Java: add new endpoint class for source candidates in application mode

Stephan Brandauer · Stephan Brandauer · commit eb1e29d28445 · 2023-09-07T15:49:57.000+02:00
diff --git a/java/ql/automodel/src/AutomodelApplicationModeCharacteristics.qll b/java/ql/automodel/src/AutomodelApplicationModeCharacteristics.qll
@@ -35,7 +35,8 @@ newtype TApplicationModeEndpoint =
       argExpr.isVararg() and
       not exists(int i | i < idx and call.getArgument(i).(Argument).isVararg())
     )
-  }
+  } or
+  TMethodCall(Call call) { not call instanceof ConstructorCall }
 
 /**
  * An endpoint is a node that is a candidate for modeling.
@@ -122,6 +123,25 @@ class ImplicitVarargsArray extends ApplicationModeEndpoint, TImplicitVarargsArra
   override string toString() { result = vararg.toString() }
 }
 
+/**
+ * An endpoint that represents a method call.
+ */
+class MethodCall extends ApplicationModeEndpoint, TMethodCall {
+  Call call;
+
+  MethodCall() { this = TMethodCall(call) }
+
+  override predicate isArgOf(Call c, int idx) { c = call and idx = -1 }
+
+  override Top asTop() { result = call }
+
+  override DataFlow::Node asNode() { result.asExpr() = call }
+
+  override string getExtensibleType() { result = "sourceModel" }
+
+  override string toString() { result = call.toString() }
+}
+
 /**
  * A candidates implementation.
  *
@@ -275,6 +295,7 @@ private class UnexploitableIsCharacteristic extends CharacteristicsImpl::NotASin
   UnexploitableIsCharacteristic() { this = "unexploitable (is-style boolean method)" }
 
   override predicate appliesToEndpoint(Endpoint e) {
+    e.getExtensibleType() = "sinkModel" and
     not ApplicationCandidatesImpl::isSink(e, _, _) and
     ApplicationModeGetCallable::getCallable(e).getName().matches("is%") and
     ApplicationModeGetCallable::getCallable(e).getReturnType() instanceof BooleanType
@@ -293,6 +314,7 @@ private class UnexploitableExistsCharacteristic extends CharacteristicsImpl::Not
   UnexploitableExistsCharacteristic() { this = "unexploitable (existence-checking boolean method)" }
 
   override predicate appliesToEndpoint(Endpoint e) {
+    e.getExtensibleType() = "sinkModel" and
     not ApplicationCandidatesImpl::isSink(e, _, _) and
     exists(Callable callable |
       callable = ApplicationModeGetCallable::getCallable(e) and
@@ -309,6 +331,7 @@ private class ExceptionCharacteristic extends CharacteristicsImpl::NotASinkChara
   ExceptionCharacteristic() { this = "exception" }
 
   override predicate appliesToEndpoint(Endpoint e) {
+    e.getExtensibleType() = "sinkModel" and
     ApplicationModeGetCallable::getCallable(e).getDeclaringType().getASupertype*() instanceof
       TypeThrowable
   }
@@ -323,9 +346,13 @@ private class IsMaDTaintStepCharacteristic extends CharacteristicsImpl::NotASink
   IsMaDTaintStepCharacteristic() { this = "taint step" }
 
   override predicate appliesToEndpoint(Endpoint e) {
-    FlowSummaryImpl::Private::Steps::summaryThroughStepValue(e.asNode(), _, _) or
-    FlowSummaryImpl::Private::Steps::summaryThroughStepTaint(e.asNode(), _, _) or
-    FlowSummaryImpl::Private::Steps::summaryGetterStep(e.asNode(), _, _, _) or
+    e.getExtensibleType() = "sinkModel" and
+    FlowSummaryImpl::Private::Steps::summaryThroughStepValue(e.asNode(), _, _)
+    or
+    FlowSummaryImpl::Private::Steps::summaryThroughStepTaint(e.asNode(), _, _)
+    or
+    FlowSummaryImpl::Private::Steps::summaryGetterStep(e.asNode(), _, _, _)
+    or
     FlowSummaryImpl::Private::Steps::summarySetterStep(e.asNode(), _, _, _)
   }
 }
@@ -340,6 +367,7 @@ private class ArgumentToLocalCall extends CharacteristicsImpl::UninterestingToMo
   ArgumentToLocalCall() { this = "argument to local call" }
 
