Merge pull request github#6382 from bmuskalla/stringValueOfTaint

aschackmull · web-flow · commit be6fd7c22e56 · 2021-08-03T15:30:30.000+02:00
Track taint for String.valueOf(..)
diff --git a/java/ql/src/semmle/code/java/dataflow/FlowSteps.qll b/java/ql/src/semmle/code/java/dataflow/FlowSteps.qll
@@ -108,17 +108,22 @@ abstract class TaintPreservingCallable extends Callable {
 private class StringTaintPreservingMethod extends TaintPreservingCallable {
   StringTaintPreservingMethod() {
     this.getDeclaringType() instanceof TypeString and
-    this.hasName([
-        "concat", "copyValueOf", "endsWith", "format", "formatted", "getBytes", "indent", "intern",
-        "join", "repeat", "split", "strip", "stripIndent", "stripLeading", "stripTrailing",
-        "substring", "toCharArray", "toLowerCase", "toString", "toUpperCase", "trim"
-      ])
+    (
+      this.hasName([
+          "concat", "copyValueOf", "endsWith", "format", "formatted", "getBytes", "indent",
+          "intern", "join", "repeat", "split", "strip", "stripIndent", "stripLeading",
+          "stripTrailing", "substring", "toCharArray", "toLowerCase", "toString", "toUpperCase",
+          "trim"
+        ])
+      or
+      this.hasName("valueOf") and this.getParameterType(0) instanceof Array
+    )
   }
 
   override predicate returnsTaintFrom(int arg) {
     arg = -1 and not this.isStatic()
     or
-    this.hasName(["concat", "copyValueOf"]) and arg = 0
+    this.hasName(["concat", "copyValueOf", "valueOf"]) and arg = 0
     or
     this.hasName(["format", "formatted", "join"]) and arg = [0 .. getNumberOfParameters()]
   }
diff --git a/java/ql/test/library-tests/dataflow/taint/B.java b/java/ql/test/library-tests/dataflow/taint/B.java
@@ -34,6 +34,12 @@ public static void maintest() throws java.io.UnsupportedEncodingException, java.
     // tainted - data preserving constructors
     String constructed = new String(complex);
     sink(constructed);
+    // tainted - data preserving method
+    String valueOf = String.valueOf(complex.toCharArray());
+    sink(valueOf);
+    // tainted - data preserving method
+    String valueOfSubstring = String.valueOf(complex.toCharArray(), 0, 1);
+    sink(valueOfSubstring);
     // tainted - unsafe escape
     String badEscape = constructed.replaceAll("(<script>)", "");
     sink(badEscape);
@@ -49,7 +55,11 @@ public static void maintest() throws java.io.UnsupportedEncodingException, java.
     // non-whitelisted constructors don't pass taint
     StringWrapper herring = new StringWrapper(complex);
     sink(herring);
+    // toString does not pass taint yet 
+    String valueOfObject = String.valueOf(args);
+    sink(valueOfObject);
 
