Match enclosing unit without casting to specific nodes

Benjamin Muskalla · Benjamin Muskalla · commit 281f25403d5d · 2021-11-10T16:30:23.000+01:00
diff --git a/java/ql/src/utils/model-generator/CaptureSinkModels.ql b/java/ql/src/utils/model-generator/CaptureSinkModels.ql
@@ -16,16 +16,19 @@ class PropagateToSinkConfiguration extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) {
     source instanceof DataFlow::ParameterNode and
-    source.asParameter().getCallable().isPublic() and
-    source.asParameter().getCallable().getDeclaringType().isPublic() and
+    source.getEnclosingCallable().isPublic() and
+    source.getEnclosingCallable().getDeclaringType().isPublic() and
     isRelevantForModels(source.getEnclosingCallable())
   }
 
   override predicate isSink(DataFlow::Node sink) { sinkNode(sink, _) }
 }
 
 string asInputArgument(DataFlow::Node source) {
-  result = "Argument[" + source.asParameter().getPosition() + "]"
+  exists(int pos |
+    source.(DataFlow::ParameterNode).isParameterOf(_, pos) and
+    result = "Argument[" + pos + "]"
+  )
 }
 
 string captureSink(Callable api) {
diff --git a/java/ql/src/utils/model-generator/CaptureSourceModels.ql b/java/ql/src/utils/model-generator/CaptureSourceModels.ql
@@ -22,7 +22,7 @@ class FromSourceConfiguration extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node sink) {
     exists(Callable c |
       sink instanceof ReturnNodeExt and
-      sink.asExpr().getEnclosingCallable() = c and
+      sink.getEnclosingCallable() = c and
       c.isPublic() and
       c.fromSource()
     )
@@ -42,7 +42,7 @@ string captureSource(Callable api) {
   |
     config.hasFlow(src, sink) and
     specificSourceNode(sink, output, kind) and
-    api = src.asExpr().getEnclosingCallable() and
+    api = src.getEnclosingCallable() and
     result = asSourceModel(api, output, kind)
   )
 }
diff --git a/java/ql/src/utils/model-generator/CaptureSummaryModels.ql b/java/ql/src/utils/model-generator/CaptureSummaryModels.ql
@@ -28,14 +28,15 @@ string captureQualifierFlow(Callable api) {
 }
 
 string captureFieldFlow(Callable api) {
-  exists(FieldAccess fa, ReturnNodeExt postUpdate |
+  exists(FieldAccess fa, ReturnNodeExt returnNode |
     not (fa.getField().isStatic() and fa.getField().isFinal()) and
-    postUpdate.getEnclosingCallable() = api and
+    returnNode.getEnclosingCallable() = api and
+    fa.getCompilationUnit() = api.getCompilationUnit() and
     isRelevantType(api.getReturnType()) and
     not api.getDeclaringType() instanceof EnumType and
-    TaintTracking::localTaint(DataFlow::exprNode(fa), postUpdate)
+    TaintTracking::localTaint(DataFlow::exprNode(fa), returnNode)
   |
-    result = asTaintModel(api, "Argument[-1]", asOutput(api, postUpdate))
+    result = asTaintModel(api, "Argument[-1]", asOutput(api, returnNode))
   )
 }
 
@@ -59,7 +60,11 @@ class ParameterToFieldConfig extends TaintTracking::Configuration {
   }
 
   override predicate isSink(DataFlow::Node sink) {
-    exists(FieldAssignment a | a.getSource() = sink.asExpr())
+    exists(FieldAssignment a |
+      a.getSource() = sink.asExpr() and
+      a.getDest().(VarAccess).getVariable().getCompilationUnit() =
+        sink.getEnclosingCallable().getCompilationUnit()
+    )
   }
 }
 
diff --git a/java/ql/test/utils/model-generator/CaptureSummaryModels.expected b/java/ql/test/utils/model-generator/CaptureSummaryModels.expected
@@ -1,5 +1,6 @@
 | p;Factory;false;create;(String);;Argument[0];Argument[-1];taint; |
 | p;Factory;false;create;(String,int);;Argument[0];Argument[-1];taint; |
+| p;Factory;false;getValue;();;Argument[-1];ReturnValue;taint; |
 | p;FinalClass;false;returnsInput;(String);;Argument[0];ReturnValue;taint; |
 | p;FluentAPI;false;returnsThis;(String);;Argument[-1];ReturnValue;value; |
 | p;ImmutablePojo;false;ImmutablePojo;(String,int);;Argument[0];Argument[-1];taint; |
diff --git a/java/ql/test/utils/model-generator/p/Factory.java b/java/ql/test/utils/model-generator/p/Factory.java
@@ -19,4 +19,12 @@ private Factory(String value, int intValue) {
         this.intValue = intValue;
     }
 
+    public String getValue() {
+        return value;
+    }
+
+    public int getIntValue() {
+        return intValue;
+    }
+
 }
diff --git a/java/ql/test/utils/model-generator/p/ImmutablePojo.java b/java/ql/test/utils/model-generator/p/ImmutablePojo.java
@@ -15,6 +15,10 @@ public String getValue() {
         return value;
     }
 
+    public long getX() {
+        return x;
+    }
+
     public String or(String defaultValue) {
         return value != null ? value : defaultValue;
     }
diff --git a/java/ql/test/utils/model-generator/p/MultipleImpls.java b/java/ql/test/utils/model-generator/p/MultipleImpls.java
@@ -1,9 +1,5 @@
 package p;
 
