Java: Remove manual models from QL code.

Author: michaelnebel

java/ql/lib/ext/android.content.model.yml

@@ -3,6 +3,7 @@ extensions:
       pack: codeql/java-all
       extensible: extSourceModel
     data:
+      # ContentInterface models are here for backwards compatibility (it was removed in API 28)
       - ["android.content", "ContentInterface", True, "call", "(String,String,String,Bundle)", "", "Parameter[0..3]", "contentprovider", "manual"]
       - ["android.content", "ContentInterface", True, "delete", "(Uri,Bundle)", "", "Parameter[0..1]", "contentprovider", "manual"]
       - ["android.content", "ContentInterface", True, "getType", "(Uri)", "", "Parameter[0]", "contentprovider", "manual"]
@@ -80,6 +81,7 @@ extensions:
       - ["android.content", "ComponentName", False, "unflattenFromString", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["android.content", "ContentProvider", True, "query", "(Uri,String[],String,String[],String)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["android.content", "ContentProvider", True, "query", "(Uri,String[],String,String[],String,CancellationSignal)", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      # ContentProviderClient is tainted at its creation, not by its arguments
       - ["android.content", "ContentProviderClient", True, "applyBatch", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
       - ["android.content", "ContentProviderClient", True, "call", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
       - ["android.content", "ContentProviderClient", True, "canonicalize", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
@@ -132,6 +134,7 @@ extensions:
       - ["android.content", "ContentValues", False, "put", "", "", "Argument[1]", "Argument[-1].MapValue", "value", "manual"]
       - ["android.content", "ContentValues", False, "putAll", "", "", "Argument[0].MapKey", "Argument[-1].MapKey", "value", "manual"]
       - ["android.content", "ContentValues", False, "putAll", "", "", "Argument[0].MapValue", "Argument[-1].MapValue", "value", "manual"]
+      # Currently only the Extras part of the intent and the data field are fully modeled
       - ["android.content", "Intent", True, "Intent", "(Context,Class)", "", "Argument[1]", "Argument[-1]", "taint", "manual"]
       - ["android.content", "Intent", True, "Intent", "(Intent)", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
       - ["android.content", "Intent", False, "Intent", "(Intent)", "", "Argument[0].SyntheticField[android.content.Intent.extras].MapKey", "Argument[-1].SyntheticField[android.content.Intent.extras].MapKey", "value", "manual"]

java/ql/lib/ext/android.os.model.yml

@@ -35,6 +35,7 @@ extensions:
       - ["android.os", "Bundle", False, "Bundle", "(PersistableBundle)", "", "Argument[0].MapValue", "Argument[-1].MapValue", "value", "manual"]
       - ["android.os", "Bundle", True, "clone", "()", "", "Argument[-1].MapKey", "ReturnValue.MapKey", "value", "manual"]
       - ["android.os", "Bundle", True, "clone", "()", "", "Argument[-1].MapValue", "ReturnValue.MapValue", "value", "manual"]
+      #  Model for Bundle.deepCopy is not fully precise, as some map values aren't copied by value
       - ["android.os", "Bundle", True, "deepCopy", "()", "", "Argument[-1].MapKey", "ReturnValue.MapKey", "value", "manual"]
       - ["android.os", "Bundle", True, "deepCopy", "()", "", "Argument[-1].MapValue", "ReturnValue.MapValue", "value", "manual"]
       - ["android.os", "Bundle", True, "getBinder", "(String)", "", "Argument[-1].MapValue", "ReturnValue", "value", "manual"]

java/ql/lib/ext/android.webkit.model.yml

@@ -9,6 +9,7 @@ extensions:
       pack: codeql/java-all
       extensible: extSinkModel
     data:
+      # Models representing methods susceptible to XSS attacks.
       - ["android.webkit", "WebView", False, "evaluateJavascript", "", "", "Argument[0]", "xss", "manual"]
       - ["android.webkit", "WebView", False, "loadData", "", "", "Argument[0]", "xss", "manual"]
       - ["android.webkit", "WebView", False, "loadDataWithBaseURL", "", "", "Argument[1]", "xss", "manual"]

java/ql/lib/ext/com.google.common.cache.model.yml

@@ -5,7 +5,9 @@ extensions:
     data:
       - ["com.google.common.cache", "Cache", True, "asMap", "()", "", "Argument[-1].MapKey", "ReturnValue.MapKey", "value", "manual"]
       - ["com.google.common.cache", "Cache", True, "asMap", "()", "", "Argument[-1].MapValue", "ReturnValue.MapValue", "value", "manual"]
+      # Lambda flow from Argument[1] not implemented
       - ["com.google.common.cache", "Cache", True, "get", "(Object,Callable)", "", "Argument[-1].MapValue", "ReturnValue", "value", "manual"]
+      # The true flow to MapKey of ReturnValue for getAllPresent is the intersection of the these inputs, but intersections cannot be modeled fully accurately.
       - ["com.google.common.cache", "Cache", True, "getAllPresent", "(Iterable)", "", "Argument[-1].MapKey", "ReturnValue.MapKey", "value", "manual"]
       - ["com.google.common.cache", "Cache", True, "getAllPresent", "(Iterable)", "", "Argument[-1].MapValue", "ReturnValue.MapValue", "value", "manual"]
       - ["com.google.common.cache", "Cache", True, "getAllPresent", "(Iterable)", "", "Argument[0].Element", "ReturnValue.MapKey", "value", "manual"]

