Add models for commons lang/text's Str[ing]Lookup class

smowton · smowton · commit f749c311365e · 2021-03-04T11:11:55.000Z
diff --git a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
@@ -266,3 +266,43 @@ private class ApacheStrTokenizerTaintGetter extends TaintPreservingCallable {
 
   override predicate returnsTaintFrom(int arg) { arg = -1 }
 }
+
+private class ApacheStrLookup extends RefType {
+  ApacheStrLookup() {
+    this.hasQualifiedName("org.apache.commons.lang3.text", "StrLookup") or
+    this.hasQualifiedName("org.apache.commons.text.lookup", "StringLookup")
+  }
+}
+
+private class ApacheStringLookupFactory extends RefType {
+  ApacheStringLookupFactory() {
+    this.hasQualifiedName("org.apache.commons.text.lookup", "StringLookupFactory")
+  }
+}
+
+/**
+ * A callable that constructs an Apache Commons `Str[ing]Lookup` from a map.
+ */
+private class ApacheStrLookupTaintingMethod extends TaintPreservingCallable {
+  ApacheStrLookupTaintingMethod() {
+    this.getSourceDeclaration().getDeclaringType() instanceof ApacheStrLookup and
+    this.getName() = "mapLookup"
+    or
+    this.getDeclaringType() instanceof ApacheStringLookupFactory and
+    this.getName() = "mapStringLookup"
+  }
+
+  override predicate returnsTaintFrom(int arg) { arg = 0 }
+}
+
+/**
+ * A callable that looks up a value in a Apache Commons `Str[ing]Lookup` map.
+ */
+private class ApacheStrLookupTaintGetter extends TaintPreservingCallable {
+  ApacheStrLookupTaintGetter() {
+    this.getSourceDeclaration().getDeclaringType() instanceof ApacheStrLookup and
+    this.getName() = "lookup"
+  }
+
+  override predicate returnsTaintFrom(int arg) { arg = -1 }
+}
diff --git a/java/ql/test/library-tests/frameworks/apache-commons-lang3/StrLookupTest.java b/java/ql/test/library-tests/frameworks/apache-commons-lang3/StrLookupTest.java
@@ -0,0 +1,17 @@
+import org.apache.commons.lang3.text.StrLookup;
+import java.util.HashMap;
+import java.util.Map;
+
+class StrLookupTest {
+    String taint() { return "tainted"; }
+
+    void sink(Object o) {}
+
+    void test() throws Exception {
+      Map<String, String> map = new HashMap<String, String>();
+      map.put("key", taint());
+      StrLookup<String> lookup = StrLookup.mapLookup(map);
+      sink(lookup.lookup("key")); // $hasTaintFlow=y
+    }
+
+}
diff --git a/java/ql/test/library-tests/frameworks/apache-commons-lang3/StringLookupTextTest.java b/java/ql/test/library-tests/frameworks/apache-commons-lang3/StringLookupTextTest.java
@@ -0,0 +1,18 @@
+import org.apache.commons.text.lookup.StringLookup;
+import org.apache.commons.text.lookup.StringLookupFactory;
+import java.util.HashMap;
+import java.util.Map;
+
+class StringLookupTextTest {
+    String taint() { return "tainted"; }
+
+    void sink(Object o) {}
+
+    void test() throws Exception {
+      Map<String, String> map = new HashMap<String, String>();
+      map.put("key", taint());
+      StringLookup lookup = StringLookupFactory.INSTANCE.mapStringLookup(map);
+      sink(lookup.lookup("key")); // $hasTaintFlow=y
+    }
+
+}
diff --git a/java/ql/test/stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/text/StrLookup.java b/java/ql/test/stubs/apache-commons-lang3-3.7/org/apache/commons/lang3/text/StrLookup.java
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.lang3.text;
+
+import java.util.Map;
+
+public abstract class StrLookup<V> {
+    public static StrLookup<?> noneLookup() {
+      return null;
+    }
+
+    public static StrLookup<String> systemPropertiesLookup() {
+      return null;
+    }
+
+    public static <V> StrLookup<V> mapLookup(final Map<String, V> map) {
+      return null;
+    }
+
+    public abstract String lookup(String key);
+
+}
diff --git a/java/ql/test/stubs/apache-commons-text-1.9/org/apache/commons/text/lookup/BiStringLookup.java b/java/ql/test/stubs/apache-commons-text-1.9/org/apache/commons/text/lookup/BiStringLookup.java
@@ -0,0 +1,28 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache license, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the license for the specific language governing permissions and
+ * limitations under the license.