+    
     // tainted equality check with constant
     boolean cond = "foo" == s;
     sink(cond);
diff --git a/java/ql/test/library-tests/dataflow/taint/test.expected b/java/ql/test/library-tests/dataflow/taint/test.expected
@@ -10,31 +10,33 @@
 | B.java:15:21:15:27 | taint(...) | B.java:30:10:30:15 | method |
 | B.java:15:21:15:27 | taint(...) | B.java:33:10:33:16 | complex |
 | B.java:15:21:15:27 | taint(...) | B.java:36:10:36:20 | constructed |
-| B.java:15:21:15:27 | taint(...) | B.java:39:10:39:18 | badEscape |
-| B.java:15:21:15:27 | taint(...) | B.java:42:10:42:14 | token |
-| B.java:15:21:15:27 | taint(...) | B.java:55:10:55:13 | cond |
-| B.java:15:21:15:27 | taint(...) | B.java:58:10:58:14 | logic |
-| B.java:15:21:15:27 | taint(...) | B.java:60:10:60:39 | endsWith(...) |
-| B.java:15:21:15:27 | taint(...) | B.java:63:10:63:14 | logic |
-| B.java:15:21:15:27 | taint(...) | B.java:66:10:66:14 | logic |
-| B.java:15:21:15:27 | taint(...) | B.java:74:10:74:16 | trimmed |
-| B.java:15:21:15:27 | taint(...) | B.java:76:10:76:14 | split |
-| B.java:15:21:15:27 | taint(...) | B.java:78:10:78:14 | lower |
-| B.java:15:21:15:27 | taint(...) | B.java:80:10:80:14 | upper |
-| B.java:15:21:15:27 | taint(...) | B.java:82:10:82:14 | bytes |
-| B.java:15:21:15:27 | taint(...) | B.java:84:10:84:17 | toString |
-| B.java:15:21:15:27 | taint(...) | B.java:86:10:86:13 | subs |
-| B.java:15:21:15:27 | taint(...) | B.java:88:10:88:13 | repl |
-| B.java:15:21:15:27 | taint(...) | B.java:90:10:90:16 | replAll |
-| B.java:15:21:15:27 | taint(...) | B.java:92:10:92:18 | replFirst |
-| B.java:15:21:15:27 | taint(...) | B.java:105:12:105:25 | serializedData |
-| B.java:15:21:15:27 | taint(...) | B.java:117:12:117:27 | deserializedData |
-| B.java:15:21:15:27 | taint(...) | B.java:126:10:126:21 | taintedArray |
-| B.java:15:21:15:27 | taint(...) | B.java:128:10:128:22 | taintedArray2 |
-| B.java:15:21:15:27 | taint(...) | B.java:130:10:130:22 | taintedArray3 |
-| B.java:15:21:15:27 | taint(...) | B.java:133:10:133:44 | toURL(...) |
-| B.java:15:21:15:27 | taint(...) | B.java:136:10:136:37 | toPath(...) |
-| B.java:15:21:15:27 | taint(...) | B.java:139:10:139:46 | toFile(...) |
+| B.java:15:21:15:27 | taint(...) | B.java:39:10:39:16 | valueOf |
+| B.java:15:21:15:27 | taint(...) | B.java:42:10:42:25 | valueOfSubstring |
+| B.java:15:21:15:27 | taint(...) | B.java:45:10:45:18 | badEscape |
+| B.java:15:21:15:27 | taint(...) | B.java:48:10:48:14 | token |
+| B.java:15:21:15:27 | taint(...) | B.java:65:10:65:13 | cond |
+| B.java:15:21:15:27 | taint(...) | B.java:68:10:68:14 | logic |
+| B.java:15:21:15:27 | taint(...) | B.java:70:10:70:39 | endsWith(...) |
+| B.java:15:21:15:27 | taint(...) | B.java:73:10:73:14 | logic |
+| B.java:15:21:15:27 | taint(...) | B.java:76:10:76:14 | logic |
+| B.java:15:21:15:27 | taint(...) | B.java:84:10:84:16 | trimmed |
+| B.java:15:21:15:27 | taint(...) | B.java:86:10:86:14 | split |
+| B.java:15:21:15:27 | taint(...) | B.java:88:10:88:14 | lower |
+| B.java:15:21:15:27 | taint(...) | B.java:90:10:90:14 | upper |
+| B.java:15:21:15:27 | taint(...) | B.java:92:10:92:14 | bytes |
+| B.java:15:21:15:27 | taint(...) | B.java:94:10:94:17 | toString |
+| B.java:15:21:15:27 | taint(...) | B.java:96:10:96:13 | subs |
+| B.java:15:21:15:27 | taint(...) | B.java:98:10:98:13 | repl |
+| B.java:15:21:15:27 | taint(...) | B.java:100:10:100:16 | replAll |
+| B.java:15:21:15:27 | taint(...) | B.java:102:10:102:18 | replFirst |
+| B.java:15:21:15:27 | taint(...) | B.java:115:12:115:25 | serializedData |
+| B.java:15:21:15:27 | taint(...) | B.java:127:12:127:27 | deserializedData |
+| B.java:15:21:15:27 | taint(...) | B.java:136:10:136:21 | taintedArray |
+| B.java:15:21:15:27 | taint(...) | B.java:138:10:138:22 | taintedArray2 |
+| B.java:15:21:15:27 | taint(...) | B.java:140:10:140:22 | taintedArray3 |
+| B.java:15:21:15:27 | taint(...) | B.java:143:10:143:44 | toURL(...) |
+| B.java:15:21:15:27 | taint(...) | B.java:146:10:146:37 | toPath(...) |
+| B.java:15:21:15:27 | taint(...) | B.java:149:10:149:46 | toFile(...) |
 | MethodFlow.java:7:22:7:28 | taint(...) | MethodFlow.java:8:10:8:16 | tainted |
 | MethodFlow.java:9:31:9:37 | taint(...) | MethodFlow.java:10:10:10:17 | tainted2 |
 | MethodFlow.java:11:35:11:41 | taint(...) | MethodFlow.java:12:10:12:17 | tainted3 |