java/ql/lib/ext/com.google.common.collect.model.yml

@@ -3,6 +3,8 @@ extensions:
       pack: codeql/java-all
       extensible: extSummaryModel
     data:
+      # Methods depending on lambda flow are not currently modeled
+      # Methods depending on stronger aliasing properties than we support are also not modeled.
       - ["com.google.common.collect", "ArrayListMultimap", True, "create", "(Multimap)", "", "Argument[0].MapKey", "ReturnValue.MapKey", "value", "manual"]
       - ["com.google.common.collect", "ArrayListMultimap", True, "create", "(Multimap)", "", "Argument[0].MapValue", "ReturnValue.MapValue", "value", "manual"]
       - ["com.google.common.collect", "ArrayTable", True, "create", "(Iterable,Iterable)", "", "Argument[0].Element", "ReturnValue.SyntheticField[com.google.common.collect.Table.rowKey]", "value", "manual"]

java/ql/lib/ext/jakarta.ws.rs.core.model.yml

@@ -27,6 +27,9 @@ extensions:
       - ["jakarta.ws.rs.core", "Form", True, "param", "", "", "Argument[0..1]", "Argument[-1]", "taint", "manual"]
       - ["jakarta.ws.rs.core", "GenericEntity", False, "GenericEntity", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
       - ["jakarta.ws.rs.core", "GenericEntity", True, "getEntity", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      # Methods that Date have to be syntax-checked, but those returning MediaType
+      # or Locale are assumed potentially dangerous, as these types do not generally check that the
+      # input data is recognised, only that it conforms to the expected syntax.
       - ["jakarta.ws.rs.core", "HttpHeaders", True, "getAcceptableLanguages", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
       - ["jakarta.ws.rs.core", "HttpHeaders", True, "getAcceptableMediaTypes", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
       - ["jakarta.ws.rs.core", "HttpHeaders", True, "getCookies", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
@@ -63,9 +66,13 @@ extensions:
       - ["jakarta.ws.rs.core", "NewCookie", False, "valueOf", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["jakarta.ws.rs.core", "PathSegment", True, "getMatrixParameters", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
       - ["jakarta.ws.rs.core", "PathSegment", True, "getPath", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      # The returned ResponseBuilder gains taint from a tainted entity or existing Response
       - ["jakarta.ws.rs.core", "Response", False, "accepted", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["jakarta.ws.rs.core", "Response", False, "fromResponse", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["jakarta.ws.rs.core", "Response", False, "ok", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      # Becomes tainted by a tainted entity, but not by metadata, headers etc
+      # Build() method returns taint
+      # Almost all methods are fluent, and so preserve value
       - ["jakarta.ws.rs.core", "Response$ResponseBuilder", True, "allow", "", "", "Argument[-1]", "ReturnValue", "value", "manual"]
       - ["jakarta.ws.rs.core", "Response$ResponseBuilder", True, "build", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
       - ["jakarta.ws.rs.core", "Response$ResponseBuilder", True, "cacheControl", "", "", "Argument[-1]", "ReturnValue", "value", "manual"]

java/ql/lib/ext/java.nio.file.model.yml

@@ -24,10 +24,12 @@ extensions:
     data:
       - ["java.nio.file", "FileSystem", True, "getPath", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["java.nio.file", "FileSystem", True, "getRootDirectories", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["java.nio.file", "Path", True, "getParent", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
       - ["java.nio.file", "Path", True, "normalize", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
       - ["java.nio.file", "Path", True, "resolve", "", "", "Argument[-1..0]", "ReturnValue", "taint", "manual"]
       - ["java.nio.file", "Path", True, "toAbsolutePath", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
       - ["java.nio.file", "Path", False, "toFile", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
       - ["java.nio.file", "Path", True, "toString", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
       - ["java.nio.file", "Path", True, "toUri", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
-      - ["java.nio.file", "Paths", True, "get", "", "", "Argument[0..1]", "ReturnValue", "taint", "manual"]
+      - ["java.nio.file", "Paths", True, "get", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["java.nio.file", "Paths", True, "get", "", "", "Argument[1].ArrayElement", "ReturnValue", "taint", "manual"]

