remove useless predicate

am0o0 · am0o0 · commit 02b0b402d6bd · 2024-05-12T19:29:37.000+02:00
add missed FlowState
diff --git a/java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/DecompressionBomb.ql b/java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/DecompressionBomb.ql
@@ -37,6 +37,8 @@ module DecompressionBombsConfig implements DataFlow::StateConfigSig {
       state instanceof ApacheCommons
       or
       state instanceof XerialSnappy
+      or
+      state instanceof UtilZip
     )
   }
 
diff --git a/java/ql/src/experimental/semmle/code/java/security/DecompressionBomb.qll b/java/ql/src/experimental/semmle/code/java/security/DecompressionBomb.qll
@@ -81,16 +81,11 @@ module XerialSnappy {
       this.getReceiverType() instanceof TypeInputStream and
       this.getCallee().hasName(["read", "readNBytes", "readAllBytes"])
     }
-
-    /**
-     * A method Access as a sink which responsible for reading bytes
-     */
-    MethodCall getAByteRead() { result = this }
   }
 
   class Sink extends DecompressionBomb::Sink {
     override predicate sink(DataFlow::Node sink, DecompressionBomb::DecompressionState state) {
-      sink.asExpr() = any(ReadInputStreamCall r).getAByteRead() and
+      sink.asExpr() = any(ReadInputStreamCall r) and
       state instanceof DecompressionBomb::XerialSnappy
     }
   }
@@ -203,16 +198,11 @@ module ApacheCommons {
         this.getReceiverType() instanceof TypeCompressors and
         this.getCallee().hasName(["read", "readNBytes", "readAllBytes"])
       }
-
-      /**
-       * A method Access as a sink which responsible for reading bytes
-       */
-      MethodCall getAByteRead() { result = this }
     }
 
     class Sink extends DecompressionBomb::Sink {
       override predicate sink(DataFlow::Node sink, DecompressionBomb::DecompressionState state) {
-        sink.asExpr() = any(ReadInputStreamCall r).getAByteRead() and
+        sink.asExpr() = any(ReadInputStreamCall r) and
         state instanceof DecompressionBomb::ApacheCommons
       }
     }
@@ -278,16 +268,11 @@ module ApacheCommons {
         this.getReceiverType() instanceof TypeArchivers and
         this.getCallee().hasName(["read", "readNBytes", "readAllBytes"])
       }
-
-      /**
-       * A method Access as a sink which responsible for reading bytes
-       */
-      MethodCall getAByteRead() { result = this }
     }
 
     class Sink extends DecompressionBomb::Sink {
       override predicate sink(DataFlow::Node sink, DecompressionBomb::DecompressionState state) {
-        sink.asExpr() = any(ReadInputStreamCall r).getAByteRead() and
+        sink.asExpr() = any(ReadInputStreamCall r) and
         state instanceof DecompressionBomb::ApacheCommons
       }
     }
@@ -367,16 +352,11 @@ module ApacheCommons {
         ) and
         this.getCallee().hasName(["read", "readNBytes", "readAllBytes"])
       }
-
-      /**
-       * A method Access as a sink which responsible for reading bytes
-       */
-      MethodCall getAByteRead() { result = this }
     }
 
     class Sink extends DecompressionBomb::Sink {
       override predicate sink(DataFlow::Node sink, DecompressionBomb::DecompressionState state) {
-        sink.asExpr() = any(ReadInputStreamCall r).getAByteRead() and
+        sink.asExpr() = any(ReadInputStreamCall r) and
         state instanceof DecompressionBomb::ApacheCommons
       }
     }
@@ -404,16 +384,11 @@ module Zip4j {
       this.getReceiverType() instanceof TypeZipInputStream and
       this.getMethod().hasName(["read", "readNBytes", "readAllBytes"])
     }
-
-    /**
-     * A method Access as a sink which responsible for reading bytes
-     */
-    MethodCall getAByteRead() { result = this }
   }
 
   class Sink extends DecompressionBomb::Sink {
     override predicate sink(DataFlow::Node sink, DecompressionBomb::DecompressionState state) {
-      sink.asExpr() = any(ReadInputStreamCall r).getAByteRead() and
+      sink.asExpr() = any(ReadInputStreamCall r) and
       state instanceof DecompressionBomb::Zip4j
     }
   }
@@ -446,40 +421,6 @@ module Zip4j {
   }
 }
 
