Java: Add ToStringMethod

Marcono1234 · Marcono1234 · commit 9349e6922d50 · 2021-04-10T04:00:44.000+02:00
diff --git a/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql b/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
@@ -79,8 +79,7 @@ predicate stackTraceExpr(Expr exception, MethodAccess stackTraceString) {
     printStackCall.getAnArgument() = printWriter and
     printStackCall.getQualifier() = exception and
     stackTraceString.getQualifier() = stringWriterVar.getAnAccess() and
-    stackTraceString.getMethod().getName() = "toString" and
-    stackTraceString.getMethod().getNumberOfParameters() = 0
+    stackTraceString.getMethod() instanceof ToStringMethod
   )
 }
 
diff --git a/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql b/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql
@@ -33,9 +33,8 @@ class InsecureAlgoLiteral extends ShortStringLiteral {
 }
 
 predicate objectToString(MethodAccess ma) {
-  exists(Method m |
+  exists(ToStringMethod m |
     m = ma.getMethod() and
-    m.hasName("toString") and
     m.getDeclaringType() instanceof TypeObject and
     variableTrack(ma.getQualifier()).getType().getErasure() instanceof TypeObject
   )
diff --git a/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql b/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql
@@ -19,14 +19,14 @@ class HardcodedCredentialApiCallConfiguration extends DataFlow::Configuration {
 
   override predicate isSource(DataFlow::Node n) {
     n.asExpr() instanceof HardcodedExpr and
-    not n.asExpr().getEnclosingCallable().getName() = "toString"
+    not n.asExpr().getEnclosingCallable() instanceof ToStringMethod
   }
 
   override predicate isSink(DataFlow::Node n) { n.asExpr() instanceof CredentialsApiSink }
 
   override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
     node1.asExpr().getType() instanceof TypeString and
-    exists(MethodAccess ma | ma.getMethod().getName().regexpMatch("getBytes|toCharArray") |
+    exists(MethodAccess ma | ma.getMethod().hasName(["getBytes", "toCharArray"]) |
       node2.asExpr() = ma and
       ma.getQualifier() = node1.asExpr()
     )
diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToStringToString.ql b/java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToStringToString.ql
@@ -10,9 +10,8 @@
 
 import java
 
-from MethodAccess ma, Method tostring
+from MethodAccess ma, ToStringMethod tostring
 where
-  tostring.hasName("toString") and
   tostring.getDeclaringType() instanceof TypeString and
   ma.getMethod() = tostring
 select ma, "Redundant call to 'toString' on a String object."
diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DefaultToString.ql b/java/ql/src/Violations of Best Practice/Undesirable Calls/DefaultToString.ql
@@ -14,20 +14,13 @@ import java
 import semmle.code.java.StringFormat
 
 predicate explicitToStringCall(Expr e) {
-  exists(MethodAccess ma, Method toString | toString = ma.getMethod() |
-    e = ma.getQualifier() and
-    toString.getName() = "toString" and
-    toString.getNumberOfParameters() = 0 and
-    not toString.isStatic()
+  exists(MethodAccess ma |
+    ma.getMethod() instanceof ToStringMethod and
+    e = ma.getQualifier()
   )
 }
 
-predicate directlyDeclaresToString(Class c) {
-  exists(Method m | m.getDeclaringType() = c |
-    m.getName() = "toString" and
-    m.getNumberOfParameters() = 0
-  )
-}
+predicate directlyDeclaresToString(Class c) { any(ToStringMethod m).getDeclaringType() = c }
 
 predicate inheritsObjectToString(Class t) {
   not directlyDeclaresToString(t.getSourceDeclaration()) and
diff --git a/java/ql/src/experimental/Security/CWE/CWE-297/InsecureLdapEndpoint.ql b/java/ql/src/experimental/Security/CWE/CWE-297/InsecureLdapEndpoint.ql
@@ -68,7 +68,7 @@ predicate isBooleanTrue(Expr expr) {
   or
   exists(MethodAccess ma |
     expr = ma and
-    ma.getMethod().hasName("toString") and
+    ma.getMethod() instanceof ToStringMethod and
     ma.getQualifier().(FieldAccess).getField().hasName("TRUE") and
     ma.getQualifier()
         .(FieldAccess)
diff --git a/java/ql/src/semmle/code/java/JDK.qll b/java/ql/src/semmle/code/java/JDK.qll
@@ -353,7 +353,7 @@ class EqualsMethod extends Method {
 class HashCodeMethod extends Method {
   HashCodeMethod() {
     this.hasName("hashCode") and
-    this.getNumberOfParameters() = 0
+    this.hasNoParameters()
   }
 }
 
@@ -365,6 +365,14 @@ class CloneMethod extends Method {
   }
 }
 
+/** A method with the same signature as `java.lang.Object.toString`. */
+class ToStringMethod extends Method {
+  ToStringMethod() {
+    this.hasName("toString") and
+    this.hasNoParameters()
+  }
+}
+
 /**
  * The public static `main` method, with a single formal parameter
  * of type `String[]` and return type `void`.
diff --git a/java/ql/src/semmle/code/java/dispatch/ObjFlow.qll b/java/ql/src/semmle/code/java/dispatch/ObjFlow.qll
@@ -194,7 +194,7 @@ private predicate source(RefType t, ObjNode n) {
 private predicate sink(ObjNode n) {
   exists(MethodAccess toString |
     toString.getQualifier() = n.asExpr() and
-    toString.getMethod().hasName("toString")
+    toString.getMethod() instanceof ToStringMethod
   ) and
   n.getTypeBound().getErasure() instanceof TypeObject
 }
diff --git a/java/ql/src/semmle/code/java/security/ControlledString.qll b/java/ql/src/semmle/code/java/security/ControlledString.qll
@@ -8,7 +8,8 @@ import semmle.code.java.Expr
 import semmle.code.java.security.Validation
 