java/ql/lib/ext/java.util.stream.model.yml

@@ -16,6 +16,7 @@ extensions:
       - ["java.util.stream", "Stream", True, "collect", "(Supplier,BiConsumer,BiConsumer)", "", "Argument[1].Parameter[0]", "Argument[2].Parameter[0..1]", "value", "manual"]
       - ["java.util.stream", "Stream", True, "collect", "(Supplier,BiConsumer,BiConsumer)", "", "Argument[1].Parameter[0]", "ReturnValue", "value", "manual"]
       - ["java.util.stream", "Stream", True, "collect", "(Supplier,BiConsumer,BiConsumer)", "", "Argument[2].Parameter[0..1]", "Argument[1].Parameter[0]", "value", "manual"]
+      # collect(Collector<T,A,R> collector) is handled separately on a case-by-case basis as it is too complex for MaD
       - ["java.util.stream", "Stream", True, "concat", "(Stream,Stream)", "", "Argument[0..1].Element", "ReturnValue.Element", "value", "manual"]
       - ["java.util.stream", "Stream", True, "distinct", "()", "", "Argument[-1].Element", "ReturnValue.Element", "value", "manual"]
       - ["java.util.stream", "Stream", True, "dropWhile", "(Predicate)", "", "Argument[-1].Element", "Argument[0].Parameter[0]", "value", "manual"]
@@ -43,6 +44,9 @@ extensions:
       - ["java.util.stream", "Stream", True, "limit", "(long)", "", "Argument[-1].Element", "ReturnValue.Element", "value", "manual"]
       - ["java.util.stream", "Stream", True, "map", "(Function)", "", "Argument[-1].Element", "Argument[0].Parameter[0]", "value", "manual"]
       - ["java.util.stream", "Stream", True, "map", "(Function)", "", "Argument[0].ReturnValue", "ReturnValue.Element", "value", "manual"]
+      # Missing for mapMulti(BiConsumer) (not currently supported):
+      # Argument[0] of Parameter[1] of Argument[0] -> Element of Parameter[1] of Argument[0]
+      # Element of Parameter[1] of Argument[0] -> Element of ReturnValue
       - ["java.util.stream", "Stream", True, "mapMulti", "(BiConsumer)", "", "Argument[-1].Element", "Argument[0].Parameter[0]", "value", "manual"]
       - ["java.util.stream", "Stream", True, "mapMultiToDouble", "(BiConsumer)", "", "Argument[-1].Element", "Argument[0].Parameter[0]", "value", "manual"]
       - ["java.util.stream", "Stream", True, "mapMultiToInt", "(BiConsumer)", "", "Argument[-1].Element", "Argument[0].Parameter[0]", "value", "manual"]

java/ql/lib/ext/javax.jms.model.yml

@@ -1,3 +1,8 @@
+ # This model covers JMS API versions 1 and 2.
+ #
+ # https://docs.oracle.com/javaee/6/api/javax/jms/package-summary.html
+ # https://docs.oracle.com/javaee/7/api/javax/jms/package-summary.html
+ #
 extensions:
   - addsTo:
       pack: codeql/java-all

java/ql/lib/ext/javax.ws.rs.core.model.yml

@@ -28,6 +28,9 @@ extensions:
       - ["javax.ws.rs.core", "Form", True, "param", "", "", "Argument[0..1]", "Argument[-1]", "taint", "manual"]
       - ["javax.ws.rs.core", "GenericEntity", False, "GenericEntity", "", "", "Argument[0]", "Argument[-1]", "taint", "manual"]
       - ["javax.ws.rs.core", "GenericEntity", True, "getEntity", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      # Methods that Date have to be syntax-checked, but those returning MediaType
+      # or Locale are assumed potentially dangerous, as these types do not generally check that the
+      # input data is recognised, only that it conforms to the expected syntax.
       - ["javax.ws.rs.core", "HttpHeaders", True, "getAcceptableLanguages", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
       - ["javax.ws.rs.core", "HttpHeaders", True, "getAcceptableMediaTypes", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
       - ["javax.ws.rs.core", "HttpHeaders", True, "getCookies", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
@@ -64,9 +67,13 @@ extensions:
       - ["javax.ws.rs.core", "NewCookie", False, "valueOf", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["javax.ws.rs.core", "PathSegment", True, "getMatrixParameters", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
       - ["javax.ws.rs.core", "PathSegment", True, "getPath", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
+      # The returned ResponseBuilder gains taint from a tainted entity or existing Response
       - ["javax.ws.rs.core", "Response", False, "accepted", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["javax.ws.rs.core", "Response", False, "fromResponse", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["javax.ws.rs.core", "Response", False, "ok", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
+      # Becomes tainted by a tainted entity, but not by metadata, headers etc
+      # Build() method returns taint
+      # Almost all methods are fluent, and so preserve value
       - ["javax.ws.rs.core", "Response$ResponseBuilder", True, "allow", "", "", "Argument[-1]", "ReturnValue", "value", "manual"]
       - ["javax.ws.rs.core", "Response$ResponseBuilder", True, "build", "", "", "Argument[-1]", "ReturnValue", "taint", "manual"]
       - ["javax.ws.rs.core", "Response$ResponseBuilder", True, "cacheControl", "", "", "Argument[-1]", "ReturnValue", "value", "manual"]