-/**
- * Providing sinks that can be related to reading uncontrolled buffer and bytes for `org.apache.commons.io` package
- */
-module CommonsIO {
-  /**
-   * The Access to Methods which work with byes and inputStreams and buffers
-   */
-  class IOUtils extends MethodCall {
-    IOUtils() {
-      this.getMethod()
-          .hasName([
-              "copy", "copyLarge", "read", "readFully", "readLines", "toBufferedInputStream",
-              "toByteArray", "toCharArray", "toString", "buffer"
-            ]) and
-      this.getMethod().getDeclaringType().hasQualifiedName("org.apache.commons.io", "IOUtils")
-    }
-  }
-
-  class Sink extends DecompressionBomb::Sink {
-    override predicate sink(DataFlow::Node sink, DecompressionBomb::DecompressionState state) {
-      sink.asExpr() = any(IOUtils r).getArgument(0) and
-      (
-        state instanceof DecompressionBomb::Zip4j
-        or
-        state instanceof DecompressionBomb::Inflator
-        or
-        state instanceof DecompressionBomb::ApacheCommons
-        or
-        state instanceof DecompressionBomb::XerialSnappy
-      )
-    }
-  }
-}
-
 /**
  * Providing Decompression sinks and additional taint steps for `java.util.zip` package
  */
@@ -503,16 +444,11 @@ module Zip {
       this.getReceiverType() instanceof TypeInputStream and
       this.getCallee().hasName(["read", "readNBytes", "readAllBytes"])
     }
-
-    /**
-     * A method Access as a sink which responsible for reading bytes
-     */
-    MethodCall getAByteRead() { result = this }
   }
 
   class ReadInputStreamSink extends DecompressionBomb::Sink {
     override predicate sink(DataFlow::Node sink, DecompressionBomb::DecompressionState state) {
-      sink.asExpr() = any(ReadInputStreamCall r).getAByteRead() and
+      sink.asExpr() = any(ReadInputStreamCall r) and
       state instanceof DecompressionBomb::UtilZip
     }
   }
@@ -602,16 +538,11 @@ module Zip {
       this.getReceiverType() instanceof TypeInflator and
       this.getCallee().hasName("inflate")
     }
-
-    /**
-     * A method Access as a sink which responsible for reading bytes
-     */
-    MethodCall getAByteRead() { result = this }
   }
 
   class InflateSink extends DecompressionBomb::Sink {
     override predicate sink(DataFlow::Node sink, DecompressionBomb::DecompressionState state) {
-      sink.asExpr() = any(InflateCall r).getAByteRead() and
+      sink.asExpr() = any(InflateCall r) and
       state instanceof DecompressionBomb::Inflator
     }
   }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/src/main/java/com/Bombs/CommonsCompressHandler.java b/java/ql/test/experimental/query-tests/security/CWE-522-DecompressionBombs/src/main/java/com/Bombs/CommonsCompressHandler.java
@@ -8,7 +8,6 @@
 import org.apache.commons.compress.compressors.CompressorInputStream;
 import org.apache.commons.compress.compressors.CompressorStreamFactory;
 import org.apache.commons.compress.compressors.gzip.*;
-import org.apache.commons.io.IOUtils;
 
 public class CommonsCompressHandler {
   public static void commonsCompressorInputStream(InputStream inputStream) throws IOException {
@@ -37,38 +36,14 @@ public static void commonsCompressorInputStream(InputStream inputStream) throws
     }
     out.close();
     gzIn.close();
-
-    try (GzipCompressorInputStream gzIn2 =
-        new org.apache.commons.compress.compressors.gzip.GzipCompressorInputStream(in)) {
-      File f = new File("tmpfile");
-      try (OutputStream o = Files.newOutputStream(f.toPath())) {
-        IOUtils.copy(gzIn2, o);  // BAD
-      }
-    } catch (IOException e) {
-      throw new RuntimeException(e);
-    }
   }
 
