Java: automodel application mode: refactor varargs endpoint class to rely on normal argument node for nicer extracted examples

Stephan Brandauer · Stephan Brandauer · commit e1a5eba61b85 · 2023-08-07T12:18:52.000+02:00
diff --git a/java/ql/src/Telemetry/AutomodelApplicationModeCharacteristics.qll b/java/ql/src/Telemetry/AutomodelApplicationModeCharacteristics.qll
@@ -24,13 +24,17 @@ newtype JavaRelatedLocationType = CallContext()
 newtype TApplicationModeEndpoint =
   TExplicitArgument(Call call, DataFlow::Node arg) {
     exists(Argument argExpr |
-      arg.asExpr() = argExpr and not argExpr.isVararg() and call = argExpr.getCall()
+      arg.asExpr() = argExpr and call = argExpr.getCall() and not argExpr.isVararg()
     )
   } or
   TInstanceArgument(Call call, DataFlow::Node arg) { arg = DataFlow::getInstanceArgument(call) } or
-  TImplicitVarargsArray(Call call, DataFlow::ImplicitVarargsArray varargs, int idx) {
-    varargs.getCall() = call and
-    idx = min(Argument arg, int n | arg = call.getArgument(n) and arg.isVararg() | n)
+  TImplicitVarargsArray(Call call, DataFlow::Node arg, int idx) {
+    exists(Argument argExpr |
+      arg.asExpr() = argExpr and
+      call = argExpr.getCall() and
+      argExpr.isVararg() and
+      idx = min(int n | argExpr = call.getArgument(n) and argExpr.isVararg() | n)
+    )
   }
 
 /**
@@ -96,18 +100,18 @@ class InstanceArgument extends ApplicationModeEndpoint, TInstanceArgument {
  */
 class ImplicitVarargsArray extends ApplicationModeEndpoint, TImplicitVarargsArray {
   Call call;
-  DataFlow::ImplicitVarargsArray varargs;
+  DataFlow::Node vararg;
   int idx;
 
-  ImplicitVarargsArray() { this = TImplicitVarargsArray(call, varargs, idx) }
+  ImplicitVarargsArray() { this = TImplicitVarargsArray(call, vararg, idx) }
 
   override predicate isArgOf(Call c, int i) { c = call and i = idx }
 
   override Top asTop() { result = this.getCall() }
 
-  override DataFlow::Node asNode() { result = varargs }
+  override DataFlow::Node asNode() { result = vararg }
 
-  override string toString() { result = varargs.toString() }
+  override string toString() { result = vararg.toString() }
 }
 
 /**
diff --git a/java/ql/test/query-tests/Telemetry/AutomodelApplicationModeExtraction/AutomodelApplicationModeExtractCandidates.expected b/java/ql/test/query-tests/Telemetry/AutomodelApplicationModeExtraction/AutomodelApplicationModeExtractCandidates.expected
@@ -1,3 +1,3 @@
 | Test.java:16:3:16:11 | reference | command-injection, path-injection, request-forgery, sql-injection\nrelated locations: $@.\nmetadata: $@, $@, $@, $@, $@, $@. | Test.java:16:3:16:11 | reference | CallContext | file://java.util.concurrent.atomic:1:1:1:1 | java.util.concurrent.atomic | package | file://AtomicReference:1:1:1:1 | AtomicReference | type | file://false:1:1:1:1 | false | subtypes | file://set:1:1:1:1 | set | name | file://(String):1:1:1:1 | (String) | signature | file://Argument[this]:1:1:1:1 | Argument[this] | input | file://false:1:1:1:1 | false | isVarargsArray |
 | Test.java:21:3:21:10 | supplier | command-injection, path-injection, request-forgery, sql-injection\nrelated locations: $@.\nmetadata: $@, $@, $@, $@, $@, $@. | Test.java:21:3:21:10 | supplier | CallContext | file://java.util.function:1:1:1:1 | java.util.function | package | file://Supplier:1:1:1:1 | Supplier | type | file://true:1:1:1:1 | true | subtypes | file://get:1:1:1:1 | get | name | file://():1:1:1:1 | () | signature | file://Argument[this]:1:1:1:1 | Argument[this] | input | file://false:1:1:1:1 | false | isVarargsArray |
-| Test.java:51:3:54:3 | new ..[] { .. } | command-injection, path-injection, request-forgery, sql-injection\nrelated locations: $@.\nmetadata: $@, $@, $@, $@, $@, $@. | Test.java:51:3:54:3 | walk(...) | CallContext | file://java.nio.file:1:1:1:1 | java.nio.file | package | file://Files:1:1:1:1 | Files | type | file://false:1:1:1:1 | false | subtypes | file://walk:1:1:1:1 | walk | name | file://(Path,FileVisitOption[]):1:1:1:1 | (Path,FileVisitOption[]) | signature | file://Argument[1]:1:1:1:1 | Argument[1] | input | file://true:1:1:1:1 | true | isVarargsArray |
+| Test.java:53:4:53:4 | o | command-injection, path-injection, request-forgery, sql-injection\nrelated locations: $@.\nmetadata: $@, $@, $@, $@, $@, $@. | Test.java:51:3:54:3 | walk(...) | CallContext | file://java.nio.file:1:1:1:1 | java.nio.file | package | file://Files:1:1:1:1 | Files | type | file://false:1:1:1:1 | false | subtypes | file://walk:1:1:1:1 | walk | name | file://(Path,FileVisitOption[]):1:1:1:1 | (Path,FileVisitOption[]) | signature | file://Argument[1]:1:1:1:1 | Argument[1] | input | file://true:1:1:1:1 | true | isVarargsArray |
diff --git a/java/ql/test/query-tests/Telemetry/AutomodelApplicationModeExtraction/Test.java b/java/ql/test/query-tests/Telemetry/AutomodelApplicationModeExtraction/Test.java
@@ -47,10 +47,10 @@ public static int compareFiles(File f1, File f2) {
 		);
 	}
 		
-	public static void FilesWalkExample(Path p) throws Exception {
+	public static void FilesWalkExample(Path p, FileVisitOption o) throws Exception {
 		Files.walk(
 			p, // negative example (modeled as a taint step)
-			FileVisitOption.FOLLOW_LINKS // the implicit varargs array is a candidate
+			o // the implicit varargs array is a candidate
 		);
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -47,10 +47,10 @@ public static int compareFiles(File f1, File f2) {`
`47`	`47`	`);`
`48`	`48`	`}`
`49`	`49`
`50`		`- public static void FilesWalkExample(Path p) throws Exception {`
	`50`	`+ public static void FilesWalkExample(Path p, FileVisitOption o) throws Exception {`
`51`	`51`	`Files.walk(`
`52`	`52`	`p, // negative example (modeled as a taint step)`
`53`		`- FileVisitOption.FOLLOW_LINKS // the implicit varargs array is a candidate`
	`53`	`+ o // the implicit varargs array is a candidate`
`54`	`54`	`);`
`55`	`55`	`}`
`56`	`56`	`}`