Track taint from concatenated string

Benjamin Muskalla · Benjamin Muskalla · commit 7ddf7ff211c6 · 2021-09-01T15:41:16.000+02:00
diff --git a/java/ql/src/semmle/code/java/frameworks/Strings.qll b/java/ql/src/semmle/code/java/frameworks/Strings.qll
@@ -9,6 +9,7 @@ private class StringSummaryCsv extends SummaryModelCsv {
       [
         //`namespace; type; subtypes; name; signature; ext; input; output; kind`
         "java.lang;String;false;concat;(String);;Argument[0];ReturnValue;taint",
+        "java.lang;String;false;concat;(String);;Argument[-1];ReturnValue;taint",
         "java.lang;String;false;copyValueOf;;;Argument[0];ReturnValue;taint",
         "java.lang;String;false;endsWith;;;Argument[-1];ReturnValue;taint",
         "java.lang;String;false;format;(Locale,String,Object[]);;Argument[1];ReturnValue;taint",
diff --git a/java/ql/test/library-tests/dataflow/taint/B.java b/java/ql/test/library-tests/dataflow/taint/B.java
@@ -46,6 +46,9 @@ public static void maintest() throws java.io.UnsupportedEncodingException, java.
     // tainted - tokenized string
     String token = new StringTokenizer(badEscape).nextToken();
     sink(token);
+    // tainted - fluent concatenation
+    String fluentConcat = "".concat("str").concat(token).concat("bar");
+    sink(fluentConcat);
 