+ */
+
+package org.apache.commons.text.lookup;
+
+import java.util.function.BiFunction;
+import java.util.function.Function;
+
+public interface BiStringLookup<U> extends StringLookup {
+    default String lookup(final String key, final U object) {
+      return null;
+    }
+
+}
diff --git a/java/ql/test/stubs/apache-commons-text-1.9/org/apache/commons/text/lookup/StringLookup.java b/java/ql/test/stubs/apache-commons-text-1.9/org/apache/commons/text/lookup/StringLookup.java
@@ -0,0 +1,37 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache license, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the license for the specific language governing permissions and
+ * limitations under the license.
+ */
+
+package org.apache.commons.text.lookup;
+
+/**
+ * Lookups a String key for a String value.
+ * <p>
+ * This class represents the simplest form of a string to string map. It has a benefit over a map in that it can create
+ * the result on demand based on the key.
+ * </p>
+ * <p>
+ * For example, it would be possible to implement a lookup that used the key as a primary key, and looked up the value
+ * on demand from the database.
+ * </p>
+ *
+ * @since 1.3
+ */
+@FunctionalInterface
+public interface StringLookup {
+    String lookup(String key);
+
+}
diff --git a/java/ql/test/stubs/apache-commons-text-1.9/org/apache/commons/text/lookup/StringLookupFactory.java b/java/ql/test/stubs/apache-commons-text-1.9/org/apache/commons/text/lookup/StringLookupFactory.java
@@ -0,0 +1,143 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache license, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the license for the specific language governing permissions and
+ * limitations under the license.
+ */
+
+package org.apache.commons.text.lookup;
+
+import java.util.Map;
+import java.util.function.BiFunction;
+import java.util.function.Function;
+
+
+public final class StringLookupFactory {
+    public static final StringLookupFactory INSTANCE = new StringLookupFactory();
+
+    public static void clear() {
+    }
+
+    public void addDefaultStringLookups(final Map<String, StringLookup> stringLookupMap) {
+    }
+
+    public StringLookup base64DecoderStringLookup() {
+      return null;
+    }
+
+    public StringLookup base64EncoderStringLookup() {
+      return null;
+    }
+
+    public StringLookup base64StringLookup() {
+      return null;
+    }
+
+    public <R, U> BiStringLookup<U> biFunctionStringLookup(final BiFunction<String, U, R> biFunction) {
+      return null;
+    }
+
+    public StringLookup constantStringLookup() {
+      return null;
+    }
+
+    public StringLookup dateStringLookup() {
+      return null;
+    }
+
+    public StringLookup dnsStringLookup() {
+      return null;
+    }
+
+    public StringLookup environmentVariableStringLookup() {
+      return null;
+    }
+
+    public StringLookup fileStringLookup() {
+      return null;
+    }
+
+    public <R> StringLookup functionStringLookup(final Function<String, R> function) {
+      return null;
+    }
+
+    public StringLookup interpolatorStringLookup() {
+      return null;
+    }
+
+    public StringLookup interpolatorStringLookup(final Map<String, StringLookup> stringLookupMap,
+        final StringLookup defaultStringLookup, final boolean addDefaultLookups) {
+      return null;
+    }
+
+    public <V> StringLookup interpolatorStringLookup(final Map<String, V> map) {
+      return null;
+    }
+
+    public StringLookup interpolatorStringLookup(final StringLookup defaultStringLookup) {
+      return null;
+    }
+
+    public StringLookup javaPlatformStringLookup() {
+      return null;
+    }
+
+    public StringLookup localHostStringLookup() {
+      return null;
+    }
+
+    public <V> StringLookup mapStringLookup(final Map<String, V> map) {
+      return null;
+    }
+
+    public StringLookup nullStringLookup() {
+      return null;
+    }
+
+    public StringLookup propertiesStringLookup() {
+      return null;
+    }
+
+    public StringLookup resourceBundleStringLookup() {
+      return null;
+    }
+
+    public StringLookup resourceBundleStringLookup(final String bundleName) {
+      return null;
+    }
+
+    public StringLookup scriptStringLookup() {
+      return null;
+    }
+
+    public StringLookup systemPropertyStringLookup() {
+      return null;
+    }
+
+    public StringLookup urlDecoderStringLookup() {
+      return null;
+    }
+
+    public StringLookup urlEncoderStringLookup() {
+      return null;
+    }
+
+    public StringLookup urlStringLookup() {
+      return null;
+    }
+
+    public StringLookup xmlStringLookup() {
+      return null;
+    }
+
+}
