Exclude known internal APIs from being modeled

Benjamin Muskalla · Benjamin Muskalla · commit 2654e271236d · 2021-11-10T16:30:22.000+01:00
diff --git a/java/ql/src/utils/model-generator/CaptureSinkModels.ql b/java/ql/src/utils/model-generator/CaptureSinkModels.ql
@@ -17,10 +17,11 @@ class PropagateToSinkConfiguration extends TaintTracking::Configuration {
   override predicate isSource(DataFlow::Node source) {
     source instanceof DataFlow::ParameterNode and
     source.asParameter().getCallable().isPublic() and
-    source.asParameter().getCallable().getDeclaringType().isPublic()
+    source.asParameter().getCallable().getDeclaringType().isPublic() and
+    isRelevantForModels(source.getEnclosingCallable())
   }
 
-  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, _) }
+  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, _)}
 }
 
 string asInputArgument(DataFlow::Node source) {
@@ -36,8 +37,7 @@ string captureSink(Callable api) {
   )
 }
 
-from Callable api, string sink
+from TargetAPI api, string sink
 where
-  sink = captureSink(api) and
-  not isInTestFile(api)
+  sink = captureSink(api)
 select sink order by sink
diff --git a/java/ql/src/utils/model-generator/CaptureSourceModels.ql b/java/ql/src/utils/model-generator/CaptureSourceModels.ql
@@ -47,8 +47,7 @@ string captureSource(Callable api) {
   )
 }
 
-from Callable api, string sink
+from TargetAPI api, string sink
 where
-  sink = captureSource(api) and
-  not isInTestFile(api)
+  sink = captureSource(api) 
 select sink order by sink
diff --git a/java/ql/src/utils/model-generator/CaptureSummaryModels.ql b/java/ql/src/utils/model-generator/CaptureSummaryModels.ql
@@ -9,6 +9,7 @@ import ModelGeneratorUtils
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.internal.DataFlowImplCommon
 import semmle.code.java.dataflow.internal.DataFlowNodes
+import ModelGeneratorUtils
 
 string captureFlow(Callable api) {
   result = captureQualifierFlow(api) or
@@ -123,15 +124,6 @@ string captureParameterToParameterFlow(Callable api) {
 // TODO: infer interface from multiple implementations? e.g. UriComponentsContributor
 // TODO: distinguish between taint and value flows. If we find a value flow, omit the taint flow
 // TODO: merge param->return value with param->parameter flow?
-class TargetAPI extends Callable {
-  TargetAPI() {
-    this.isPublic() and
-    this.fromSource() and
-    this.getDeclaringType().isPublic() and
-    not isInTestFile(this)
-  }
-}
-
 from TargetAPI api, string flow
 where flow = captureFlow(api)
 select flow order by flow
diff --git a/java/ql/src/utils/model-generator/GenerateFlowModel.py b/java/ql/src/utils/model-generator/GenerateFlowModel.py
@@ -1,12 +1,9 @@
 #!/usr/bin/python3
 
-import errno
 import json
 import os
 import os.path
-import re
 import shlex
-import shutil
 import subprocess
 import sys
 import tempfile
diff --git a/java/ql/src/utils/model-generator/ModelGeneratorUtils.qll b/java/ql/src/utils/model-generator/ModelGeneratorUtils.qll
@@ -2,7 +2,32 @@ import java
 import semmle.code.java.dataflow.ExternalFlow
 import semmle.code.java.dataflow.internal.ContainerFlow
 
-string isExtensible(RefType ref) { if ref.isFinal() then result = "false" else result = "true" }
+class TargetAPI extends Callable {
+  TargetAPI() {
+    this.isPublic() and
+    this.fromSource() and
+    this.getDeclaringType().isPublic() and
+    isRelevantForModels(this)
+  }
+  
+}
+
+private string isExtensible(RefType ref) { if ref.isFinal() then result = "false" else result = "true" }
+
+predicate isRelevantForModels(Callable api) {
+  not isInTestFile(api.getCompilationUnit().getFile()) and
+  not isJdkInternal(api.getCompilationUnit())
+}
+
+private predicate isInTestFile(File file) {
+  file.getAbsolutePath().matches("%src/test/%") or
+  file.getAbsolutePath().matches("%/guava-tests/%") or
+  file.getAbsolutePath().matches("%/guava-testlib/%")
+}
+
+private predicate isJdkInternal(CompilationUnit cu) {
+  cu.getPackage().getName().matches("com.sun") or cu.getPackage().getName().matches("sun") or cu.getPackage().getName().matches("")
+}
 
 bindingset[input, output]
 string asTaintModel(Callable api, string input, string output) {
@@ -56,10 +81,4 @@ string parameterAccess(Parameter p) {
     if p.getType() instanceof ContainerType
     then result = "Element of Argument[" + p.getPosition() + "]"
     else result = "Argument[" + p.getPosition() + "]"
-}
-
-predicate isInTestFile(Callable api) {
-  api.getCompilationUnit().getFile().getAbsolutePath().matches("%src/test/%") or
-  api.getCompilationUnit().getFile().getAbsolutePath().matches("%/guava-tests/%") or
-  api.getCompilationUnit().getFile().getAbsolutePath().matches("%/guava-testlib/%")
-}
+}

Original file line number	Diff line number	Diff line change
`@@ -17,10 +17,11 @@ class PropagateToSinkConfiguration extends TaintTracking::Configuration {`
`17`	`17`	`override predicate isSource(DataFlow::Node source) {`
`18`	`18`	`source instanceof DataFlow::ParameterNode and`
`19`	`19`	`source.asParameter().getCallable().isPublic() and`
`20`		`- source.asParameter().getCallable().getDeclaringType().isPublic()`
	`20`	`+ source.asParameter().getCallable().getDeclaringType().isPublic() and`
	`21`	`+ isRelevantForModels(source.getEnclosingCallable())`
`21`	`22`	`}`
`22`	`23`
`23`		`- override predicate isSink(DataFlow::Node sink) { sinkNode(sink, _) }`
	`24`	`+ override predicate isSink(DataFlow::Node sink) { sinkNode(sink, _)}`
`24`	`25`	`}`
`25`	`26`
`26`	`27`	`string asInputArgument(DataFlow::Node source) {`
`@@ -36,8 +37,7 @@ string captureSink(Callable api) {`
`36`	`37`	`)`
`37`	`38`	`}`
`38`	`39`
`39`		`-from Callable api, string sink`
	`40`	`+from TargetAPI api, string sink`
`40`	`41`	`where`
`41`		`- sink = captureSink(api) and`
`42`		`- not isInTestFile(api)`
	`42`	`+ sink = captureSink(api)`
`43`	`43`	`select sink order by sink`
Original file line number	Diff line number	Diff line change
`@@ -47,8 +47,7 @@ string captureSource(Callable api) {`
`47`	`47`	`)`
`48`	`48`	`}`
`49`	`49`
`50`		`-from Callable api, string sink`
	`50`	`+from TargetAPI api, string sink`
`51`	`51`	`where`
`52`		`- sink = captureSource(api) and`
`53`		`- not isInTestFile(api)`
	`52`	`+ sink = captureSource(api)`
`54`	`53`	`select sink order by sink`