     // not tainted
     String safe = notTainty(complex);
diff --git a/java/ql/test/library-tests/dataflow/taint/test.expected b/java/ql/test/library-tests/dataflow/taint/test.expected
@@ -14,29 +14,30 @@
 | B.java:15:21:15:27 | taint(...) | B.java:42:10:42:25 | valueOfSubstring |
 | B.java:15:21:15:27 | taint(...) | B.java:45:10:45:18 | badEscape |
 | B.java:15:21:15:27 | taint(...) | B.java:48:10:48:14 | token |
-| B.java:15:21:15:27 | taint(...) | B.java:65:10:65:13 | cond |
-| B.java:15:21:15:27 | taint(...) | B.java:68:10:68:14 | logic |
-| B.java:15:21:15:27 | taint(...) | B.java:70:10:70:39 | endsWith(...) |
-| B.java:15:21:15:27 | taint(...) | B.java:73:10:73:14 | logic |
+| B.java:15:21:15:27 | taint(...) | B.java:51:10:51:21 | fluentConcat |
+| B.java:15:21:15:27 | taint(...) | B.java:68:10:68:13 | cond |
+| B.java:15:21:15:27 | taint(...) | B.java:71:10:71:14 | logic |
+| B.java:15:21:15:27 | taint(...) | B.java:73:10:73:39 | endsWith(...) |
 | B.java:15:21:15:27 | taint(...) | B.java:76:10:76:14 | logic |
-| B.java:15:21:15:27 | taint(...) | B.java:84:10:84:16 | trimmed |
-| B.java:15:21:15:27 | taint(...) | B.java:86:10:86:14 | split |
-| B.java:15:21:15:27 | taint(...) | B.java:88:10:88:14 | lower |
-| B.java:15:21:15:27 | taint(...) | B.java:90:10:90:14 | upper |
-| B.java:15:21:15:27 | taint(...) | B.java:92:10:92:14 | bytes |
-| B.java:15:21:15:27 | taint(...) | B.java:94:10:94:17 | toString |
-| B.java:15:21:15:27 | taint(...) | B.java:96:10:96:13 | subs |
-| B.java:15:21:15:27 | taint(...) | B.java:98:10:98:13 | repl |
-| B.java:15:21:15:27 | taint(...) | B.java:100:10:100:16 | replAll |
-| B.java:15:21:15:27 | taint(...) | B.java:102:10:102:18 | replFirst |
-| B.java:15:21:15:27 | taint(...) | B.java:115:12:115:25 | serializedData |
-| B.java:15:21:15:27 | taint(...) | B.java:127:12:127:27 | deserializedData |
-| B.java:15:21:15:27 | taint(...) | B.java:136:10:136:21 | taintedArray |
-| B.java:15:21:15:27 | taint(...) | B.java:138:10:138:22 | taintedArray2 |
-| B.java:15:21:15:27 | taint(...) | B.java:140:10:140:22 | taintedArray3 |
-| B.java:15:21:15:27 | taint(...) | B.java:143:10:143:44 | toURL(...) |
-| B.java:15:21:15:27 | taint(...) | B.java:146:10:146:37 | toPath(...) |
-| B.java:15:21:15:27 | taint(...) | B.java:149:10:149:46 | toFile(...) |
+| B.java:15:21:15:27 | taint(...) | B.java:79:10:79:14 | logic |
+| B.java:15:21:15:27 | taint(...) | B.java:87:10:87:16 | trimmed |
+| B.java:15:21:15:27 | taint(...) | B.java:89:10:89:14 | split |
+| B.java:15:21:15:27 | taint(...) | B.java:91:10:91:14 | lower |
+| B.java:15:21:15:27 | taint(...) | B.java:93:10:93:14 | upper |
+| B.java:15:21:15:27 | taint(...) | B.java:95:10:95:14 | bytes |
+| B.java:15:21:15:27 | taint(...) | B.java:97:10:97:17 | toString |
+| B.java:15:21:15:27 | taint(...) | B.java:99:10:99:13 | subs |
+| B.java:15:21:15:27 | taint(...) | B.java:101:10:101:13 | repl |
+| B.java:15:21:15:27 | taint(...) | B.java:103:10:103:16 | replAll |
+| B.java:15:21:15:27 | taint(...) | B.java:105:10:105:18 | replFirst |
+| B.java:15:21:15:27 | taint(...) | B.java:118:12:118:25 | serializedData |
+| B.java:15:21:15:27 | taint(...) | B.java:130:12:130:27 | deserializedData |
+| B.java:15:21:15:27 | taint(...) | B.java:139:10:139:21 | taintedArray |
+| B.java:15:21:15:27 | taint(...) | B.java:141:10:141:22 | taintedArray2 |
+| B.java:15:21:15:27 | taint(...) | B.java:143:10:143:22 | taintedArray3 |
+| B.java:15:21:15:27 | taint(...) | B.java:146:10:146:44 | toURL(...) |
+| B.java:15:21:15:27 | taint(...) | B.java:149:10:149:37 | toPath(...) |
+| B.java:15:21:15:27 | taint(...) | B.java:152:10:152:46 | toFile(...) |
 | CharSeq.java:7:26:7:32 | taint(...) | CharSeq.java:8:12:8:14 | seq |
 | CharSeq.java:7:26:7:32 | taint(...) | CharSeq.java:11:12:11:21 | seqFromSeq |
 | MethodFlow.java:7:22:7:28 | taint(...) | MethodFlow.java:8:10:8:16 | tainted |

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@ private class StringSummaryCsv extends SummaryModelCsv {`
`9`	`9`	`[`
`10`	`10`	//`namespace; type; subtypes; name; signature; ext; input; output; kind`
`11`	`11`	`"java.lang;String;false;concat;(String);;Argument[0];ReturnValue;taint",`
	`12`	`+ "java.lang;String;false;concat;(String);;Argument[-1];ReturnValue;taint",`
`12`	`13`	`"java.lang;String;false;copyValueOf;;;Argument[0];ReturnValue;taint",`
`13`	`14`	`"java.lang;String;false;endsWith;;;Argument[-1];ReturnValue;taint",`
`14`	`15`	`"java.lang;String;false;format;(Locale,String,Object[]);;Argument[1];ReturnValue;taint",`