   static void commonsCompressArchiveInputStream(InputStream inputStream) throws ArchiveException {
     new org.apache.commons.compress.archivers.ar.ArArchiveInputStream(inputStream);
     new org.apache.commons.compress.archivers.arj.ArjArchiveInputStream(inputStream);
     new org.apache.commons.compress.archivers.cpio.CpioArchiveInputStream(inputStream);
     new org.apache.commons.compress.archivers.jar.JarArchiveInputStream(inputStream);
-    try (org.apache.commons.compress.archivers.zip.ZipArchiveInputStream zipInputStream =
-        new org.apache.commons.compress.archivers.zip.ZipArchiveInputStream(inputStream)) {
-      ArchiveEntry entry = null;
-      while ((entry = zipInputStream.getNextEntry()) != null) {
-        if (!zipInputStream.canReadEntryData(entry)) {
-          continue;
-        }
-        File f = new File("tmpfile");
-        try (OutputStream o = Files.newOutputStream(f.toPath())) {
-          IOUtils.copy(zipInputStream, o);  // BAD
-        }
-      }
-    } catch (IOException e) {
-      throw new RuntimeException(e);
-    }
+    new org.apache.commons.compress.archivers.zip.ZipArchiveInputStream(inputStream);
   }
 
   static void commonsCompressArchiveInputStream2(InputStream inputStream) {
@@ -83,7 +58,7 @@ static void commonsCompressArchiveInputStream2(InputStream inputStream) {
         File f = new File("tmpfile");
         try (OutputStream outputStream = new FileOutputStream(f)) {
           int readLen;
-          while ((readLen = zipInputStream.read(readBuffer)) != -1) {  // BAD
+          while ((readLen = zipInputStream.read(readBuffer)) != -1) { // BAD
             outputStream.write(readBuffer, 0, readLen);
           }
         }
@@ -106,7 +81,7 @@ static void commonsCompressArchiveStreamFactory(InputStream inputStream)
       File f = new File("tmpfile");
       try (OutputStream outputStream = new FileOutputStream(f)) {
         int readLen;
-        while ((readLen = zipInputStream.read(readBuffer)) != -1) {  // BAD
+        while ((readLen = zipInputStream.read(readBuffer)) != -1) { // BAD
           outputStream.write(readBuffer, 0, readLen);
         }
       }
@@ -121,7 +96,7 @@ static void commonsCompressCompressorStreamFactory(InputStream inputStream)
     int buffersize = 4096;
     final byte[] buffer = new byte[buffersize];
     int n = 0;
-    while (-1 != (n = in.read(buffer))) {  // BAD
+    while (-1 != (n = in.read(buffer))) { // BAD
       out.write(buffer, 0, n);
     }
     out.close();

