Merge pull request github#6387 from joefarebrother/guava-cache

Java: Model guava cache package

Author: joefarebrother

java/change-notes/2021-07-28-guava-cache.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added additional taint steps modeling methods in the Guava cache package (`com.google.common.cache`)

java/ql/src/semmle/code/java/frameworks/guava/Cache.qll

@@ -0,0 +1,32 @@
+/** Flow steps through methods of `com.google.common.cache` */
+
+import java
+private import semmle.code.java.dataflow.ExternalFlow
+
+private class GuavaBaseCsv extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        //`namespace; type; subtypes; name; signature; ext; input; output; kind`
+        "com.google.common.cache;Cache;true;asMap;();;MapKey of Argument[-1];MapKey of ReturnValue;value",
+        "com.google.common.cache;Cache;true;asMap;();;MapValue of Argument[-1];MapValue of ReturnValue;value",
+        // lambda flow from Argument[1] not implemented
+        "com.google.common.cache;Cache;true;get;(Object,Callable);;MapValue of Argument[-1];ReturnValue;value",
+        "com.google.common.cache;Cache;true;getIfPresent;(Object);;MapValue of Argument[-1];ReturnValue;value",
+        // the true flow to MapKey of ReturnValue for getAllPresent is the intersection of the these inputs, but intersections cannot be modelled fully accurately.
+        "com.google.common.cache;Cache;true;getAllPresent;(Iterable);;MapKey of Argument[-1];MapKey of ReturnValue;value",
+        "com.google.common.cache;Cache;true;getAllPresent;(Iterable);;Element of Argument[0];MapKey of ReturnValue;value",
+        "com.google.common.cache;Cache;true;getAllPresent;(Iterable);;MapValue of Argument[-1];MapValue of ReturnValue;value",
+        "com.google.common.cache;Cache;true;put;(Object,Object);;Argument[0];MapKey of Argument[-1];value",
+        "com.google.common.cache;Cache;true;put;(Object,Object);;Argument[1];MapValue of Argument[-1];value",
+        "com.google.common.cache;Cache;true;putAll;(Map);;MapKey of Argument[0];MapKey of Argument[-1];value",
+        "com.google.common.cache;Cache;true;putAll;(Map);;MapValue of Argument[0];MapValue of Argument[-1];value",
+        "com.google.common.cache;LoadingCache;true;get;(Object);;MapValue of Argument[-1];ReturnValue;value",
+        "com.google.common.cache;LoadingCache;true;getUnchecked;(Object);;MapValue of Argument[-1];ReturnValue;value",
+        "com.google.common.cache;LoadingCache;true;apply;(Object);;MapValue of Argument[-1];ReturnValue;value",
+        "com.google.common.cache;LoadingCache;true;getAll;(Iterable);;Element of Argument[0];MapKey of ReturnValue;value",
+        "com.google.common.cache;LoadingCache;true;getAll;(Iterable);;Element of Argument[0];MapKey of Argument[-1];value",
+        "com.google.common.cache;LoadingCache;true;getAll;(Iterable);;MapValue of Argument[-1];MapValue of ReturnValue;value"
+      ]
+  }
+}

java/ql/src/semmle/code/java/frameworks/guava/Guava.qll

@@ -6,3 +6,4 @@ import java
 import Base
 import Collections
 import IO
+import Cache

