Use ArrayElement of in flow step specifications

joefarebrother · joefarebrother · commit fc017b79341a · 2021-07-02T14:46:31.000+01:00
diff --git a/java/ql/src/semmle/code/java/frameworks/android/SQLite.qll b/java/ql/src/semmle/code/java/frameworks/android/SQLite.qll
@@ -118,26 +118,39 @@ private class SqlFlowStep extends SummaryModelCsv {
         // buildQuery(String[] projectionIn, String selection, String groupBy, String having, String sortOrder, String limit)
         // buildQuery(String[] projectionIn, String selection, String[] selectionArgs, String groupBy, String having, String sortOrder, String limit)
         // buildUnionQuery(String[] subQueries, String sortOrder, String limit)
-        "android.database.sqlite;SQLiteQueryBuilder;true;buildQuery;(String[],String,String,String,String,String);;Argument[-1..5];ReturnValue;taint",
-        "android.database.sqlite;SQLiteQueryBuilder;true;buildQuery;(String[],String,String[],String,String,String,String);;Argument[-1..1];ReturnValue;taint",
+        "android.database.sqlite;SQLiteQueryBuilder;true;buildQuery;(String[],String,String,String,String,String);;Argument[-1];ReturnValue;taint",
+        "android.database.sqlite;SQLiteQueryBuilder;true;buildQuery;(String[],String,String,String,String,String);;ArrayElement of Argument[0];ReturnValue;taint",
+        "android.database.sqlite;SQLiteQueryBuilder;true;buildQuery;(String[],String,String,String,String,String);;Argument[1..5];ReturnValue;taint",
+        "android.database.sqlite;SQLiteQueryBuilder;true;buildQuery;(String[],String,String[],String,String,String,String);;Argument[-1];ReturnValue;taint",
+        "android.database.sqlite;SQLiteQueryBuilder;true;buildQuery;(String[],String,String[],String,String,String,String);;ArrayElement of Argument[0];ReturnValue;taint",
+        "android.database.sqlite;SQLiteQueryBuilder;true;buildQuery;(String[],String,String[],String,String,String,String);;Argument[1];ReturnValue;taint",
         "android.database.sqlite;SQLiteQueryBuilder;true;buildQuery;(String[],String,String[],String,String,String,String);;Argument[3..6];ReturnValue;taint",
-        "android.database.sqlite;SQLiteQueryBuilder;true;buildUnionQuery;(String[],String,String);;Argument[-1..2];ReturnValue;taint",
+        "android.database.sqlite;SQLiteQueryBuilder;true;buildUnionQuery;(String[],String,String);;Argument[-1];ReturnValue;taint",
+        "android.database.sqlite;SQLiteQueryBuilder;true;buildUnionQuery;(String[],String,String);;ArrayElement of Argument[0];ReturnValue;taint",
+        "android.database.sqlite;SQLiteQueryBuilder;true;buildUnionQuery;(String[],String,String);;Argument[1..2];ReturnValue;taint",
         // buildUnionSubQuery(String typeDiscriminatorColumn, String[] unionColumns, Set<String> columnsPresentInTable, int computedColumnsOffset, String typeDiscriminatorValue, String selection, String[] selectionArgs, String groupBy, String having)
         // buildUnionSubQuery(String typeDiscriminatorColumn, String[] unionColumns, Set<String> columnsPresentInTable, int computedColumnsOffset, String typeDiscriminatorValue, String selection, String groupBy, String having)
-        "android.database.sqlite;SQLiteQueryBuilder;true;buildUnionSubQuery;(String,String[],Set<String>,int,String,String,String[],String,String);;Argument[-1..2];ReturnValue;taint",
+        "android.database.sqlite;SQLiteQueryBuilder;true;buildUnionSubQuery;(String,String[],Set<String>,int,String,String,String[],String,String);;Argument[-1..0];ReturnValue;taint",
+        "android.database.sqlite;SQLiteQueryBuilder;true;buildUnionSubQuery;(String,String[],Set<String>,int,String,String,String[],String,String);;ArrayElement of Argument[1];ReturnValue;taint",
+        "android.database.sqlite;SQLiteQueryBuilder;true;buildUnionSubQuery;(String,String[],Set<String>,int,String,String,String[],String,String);;Element of Argument[2];ReturnValue;taint",
         "android.database.sqlite;SQLiteQueryBuilder;true;buildUnionSubQuery;(String,String[],Set<String>,int,String,String,String[],String,String);;Argument[4..5];ReturnValue;taint",
         "android.database.sqlite;SQLiteQueryBuilder;true;buildUnionSubQuery;(String,String[],Set<String>,int,String,String,String[],String,String);;Argument[7..8];ReturnValue;taint",
-        "android.database.sqlite;SQLiteQueryBuilder;true;buildUnionSubQuery;(String,String[],Set<String>,int,String,String,String,String);;Argument[-1..2];ReturnValue;taint",
+        "android.database.sqlite;SQLiteQueryBuilder;true;buildUnionSubQuery;(String,String[],Set<String>,int,String,String,String,String);;Argument[-1..0];ReturnValue;taint",
+        "android.database.sqlite;SQLiteQueryBuilder;true;buildUnionSubQuery;(String,String[],Set<String>,int,String,String,String,String);;ArrayElement of Argument[1];ReturnValue;taint",
+        "android.database.sqlite;SQLiteQueryBuilder;true;buildUnionSubQuery;(String,String[],Set<String>,int,String,String,String,String);;Element of Argument[2];ReturnValue;taint",
         "android.database.sqlite;SQLiteQueryBuilder;true;buildUnionSubQuery;(String,String[],Set<String>,int,String,String,String,String);;Argument[4..7];ReturnValue;taint",
         // static buildQueryString(boolean distinct, String tables, String[] columns, String where, String groupBy, String having, String orderBy, String limit)
-        "android.database.sqlite;SQLiteQueryBuilder;true;buildQueryString;(boolean,String,String[],String,String,String,String,String);;Argument[1..7];ReturnValue;taint",
-        "android.database.sqlite;SQLiteQueryBuilder;true;setProjectionMap;(Map<String,String>);;Argument[0];Argument[-1];taint",
+        "android.database.sqlite;SQLiteQueryBuilder;true;buildQueryString;(boolean,String,String[],String,String,String,String,String);;Argument[1];ReturnValue;taint",
+        "android.database.sqlite;SQLiteQueryBuilder;true;buildQueryString;(boolean,String,String[],String,String,String,String,String);;ArrayElement of Argument[2];ReturnValue;taint",
+        "android.database.sqlite;SQLiteQueryBuilder;true;buildQueryString;(boolean,String,String[],String,String,String,String,String);;Argument[3..7];ReturnValue;taint",
+        "android.database.sqlite;SQLiteQueryBuilder;true;setProjectionMap;(Map<String,String>);;MapKey of Argument[0];Argument[-1];taint",
+        "android.database.sqlite;SQLiteQueryBuilder;true;setProjectionMap;(Map<String,String>);;MapValue of Argument[0];Argument[-1];taint",
         "android.database.sqlite;SQLiteQueryBuilder;true;setTables;(String);;Argument[0];Argument[-1];taint",
         "android.database.sqlite;SQLiteQueryBuilder;true;appendWhere;(CharSequence);;Argument[0];Argument[-1];taint",
         "android.database.sqlite;SQLiteQueryBuilder;true;appendWhereStandalone;(CharSequence);;Argument[0];Argument[-1];taint",
         "android.database.sqlite;SQLiteQueryBuilder;true;appendColumns;(StringBuilder,String[]);;Argument[1];Argument[0];taint",
-        "android.database;DatabaseUtils;false;appendSelectionArgs;(String[],String[]);;Argument;ReturnValue;taint",
-        "android.database;DatabaseUtils;false;concatenateWhere;(String,String);;Argument;ReturnValue;taint",
+        "android.database;DatabaseUtils;false;appendSelectionArgs;(String[],String[]);;ArrayElement of Argument[0..1];ArrayElement of ReturnValue;taint",
+        "android.database;DatabaseUtils;false;concatenateWhere;(String,String);;Argument[0..1];ReturnValue;taint",
         "android.content;ContentProvider;true;query;(Uri,String[],String,String[],String);;Argument[0];ReturnValue;taint",
         "android.content;ContentProvider;true;query;(Uri,String[],String,String[],String,CancellationSignal);;Argument[0];ReturnValue;taint",
         "android.content;ContentResolver;true;query;(Uri,String[],String,String[],String);;Argument[0];ReturnValue;taint",
diff --git a/java/ql/test/library-tests/frameworks/android/taint-database/FlowSteps.java b/java/ql/test/library-tests/frameworks/android/taint-database/FlowSteps.java
@@ -1,5 +1,7 @@
 import java.util.Map;
 import java.util.Set;
+import java.util.HashSet;
+import java.util.HashMap;
 