   override predicate appliesToEndpoint(Endpoint e) {
+    e.getExtensibleType() = "sinkModel" and
     ApplicationModeGetCallable::getCallable(e).fromSource()
   }
 }
@@ -351,6 +379,7 @@ private class ExcludedFromModeling extends CharacteristicsImpl::UninterestingToM
   ExcludedFromModeling() { this = "excluded from modeling" }
 
   override predicate appliesToEndpoint(Endpoint e) {
+    e.getExtensibleType() = "sinkModel" and
     ModelExclusions::isUninterestingForModels(ApplicationModeGetCallable::getCallable(e))
   }
 }
@@ -364,6 +393,7 @@ private class NonPublicMethodCharacteristic extends CharacteristicsImpl::Uninter
   NonPublicMethodCharacteristic() { this = "non-public method" }
 
   override predicate appliesToEndpoint(Endpoint e) {
+    e.getExtensibleType() = "sinkModel" and
     not ApplicationModeGetCallable::getCallable(e).isPublic()
   }
 }
@@ -386,6 +416,7 @@ private class OtherArgumentToModeledMethodCharacteristic extends Characteristics
   }
 
   override predicate appliesToEndpoint(Endpoint e) {
+    e.getExtensibleType() = "sinkModel" and
     not ApplicationCandidatesImpl::isSink(e, _, _) and
     exists(Endpoint otherSink |
       ApplicationCandidatesImpl::isSink(otherSink, _, "manual") and
@@ -403,7 +434,10 @@ private class OtherArgumentToModeledMethodCharacteristic extends Characteristics
 private class FunctionValueCharacteristic extends CharacteristicsImpl::LikelyNotASinkCharacteristic {
   FunctionValueCharacteristic() { this = "function value" }
 
-  override predicate appliesToEndpoint(Endpoint e) { e.asNode().asExpr() instanceof FunctionalExpr }
+  override predicate appliesToEndpoint(Endpoint e) {
+    e.getExtensibleType() = "sinkModel" and
+    e.asNode().asExpr() instanceof FunctionalExpr
+  }
 }
 
 /**
@@ -419,6 +453,7 @@ private class CannotBeTaintedCharacteristic extends CharacteristicsImpl::LikelyN
 
   override predicate appliesToEndpoint(Endpoint e) {
     // XXX consider source candidate endpoints
+    e.getExtensibleType() = "sinkModel" and
     not this.isKnownOutNodeForStep(e)
   }
 
