Fix treatment of void method calls.

Max Schaefer · Max Schaefer · commit 1ebd0747a8a3 · 2024-01-17T14:40:47.000Z
diff --git a/java/ql/automodel/src/AutomodelApplicationModeCharacteristics.qll b/java/ql/automodel/src/AutomodelApplicationModeCharacteristics.qll
@@ -239,7 +239,12 @@ module ApplicationCandidatesImpl implements SharedCharacteristics::CandidateSig
   // Sanitizers are currently not modeled in MaD. TODO: check if this has large negative impact.
   predicate isSanitizer(Endpoint e, EndpointType t) {
     exists(t) and
-    AutomodelJavaUtil::isUnexploitableType(e.asNode().getType())
+    AutomodelJavaUtil::isUnexploitableType([
+        // for most endpoints, we can get the type from the node
+        e.asNode().getType(),
+        // but not for calls to void methods, where we need to go via the AST
+        e.asTop().(Expr).getType()
+      ])
     or
     t instanceof AutomodelEndpointTypes::PathInjectionSinkType and
     e.asNode() instanceof PathSanitizer::PathInjectionSanitizer
diff --git a/java/ql/automodel/test/AutomodelApplicationModeExtraction/Test.java b/java/ql/automodel/test/AutomodelApplicationModeExtraction/Test.java
@@ -18,7 +18,7 @@ public static void main(String[] args) throws Exception {
 		AtomicReference<String> reference = new AtomicReference<>(); // uninteresting (parameterless constructor)
 		reference.set( // $ sinkModel=set(Object):Argument[this]
 			args[0] // not a sink candidate (modeled as a flow step)
-		);  // $ sourceModel=set(Object):ReturnValue
+		);  // not a source candidate (return type is void)
 	}
 
 	public static void callSupplier(Supplier<String> supplier) {
@@ -92,7 +92,7 @@ public static void FilesListExample(Path p) throws Exception {
 
 		Files.delete(
 			p // $ sinkModel=delete(Path):Argument[0]
-		); // $ SPURIOUS: sourceModel=delete(Path):ReturnValue
+		); // not a source candidate (return type is void)
 
 		Files.deleteIfExists(
 			p // $ sinkModel=deleteIfExists(Path):Argument[0]
