Support CharSequence#toString

Benjamin Muskalla · Benjamin Muskalla · commit 7dae6122d9d3 · 2021-11-10T16:30:20.000+01:00
Given CharSequence is often used as an
alias for String, ensure taint through toString is flowing
diff --git a/java/ql/lib/semmle/code/java/frameworks/Strings.qll b/java/ql/lib/semmle/code/java/frameworks/Strings.qll
@@ -54,7 +54,8 @@ private class StringSummaryCsv extends SummaryModelCsv {
         "java.lang;StringBuffer;true;StringBuffer;(CharSequence);;Argument[0];Argument[-1];taint",
         "java.lang;StringBuffer;true;StringBuffer;(String);;Argument[0];Argument[-1];taint",
         "java.lang;StringBuilder;true;StringBuilder;;;Argument[0];Argument[-1];taint",
-        "java.lang;CharSequence;true;subSequence;;;Argument[-1];ReturnValue;taint"
+        "java.lang;CharSequence;true;subSequence;;;Argument[-1];ReturnValue;taint",
+        "java.lang;CharSequence;true;toString;;;Argument[-1];ReturnValue;taint"
       ]
   }
 }
diff --git a/java/ql/test/library-tests/dataflow/taint/CharSeq.java b/java/ql/test/library-tests/dataflow/taint/CharSeq.java
@@ -9,5 +9,8 @@ void test1() {
   
       CharSequence seqFromSeq = seq.subSequence(0, 1);
       sink(seqFromSeq);
+
+      String stringFromSeq = seq.toString();
+      sink(stringFromSeq);
     }
   }
diff --git a/java/ql/test/library-tests/dataflow/taint/test.expected b/java/ql/test/library-tests/dataflow/taint/test.expected
@@ -43,6 +43,7 @@
 | B.java:15:21:15:27 | taint(...) | B.java:157:10:157:46 | toFile(...) |
 | CharSeq.java:7:26:7:32 | taint(...) | CharSeq.java:8:12:8:14 | seq |
 | CharSeq.java:7:26:7:32 | taint(...) | CharSeq.java:11:12:11:21 | seqFromSeq |
+| CharSeq.java:7:26:7:32 | taint(...) | CharSeq.java:14:12:14:24 | stringFromSeq |
 | MethodFlow.java:7:22:7:28 | taint(...) | MethodFlow.java:8:10:8:16 | tainted |
 | MethodFlow.java:9:31:9:37 | taint(...) | MethodFlow.java:10:10:10:17 | tainted2 |
 | MethodFlow.java:11:35:11:41 | taint(...) | MethodFlow.java:12:10:12:17 | tainted3 |

Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,8 @@ private class StringSummaryCsv extends SummaryModelCsv {`
`54`	`54`	`"java.lang;StringBuffer;true;StringBuffer;(CharSequence);;Argument[0];Argument[-1];taint",`
`55`	`55`	`"java.lang;StringBuffer;true;StringBuffer;(String);;Argument[0];Argument[-1];taint",`
`56`	`56`	`"java.lang;StringBuilder;true;StringBuilder;;;Argument[0];Argument[-1];taint",`
`57`		`- "java.lang;CharSequence;true;subSequence;;;Argument[-1];ReturnValue;taint"`
	`57`	`+ "java.lang;CharSequence;true;subSequence;;;Argument[-1];ReturnValue;taint",`
	`58`	`+ "java.lang;CharSequence;true;toString;;;Argument[-1];ReturnValue;taint"`
`58`	`59`	`]`
`59`	`60`	`}`
`60`	`61`	`}`
Original file line number	Diff line number	Diff line change
`@@ -9,5 +9,8 @@ void test1() {`
`9`	`9`
`10`	`10`	`CharSequence seqFromSeq = seq.subSequence(0, 1);`
`11`	`11`	`sink(seqFromSeq);`
	`12`	`+`
	`13`	`+ String stringFromSeq = seq.toString();`
	`14`	`+ sink(stringFromSeq);`
`12`	`15`	`}`
`13`	`16`	`}`