
Commit 6367eb9

committed
Address review comments
1 parent 441bf98 commit 6367eb9

1 file changed

+32
-11
lines changed


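--- a/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll
@@ -112,17 +112,16 @@ private predicate taintPreservingQualifierToMethod(Method m) {
 // java.util.Map
 m
 .(MapMethod)
-.hasName(["compute", "computeIfAbsent", "computeIfPresent", "entrySet", "get", "getOrDefault",
-"merge", "putIfAbsent", "remove", "replace", "values"])
+.hasName(["computeIfAbsent", "entrySet", "get", "getOrDefault", "merge", "put", "putIfAbsent",
+"remove", "replace", "values"])
 or
 // java.util.Collection
 m.(CollectionMethod).hasName(["parallelStream", "stream", "toArray"])
 or
 // java.util.List
 m.(CollectionMethod).hasName(["get", "listIterator", "set", "subList"])
 or
-m.(CollectionMethod).hasName("remove") and
-(m.getNumberOfParameters() = 0 or m.getParameterType(0).(PrimitiveType).hasName("int"))
+m.(CollectionMethod).hasName("remove") and m.getParameterType(0).(PrimitiveType).hasName("int")
 or
 // java.util.Vector
 m.(CollectionMethod).hasName(["elementAt", "elements", "firstElement", "lastElement"])
@@ -131,9 +130,11 @@ private predicate taintPreservingQualifierToMethod(Method m) {
 m.(CollectionMethod).hasName(["peek", "pop", "push"])
 or
 // java.util.Queue
-m.(CollectionMethod).hasName(["element", /*"peek", "remove"*/ "poll"])
+m.(CollectionMethod).hasName(["element", "poll"])
 or
-// java.util.DeQueue
+m.(CollectionMethod).hasName("remove") and m.getNumberOfParameters() = 0
+or
+// java.util.Deque
 m
 .(CollectionMethod)
 .hasName(["getFirst", "getLast", "peekFirst", "peekLast", "pollFirst", "pollLast",
@@ -171,7 +172,7 @@ private predicate taintPreservingQualifierToMethod(Method m) {
 m.hasName(["elements", "get", "put", "remove"])
 or
 // java.util.concurrent.ConcurrentHashMap
-m.(MapMethod).hasName(["search", "searchEntries", "searchValues"])
+m.(MapMethod).hasName(["elements", "search", "searchEntries", "searchValues"])
 }
 
 private predicate qualifierToMethodStep(Expr tracked, MethodAccess sink) {
@@ -180,9 +181,18 @@ private predicate qualifierToMethodStep(Expr tracked, MethodAccess sink) {
 }
 
 private predicate qualifierToArgumentStep(Expr tracked, RValue sink) {
-exists(MethodAccess ma |
-// java.util.Vector, java.util.concurrent.BlockingQueue, java.util.Collection
-ma.getMethod().(CollectionMethod).hasName(["copyInto", "drainTo", "toArray"]) and
+exists(MethodAccess ma, CollectionMethod method |
+method = ma.getMethod() and
+(
+// java.util.Vector
+method.hasName("copyInto")
+or
+// java.util.concurrent.BlockingQueue
+method.hasName("drainTo")
+or
+// java.util.Collection
+method.hasName("toArray") and method.getParameter(0).getType() instanceof Array
+) and
 tracked = ma.getQualifier() and
 sink = ma.getArgument(0)
 )
@@ -207,7 +217,9 @@ private predicate taintPreservingArgumentToQualifier(Method method, int arg) {
 arg = 0
 or
 // java.util.Collection
-method.(CollectionMethod).hasName(["add", "addAll"]) and arg = method.getNumberOfParameters() - 1
+method.(CollectionMethod).hasName(["add", "addAll"]) and
+// Refer to the last parameter to also cover List::add(int, E) and List::addAll(int, Collection)
+arg = method.getNumberOfParameters() - 1
 or
 // java.util.List
 method.(CollectionMethod).hasName("set") and arg = 1
@@ -232,6 +244,15 @@ private predicate taintPreservingArgumentToQualifier(Method method, int arg) {
 or
 // java.util.concurrent.BlockingDeque
 method.(CollectionMethod).hasName(["putFirst", "putLast"]) and arg = 0
+or
+//java.util.Dictionary
+method
+.getDeclaringType()
+.getSourceDeclaration()
+.getASourceSupertype*()
+.hasQualifiedName("java.util", "Dictionary") and
+method.hasName("put") and
+arg = 1
 }
 
 /**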
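Review bot: In qualifierToArgumentStep, the `toArray` branch marks argument 0 as tainted unconditionally, but per the `Collection.toArray(T[])` contract the passed array is only filled when it is at least `size()` long; when it is too small a fresh array is allocated and returned and the argument is left untouched. Because the returned array is already covered by the `toArray` entry in taintPreservingQualifierToMethod, the argument step is a sound over-approximation that can report flow into an array the call never wrote to, and that trade-off should be recorded in place, e.g. `// toArray(T[]) fills the argument only when it is large enough; otherwise the result array carries the taint (see taintPreservingQualifierToMethod). Over-approximating here is deliberate.`. The `instanceof Array` guard appears intended to exclude the Java 11 `toArray(IntFunction)` overload, whose argument is a generator rather than a destination, and the comment should say so rather than leaving the reader to infer it. Minor style nit in the last hunk: `//java.util.Dictionary` is missing the space after `//` that every other category comment in the file uses.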
