(Map);;MapKey of Argument[0];MapKey of Argument[-1];value"
+			WeakHashMap out = null;
+			Map in = Map.of(source(), null);
+			out = new WeakHashMap(in);
+			sink(getMapKey(out)); // $ hasValueFlow
+		}
+		{
+			// "java.util;WeakHashMap;false;WeakHashMap;(Map);;MapValue of Argument[0];MapValue of Argument[-1];value"
+			WeakHashMap out = null;
+			Map in = Map.of(null, source());
+			out = new WeakHashMap(in);
+			sink(getMapValue(out)); // $ hasValueFlow
+		}
+
+	}
+
+}