
Commit 5cdbde2

committed
Java: migrate 'qualifier to return' taint steps to CSV
1 parent 4012656 commit 5cdbde2


2 files changed

+15
-35
lines changed


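--- a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -189,7 +189,21 @@ private predicate summaryModelCsv(string row) {
 "java.io;InputStream;true;read;(byte[]);;Argument[-1];Argument[0];taint",
 "java.io;InputStream;true;read;(byte[],int,int);;Argument[-1];Argument[0];taint",
 "java.io;ByteArrayOutputStream;false;writeTo;;;Argument[-1];Argument[0];taint",
-"java.io;Reader;true;read;;;Argument[-1];Argument[0];taint"
+"java.io;Reader;true;read;;;Argument[-1];Argument[0];taint",
+// qualifier to return
+"java.io;ByteArrayOutputStream;false;toByteArray;;;Argument[-1];ReturnValue;taint",
+"java.io;ByteArrayOutputStream;false;toString;;;Argument[-1];ReturnValue;taint",
+"java.util;StringTokenizer;false;nextElement;();;Argument[-1];ReturnValue;taint",
+"java.util;StringTokenizer;false;nextToken;;;Argument[-1];ReturnValue;taint",
+"javax.xml.transform.sax;SAXSource;false;getInputSource;;;Argument[-1];ReturnValue;taint",
+"javax.xml.transform.stream;StreamSource;false;getInputStream;;;Argument[-1];ReturnValue;taint",
+"java.nio;ByteBuffer;false;get;;;Argument[-1];ReturnValue;taint",
+"java.net;URI;false;toURL;;;Argument[-1];ReturnValue;taint",
+"java.io;File;false;toURI;;;Argument[-1];ReturnValue;taint",
+"java.io;File;false;toPath;;;Argument[-1];ReturnValue;taint",
+"java.nio.file;Path;false;toFile;;;Argument[-1];ReturnValue;taint",
+"java.io;Reader;true;readLine;;;Argument[-1];ReturnValue;taint",
+"java.io;Reader;true;read;();;Argument[-1];ReturnValue;taint"
 ]
 }
 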
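Review bot: The added row `"java.io;Reader;true;readLine;;;Argument[-1];ReturnValue;taint"` names a method that `java.io.Reader` itself does not declare; `readLine` is declared on subclasses such as `BufferedReader`. The predicate removed from TaintTrackingUtil.qll matched it through `m.getDeclaringType().getASupertype*()`, so the row preserves that step only if the `true` subtypes column also selects members declared on subtypes, which is resolved outside this hunk. If it does not, input read line by line silently stops carrying taint and the security queries built on this step lose results without any error. A comment such as `// readLine is declared on BufferedReader; relies on subtypes=true matching subtype-declared members`, or an explicit `BufferedReader` row, would make the intent checkable. The commit changes only the two .qll files, so a test expectation per migrated step would confirm nothing was dropped; the row list of summaryModelCsv begins outside the hunk.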

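--- a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -285,50 +285,16 @@ private predicate qualifierToMethodStep(Expr tracked, MethodAccess sink) {
 private predicate taintPreservingQualifierToMethod(Method m) {
 m instanceof CloneMethod
 or
-m.getDeclaringType().getASupertype*().hasQualifiedName("java.io", "Reader") and
-(
-m.getName() = "read" and m.getNumberOfParameters() = 0
-or
-m.getName() = "readLine"
-)
-or
 m.getDeclaringType().getQualifiedName().matches("%StringWriter") and
 (
 m.getName() = "getBuffer"
 or
 m.getName() = "toString"
 )
 or
-m.getDeclaringType().hasQualifiedName("java.util", "StringTokenizer") and
-m.getName().matches("next%")
-or
-m.getDeclaringType().hasQualifiedName("java.io", "ByteArrayOutputStream") and
-(m.getName() = "toByteArray" or m.getName() = "toString")
-or
 m.getDeclaringType().hasQualifiedName("java.io", "ObjectInputStream") and
 m.getName().matches("read%")
 or
-m.getDeclaringType().hasQualifiedName("javax.xml.transform.sax", "SAXSource") and
-m.hasName("getInputSource")
-or
-m.getDeclaringType().hasQualifiedName("javax.xml.transform.stream", "StreamSource") and
-m.hasName("getInputStream")
-or
-m.getDeclaringType().hasQualifiedName("java.nio", "ByteBuffer") and
-m.hasName("get")
-or
-m.getDeclaringType() instanceof TypeFile and
-m.hasName("toPath")
-or
-m.getDeclaringType() instanceof TypePath and
-m.hasName("toFile")
-or
-m.getDeclaringType() instanceof TypeFile and
-m.hasName("toURI")
-or
-m.getDeclaringType() instanceof TypeUri and
-m.hasName("toURL")
-or
 m instanceof GetterMethod and
 m.getDeclaringType().getASubtype*() instanceof SpringUntrustedDataType and
 not m.getDeclaringType() instanceof TypeObject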
