Java: Add defaultImplicitTaintRead and sync.

aschackmull · aschackmull · commit 65ac8be5ac09 · 2021-06-21T14:42:47.000+02:00
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
@@ -34,6 +34,13 @@ predicate defaultAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {
   localAdditionalTaintStep(src, sink)
 }
 
+/**
+ * Holds if default `TaintTracking::Configuration`s should allow implicit reads
+ * of `c` at sinks and inputs to additional taint steps.
+ */
+bindingset[node]
+predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::Content c) { none() }
+
 /**
  * Holds if `node` should be a sanitizer in all global taint flow configurations
  * but not in local taint.
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
@@ -105,6 +105,11 @@ abstract class Configuration extends DataFlow::Configuration {
     defaultAdditionalTaintStep(node1, node2)
   }
 
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
+    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
+    defaultImplicitTaintRead(node, c)
+  }
+
   /**
    * Holds if taint may flow from `source` to `sink` for this configuration.
    */
diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
@@ -105,6 +105,11 @@ abstract class Configuration extends DataFlow::Configuration {
     defaultAdditionalTaintStep(node1, node2)
   }
 
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
+    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
+    defaultImplicitTaintRead(node, c)
+  }
+
   /**
    * Holds if taint may flow from `source` to `sink` for this configuration.
    */
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
@@ -151,6 +151,13 @@ predicate defaultAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {
   localAdditionalTaintStep(src, sink)
 }
 
+/**
+ * Holds if default `TaintTracking::Configuration`s should allow implicit reads
+ * of `c` at sinks and inputs to additional taint steps.
+ */
+bindingset[node]
+predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::Content c) { none() }
+
 /**
  * Holds if `node` should be a sanitizer in all global taint flow configurations
  * but not in local taint.
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
@@ -105,6 +105,11 @@ abstract class Configuration extends DataFlow::Configuration {
     defaultAdditionalTaintStep(node1, node2)
   }
 
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
+    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
+    defaultImplicitTaintRead(node, c)
+  }
+
   /**
    * Holds if taint may flow from `source` to `sink` for this configuration.
    */
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
@@ -105,6 +105,11 @@ abstract class Configuration extends DataFlow::Configuration {
     defaultAdditionalTaintStep(node1, node2)
   }
 
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
+    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
+    defaultImplicitTaintRead(node, c)
+  }
+
   /**
    * Holds if taint may flow from `source` to `sink` for this configuration.
    */
diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll
@@ -105,6 +105,11 @@ abstract class Configuration extends DataFlow::Configuration {
     defaultAdditionalTaintStep(node1, node2)
   }
 
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
+    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
+    defaultImplicitTaintRead(node, c)
+  }
+
   /**
    * Holds if taint may flow from `source` to `sink` for this configuration.
    */
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll
@@ -18,6 +18,13 @@ private import semmle.code.csharp.frameworks.WCF
  */
 predicate defaultTaintSanitizer(DataFlow::Node node) { none() }
 
+/**
+ * Holds if default `TaintTracking::Configuration`s should allow implicit reads
+ * of `c` at sinks and inputs to additional taint steps.
+ */
+bindingset[node]
+predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::Content c) { none() }
+
 deprecated predicate localAdditionalTaintStep = defaultAdditionalTaintStep/2;
 
 private CIL::DataFlowNode asCilDataFlowNode(DataFlow::Node node) {
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
@@ -105,6 +105,11 @@ abstract class Configuration extends DataFlow::Configuration {
     defaultAdditionalTaintStep(node1, node2)
   }
 
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
+    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
+    defaultImplicitTaintRead(node, c)
+  }
+
   /**
    * Holds if taint may flow from `source` to `sink` for this configuration.
    */
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
@@ -105,6 +105,11 @@ abstract class Configuration extends DataFlow::Configuration {
     defaultAdditionalTaintStep(node1, node2)
   }
 
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
+    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
+    defaultImplicitTaintRead(node, c)
+  }
+
   /**
    * Holds if taint may flow from `source` to `sink` for this configuration.
    */
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll
@@ -105,6 +105,11 @@ abstract class Configuration extends DataFlow::Configuration {
     defaultAdditionalTaintStep(node1, node2)
   }
 
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
+    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
+    defaultImplicitTaintRead(node, c)
+  }
+
   /**
    * Holds if taint may flow from `source` to `sink` for this configuration.
    */
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingImpl.qll
@@ -105,6 +105,11 @@ abstract class Configuration extends DataFlow::Configuration {
     defaultAdditionalTaintStep(node1, node2)
   }
 
