Skip to content

Commit 49d5149

Browse files
jcogs33jcogs33
authored
Merge pull request github#11968 from jcogs33/jcogs33/model-more-top-jdk-apis-300-500
Java: model remaining top-500 JDK APIs
2 parents a5b7a0f + b8ceb71 commit 49d5149

32 files changed

+631
-28
lines changed

java/ql/lib/change-notes/2023-02-15-add-top-jdk-models.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,4 @@
1+
---
2+
category: minorAnalysis
3+
---
4+
* Added more dataflow models for frequently-used JDK APIs.

java/ql/lib/ext/java.awt.model.yml

Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,16 @@
1+
extensions:
2+
- addsTo:
3+
pack: codeql/java-all
4+
extensible: summaryModel
5+
data:
6+
- ["java.awt", "Container", True, "add", "(Component)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
7+
- ["java.awt", "Container", True, "add", "(Component)", "", "Argument[0]", "ReturnValue", "value", "manual"]
8+
- ["java.awt", "Container", True, "add", "(Component,Object)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
9+
10+
- addsTo:
11+
pack: codeql/java-all
12+
extensible: neutralModel
13+
data:
14+
# The below APIs have numeric flow and are currently being stored as neutral models.
15+
# These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
16+
- ["java.awt", "Insets", "Insets", "(int,int,int,int)", "manual"] # value-numeric

java/ql/lib/ext/java.io.model.yml

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -69,6 +69,9 @@ extensions:
6969
- ["java.io", "File", True, "getCanonicalFile", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
7070
- ["java.io", "File", True, "getCanonicalPath", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
7171
- ["java.io", "File", True, "getName", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
72+
- ["java.io", "File", True, "getParentFile", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
73+
- ["java.io", "File", True, "getPath", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
74+
- ["java.io", "File", True, "listFiles", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
7275
- ["java.io", "File", True, "toPath", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
7376
- ["java.io", "File", True, "toString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
7477
- ["java.io", "File", True, "toURI", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
@@ -88,9 +91,28 @@ extensions:
8891
- ["java.io", "OutputStream", True, "write", "(int)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
8992
- ["java.io", "Reader", True, "read", "", "", "Argument[this]", "Argument[0]", "taint", "manual"]
9093
- ["java.io", "StringReader", False, "StringReader", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
94+
- ["java.io", "StringWriter", False, "toString", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
95+
- ["java.io", "UncheckedIOException", False, "UncheckedIOException", "(IOException)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.Throwable.cause]", "value", "manual"]
9196
- ["java.io", "Writer", True, "write", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
9297
- addsTo:
9398
pack: codeql/java-all
9499
extensible: neutralModel
95100
data:
101+
- ["java.io", "Closeable", "close", "()", "manual"]
102+
- ["java.io", "DataOutput", "writeBoolean", "(boolean)", "manual"]
103+
- ["java.io", "File", "delete", "()", "manual"]
96104
- ["java.io", "File", "exists", "()", "manual"]
105+
- ["java.io", "File", "isFile", "()", "manual"]
106+
- ["java.io", "File", "length", "()", "manual"]
107+
- ["java.io", "File", "isDirectory", "()", "manual"]
108+
- ["java.io", "File", "mkdirs", "()", "manual"]
109+
- ["java.io", "FileInputStream", "FileInputStream", "(File)", "manual"]
110+
- ["java.io", "InputStream", "close", "()", "manual"]
111+
- ["java.io", "OutputStream", "flush", "()", "manual"]
112+
113+
# The below APIs have numeric flow and are currently being stored as neutral models.
114+
# These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
115+
- ["java.io", "DataInput", "readInt", "()", "manual"] # taint-numeric
116+
- ["java.io", "DataInput", "readLong", "()", "manual"] # taint-numeric
117+
- ["java.io", "DataOutput", "writeInt", "(int)", "manual"] # taint-numeric
118+
- ["java.io", "DataOutput", "writeLong", "(long)", "manual"] # taint-numeric

