
Commit 58de6d1

author
Benjamin Muskalla
committed
Add docs to explain the models captured by the predicates
1 parent 747ab12 commit 58de6d1

1 file changed

Lines changed: 79 additions & 0 deletions


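--- a/java/ql/src/utils/model-generator/CaptureSummaryModels.ql
+++ b/java/ql/src/utils/model-generator/CaptureSummaryModels.ql
@@ -19,6 +19,18 @@ string captureFlow(Callable api) {
 result = captureFieldFlow(api)
 }
 
+/**
+* Capture fluent APIs that return `this`.
+* Example of a fluent API:
+* ```
+* public class Foo {
+* public Foo someAPI() {
+* // some side-effect
+* return this;
+* }
+* }
+* ```
+*/
 string captureQualifierFlow(Callable api) {
 exists(ReturnStmt rtn |
 rtn.getEnclosingCallable() = api and
@@ -27,6 +39,28 @@ string captureQualifierFlow(Callable api) {
 result = asValueModel(api, "Argument[-1]", "ReturnValue")
 }
 
+/**
+* Capture APIs that return tainted instance data.
+* Example of an API that returns tainted instance data:
+* ```
+* public class Foo {
+* private String tainted;
+*
+* public String returnsTainted() {
+* return tainted;
+* }
+*
+* public void putsTaintIntoParameter(List<String> foo) {
+* foo.add(tainted);
+* }
+* }
+* ```
+* Captured Model:
+* ```
+* p;Foo;true;returnsTainted;;Argument[-1];ReturnValue;taint
+* p;Foo;true;putsTaintIntoParameter;(List);Argument[-1];ReturnValue;taint
+* ```
+*/
 string captureFieldFlow(Callable api) {
 exists(FieldAccess fa, ReturnNodeExt returnNode |
 not (fa.getField().isStatic() and fa.getField().isFinal()) and
@@ -68,6 +102,19 @@ class ParameterToFieldConfig extends TaintTracking::Configuration {
 }
 }
 
+/**
+* Captures APIs that accept input and store them in a field.
+* Example:
+* ```
+* public class Foo {
+* private String tainted;
+* public void doSomething(String input) {
+* tainted = input;
+* }
+* ```
+* Captured Model:
+* `p;Foo;true;doSomething;(String);Argument[0];Argument[-1];taint`
+*/
 string captureFieldFlowIn(Callable api) {
 exists(DataFlow::ParameterNode source, DataFlow::ExprNode sink, ParameterToFieldConfig config |
 sink.asExpr().getEnclosingCallable().getDeclaringType() =
@@ -102,6 +149,22 @@ predicate paramFlowToReturnValueExists(Parameter p) {
 )
 }
 
+/**
+* Capture APIs that return (parts of) data passed in as a parameter.
+* Example:
+* ```
+* public class Foo {
+*
+* public String returnData(String tainted) {
+* return tainted.substring(0,10)
+* }
+* }
+* ```
+* Captured Model:
+* ```
+* p;Foo;true;returnData;;Argument[0];ReturnValue;taint
+* ```
+*/
 string captureParameterFlowToReturnValue(Callable api) {
 exists(Parameter p |
 p = api.getAParameter() and
@@ -111,6 +174,22 @@ string captureParameterFlowToReturnValue(Callable api) {
 )
 }
 
+/**
+* Capture APIs that pass tainted data from a parameter to a parameter.
+* Example:
+* ```
+* public class Foo {
+*
+* public void addToList(String tainted, List<String> foo) {
+* foo.add(tainted);
+* }
+* }
+* ```
+* Captured Model:
+* ```
+* p;Foo;true;addToList;;Argument[0];Argument[1];taint
+* ```
+*/
 string captureParameterToParameterFlow(Callable api) {
 exists(DataFlow::ParameterNode source, DataFlow::PostUpdateNode sink |
 source.getEnclosingCallable() = api and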
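Review bot: The second captured-model row in the new QLDoc for `captureFieldFlow` looks wrong: `putsTaintIntoParameter` is `void` and writes the field into its `List` argument, yet the row ends in `Argument[-1];ReturnValue;taint`. If the predicate really models that flow, the documented row should presumably read `p;Foo;true;putsTaintIntoParameter;(List);Argument[-1];Argument[0];taint`; a reader copying the current row into a hand-written summary would describe a flow that does not exist and miss the one into the argument, which means lost taint-tracking results. The body of `captureFieldFlow` continues past the hunk, so the exact output is inferred from the example rather than confirmed. Smaller slips in the other comments: the `captureFieldFlowIn` example never closes `class Foo`, `returnData` lacks a `;` after `substring(0,10)`, and the signature column is filled in for some rows (`(String)`, `(List)`) but left empty for `returnData` and `addToList`.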
