Model replace and putIfAbsent

egregius313 · egregius313 · commit 709649e9df4c · 2024-01-08T09:39:03.000-05:00
diff --git a/java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll b/java/ql/lib/semmle/code/java/security/TaintedEnvironmentVariableQuery.qll
@@ -5,10 +5,10 @@ private import semmle.code.java.dataflow.FlowSources
 private import semmle.code.java.Maps
 private import semmle.code.java.JDK
 
-private class MapPutOrRemove extends MethodCall {
-  MapPutOrRemove() {
-    this.getMethod() instanceof MapMutator and
-    this.getMethod().getName().matches(["put%", "remove"])
+private class MapUpdateWithKeyOrValue extends MethodCall {
+  MapUpdateWithKeyOrValue() {
+    this.getMethod() instanceof MapMethod and
+    this.getMethod().getName().matches(["put%", "remove", "replace"])
   }
 }
 
@@ -19,7 +19,9 @@ private module ProcessBuilderEnvironmentConfig implements DataFlow::ConfigSig {
     )
   }
 
-  predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(MapPutOrRemove mm).getQualifier() }
+  predicate isSink(DataFlow::Node sink) {
+    sink.asExpr() = any(MapUpdateWithKeyOrValue mm).getQualifier()
+  }
 }
 
 private module ProcessBuilderEnvironmentFlow = DataFlow::Global<ProcessBuilderEnvironmentConfig>;
@@ -41,7 +43,7 @@ module ExecTaintedEnvironmentConfig implements DataFlow::ConfigSig {
     sinkNode(sink, "environment-injection")
     or
     // sink is a key or value added to a `ProcessBuilder::environment` map.
-    exists(MapPutOrRemove mm | mm.getAnArgument() = sink.asExpr() |
+    exists(MapUpdateWithKeyOrValue mm | mm.getAnArgument() = sink.asExpr() |
       ProcessBuilderEnvironmentFlow::flowToExpr(mm.getQualifier())
     )
   }
diff --git a/java/ql/test/query-tests/security/CWE-078/ExecRelative.expected b/java/ql/test/query-tests/security/CWE-078/ExecRelative.expected
@@ -1,2 +1,2 @@
-| TaintedEnvironment.java:28:35:28:55 | new String[] | Command with a relative path 'ls' is executed. |
+| TaintedEnvironment.java:39:35:39:55 | new String[] | Command with a relative path 'ls' is executed. |
 | Test.java:50:46:50:49 | "ls" | Command with a relative path 'ls' is executed. |
diff --git a/java/ql/test/query-tests/security/CWE-078/TaintedEnvironment.java b/java/ql/test/query-tests/security/CWE-078/TaintedEnvironment.java
@@ -15,6 +15,17 @@ public void buildProcess() throws java.io.IOException {
 
         pb.environment().put(s, "foo"); // $hasTaintFlow
 
+        Map<String, String> extra = Map.of("USER", s);
+
+        pb.environment().putAll(extra); // $hasTaintFlow
+
+        pb.environment().putIfAbsent("foo", s); // $hasTaintFlow
+        pb.environment().putIfAbsent(s, "foo"); // $hasTaintFlow
+
+        pb.environment().replace("foo", s); // $hasTaintFlow
+        pb.environment().replace(s, "foo"); // $hasTaintFlow
+        pb.environment().replace("foo", "bar", s); // $hasTaintFlow
+
         Map<String, String> env = pb.environment();
 
         env.put("foo", s); // $hasTaintFlow

Original file line number	Diff line number	Diff line change
`@@ -5,10 +5,10 @@ private import semmle.code.java.dataflow.FlowSources`
`5`	`5`	`private import semmle.code.java.Maps`
`6`	`6`	`private import semmle.code.java.JDK`
`7`	`7`
`8`		`-private class MapPutOrRemove extends MethodCall {`
`9`		`- MapPutOrRemove() {`
`10`		`- this.getMethod() instanceof MapMutator and`
`11`		`- this.getMethod().getName().matches(["put%", "remove"])`
	`8`	`+private class MapUpdateWithKeyOrValue extends MethodCall {`
	`9`	`+ MapUpdateWithKeyOrValue() {`
	`10`	`+ this.getMethod() instanceof MapMethod and`
	`11`	`+ this.getMethod().getName().matches(["put%", "remove", "replace"])`
`12`	`12`	`}`
`13`	`13`	`}`
`14`	`14`
`@@ -19,7 +19,9 @@ private module ProcessBuilderEnvironmentConfig implements DataFlow::ConfigSig {`
`19`	`19`	`)`
`20`	`20`	`}`
`21`	`21`
`22`		`- predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(MapPutOrRemove mm).getQualifier() }`
	`22`	`+ predicate isSink(DataFlow::Node sink) {`
	`23`	`+ sink.asExpr() = any(MapUpdateWithKeyOrValue mm).getQualifier()`
	`24`	`+ }`
`23`	`25`	`}`
`24`	`26`
`25`	`27`	`private module ProcessBuilderEnvironmentFlow = DataFlow::Global<ProcessBuilderEnvironmentConfig>;`
`@@ -41,7 +43,7 @@ module ExecTaintedEnvironmentConfig implements DataFlow::ConfigSig {`
`41`	`43`	`sinkNode(sink, "environment-injection")`
`42`	`44`	`or`
`43`	`45`	// sink is a key or value added to a `ProcessBuilder::environment` map.
`44`		`- exists(MapPutOrRemove mm \| mm.getAnArgument() = sink.asExpr() \|`
	`46`	`+ exists(MapUpdateWithKeyOrValue mm \| mm.getAnArgument() = sink.asExpr() \|`
`45`	`47`	`ProcessBuilderEnvironmentFlow::flowToExpr(mm.getQualifier())`
`46`	`48`	`)`
`47`	`49`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`		`-\| TaintedEnvironment.java:28:35:28:55 \| new String[] \| Command with a relative path 'ls' is executed. \|`
	`1`	`+\| TaintedEnvironment.java:39:35:39:55 \| new String[] \| Command with a relative path 'ls' is executed. \|`
`2`	`2`	`\| Test.java:50:46:50:49 \| "ls" \| Command with a relative path 'ls' is executed. \|`