diff --git a/java/ql/automodel/test/AutomodelApplicationModeExtraction/AutomodelApplicationModeExtractNegativeExamples.expected b/java/ql/automodel/test/AutomodelApplicationModeExtraction/AutomodelApplicationModeExtractNegativeExamples.expected
@@ -1,2 +1,3 @@
+| Test.java:45:10:47:3 | compareTo(...) | known sanitizer\nrelated locations: $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@. | Test.java:45:10:47:3 | compareTo(...) | CallContext | file://java.io:1:1:1:1 | java.io | package | file://File:1:1:1:1 | File | type | file://true:1:1:1:1 | true | subtypes | file://compareTo:1:1:1:1 | compareTo | name | file://(File):1:1:1:1 | (File) | signature | file://Argument[this]:1:1:1:1 | Argument[this] | input | file://false:1:1:1:1 | false | isVarargsArray |
 | Test.java:46:4:46:5 | f2 | known non-sink\nrelated locations: $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@. | Test.java:45:10:47:3 | compareTo(...) | CallContext | file://java.io:1:1:1:1 | java.io | package | file://File:1:1:1:1 | File | type | file://true:1:1:1:1 | true | subtypes | file://compareTo:1:1:1:1 | compareTo | name | file://(File):1:1:1:1 | (File) | signature | file://Argument[0]:1:1:1:1 | Argument[0] | input | file://false:1:1:1:1 | false | isVarargsArray |
 | Test.java:52:4:52:4 | p | taint step\nrelated locations: $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@. | Test.java:51:3:56:3 | walk(...) | CallContext | file://java.nio.file:1:1:1:1 | java.nio.file | package | file://Files:1:1:1:1 | Files | type | file://false:1:1:1:1 | false | subtypes | file://walk:1:1:1:1 | walk | name | file://(Path,FileVisitOption[]):1:1:1:1 | (Path,FileVisitOption[]) | signature | file://Argument[0]:1:1:1:1 | Argument[0] | input | file://false:1:1:1:1 | false | isVarargsArray |
diff --git a/java/ql/automodel/test/AutomodelApplicationModeExtraction/Test.java b/java/ql/automodel/test/AutomodelApplicationModeExtraction/Test.java
@@ -42,7 +42,7 @@ public static InputStream getInputStream(String openPath) throws Exception {
 	}
 
 	public static int compareFiles(File f1, File f2) {
-		return f1.compareTo(
+		return f1.compareTo( // compareTo call is a known sanitizer
 			f2 // negative example (modeled as not a sink)
 		);
 	}

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
	`1`	`+\| Test.java:45:10:47:3 \| compareTo(...) \| known sanitizer\nrelated locations: $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@. \| Test.java:45:10:47:3 \| compareTo(...) \| CallContext \| file://java.io:1:1:1:1 \| java.io \| package \| file://File:1:1:1:1 \| File \| type \| file://true:1:1:1:1 \| true \| subtypes \| file://compareTo:1:1:1:1 \| compareTo \| name \| file://(File):1:1:1:1 \| (File) \| signature \| file://Argument[this]:1:1:1:1 \| Argument[this] \| input \| file://false:1:1:1:1 \| false \| isVarargsArray \|`
`1`	`2`	`\| Test.java:46:4:46:5 \| f2 \| known non-sink\nrelated locations: $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@. \| Test.java:45:10:47:3 \| compareTo(...) \| CallContext \| file://java.io:1:1:1:1 \| java.io \| package \| file://File:1:1:1:1 \| File \| type \| file://true:1:1:1:1 \| true \| subtypes \| file://compareTo:1:1:1:1 \| compareTo \| name \| file://(File):1:1:1:1 \| (File) \| signature \| file://Argument[0]:1:1:1:1 \| Argument[0] \| input \| file://false:1:1:1:1 \| false \| isVarargsArray \|`
`2`	`3`	\| Test.java:52:4:52:4 \| p \| taint step\nrelated locations: $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@. \| Test.java:51:3:56:3 \| walk(...) \| CallContext \| file://java.nio.file:1:1:1:1 \| java.nio.file \| package \| file://Files:1:1:1:1 \| Files \| type \| file://false:1:1:1:1 \| false \| subtypes \| file://walk:1:1:1:1 \| walk \| name \| file://(Path,FileVisitOption[]):1:1:1:1 \| (Path,FileVisitOption[]) \| signature \| file://Argument[0]:1:1:1:1 \| Argument[0] \| input \| file://false:1:1:1:1 \| false \| isVarargsArray \|
Original file line number	Diff line number	Diff line change
`@@ -42,7 +42,7 @@ public static InputStream getInputStream(String openPath) throws Exception {`
`42`	`42`	`}`
`43`	`43`
`44`	`44`	`public static int compareFiles(File f1, File f2) {`
`45`		`- return f1.compareTo(`
	`45`	`+ return f1.compareTo( // compareTo call is a known sanitizer`
`46`	`46`	`f2 // negative example (modeled as not a sink)`
`47`	`47`	`);`
`48`	`48`	`}`