java/ql/lib/ext/java.lang.invoke.model.yml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,6 @@
1+
extensions:
2+
- addsTo:
3+
pack: codeql/java-all
4+
extensible: neutralModel
5+
data:
6+
- ["java.lang.invoke", "MethodHandles", "lookup", "()", "manual"]

java/ql/lib/ext/java.lang.model.yml

Lines changed: 72 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -37,6 +37,8 @@ extensions:
3737
- ["java.lang", "AbstractStringBuilder", True, "AbstractStringBuilder", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
3838
- ["java.lang", "AbstractStringBuilder", True, "append", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
3939
- ["java.lang", "AbstractStringBuilder", True, "append", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
40+
# When `WithoutElement` is implemented for Java, `java.lang.AbstractStringBuilder#delete` might require a `taint` step of the form `Argument[this].WithoutElement -> Argument[this]` in addition to the below `value` step.
41+
- ["java.lang", "AbstractStringBuilder", True, "delete", "(int,int)", "", "Argument[this]", "ReturnValue", "value", "manual"]
4042
- ["java.lang", "AbstractStringBuilder", True, "getChars", "", "", "Argument[this]", "Argument[2]", "taint", "manual"]
4143
- ["java.lang", "AbstractStringBuilder", True, "insert", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
4244
- ["java.lang", "AbstractStringBuilder", True, "insert", "", "", "Argument[1]", "Argument[this]", "taint", "manual"]
@@ -48,16 +50,21 @@ extensions:
4850
- ["java.lang", "AbstractStringBuilder", True, "toString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
4951
- ["java.lang", "Appendable", True, "append", "", "", "Argument[this]", "ReturnValue", "value", "manual"]
5052
- ["java.lang", "Appendable", True, "append", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
53+
- ["java.lang", "AssertionError", False, "AssertionError", "(Object)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
5154
- ["java.lang", "CharSequence", True, "charAt", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
5255
- ["java.lang", "CharSequence", True, "subSequence", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
5356
- ["java.lang", "CharSequence", True, "toString", "", "", "Argument[this]", "ReturnValue", "taint", "manual"]
57+
- ["java.lang", "Class", False, "cast", "(Object)", "", "Argument[0]", "ReturnValue", "value", "manual"]
5458
- ["java.lang", "Exception", False, "Exception", "(String)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
59+
- ["java.lang", "Exception", False, "Exception", "(String,Throwable)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
60+
- ["java.lang", "Exception", False, "Exception", "(String,Throwable)", "", "Argument[1]", "Argument[this].SyntheticField[java.lang.Throwable.cause]", "value", "manual"]
5561
- ["java.lang", "IllegalArgumentException", False, "IllegalArgumentException", "(String)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
5662
- ["java.lang", "IllegalStateException", False, "IllegalStateException", "(String)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
5763
- ["java.lang", "IndexOutOfBoundsException", False, "IndexOutOfBoundsException", "(String)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
5864
- ["java.lang", "Iterable", True, "forEach", "(Consumer)", "", "Argument[this].Element", "Argument[0].Parameter[0]", "value", "manual"]
5965
- ["java.lang", "Iterable", True, "iterator", "()", "", "Argument[this].Element", "ReturnValue.Element", "value", "manual"]