Original file line number	Diff line number	Diff line change
`@@ -37,6 +37,8 @@ module DecompressionBombsConfig implements DataFlow::StateConfigSig {`
`37`	`37`	`state instanceof ApacheCommons`
`38`	`38`	`or`
`39`	`39`	`state instanceof XerialSnappy`
	`40`	`+ or`
	`41`	`+ state instanceof UtilZip`
`40`	`42`	`)`
`41`	`43`	`}`
`42`	`44`
Original file line number	Diff line number	Diff line change
`@@ -81,16 +81,11 @@ module XerialSnappy {`
`81`	`81`	`this.getReceiverType() instanceof TypeInputStream and`
`82`	`82`	`this.getCallee().hasName(["read", "readNBytes", "readAllBytes"])`
`83`	`83`	`}`
`84`		`-`
`85`		`- /**`
`86`		`- * A method Access as a sink which responsible for reading bytes`
`87`		`- */`
`88`		`- MethodCall getAByteRead() { result = this }`
`89`	`84`	`}`
`90`	`85`
`91`	`86`	`class Sink extends DecompressionBomb::Sink {`
`92`	`87`	`override predicate sink(DataFlow::Node sink, DecompressionBomb::DecompressionState state) {`
`93`		`- sink.asExpr() = any(ReadInputStreamCall r).getAByteRead() and`
	`88`	`+ sink.asExpr() = any(ReadInputStreamCall r) and`
`94`	`89`	`state instanceof DecompressionBomb::XerialSnappy`
`95`	`90`	`}`
`96`	`91`	`}`
`@@ -203,16 +198,11 @@ module ApacheCommons {`
`203`	`198`	`this.getReceiverType() instanceof TypeCompressors and`
`204`	`199`	`this.getCallee().hasName(["read", "readNBytes", "readAllBytes"])`
`205`	`200`	`}`
`206`		`-`
`207`		`- /**`
`208`		`- * A method Access as a sink which responsible for reading bytes`
`209`		`- */`
`210`		`- MethodCall getAByteRead() { result = this }`
`211`	`201`	`}`
`212`	`202`
`213`	`203`	`class Sink extends DecompressionBomb::Sink {`
`214`	`204`	`override predicate sink(DataFlow::Node sink, DecompressionBomb::DecompressionState state) {`
`215`		`- sink.asExpr() = any(ReadInputStreamCall r).getAByteRead() and`
	`205`	`+ sink.asExpr() = any(ReadInputStreamCall r) and`
`216`	`206`	`state instanceof DecompressionBomb::ApacheCommons`
`217`	`207`	`}`
`218`	`208`	`}`
`@@ -278,16 +268,11 @@ module ApacheCommons {`
`278`	`268`	`this.getReceiverType() instanceof TypeArchivers and`
`279`	`269`	`this.getCallee().hasName(["read", "readNBytes", "readAllBytes"])`
`280`	`270`	`}`
`281`		`-`
`282`		`- /**`
`283`		`- * A method Access as a sink which responsible for reading bytes`
`284`		`- */`
`285`		`- MethodCall getAByteRead() { result = this }`
`286`	`271`	`}`
`287`	`272`
`288`	`273`	`class Sink extends DecompressionBomb::Sink {`
`289`	`274`	`override predicate sink(DataFlow::Node sink, DecompressionBomb::DecompressionState state) {`
`290`		`- sink.asExpr() = any(ReadInputStreamCall r).getAByteRead() and`
	`275`	`+ sink.asExpr() = any(ReadInputStreamCall r) and`
`291`	`276`	`state instanceof DecompressionBomb::ApacheCommons`
`292`	`277`	`}`
`293`	`278`	`}`
`@@ -367,16 +352,11 @@ module ApacheCommons {`
`367`	`352`	`) and`
`368`	`353`	`this.getCallee().hasName(["read", "readNBytes", "readAllBytes"])`
`369`	`354`	`}`
`370`		`-`
`371`		`- /**`
`372`		`- * A method Access as a sink which responsible for reading bytes`
`373`		`- */`
`374`		`- MethodCall getAByteRead() { result = this }`
`375`	`355`	`}`
`376`	`356`
`377`	`357`	`class Sink extends DecompressionBomb::Sink {`
`378`	`358`	`override predicate sink(DataFlow::Node sink, DecompressionBomb::DecompressionState state) {`
`379`		`- sink.asExpr() = any(ReadInputStreamCall r).getAByteRead() and`
	`359`	`+ sink.asExpr() = any(ReadInputStreamCall r) and`
`380`	`360`	`state instanceof DecompressionBomb::ApacheCommons`
`381`	`361`	`}`
`382`	`362`	`}`
`@@ -404,16 +384,11 @@ module Zip4j {`
`404`	`384`	`this.getReceiverType() instanceof TypeZipInputStream and`
`405`	`385`	`this.getMethod().hasName(["read", "readNBytes", "readAllBytes"])`
