Merge pull request github#5136 from aschackmull/java/csv-models

Java: Add support for framework modelling through csv data.

Author: yo-h

java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll

@@ -24,13 +24,20 @@ import semmle.code.java.frameworks.spring.SpringWebClient
 import semmle.code.java.frameworks.Guice
 import semmle.code.java.frameworks.struts.StrutsActions
 import semmle.code.java.frameworks.Thrift
+private import semmle.code.java.dataflow.ExternalFlow
 
 /** A data flow source of remote user input. */
 abstract class RemoteFlowSource extends DataFlow::Node {
   /** Gets a string that describes the type of this remote flow source. */
   abstract string getSourceType();
 }
 
+private class ExternalRemoteFlowSource extends RemoteFlowSource {
+  ExternalRemoteFlowSource() { sourceNode(this, "remote") }
+
+  override string getSourceType() { result = "external" }
+}
+
 private class RemoteTaintedMethodAccessSource extends RemoteFlowSource {
   RemoteTaintedMethodAccessSource() {
     this.asExpr().(MethodAccess).getMethod() instanceof RemoteTaintedMethod

java/ql/src/semmle/code/java/dataflow/FlowSources.qll

@@ -7,6 +7,7 @@ private import DataFlowPrivate
 private import semmle.code.java.dataflow.SSA
 private import semmle.code.java.dataflow.TypeFlow
 private import semmle.code.java.controlflow.Guards
+private import semmle.code.java.dataflow.ExternalFlow
 import semmle.code.java.dataflow.InstanceAccess
 
 cached
@@ -405,6 +406,8 @@ predicate simpleLocalFlowStep(Node node1, Node node2) {
   or
   node2.asExpr().(AssignExpr).getSource() = node1.asExpr()
   or
+  summaryStep(node1, node2, "value")
+  or
   exists(MethodAccess ma, Method m |
     ma = node2.asExpr() and
     m = ma.getMethod() and

java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll

@@ -10,6 +10,7 @@ private import semmle.code.java.dataflow.internal.ContainerFlow
 private import semmle.code.java.frameworks.spring.SpringController
 private import semmle.code.java.frameworks.spring.SpringHttp
 private import semmle.code.java.frameworks.Networking
+private import semmle.code.java.dataflow.ExternalFlow
 import semmle.code.java.dataflow.FlowSteps
 
 /**
@@ -45,6 +46,8 @@ predicate localAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {
   localAdditionalTaintUpdateStep(src.asExpr(),
     sink.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr())
   or
+  summaryStep(src, sink, "taint")
+  or
   exists(Argument arg |
     src.asExpr() = arg and
     arg.isVararg() and

java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll

@@ -0,0 +1,62 @@
+package my.qltest;
+
+public class A {
+  void foo() {
+    Object x;
+    x = src1();
+    x = src1("");
+
+    Sub sub = new Sub();
+    x = sub.src2();
+    x = sub.src3();
+
+    srcArg(x);
+
+    Handler h = srcparam1 -> { };
+
+    Handler h2 = new Handler() {
+      @Override public void handle(Object srcparam2) { }
+    };
+
+    x = taggedSrcMethod();
+    x = taggedSrcField;
+
+    x = srcTwoArg("", "");
+  }
+
+  @Tag
+  void tagged1(Object taggedMethodParam) {
+  }
+
+  void tagged2(@Tag Object taggedSrcParam) {
+  }
+
+  Object src1() { return null; }
+
+  Object src1(String s) { return null; }
+
+  Object src2() { return null; }
+
+  Object src3() { return null; }
+
+  static class Sub extends A {
+    // inherit src2
+    @Override Object src3() { return null; }
+  }
+
+  void srcArg(Object src) { }
+
+  interface Handler {
+    void handle(Object src);
+  }
+
+  @interface Tag { }
+
+  @Tag
+  Object taggedSrcMethod() { return null; }
+
+  @Tag
+  Object taggedSrcField;
+
+  Object srcTwoArg(String s1, String s2) { return null; }
+}

java/ql/test/library-tests/dataflow/external-models/A.java

@@ -0,0 +1,35 @@
+package my.qltest;
+
+public class B {
+  void foo() {
+    Object arg1 = new Object();
+    sink1(arg1);
+
+    Object argToTagged = new Object();
+    taggedSinkMethod(argToTagged);
+
+    Object fieldWrite = new Object();
+    taggedField = fieldWrite;
+  }
+
+  Object sinkMethod() {
+    Object res = new Object();
+    return res;
+  }
+
+  @Tag
+  Object taggedSinkMethod() {
+    Object resTag = new Object();
+    return resTag;
+  }
+
+  void sink1(Object x) { }
+
+  @interface Tag { }
+
+  @Tag
+  void taggedSinkMethod(Object x) { }
+
+  @Tag
+  Object taggedField;
+}