6066
- ["java.lang", "Iterable", True, "spliterator", "()", "", "Argument[this].Element", "ReturnValue.Element", "value", "manual"]
67+
- ["java.lang", "NullPointerException", False, "NullPointerException", "(String)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
6168
- ["java.lang", "Object", True, "clone", "", "", "Argument[this].Element", "ReturnValue.Element", "value", "manual"]
6269
- ["java.lang", "Object", True, "clone", "", "", "Argument[this].MapKey", "ReturnValue.MapKey", "value", "manual"]
6370
- ["java.lang", "Object", True, "clone", "", "", "Argument[this].MapValue", "ReturnValue.MapValue", "value", "manual"]
@@ -107,50 +114,105 @@ extensions:
107114
- ["java.lang", "StringBuffer", True, "StringBuffer", "(String)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
108115
- ["java.lang", "StringBuilder", True, "StringBuilder", "", "", "Argument[0]", "Argument[this]", "taint", "manual"]
109116
- ["java.lang", "System", False, "arraycopy", "", "", "Argument[0]", "Argument[2]", "taint", "manual"]
117+
- ["java.lang", "Thread", False, "Thread", "(Runnable)", "", "Argument[0]", "Argument[this]", "taint", "manual"]
118+
- ["java.lang", "Thread", False, "Thread", "(String)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.Thread.name]", "value", "manual"]
119+
- ["java.lang", "Thread", True, "getName", "()", "", "Argument[this].SyntheticField[java.lang.Thread.name]", "ReturnValue", "value", "manual"]
120+
- ["java.lang", "ThreadLocal", True, "get", "()", "", "Argument[this].SyntheticField[java.lang.ThreadLocal.value]", "ReturnValue", "value", "manual"]
121+
- ["java.lang", "ThreadLocal", True, "set", "(Object)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.ThreadLocal.value]", "value", "manual"]
110122
- ["java.lang", "Throwable", False, "Throwable", "(Throwable)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.Throwable.cause]", "value", "manual"]
123+
- ["java.lang", "Throwable", False, "Throwable", "(String)", "", "Argument[0]", "Argument[this].SyntheticField[java.lang.Throwable.message]", "value", "manual"]
111124
- ["java.lang", "Throwable", True, "getCause", "()", "", "Argument[this].SyntheticField[java.lang.Throwable.cause]", "ReturnValue", "value", "manual"]
112125
- ["java.lang", "Throwable", True, "getMessage", "()", "", "Argument[this].SyntheticField[java.lang.Throwable.message]", "ReturnValue", "value", "manual"]
126+
- ["java.lang", "Throwable", True, "getLocalizedMessage", "()", "", "Argument[this].SyntheticField[java.lang.Throwable.message]", "ReturnValue", "value", "manual"]
127+
- ["java.lang", "Throwable", True, "toString", "()", "", "Argument[this].SyntheticField[java.lang.Throwable.message]", "ReturnValue", "taint", "manual"]
128+
113129
- addsTo:
114130
pack: codeql/java-all
115131
extensible: neutralModel
116132
data:
117133
- ["java.lang", "AbstractStringBuilder", "length", "()", "manual"]
134+
- ["java.lang", "AbstractStringBuilder", "setCharAt", "(int,char)", "manual"]
135+
- ["java.lang", "AbstractStringBuilder", "setLength", "(int)", "manual"]
136+
- ["java.lang", "Boolean", "booleanValue", "()", "manual"]
118137
- ["java.lang", "Boolean", "equals", "(Object)", "manual"]
138+
- ["java.lang", "Boolean", "parseBoolean", "(String)", "manual"]
139+
- ["java.lang", "Boolean", "valueOf", "(boolean)", "manual"]
140+
- ["java.lang", "CharSequence", "length", "()", "manual"]
141+
- ["java.lang", "Class", "forName", "(String)", "manual"]
142+