`406`	`386`	`}`
`407`		`-`
`408`		`- /**`
`409`		`- * A method Access as a sink which responsible for reading bytes`
`410`		`- */`
`411`		`- MethodCall getAByteRead() { result = this }`
`412`	`387`	`}`
`413`	`388`
`414`	`389`	`class Sink extends DecompressionBomb::Sink {`
`415`	`390`	`override predicate sink(DataFlow::Node sink, DecompressionBomb::DecompressionState state) {`
`416`		`- sink.asExpr() = any(ReadInputStreamCall r).getAByteRead() and`
	`391`	`+ sink.asExpr() = any(ReadInputStreamCall r) and`
`417`	`392`	`state instanceof DecompressionBomb::Zip4j`
`418`	`393`	`}`
`419`	`394`	`}`
`@@ -446,40 +421,6 @@ module Zip4j {`
`446`	`421`	`}`
`447`	`422`	`}`
`448`	`423`
`449`		`-/**`
`450`		- * Providing sinks that can be related to reading uncontrolled buffer and bytes for `org.apache.commons.io` package
`451`		`- */`
`452`		`-module CommonsIO {`
`453`		`- /**`
`454`		`- * The Access to Methods which work with byes and inputStreams and buffers`
`455`		`- */`
`456`		`- class IOUtils extends MethodCall {`
`457`		`- IOUtils() {`
`458`		`- this.getMethod()`
`459`		`- .hasName([`
`460`		`- "copy", "copyLarge", "read", "readFully", "readLines", "toBufferedInputStream",`
`461`		`- "toByteArray", "toCharArray", "toString", "buffer"`
`462`		`- ]) and`
`463`		`- this.getMethod().getDeclaringType().hasQualifiedName("org.apache.commons.io", "IOUtils")`
`464`		`- }`
`465`		`- }`
`466`		`-`
`467`		`- class Sink extends DecompressionBomb::Sink {`
`468`		`- override predicate sink(DataFlow::Node sink, DecompressionBomb::DecompressionState state) {`
`469`		`- sink.asExpr() = any(IOUtils r).getArgument(0) and`
`470`		`- (`
`471`		`- state instanceof DecompressionBomb::Zip4j`
`472`		`- or`
`473`		`- state instanceof DecompressionBomb::Inflator`
`474`		`- or`
`475`		`- state instanceof DecompressionBomb::ApacheCommons`
`476`		`- or`
`477`		`- state instanceof DecompressionBomb::XerialSnappy`
`478`		`- )`
`479`		`- }`
`480`		`- }`
`481`		`-}`
`482`		`-`
`483`	`424`	`/**`
`484`	`425`	* Providing Decompression sinks and additional taint steps for `java.util.zip` package
`485`	`426`	`*/`
`@@ -503,16 +444,11 @@ module Zip {`
`503`	`444`	`this.getReceiverType() instanceof TypeInputStream and`
`504`	`445`	`this.getCallee().hasName(["read", "readNBytes", "readAllBytes"])`
`505`	`446`	`}`
`506`		`-`
`507`		`- /**`
`508`		`- * A method Access as a sink which responsible for reading bytes`
`509`		`- */`
`510`		`- MethodCall getAByteRead() { result = this }`
`511`	`447`	`}`
`512`	`448`
`513`	`449`	`class ReadInputStreamSink extends DecompressionBomb::Sink {`
`514`	`450`	`override predicate sink(DataFlow::Node sink, DecompressionBomb::DecompressionState state) {`
`515`		`- sink.asExpr() = any(ReadInputStreamCall r).getAByteRead() and`
	`451`	`+ sink.asExpr() = any(ReadInputStreamCall r) and`
`516`	`452`	`state instanceof DecompressionBomb::UtilZip`
`517`	`453`	`}`
`518`	`454`	`}`
`@@ -602,16 +538,11 @@ module Zip {`
`602`	`538`	`this.getReceiverType() instanceof TypeInflator and`
`603`	`539`	`this.getCallee().hasName("inflate")`
`604`	`540`	`}`
`605`		`-`
`606`		`- /**`
`607`		`- * A method Access as a sink which responsible for reading bytes`
`608`		`- */`
`609`		`- MethodCall getAByteRead() { result = this }`
`610`	`541`	`}`
`611`	`542`
`612`	`543`	`class InflateSink extends DecompressionBomb::Sink {`
`613`	`544`	`override predicate sink(DataFlow::Node sink, DecompressionBomb::DecompressionState state) {`
`614`		`- sink.asExpr() = any(InflateCall r).getAByteRead() and`
	`545`	`+ sink.asExpr() = any(InflateCall r) and`
`615`	`546`	`state instanceof DecompressionBomb::Inflator`
`616`	`547`	`}`
`617`	`548`	`}`