java/ql/test/library-tests/dataflow/external-models/B.java

@@ -0,0 +1,36 @@
+package my.qltest;
+
+public class C {
+  void foo() {
+    Object arg1 = new Object();
+    stepArgRes(arg1);
+
+    Object argIn1 = new Object();
+    Object argOut1 = new Object();
+    stepArgArg(argIn1, argOut1);
+    Object argIn2 = new Object();
+    Object argOut2 = new Object();
+    stepArgArg(argIn2, argOut2);
+
+    Object arg2 = new Object();
+    stepArgQual(arg2);
+    Object arg3 = new Object();
+    this.stepArgQual(arg3);
+
+    this.stepQualRes();
+    stepQualRes();
+
+    Object argOut = new Object();
+    stepQualArg(argOut);
+  }
+
+  Object stepArgRes(Object x) { return null; }
+
+  void stepArgArg(Object in, Object out) { }
+
+  void stepArgQual(Object x) { }
+
+  Object stepQualRes() { return null; }
+
+  void stepQualArg(Object out) { }
+}

java/ql/test/library-tests/dataflow/external-models/C.java

@@ -0,0 +1,8 @@
+invalidModelRow
+#select
+| B.java:6:11:6:14 | arg1 | qltest |
+| B.java:9:5:9:33 | this <.method> | qltest-arg |
+| B.java:9:22:9:32 | argToTagged | qltest-arg |
+| B.java:12:19:12:28 | fieldWrite | qltest-nospec |
+| B.java:17:12:17:14 | res | qltest |
+| B.java:23:12:23:17 | resTag | qltest-retval |

java/ql/test/library-tests/dataflow/external-models/sinks.expected

@@ -0,0 +1,22 @@
+import java
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.ExternalFlow
+import CsvValidation
+
+class SinkModelTest extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        //"package;type;overrides;name;signature;ext;spec;kind",
+        "my.qltest;B;false;sink1;(Object);;Argument[0];qltest",
+        "my.qltest;B;false;sinkMethod;();;ReturnValue;qltest",
+        "my.qltest;B$Tag;false;;;Annotated;ReturnValue;qltest-retval",
+        "my.qltest;B$Tag;false;;;Annotated;Argument;qltest-arg",
+        "my.qltest;B$Tag;false;;;Annotated;;qltest-nospec"
+      ]
+  }
+}
+
+from DataFlow::Node node, string kind
+where sinkNode(node, kind)
+select node, kind

java/ql/test/library-tests/dataflow/external-models/sinks.ql

@@ -0,0 +1,24 @@
+invalidModelRow
+#select
+| A.java:6:9:6:14 | src1(...) | qltest |
+| A.java:6:9:6:14 | src1(...) | qltest-all-overloads |
+| A.java:7:9:7:16 | src1(...) | qltest |
+| A.java:7:9:7:16 | src1(...) | qltest-all-overloads |
+| A.java:7:9:7:16 | src1(...) | qltest-alt |
+| A.java:10:9:10:18 | src2(...) | qltest |
+| A.java:10:9:10:18 | src2(...) | qltest-w-subtypes |
+| A.java:11:9:11:18 | src3(...) | qltest-w-subtypes |
+| A.java:13:5:13:13 | this <.method> [post update] | qltest-argany |
+| A.java:13:12:13:12 | x [post update] | qltest-argany |
+| A.java:13:12:13:12 | x [post update] | qltest-argnum |
+| A.java:15:17:15:25 | srcparam1 | qltest-param-override |
+| A.java:18:36:18:51 | srcparam2 | qltest-param-override |
+| A.java:21:9:21:25 | taggedSrcMethod(...) | qltest-retval |
+| A.java:22:9:22:22 | taggedSrcField | qltest-nospec |
+| A.java:24:9:24:25 | srcTwoArg(...) | qltest-longsig |
+| A.java:24:9:24:25 | srcTwoArg(...) | qltest-shortsig |
+| A.java:28:8:28:14 | parameter this | qltest-param |
+| A.java:28:16:28:39 | taggedMethodParam | qltest-param |
+| A.java:31:16:31:41 | taggedSrcParam | qltest-nospec |
+| A.java:31:16:31:41 | taggedSrcParam | qltest-param |
+| A.java:56:10:56:24 | parameter this | qltest-param |