- ["java.lang", "Class", "getCanonicalName", "()", "manual"]
119143
- ["java.lang", "Class", "getClassLoader", "()", "manual"]
144+
- ["java.lang", "Class", "getDeclaredConstructor", "(Class[])", "manual"] # This model may be changed to a taint step for an unsafe reflection query in the future.
145+
- ["java.lang", "Class", "getDeclaredField", "(String)", "manual"] # This model may be changed to a taint step for an unsafe reflection query in the future.
146+
- ["java.lang", "Class", "getMethod", "(String,Class[])", "manual"] # This model may be changed to a taint step for an unsafe reflection query in the future.
120147
- ["java.lang", "Class", "getName", "()", "manual"]
148+
- ["java.lang", "Class", "getResource", "(String)", "manual"]
149+
- ["java.lang", "Class", "getResourceAsStream", "(String)", "manual"]
121150
- ["java.lang", "Class", "getSimpleName", "()", "manual"]
122151
- ["java.lang", "Class", "isAssignableFrom", "(Class)", "manual"]
152+
- ["java.lang", "Class", "isInstance", "(Object)", "manual"]
153+
- ["java.lang", "Class", "toString", "()", "manual"]
154+
- ["java.lang", "ClassLoader", "getResource", "(String)", "manual"]
155+
- ["java.lang", "ClassLoader", "getResourceAsStream", "(String)", "manual"]
123156
- ["java.lang", "Enum", "Enum", "(String,int)", "manual"]
124157
- ["java.lang", "Enum", "equals", "(Object)", "manual"]
158+
- ["java.lang", "Enum", "hashCode", "()", "manual"]
125159
- ["java.lang", "Enum", "name", "()", "manual"]
160+
- ["java.lang", "Enum", "ordinal", "()", "manual"]
126161
- ["java.lang", "Enum", "toString", "()", "manual"]
162+
- ["java.lang", "Integer", "equals", "(Object)", "manual"]
127163
- ["java.lang", "Long", "equals", "(Object)", "manual"]
128164
- ["java.lang", "Object", "equals", "(Object)", "manual"]
129165
- ["java.lang", "Object", "getClass", "()", "manual"]
130166
- ["java.lang", "Object", "hashCode", "()", "manual"]
131167
- ["java.lang", "Object", "toString", "()", "manual"]
168+
- ["java.lang", "Runnable", "run", "()", "manual"]
169+
- ["java.lang", "Runtime", "getRuntime", "()", "manual"]
170+
- ["java.lang", "String", "compareTo", "(String)", "manual"]
132171
- ["java.lang", "String", "contains", "(CharSequence)", "manual"]
133172
- ["java.lang", "String", "endsWith", "(String)", "manual"]
134173
- ["java.lang", "String", "equals", "(Object)", "manual"]
135174
- ["java.lang", "String", "equalsIgnoreCase", "(String)", "manual"]
136175
- ["java.lang", "String", "hashCode", "()", "manual"]
176+
- ["java.lang", "String", "indexOf", "(int)", "manual"]
137177
- ["java.lang", "String", "indexOf", "(String)", "manual"]
138178
- ["java.lang", "String", "isEmpty", "()", "manual"]
179+
- ["java.lang", "String", "lastIndexOf", "(int)", "manual"]
180+
- ["java.lang", "String", "lastIndexOf", "(String)", "manual"]
139181
- ["java.lang", "String", "length", "()", "manual"]
140182
- ["java.lang", "String", "startsWith", "(String)", "manual"]
183+
- ["java.lang", "String", "valueOf", "(boolean)", "manual"]
141184
- ["java.lang", "System", "currentTimeMillis", "()", "manual"]
185+
- ["java.lang", "System", "exit", "(int)", "manual"]
186+
- ["java.lang", "System", "getenv", "(String)", "manual"]
187+
- ["java.lang", "System", "identityHashCode", "(Object)", "manual"]
188+
- ["java.lang", "System", "lineSeparator", "()", "manual"]
142189
- ["java.lang", "System", "nanoTime", "()", "manual"]
143190
- ["java.lang", "Thread", "currentThread", "()", "manual"]
191+