java/ql/test/library-tests/frameworks/guava/generated/cache/Test.java

@@ -0,0 +1,181 @@
+package generatedtest;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.LoadingCache;
+import com.google.common.cache.CacheBuilder;
+import com.google.common.collect.ImmutableMap;
+import java.util.Map;
+import java.util.concurrent.ConcurrentMap;
+import java.util.HashMap;
+import java.util.List;
+import java.util.ArrayList;
+
+// Test case generated by GenerateFlowTestCase.ql
+public class Test {
+
+	<K,V> K getMapKey(Map<K,V> container) { return container.keySet().iterator().next(); }
+	<K,V> K getMapKey(Cache<K,V> container) { return getMapKey(container.asMap()); }
+	<K,V> V getMapValue(Map<K,V> container) { return container.values().iterator().next(); }
+	<K,V> V getMapValue(Cache<K,V> container) { return getMapValue(container.asMap()); }
+	<T> Iterable<T> newWithElement(T element) { 
+		List<T> l = new ArrayList();
+		l.add(element);
+		return l;
+	}
+	<K,V> Map<K,V> newMapWithMapKey(K element) { 
+		Map<K,V> m = new HashMap<K,V>();
+		m.put(element, null);
+		return m;
+	} 
+	<K,V> LoadingCache<K,V> newCacheWithMapKey(K element) { 
+		LoadingCache<K,V> lc = CacheBuilder.newBuilder().build(null);
+		lc.put(element, null);
+		return lc;
+	}
+	<K,V> Map<K,V> newMapWithMapValue(V element) { 
+		Map<K,V> m = new HashMap<K,V>();
+		m.put(null, element);
+		return m;
+	 } 
+	<K,V> LoadingCache<K,V> newCacheWithMapValue(V element) { 
+		LoadingCache<K,V> lc = CacheBuilder.newBuilder().build(null);
+		lc.put(null, element);
+		return lc;
+	}
+	<T> T source() { return null; }
+	void sink(Object o) { }
+
+	public void test() throws Exception {
+
+		{
+			// "com.google.common.cache;Cache;true;asMap;();;MapKey of Argument[-1];MapKey of ReturnValue;value"
+			ConcurrentMap out = null;
+			LoadingCache in = newCacheWithMapKey(source());
+			out = in.asMap();
+			sink(getMapKey(out)); // $ hasValueFlow
+		}
+		{
+			// "com.google.common.cache;Cache;true;asMap;();;MapKey of Argument[-1];MapKey of ReturnValue;value"
+			ConcurrentMap out = null;
+			Cache in = newCacheWithMapKey(source());
+			out = in.asMap();
+			sink(getMapKey(out)); // $ hasValueFlow
+		}
+		{
+			// "com.google.common.cache;Cache;true;asMap;();;MapValue of Argument[-1];MapValue of ReturnValue;value"
+			ConcurrentMap out = null;
+			LoadingCache in = newCacheWithMapValue(source());
+			out = in.asMap();
+			sink(getMapValue(out)); // $ hasValueFlow
+		}
+		{
+			// "com.google.common.cache;Cache;true;asMap;();;MapValue of Argument[-1];MapValue of ReturnValue;value"
+			ConcurrentMap out = null;
+			Cache in = newCacheWithMapValue(source());
+			out = in.asMap();
+			sink(getMapValue(out)); // $ hasValueFlow
+		}
+		{
+			// "com.google.common.cache;Cache;true;get;(Object,Callable);;MapValue of Argument[-1];ReturnValue;value"
+			Object out = null;
+			Cache in = newCacheWithMapValue(source());
+			out = in.get(null, null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "com.google.common.cache;Cache;true;getAllPresent;(Iterable);;Element of Argument[0];MapKey of ReturnValue;value"
+			ImmutableMap out = null;
+			Iterable in = newWithElement(source());
+			Cache instance = null;
+			out = instance.getAllPresent(in);
+			sink(getMapKey(out)); // $ hasValueFlow
+		}
+		{
+			// "com.google.common.cache;Cache;true;getAllPresent;(Iterable);;MapKey of Argument[-1];MapKey of ReturnValue;value"
+			ImmutableMap out = null;
+			Cache in = newCacheWithMapKey(source());
+			out = in.getAllPresent(null);
+			sink(getMapKey(out)); // $ hasValueFlow
+		}
+		{
+			// "com.google.common.cache;Cache;true;getIfPresent;;;MapValue of Argument[-1];ReturnValue;value"
+			Object out = null;
+			Cache in = newCacheWithMapValue(source());
+			out = in.getIfPresent(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "com.google.common.cache;Cache;true;put;(Object,Object);;Argument[0];MapKey of Argument[-1];value"
+			Cache out = null;
+			Object in = source();
+			out.put(in, null);
+			sink(getMapKey(out)); // $ hasValueFlow
+		}
+		{
+			// "com.google.common.cache;Cache;true;put;(Object,Object);;Argument[1];MapValue of Argument[-1];value"
+			Cache out = null;
+			Object in = source();
+			out.put(null, in);
+			sink(getMapValue(out)); // $ hasValueFlow
+		}
+		{
+			// "com.google.common.cache;Cache;true;putAll;(Map);;MapKey of Argument[0];MapKey of Argument[-1];value"
+			Cache out = null;
+			Map in = newMapWithMapKey(source());
+			out.putAll(in);
+			sink(getMapKey(out)); // $ hasValueFlow
+		}
+		{
+			// "com.google.common.cache;Cache;true;putAll;(Map);;MapValue of Argument[0];MapValue of Argument[-1];value"
+			Cache out = null;
+			Map in = newMapWithMapValue(source());
+			out.putAll(in);
+			sink(getMapValue(out)); // $ hasValueFlow
+		}
+		{
+			// "com.google.common.cache;LoadingCache;true;apply;;;MapValue of Argument[-1];ReturnValue;value"
+			Object out = null;
+			LoadingCache in = newCacheWithMapValue(source());
+			out = in.apply(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "com.google.common.cache;LoadingCache;true;get;;;MapValue of Argument[-1];ReturnValue;value"
+			Object out = null;
+			LoadingCache in = newCacheWithMapValue(source());
+			out = in.get(null);
+			sink(out); // $ hasValueFlow
+		}
+		{
+			// "com.google.common.cache;LoadingCache;true;getAll;(Iterable);;Element of Argument[0];MapKey of Argument[-1];value"
+			LoadingCache out = null;
+			Iterable in = (Iterable)newWithElement(source());
+			out.getAll(in);
+			sink(getMapKey(out)); // $ hasValueFlow
+		}
+		{
+			// "com.google.common.cache;LoadingCache;true;getAll;(Iterable);;Element of Argument[0];MapKey of ReturnValue;value"
+			ImmutableMap out = null;
+			Iterable in = (Iterable)newWithElement(source());
+			LoadingCache instance = null;
+			out = instance.getAll(in);
+			sink(getMapKey(out)); // $ hasValueFlow
+		}
+		{
+			// "com.google.common.cache;LoadingCache;true;getAll;(Iterable);;MapValue of Argument[-1];MapValue of ReturnValue;value"
+			ImmutableMap out = null;
+			LoadingCache in = newCacheWithMapValue(source());
+			out = in.getAll(null);
+			sink(getMapValue(out)); // $ hasValueFlow
+		}
+		{
+			// "com.google.common.cache;LoadingCache;true;getUnchecked;;;MapValue of Argument[-1];ReturnValue;value"
+			Object out = null;
+			LoadingCache in = newCacheWithMapValue(source());
+			out = in.getUnchecked(null);
+			sink(out); // $ hasValueFlow
+		}
+
+	}
+
+}

