Merge pull request github#15023 from igfoo/igfoo/df-wrapper

igfoo · web-flow · commit c1cc441da79f · 2023-12-06T14:48:54.000Z
Kotlin: Fix dataflow with Array.set wrappers
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/ContainerFlow.qll b/java/ql/lib/semmle/code/java/dataflow/internal/ContainerFlow.qll
@@ -452,7 +452,7 @@ predicate arrayStoreStep(Node node1, Node node2) {
   )
   or
   exists(Expr arr, Call call |
-    arr = node2.asExpr() and
+    arr = node2.(PostUpdateNode).getPreUpdateNode().asExpr() and
     call.getArgument(1) = node1.asExpr() and
     call.getQualifier() = arr and
     arr.getType() instanceof ArrayType and
diff --git a/java/ql/test-kotlin1/library-tests/dataflow/foreach/C2.kt b/java/ql/test-kotlin1/library-tests/dataflow/foreach/C2.kt
@@ -27,4 +27,14 @@ class C2 {
         sink(l1.get(0))
         sink(l2.get(0))
     }
+
+    fun setWrapper(l: Array<String>, v: String) {
+        l.set(0, v)
+    }
+    fun test3() {
+        val l = arrayOf("")
+        setWrapper(l, taint("a"))
+        sink(l[0])
+        sink(l.get(0))
+    }
 }
diff --git a/java/ql/test-kotlin1/library-tests/dataflow/foreach/test.expected b/java/ql/test-kotlin1/library-tests/dataflow/foreach/test.expected
@@ -11,3 +11,5 @@
 | C2.kt:23:24:23:24 | "a" | C2.kt:27:14:27:22 | get(...) |
 | C2.kt:24:26:24:26 | "a" | C2.kt:26:14:26:18 | ...[...] |
 | C2.kt:24:26:24:26 | "a" | C2.kt:28:14:28:22 | get(...) |
+| C2.kt:36:30:36:30 | "a" | C2.kt:37:14:37:17 | ...[...] |
+| C2.kt:36:30:36:30 | "a" | C2.kt:38:14:38:21 | get(...) |

Original file line number	Diff line number	Diff line change
`@@ -452,7 +452,7 @@ predicate arrayStoreStep(Node node1, Node node2) {`
`452`	`452`	`)`
`453`	`453`	`or`
`454`	`454`	`exists(Expr arr, Call call \|`
`455`		`- arr = node2.asExpr() and`
	`455`	`+ arr = node2.(PostUpdateNode).getPreUpdateNode().asExpr() and`
`456`	`456`	`call.getArgument(1) = node1.asExpr() and`
`457`	`457`	`call.getQualifier() = arr and`
`458`	`458`	`arr.getType() instanceof ArrayType and`