 import android.content.ContentProvider;
 import android.content.ContentResolver;
@@ -26,10 +28,10 @@ private static abstract class MySQLiteQueryBuilder extends SQLiteQueryBuilder {
 		// Dummy class to test for sub classes
 	}
 
-	public static String[] appendSelectionArgs() {
-		String[] originalValues = {taint()}; // $ MISSING: taintReachesReturn
-		String[] newValues = {taint()}; // $ MISSING: taintReachesReturn
-		return DatabaseUtils.appendSelectionArgs(originalValues, newValues);
+	public static String appendSelectionArgs() {
+		String[] originalValues = {taint()}; // $taintReachesReturn
+		String[] newValues = {taint()}; // $taintReachesReturn
+		return DatabaseUtils.appendSelectionArgs(originalValues, newValues)[0];
 	}
 
 	public static String concatenateWhere() {
@@ -42,7 +44,7 @@ public static String buildQueryString(MySQLiteQueryBuilder target) {
 		target = taint();
 		boolean distinct = taint(); 
 		String tables = taint(); // $taintReachesReturn
-		String[] columns = {taint()}; // $ MISSING: taintReachesReturn
+		String[] columns = {taint()}; // $taintReachesReturn
 		String where = taint(); // $taintReachesReturn
 		String groupBy = taint(); // $taintReachesReturn
 		String having = taint(); // $taintReachesReturn
@@ -53,7 +55,7 @@ public static String buildQueryString(MySQLiteQueryBuilder target) {
 