java/ql/test/library-tests/frameworks/guava/generated/cache/options

@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/guava-30.0

java/ql/test/library-tests/frameworks/guava/generated/cache/test.expected

@@ -0,0 +1,53 @@
+import java
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.ExternalFlow
+import semmle.code.java.dataflow.TaintTracking
+import TestUtilities.InlineExpectationsTest
+
+class ValueFlowConf extends DataFlow::Configuration {
+  ValueFlowConf() { this = "qltest:valueFlowConf" }
+
+  override predicate isSource(DataFlow::Node n) {
+    n.asExpr().(MethodAccess).getMethod().hasName("source")
+  }
+
+  override predicate isSink(DataFlow::Node n) {
+    n.asExpr().(Argument).getCall().getCallee().hasName("sink")
+  }
+}
+
+class TaintFlowConf extends TaintTracking::Configuration {
+  TaintFlowConf() { this = "qltest:taintFlowConf" }
+
+  override predicate isSource(DataFlow::Node n) {
+    n.asExpr().(MethodAccess).getMethod().hasName("source")
+  }
+
+  override predicate isSink(DataFlow::Node n) {
+    n.asExpr().(Argument).getCall().getCallee().hasName("sink")
+  }
+}
+
+class HasFlowTest extends InlineExpectationsTest {
+  HasFlowTest() { this = "HasFlowTest" }
+
+  override string getARelevantTag() { result = ["hasValueFlow", "hasTaintFlow"] }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasValueFlow" and
+    exists(DataFlow::Node src, DataFlow::Node sink, ValueFlowConf conf | conf.hasFlow(src, sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+    or
+    tag = "hasTaintFlow" and
+    exists(DataFlow::Node src, DataFlow::Node sink, TaintFlowConf conf |
+      conf.hasFlow(src, sink) and not any(ValueFlowConf c).hasFlow(src, sink)
+    |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}

java/ql/test/library-tests/frameworks/guava/generated/cache/test.ql

@@ -1,25 +1,9 @@
-/*
- * Copyright (C) 2007 The Guava Authors
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
- * in compliance with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under the License
- * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
- * or implied. See the License for the specific language governing permissions and limitations under
- * the License.
- */
+// Generated automatically from com.google.common.base.Function for testing purposes, and adjusted manually
 
 package com.google.common.base;
-import org.checkerframework.checker.nullness.qual.Nullable;
-
-public interface Function<F, T> extends java.util.function.Function<F, T> {
-  @Override
-  T apply(@Nullable F input);
-
-  @Override
-  boolean equals(@Nullable Object object);
 
+public interface Function<F, T> extends java.util.function.Function<F, T>
+{
+    T apply(F p0);
+    boolean equals(Object p0);
 }

java/ql/test/stubs/guava-30.0/com/google/common/base/Function.java

@@ -1,29 +1,10 @@
-/*
- * Copyright (C) 2007 The Guava Authors
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
- * in compliance with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under the License
- * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
- * or implied. See the License for the specific language governing permissions and limitations under
- * the License.
- */
+// Generated automatically from com.google.common.base.Predicate for testing purposes, and adjusted manually.
 
 package com.google.common.base;
-import org.checkerframework.checker.nullness.qual.Nullable;
-
-public interface Predicate<T> extends java.util.function.Predicate<T> {
-  boolean apply(@Nullable T input);
-
-  @Override
-  boolean equals(@Nullable Object object);
-
-  @Override
-  default boolean test(@Nullable T input) {
-    return false;
-  }
 
+public interface Predicate<T> extends java.util.function.Predicate<T>
+{
+    boolean apply(T p0);
+    boolean equals(Object p0);
+    default boolean test(T p0){ return false; }
 }

java/ql/test/stubs/guava-30.0/com/google/common/base/Predicate.java

@@ -1,21 +1,8 @@
-/*
- * Copyright (C) 2007 The Guava Authors
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
- * in compliance with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under the License
- * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
- * or implied. See the License for the specific language governing permissions and limitations under
- * the License.
- */
+// Generated automatically from com.google.common.base.Supplier for testing purposes, and adjusted manually
 
 package com.google.common.base;
 
-public interface Supplier<T> extends java.util.function.Supplier<T> {
-  @Override
-  T get();
-
+public interface Supplier<T> extends java.util.function.Supplier<T>
+{
+    T get();
 }