 /**
- * Holds if `method` is a `toString()` method on a boxed type. These never return special characters.
+ * Holds if `method` is a `toString()` method on a boxed type, with or without parameters.
+ * These never return special characters.
  */
 private predicate boxedToString(Method method) {
   method.getDeclaringType() instanceof BoxedType and
@@ -44,11 +45,9 @@ private predicate controlledStringProp(Expr src, Expr dest) {
   exists(AddExpr concatOp | concatOp = dest | src = concatOp.getAnOperand())
   or
   // `toString()` on a safe string is safe.
-  exists(MethodAccess toStringCall, Method toString |
+  exists(MethodAccess toStringCall |
     src = toStringCall.getQualifier() and
-    toString = toStringCall.getMethod() and
-    toString.hasName("toString") and
-    toString.getNumberOfParameters() = 0 and
+    toStringCall.getMethod() instanceof ToStringMethod and
     dest = toStringCall
   )
 }

Original file line number	Diff line number	Diff line change
`@@ -79,8 +79,7 @@ predicate stackTraceExpr(Expr exception, MethodAccess stackTraceString) {`
`79`	`79`	`printStackCall.getAnArgument() = printWriter and`
`80`	`80`	`printStackCall.getQualifier() = exception and`
`81`	`81`	`stackTraceString.getQualifier() = stringWriterVar.getAnAccess() and`
`82`		`- stackTraceString.getMethod().getName() = "toString" and`
`83`		`- stackTraceString.getMethod().getNumberOfParameters() = 0`
	`82`	`+ stackTraceString.getMethod() instanceof ToStringMethod`
`84`	`83`	`)`
`85`	`84`	`}`
`86`	`85`
Original file line number	Diff line number	Diff line change
`@@ -33,9 +33,8 @@ class InsecureAlgoLiteral extends ShortStringLiteral {`
`33`	`33`	`}`
`34`	`34`
`35`	`35`	`predicate objectToString(MethodAccess ma) {`
`36`		`- exists(Method m \|`
	`36`	`+ exists(ToStringMethod m \|`
`37`	`37`	`m = ma.getMethod() and`
`38`		`- m.hasName("toString") and`
`39`	`38`	`m.getDeclaringType() instanceof TypeObject and`
`40`	`39`	`variableTrack(ma.getQualifier()).getType().getErasure() instanceof TypeObject`
`41`	`40`	`)`
Original file line number	Diff line number	Diff line change
`@@ -19,14 +19,14 @@ class HardcodedCredentialApiCallConfiguration extends DataFlow::Configuration {`
`19`	`19`
`20`	`20`	`override predicate isSource(DataFlow::Node n) {`
`21`	`21`	`n.asExpr() instanceof HardcodedExpr and`
`22`		`- not n.asExpr().getEnclosingCallable().getName() = "toString"`
	`22`	`+ not n.asExpr().getEnclosingCallable() instanceof ToStringMethod`
`23`	`23`	`}`
`24`	`24`
`25`	`25`	`override predicate isSink(DataFlow::Node n) { n.asExpr() instanceof CredentialsApiSink }`
`26`	`26`
`27`	`27`	`override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {`
`28`	`28`	`node1.asExpr().getType() instanceof TypeString and`
`29`		`- exists(MethodAccess ma \| ma.getMethod().getName().regexpMatch("getBytes\|toCharArray") \|`
	`29`	`+ exists(MethodAccess ma \| ma.getMethod().hasName(["getBytes", "toCharArray"]) \|`
`30`	`30`	`node2.asExpr() = ma and`
`31`	`31`	`ma.getQualifier() = node1.asExpr()`
`32`	`32`	`)`
Original file line number	Diff line number	Diff line change
`@@ -353,7 +353,7 @@ class EqualsMethod extends Method {`
`353`	`353`	`class HashCodeMethod extends Method {`
`354`	`354`	`HashCodeMethod() {`
`355`	`355`	`this.hasName("hashCode") and`
`356`		`- this.getNumberOfParameters() = 0`
	`356`	`+ this.hasNoParameters()`
`357`	`357`	`}`
`358`	`358`	`}`
`359`	`359`
`@@ -365,6 +365,14 @@ class CloneMethod extends Method {`
`365`	`365`	`}`
`366`	`366`	`}`
`367`	`367`
	`368`	+/** A method with the same signature as `java.lang.Object.toString`. */
	`369`	`+class ToStringMethod extends Method {`
	`370`	`+ ToStringMethod() {`
	`371`	`+ this.hasName("toString") and`
	`372`	`+ this.hasNoParameters()`
	`373`	`+ }`
	`374`	`+}`
	`375`	`+`
`368`	`376`	`/**`
`369`	`377`	* The public static `main` method, with a single formal parameter
`370`	`378`	* of type `String[]` and return type `void`.
Original file line number	Diff line number	Diff line change
`@@ -194,7 +194,7 @@ private predicate source(RefType t, ObjNode n) {`
`194`	`194`	`private predicate sink(ObjNode n) {`
`195`	`195`	`exists(MethodAccess toString \|`
`196`	`196`	`toString.getQualifier() = n.asExpr() and`
`197`		`- toString.getMethod().hasName("toString")`
	`197`	`+ toString.getMethod() instanceof ToStringMethod`
`198`	`198`	`) and`
`199`	`199`	`n.getTypeBound().getErasure() instanceof TypeObject`
`200`	`200`	`}`