 	public static String buildQuery(MySQLiteQueryBuilder target) {
 		target = taint(); // $taintReachesReturn
-		String[] projectionIn = {taint()};// $ MISSING: taintReachesReturn
+		String[] projectionIn = {taint()}; // $taintReachesReturn
 		String selection = taint(); // $taintReachesReturn
 		String groupBy = taint(); // $taintReachesReturn
 		String having = taint(); // $taintReachesReturn
@@ -64,9 +66,9 @@ public static String buildQuery(MySQLiteQueryBuilder target) {
 
 	public static String buildQuery2(MySQLiteQueryBuilder target) {
 		target = taint(); // $taintReachesReturn
-		String[] projectionIn = {taint()}; // $ MISSING: taintReachesReturn
+		String[] projectionIn = {taint()}; // $taintReachesReturn
 		String selection = taint(); // $taintReachesReturn
-		String[] selectionArgs = {taint()}; // $ MISSING: taintReachesReturn
+		String[] selectionArgs = {taint()}; 
 		String groupBy = taint(); // $taintReachesReturn
 		String having = taint(); // $taintReachesReturn
 		String sortOrder = taint(); // $taintReachesReturn
@@ -76,7 +78,7 @@ public static String buildQuery2(MySQLiteQueryBuilder target) {
 
 	public static String buildUnionQuery(MySQLiteQueryBuilder target) {
 		target = taint(); // $taintReachesReturn
-		String[] subQueries = {taint()}; // $ MISSING: taintReachesReturn
+		String[] subQueries = {taint()}; // $taintReachesReturn
 		String sortOrder = taint(); // $taintReachesReturn
 		String limit = taint(); // $taintReachesReturn
 		return target.buildUnionQuery(subQueries, sortOrder, limit);
@@ -85,12 +87,13 @@ public static String buildUnionQuery(MySQLiteQueryBuilder target) {
 	public static String buildUnionSubQuery2(MySQLiteQueryBuilder target) {
 		target = taint(); // $taintReachesReturn
 		String typeDiscriminatorColumn = taint(); // $taintReachesReturn
-		String[] unionColumns = {taint()}; // $ MISSING: taintReachesReturn
-		Set<String> columnsPresentInTable = taint(); // $taintReachesReturn
+		String[] unionColumns = {taint()}; // $taintReachesReturn
+		Set<String> columnsPresentInTable = new HashSet();
+		columnsPresentInTable.add(taint()); // $taintReachesReturn
 		int computedColumnsOffset = taint();
 		String typeDiscriminatorValue = taint(); // $taintReachesReturn
 		String selection = taint(); // $taintReachesReturn
-		String[] selectionArgs = {taint()}; // $ MISSING: taintReachesReturn
+		String[] selectionArgs = {taint()};
 		String groupBy = taint(); // $taintReachesReturn
 		String having = taint(); // $taintReachesReturn
 		return target.buildUnionSubQuery(typeDiscriminatorColumn, unionColumns, columnsPresentInTable,
@@ -100,8 +103,9 @@ public static String buildUnionSubQuery2(MySQLiteQueryBuilder target) {
 	public static String buildUnionSubQuery3(MySQLiteQueryBuilder target) {
 		target = taint(); // $taintReachesReturn 
 		String typeDiscriminatorColumn = taint(); // $taintReachesReturn
-		String[] unionColumns = {taint()}; // $ MISSING: taintReachesReturn
-		Set<String> columnsPresentInTable = taint(); // $taintReachesReturn
+		String[] unionColumns = {taint()}; // $taintReachesReturn
+		Set<String> columnsPresentInTable = new HashSet();
+		columnsPresentInTable.add(taint()); // $taintReachesReturn
 		int computedColumnsOffset = taint();
 		String typeDiscriminatorValue = taint(); // $taintReachesReturn
 		String selection = taint(); // $taintReachesReturn
@@ -151,14 +155,17 @@ public static Cursor query2(MyContentProvider target) {
 
 	public static StringBuilder appendColumns() {
 		StringBuilder s = taint(); // $taintReachesReturn
-		String[] columns = {taint()}; // $ MISSING: taintReachesReturn
+		String[] columns = {taint()}; // $taintReachesReturn
 		SQLiteQueryBuilder.appendColumns(s, columns);
 		return s;
 	}
 
 	public static SQLiteQueryBuilder setProjectionMap(MySQLiteQueryBuilder target) {
 		target = taint(); // $taintReachesReturn
-		Map<String, String> columnMap = taint(); // $taintReachesReturn
+		Map<String, String> columnMap = new HashMap(); 
+		String k = taint(); // $taintReachesReturn
+		String v = taint(); // $taintReachesReturn
+		columnMap.put(k, v);
 		target.setProjectionMap(columnMap);
 		return target;
 	}