- ["java.lang", "Thread", "getContextClassLoader", "()", "manual"]
192+
- ["java.lang", "Thread", "interrupt", "()", "manual"]
144193
- ["java.lang", "Thread", "sleep", "(long)", "manual"]
194+
- ["java.lang", "Thread", "start", "()", "manual"]
145195
# The below APIs have numeric flow and are currently being stored as neutral models.
146196
# These may be changed to summary models with kinds "value-numeric" and "taint-numeric" (or similar) in the future.
147-
- ["java.lang", "Integer", "intValue", "()", "manual"] # taint-numeric
148-
- ["java.lang", "Integer", "parseInt", "(String)", "manual"] # taint-numeric
149-
- ["java.lang", "Integer", "toString", "(int)", "manual"] # taint-numeric
150-
- ["java.lang", "Integer", "valueOf", "(int)", "manual"] # taint-numeric
151-
- ["java.lang", "Long", "longValue", "()", "manual"] # taint-numeric
152-
- ["java.lang", "Long", "parseLong", "(String)", "manual"] # taint-numeric
153-
- ["java.lang", "Long", "toString", "()", "manual"] # taint-numeric
154-
- ["java.lang", "Math", "min", "(int,int)", "manual"] # value-numeric
155-
- ["java.lang", "String", "valueOf", "(int)", "manual"] # taint-numeric
156-
- ["java.lang", "String", "valueOf", "(long)", "manual"] # taint-numeric
197+
- ["java.lang", "Double", "doubleToLongBits", "(double)", "manual"] # taint-numeric
198+
- ["java.lang", "Double", "parseDouble", "(String)", "manual"] # taint-numeric
199+
- ["java.lang", "Double", "valueOf", "(double)", "manual"] # taint-numeric
200+
- ["java.lang", "Integer", "Integer", "(int)", "manual"] # taint-numeric
201+
- ["java.lang", "Integer", "intValue", "()", "manual"] # taint-numeric
202+
- ["java.lang", "Integer", "parseInt", "(String)", "manual"] # taint-numeric
203+
- ["java.lang", "Integer", "toHexString", "(int)", "manual"] # taint-numeric
204+
- ["java.lang", "Integer", "toString", "", "manual"] # taint-numeric
205+
- ["java.lang", "Integer", "valueOf", "", "manual"] # taint-numeric
206+
- ["java.lang", "Long", "Long", "(long)", "manual"] # taint-numeric
207+
- ["java.lang", "Long", "intValue", "()", "manual"] # taint-numeric
208+
- ["java.lang", "Long", "longValue", "()", "manual"] # taint-numeric
209+
- ["java.lang", "Long", "parseLong", "(String)", "manual"] # taint-numeric
210+
- ["java.lang", "Long", "toString", "", "manual"] # taint-numeric
211+
- ["java.lang", "Long", "valueOf", "", "manual"] # taint-numeric
212+
- ["java.lang", "Math", "max", "", "manual"] # value-numeric
213+
- ["java.lang", "Math", "min", "", "manual"] # value-numeric
214+
- ["java.lang", "Number", "doubleValue", "()", "manual"] # taint-numeric
215+
- ["java.lang", "Number", "intValue", "()", "manual"] # taint-numeric
216+
- ["java.lang", "Number", "longValue", "()", "manual"] # taint-numeric
217+
- ["java.lang", "String", "valueOf", "(int)", "manual"] # taint-numeric
218+
- ["java.lang", "String", "valueOf", "(long)", "manual"] # taint-numeric

java/ql/lib/ext/java.lang.reflect.model.yml

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,10 @@
1+
extensions:
2+
- addsTo:
3+
pack: codeql/java-all
4+
extensible: neutralModel
5+
data:
6+
# The below models may be changed to taint steps for an unsafe reflection query in the future.
7+
- ["java.lang.reflect", "Constructor", "newInstance", "(Object[])", "manual"]
8+
- ["java.lang.reflect", "Field", "get", "(Object)", "manual"]
9+
- ["java.lang.reflect", "Method", "getName", "()", "manual"]
10+
- ["java.lang.reflect", "Method", "invoke", "(Object,Object[])", "manual"]

0 commit comments

Comments
 (0)