Java: migrate constructor flow taint steps to CSV

tamasvajk · tamasvajk · commit af0dff8c6fa9 · 2021-03-16T12:10:28.000+01:00
diff --git a/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll
@@ -241,7 +241,30 @@ private predicate summaryModelCsv(string row) {
       "org.apache.commons.io;IOUtils;false;write;;;Argument[0];Argument[1];taint",
       "org.apache.commons.io;IOUtils;false;writeChunked;;;Argument[0];Argument[1];taint",
       "org.apache.commons.io;IOUtils;false;writeLines;;;Argument[0];Argument[2];taint",
-      "org.apache.commons.io;IOUtils;false;writeLines;;;Argument[1];Argument[2];taint"
+      "org.apache.commons.io;IOUtils;false;writeLines;;;Argument[1];Argument[2];taint",
+      // constructor flow
+      "java.io;File;false;File;;;Argument[0];ReturnValue;taint",
+      "java.io;File;false;File;;;Argument[1];ReturnValue;taint",
+      "java.net;URI;false;URI;(String);;Argument[0];ReturnValue;taint",
+      "javax.xml.transform.stream;StreamSource;false;StreamSource;;;Argument[0];ReturnValue;taint",
+      "javax.xml.transform.sax;SAXSource;false;SAXSource;(InputSource);;Argument[0];ReturnValue;taint",
+      "javax.xml.transform.sax;SAXSource;false;SAXSource;(XMLReader,InputSource);;Argument[1];ReturnValue;taint",
+      "org.xml.sax;InputSource;false;InputSource;;;Argument[0];ReturnValue;taint",
+      "javax.servlet.http;Cookie;false;Cookie;;;Argument[0];ReturnValue;taint",
+      "javax.servlet.http;Cookie;false;Cookie;;;Argument[1];ReturnValue;taint",
+      "java.util.zip;ZipInputStream;false;ZipInputStream;;;Argument[0];ReturnValue;taint",
+      "java.util.zip;GZIPInputStream;false;GZIPInputStream;;;Argument[0];ReturnValue;taint",
+      "java.util;StringTokenizer;false;StringTokenizer;;;Argument[0];ReturnValue;taint",
+      "java.beans;XMLDecoder;false;XMLDecoder;;;Argument[0];ReturnValue;taint",
+      "com.esotericsoftware.kryo.io;Input;false;Input;;;Argument[0];ReturnValue;taint",
+      "java.io;BufferedInputStream;false;BufferedInputStream;;;Argument[0];ReturnValue;taint",
+      "java.io;DataInputStream;false;DataInputStream;;;Argument[0];ReturnValue;taint",
+      "java.io;ByteArrayInputStream;false;ByteArrayInputStream;;;Argument[0];ReturnValue;taint",
+      "java.io;ObjectInputStream;false;ObjectInputStream;;;Argument[0];ReturnValue;taint",
+      "java.io;StringReader;false;StringReader;;;Argument[0];ReturnValue;taint",
+      "java.io;CharArrayReader;false;CharArrayReader;;;Argument[0];ReturnValue;taint",
+      "java.io;BufferedReader;false;BufferedReader;;;Argument[0];ReturnValue;taint",
+      "java.io;InputStreamReader;false;InputStreamReader;;;Argument[0];ReturnValue;taint"
     ]
 }
 
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -166,60 +166,6 @@ private predicate inputStreamWrapper(Constructor c, int argi) {
 /** An object construction that preserves the data flow status of any of its arguments. */
 private predicate constructorStep(Expr tracked, ConstructorCall sink) {
   exists(int argi | sink.getArgument(argi) = tracked |
-    exists(string s | sink.getConstructedType().getQualifiedName() = s |
-      // some readers preserve the content of streams
-      s = "java.io.InputStreamReader" and argi = 0
-      or
-      s = "java.io.BufferedReader" and argi = 0
-      or
-      s = "java.io.CharArrayReader" and argi = 0
-      or
-      s = "java.io.StringReader" and argi = 0
-      or
-      // data preserved through streams
-      s = "java.io.ObjectInputStream" and argi = 0
-      or
-      s = "java.io.ByteArrayInputStream" and argi = 0
-      or
-      s = "java.io.DataInputStream" and argi = 0
-      or
-      s = "java.io.BufferedInputStream" and argi = 0
-      or
-      s = "com.esotericsoftware.kryo.io.Input" and argi = 0
-      or
-      s = "java.beans.XMLDecoder" and argi = 0
-      or
-      // a tokenizer preserves the content of a string
-      s = "java.util.StringTokenizer" and argi = 0
-      or
-      // unzipping the stream preserves content
-      s = "java.util.zip.ZipInputStream" and argi = 0
-      or
-      s = "java.util.zip.GZIPInputStream" and argi = 0
-      or
-      // a cookie with tainted ingredients is tainted
-      s = "javax.servlet.http.Cookie" and argi = 0
-      or
-      s = "javax.servlet.http.Cookie" and argi = 1
-      or
-      // various xml stream source constructors.
-      s = "org.xml.sax.InputSource" and argi = 0
-      or
-      s = "javax.xml.transform.sax.SAXSource" and argi = 0 and sink.getNumArgument() = 1
-      or
-      s = "javax.xml.transform.sax.SAXSource" and argi = 1 and sink.getNumArgument() = 2
-      or
-      s = "javax.xml.transform.stream.StreamSource" and argi = 0
-      or
-      //a URI constructed from a tainted string is tainted.
-      s = "java.net.URI" and argi = 0 and sink.getNumArgument() = 1
-      or
-      //a File constructed from a tainted string is tainted.
-      s = "java.io.File" and argi = 0
-      or
-      s = "java.io.File" and argi = 1
-    )
-    or
     // wrappers constructed by extension
     exists(Constructor c, Parameter p, SuperConstructorInvocationStmt sup |
       c = sink.getConstructor() and
