Merge pull request github#12610 from michaelnebel/java/validatespecs

Java/C#: Validate all AccessPaths.

Author: michaelnebel

csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll

@@ -160,7 +160,7 @@ predicate modelCoverage(string namespace, int namespaces, string kind, string pa
 /** Provides a query predicate to check the MaD models for validation errors. */
 module ModelValidation {
   private string getInvalidModelInput() {
-    exists(string pred, AccessPath input, string part |
+    exists(string pred, AccessPath input, AccessPathToken part |
       sinkModel(_, _, _, _, _, _, input, _, _) and pred = "sink"
       or
       summaryModel(_, _, _, _, _, _, input, _, _, _) and pred = "summary"
@@ -169,7 +169,8 @@ module ModelValidation {
         invalidSpecComponent(input, part) and
         not part = "" and
         not (part = "Argument" and pred = "sink") and
-        not parseArg(part, _)
+        not parseArg(part, _) and
+        not part.getName() = ["Field", "Property"]
         or
         part = input.getToken(_) and
         parseParam(part, _)
@@ -181,15 +182,16 @@ module ModelValidation {
   }
 
   private string getInvalidModelOutput() {
-    exists(string pred, string output, string part |
+    exists(string pred, AccessPath output, AccessPathToken part |
       sourceModel(_, _, _, _, _, _, output, _, _) and pred = "source"
       or
       summaryModel(_, _, _, _, _, _, _, output, _, _) and pred = "summary"
     |
       (
         invalidSpecComponent(output, part) and
         not part = "" and
-        not (part = ["Argument", "Parameter"] and pred = "source")
+        not (part = ["Argument", "Parameter"] and pred = "source") and
+        not part.getName() = ["Field", "Property"]
         or
         invalidIndexComponent(output, part)
       ) and

csharp/ql/test/library-tests/dataflow/external-models/validatemodels.expected

@@ -0,0 +1,15 @@
+import csharp
+import semmle.code.csharp.dataflow.ExternalFlow
+import semmle.code.csharp.dataflow.internal.AccessPathSyntax
+import ModelValidation
+
+private predicate getRelevantAccessPath(string path) {
+  summaryModel(_, _, _, _, _, _, path, _, _, _) or
+  summaryModel(_, _, _, _, _, _, _, path, _, _) or
+  sinkModel(_, _, _, _, _, _, path, _, _) or
+  sourceModel(_, _, _, _, _, _, path, _, _)
+}
+
+private class AccessPathsExternal extends AccessPath::Range {
+  AccessPathsExternal() { getRelevantAccessPath(this) }
+}

csharp/ql/test/library-tests/dataflow/external-models/validatemodels.ql

@@ -220,7 +220,7 @@ predicate modelCoverage(string package, int pkgs, string kind, string part, int
 /** Provides a query predicate to check the MaD models for validation errors. */
 module ModelValidation {
   private string getInvalidModelInput() {
-    exists(string pred, string input, string part |
+    exists(string pred, AccessPath input, AccessPathToken part |
       sinkModel(_, _, _, _, _, _, input, _, _) and pred = "sink"
       or
       summaryModel(_, _, _, _, _, _, input, _, _, _) and pred = "summary"
@@ -229,9 +229,10 @@ module ModelValidation {
         invalidSpecComponent(input, part) and
         not part = "" and
         not (part = "Argument" and pred = "sink") and
-        not parseArg(part, _)
+        not parseArg(part, _) and
+        not part.getName() = "Field"
         or
-        part = input.(AccessPath).getToken(0) and
+        part = input.getToken(0) and
         parseParam(part, _)
         or
         invalidIndexComponent(input, part)
@@ -241,15 +242,16 @@ module ModelValidation {
   }
 
   private string getInvalidModelOutput() {
-    exists(string pred, string output, string part |
+    exists(string pred, AccessPath output, AccessPathToken part |
       sourceModel(_, _, _, _, _, _, output, _, _) and pred = "source"
       or
       summaryModel(_, _, _, _, _, _, _, output, _, _) and pred = "summary"
     |
       (
         invalidSpecComponent(output, part) and
         not part = "" and
-        not (part = ["Argument", "Parameter"] and pred = "source")
+        not (part = ["Argument", "Parameter"] and pred = "source") and
+        not part.getName() = "Field"
         or
         invalidIndexComponent(output, part)
       ) and

java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll

@@ -0,0 +1,15 @@
+import java
+import semmle.code.java.dataflow.ExternalFlow
+import semmle.code.java.dataflow.internal.AccessPathSyntax
+import ModelValidation
+
+private predicate getRelevantAccessPath(string path) {
+  summaryModel(_, _, _, _, _, _, path, _, _, _) or
+  summaryModel(_, _, _, _, _, _, _, path, _, _) or
+  sinkModel(_, _, _, _, _, _, path, _, _) or
+  sourceModel(_, _, _, _, _, _, path, _, _)
+}
+
+private class AccessPathsExternal extends AccessPath::Range {
+  AccessPathsExternal() { getRelevantAccessPath(this) }
+}