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
+    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
+    defaultImplicitTaintRead(node, c)
+  }
+
   /**
    * Holds if taint may flow from `source` to `sink` for this configuration.
    */
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll
@@ -105,6 +105,11 @@ abstract class Configuration extends DataFlow::Configuration {
     defaultAdditionalTaintStep(node1, node2)
   }
 
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
+    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
+    defaultImplicitTaintRead(node, c)
+  }
+
   /**
    * Holds if taint may flow from `source` to `sink` for this configuration.
    */
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -100,6 +100,33 @@ private module Cached {
 
 import Cached
 
+private RefType getElementType(RefType container) {
+  result = container.(Array).getComponentType() or
+  result = container.(CollectionType).getElementType() or
+  result = container.(MapType).getValueType()
+}
+
+/**
+ * Holds if default `TaintTracking::Configuration`s should allow implicit reads
+ * of `c` at sinks and inputs to additional taint steps.
+ */
+bindingset[node]
+predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::Content c) {
+  exists(RefType container |
+    (node.asExpr() instanceof Argument or node instanceof ArgumentNode) and
+    getElementType*(node.getType()) = container
+  |
+    container instanceof Array and
+    c instanceof DataFlow::ArrayContent
+    or
+    container instanceof CollectionType and
+    c instanceof DataFlow::CollectionContent
+    or
+    container instanceof MapType and
+    c instanceof DataFlow::MapValueContent
+  )
+}
+
 /**
  * These configurations add a number of configuration-dependent additional taint
  * steps to all taint configurations. For each sink or additional step provided
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll b/java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
@@ -105,6 +105,11 @@ abstract class Configuration extends DataFlow::Configuration {
     defaultAdditionalTaintStep(node1, node2)
   }
 
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
+    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
+    defaultImplicitTaintRead(node, c)
+  }
+
   /**
    * Holds if taint may flow from `source` to `sink` for this configuration.
    */
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll b/java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll
@@ -105,6 +105,11 @@ abstract class Configuration extends DataFlow::Configuration {
     defaultAdditionalTaintStep(node1, node2)
   }
 
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
+    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
+    defaultImplicitTaintRead(node, c)
+  }
+
   /**
    * Holds if taint may flow from `source` to `sink` for this configuration.
    */
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll b/python/ql/src/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll
@@ -9,6 +9,13 @@ private import semmle.python.dataflow.new.internal.TaintTrackingPublic
  */
 predicate defaultTaintSanitizer(DataFlow::Node node) { none() }
 
+/**
+ * Holds if default `TaintTracking::Configuration`s should allow implicit reads
+ * of `c` at sinks and inputs to additional taint steps.
+ */
+bindingset[node]
+predicate defaultImplicitTaintRead(DataFlow::Node node, DataFlow::Content c) { none() }
+
 private module Cached {
   /**
    * Holds if the additional step from `nodeFrom` to `nodeTo` should be included in all
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/tainttracking1/TaintTrackingImpl.qll b/python/ql/src/semmle/python/dataflow/new/internal/tainttracking1/TaintTrackingImpl.qll
@@ -105,6 +105,11 @@ abstract class Configuration extends DataFlow::Configuration {
     defaultAdditionalTaintStep(node1, node2)
   }
 
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
+    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
+    defaultImplicitTaintRead(node, c)
+  }
+
   /**
    * Holds if taint may flow from `source` to `sink` for this configuration.
    */
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/tainttracking2/TaintTrackingImpl.qll b/python/ql/src/semmle/python/dataflow/new/internal/tainttracking2/TaintTrackingImpl.qll
@@ -105,6 +105,11 @@ abstract class Configuration extends DataFlow::Configuration {
     defaultAdditionalTaintStep(node1, node2)
   }
 
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
+    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
+    defaultImplicitTaintRead(node, c)
+  }
+
   /**
    * Holds if taint may flow from `source` to `sink` for this configuration.
    */
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll b/python/ql/src/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll
@@ -105,6 +105,11 @@ abstract class Configuration extends DataFlow::Configuration {
     defaultAdditionalTaintStep(node1, node2)
   }
 
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
+    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
+    defaultImplicitTaintRead(node, c)
+  }
+
   /**
    * Holds if taint may flow from `source` to `sink` for this configuration.
    */
diff --git a/python/ql/src/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll b/python/ql/src/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll
@@ -105,6 +105,11 @@ abstract class Configuration extends DataFlow::Configuration {
     defaultAdditionalTaintStep(node1, node2)
   }
 
+  override predicate allowImplicitRead(DataFlow::Node node, DataFlow::Content c) {
+    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
+    defaultImplicitTaintRead(node, c)
+  }
+
   /**
    * Holds if taint may flow from `source` to `sink` for this configuration.
    */