-import java.io.File;
-import java.io.FileFilter;
-import java.io.IOException;
-import java.nio.file.Files;
 import java.util.concurrent.Callable;
 
 public class MultipleImpls {

Original file line number	Diff line number	Diff line change
`@@ -16,16 +16,19 @@ class PropagateToSinkConfiguration extends TaintTracking::Configuration {`
`16`	`16`
`17`	`17`	`override predicate isSource(DataFlow::Node source) {`
`18`	`18`	`source instanceof DataFlow::ParameterNode and`
`19`		`- source.asParameter().getCallable().isPublic() and`
`20`		`- source.asParameter().getCallable().getDeclaringType().isPublic() and`
	`19`	`+ source.getEnclosingCallable().isPublic() and`
	`20`	`+ source.getEnclosingCallable().getDeclaringType().isPublic() and`
`21`	`21`	`isRelevantForModels(source.getEnclosingCallable())`
`22`	`22`	`}`
`23`	`23`
`24`	`24`	`override predicate isSink(DataFlow::Node sink) { sinkNode(sink, _) }`
`25`	`25`	`}`
`26`	`26`
`27`	`27`	`string asInputArgument(DataFlow::Node source) {`
`28`		`- result = "Argument[" + source.asParameter().getPosition() + "]"`
	`28`	`+ exists(int pos \|`
	`29`	`+ source.(DataFlow::ParameterNode).isParameterOf(_, pos) and`
	`30`	`+ result = "Argument[" + pos + "]"`
	`31`	`+ )`
`29`	`32`	`}`
`30`	`33`
`31`	`34`	`string captureSink(Callable api) {`
Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ class FromSourceConfiguration extends TaintTracking::Configuration {`
`22`	`22`	`override predicate isSink(DataFlow::Node sink) {`
`23`	`23`	`exists(Callable c \|`
`24`	`24`	`sink instanceof ReturnNodeExt and`
`25`		`- sink.asExpr().getEnclosingCallable() = c and`
	`25`	`+ sink.getEnclosingCallable() = c and`
`26`	`26`	`c.isPublic() and`
`27`	`27`	`c.fromSource()`
`28`	`28`	`)`
`@@ -42,7 +42,7 @@ string captureSource(Callable api) {`
`42`	`42`	`\|`
`43`	`43`	`config.hasFlow(src, sink) and`
`44`	`44`	`specificSourceNode(sink, output, kind) and`
`45`		`- api = src.asExpr().getEnclosingCallable() and`
	`45`	`+ api = src.getEnclosingCallable() and`
`46`	`46`	`result = asSourceModel(api, output, kind)`
`47`	`47`	`)`
`48`	`48`	`}`
Original file line number	Diff line number	Diff line change
`@@ -28,14 +28,15 @@ string captureQualifierFlow(Callable api) {`
`28`	`28`	`}`
`29`	`29`
`30`	`30`	`string captureFieldFlow(Callable api) {`
`31`		`- exists(FieldAccess fa, ReturnNodeExt postUpdate \|`
	`31`	`+ exists(FieldAccess fa, ReturnNodeExt returnNode \|`
`32`	`32`	`not (fa.getField().isStatic() and fa.getField().isFinal()) and`
`33`		`- postUpdate.getEnclosingCallable() = api and`
	`33`	`+ returnNode.getEnclosingCallable() = api and`
	`34`	`+ fa.getCompilationUnit() = api.getCompilationUnit() and`
`34`	`35`	`isRelevantType(api.getReturnType()) and`
`35`	`36`	`not api.getDeclaringType() instanceof EnumType and`
`36`		`- TaintTracking::localTaint(DataFlow::exprNode(fa), postUpdate)`
	`37`	`+ TaintTracking::localTaint(DataFlow::exprNode(fa), returnNode)`
`37`	`38`	`\|`
`38`		`- result = asTaintModel(api, "Argument[-1]", asOutput(api, postUpdate))`
	`39`	`+ result = asTaintModel(api, "Argument[-1]", asOutput(api, returnNode))`
`39`	`40`	`)`
`40`	`41`	`}`
`41`	`42`
`@@ -59,7 +60,11 @@ class ParameterToFieldConfig extends TaintTracking::Configuration {`
`59`	`60`	`}`
`60`	`61`
`61`	`62`	`override predicate isSink(DataFlow::Node sink) {`
`62`		`- exists(FieldAssignment a \| a.getSource() = sink.asExpr())`
	`63`	`+ exists(FieldAssignment a \|`
	`64`	`+ a.getSource() = sink.asExpr() and`
	`65`	`+ a.getDest().(VarAccess).getVariable().getCompilationUnit() =`
	`66`	`+ sink.getEnclosingCallable().getCompilationUnit()`
	`67`	`+ )`
`63`	`68`	`}`
`64`	`69`	`}`
`65`	`70`
Original file line number	Diff line number	Diff line change
`@@ -19,4 +19,12 @@ private Factory(String value, int intValue) {`
`19`	`19`	`this.intValue = intValue;`
`20`	`20`	`}`
`21`	`21`
	`22`	`+ public String getValue() {`
	`23`	`+ return value;`
	`24`	`+ }`
	`25`	`+`
	`26`	`+ public int getIntValue() {`
	`27`	`+ return intValue;`
	`28`	`+ }`
	`29`	`+`
`22`	`30`	`}`
Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,10 @@ public String getValue() {`
`15`	`15`	`return value;`
`16`	`16`	`}`
`17`	`17`
	`18`	`+ public long getX() {`
	`19`	`+ return x;`
	`20`	`+ }`
	`21`	`+`
`18`	`22`	`public String or(String defaultValue) {`
`19`	`23`	`return value != null ? value : defaultValue;`
`20`	`24`	`}`