Java: Collapse all the shared code for summary, source and sink models into a single file.

michaelnebel · michaelnebel · commit 852d8a277071 · 2022-03-29T11:07:57.000+02:00
diff --git a/java/ql/src/utils/model-generator/CaptureModels.qll b/java/ql/src/utils/model-generator/CaptureModels.qll
@@ -1,9 +1,12 @@
 /**
- * Provides classes and predicates related to capturing summary models
- * of the Standard or a 3rd party library.
+ * Provides classes and predicates related to capturing summary, source,
+ * and sink models of the Standard or a 3rd party library.
  */
 
-import CaptureSummaryModelsSpecific
+private import CaptureSummaryModelsSpecific
+private import CaptureSinkModelsSpecific
+private import CaptureSourceModelsSpecific
+private import ModelGeneratorUtils
 
 /**
  * Gets the summary model of `api`, if it follows the `fluent` programming pattern (returns `this`).
@@ -96,3 +99,59 @@ string captureThroughFlow(TargetApi api) {
     result = asTaintModel(api, input, output)
   )
 }
+
+private class FromSourceConfiguration extends TaintTracking::Configuration {
+  FromSourceConfiguration() { this = "FromSourceConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) { sourceNode(source, _) }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(TargetApi c |
+      sink instanceof ReturnNodeExt and
+      sink.getEnclosingCallable() = c
+    )
+  }
+
+  override DataFlow::FlowFeature getAFeature() {
+    result instanceof DataFlow::FeatureHasSinkCallContext
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    isRelevantTaintStep(node1, node2)
+  }
+}
+
+/**
+ * Gets the source model(s) of `api`, if there is flow from an existing known source to the return of `api`.
+ */
+string captureSource(TargetApi api) {
+  exists(DataFlow::Node source, DataFlow::Node sink, FromSourceConfiguration config, string kind |
+    config.hasFlow(source, sink) and
+    sourceNode(source, kind) and
+    api = sink.getEnclosingCallable() and
+    result = asSourceModel(api, returnNodeAsOutput(sink), kind)
+  )
+}
+
+private class PropagateToSinkConfiguration extends PropagateToSinkConfigurationSpecific {
+  PropagateToSinkConfiguration() { this = "parameters or fields flowing into sinks" }
+
+  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, _) }
+
+  override DataFlow::FlowFeature getAFeature() {
+    result instanceof DataFlow::FeatureHasSourceCallContext
+  }
+}
+
+/**
+ * Gets the sink model(s) of `api`, if there is flow from a parameter to an existing known sink.
+ */
+string captureSink(TargetApi api) {
+  exists(DataFlow::Node src, DataFlow::Node sink, PropagateToSinkConfiguration config, string kind |
+    config.hasFlow(src, sink) and
+    sinkNode(sink, kind) and
+    api = src.getEnclosingCallable() and
+    not kind = "logging" and
+    result = asSinkModel(api, asInputArgument(src), kind)
+  )
+}
diff --git a/java/ql/src/utils/model-generator/CaptureSinkModels.ql b/java/ql/src/utils/model-generator/CaptureSinkModels.ql
@@ -5,7 +5,7 @@
  */
 
 private import ModelGeneratorUtils
-private import CaptureSinkModels
+private import CaptureModels
 
 from TargetApi api, string sink
 where sink = captureSink(api)
diff --git a/java/ql/src/utils/model-generator/CaptureSinkModels.qll b/java/ql/src/utils/model-generator/CaptureSinkModels.qll
diff --git a/java/ql/src/utils/model-generator/CaptureSourceModels.ql b/java/ql/src/utils/model-generator/CaptureSourceModels.ql
@@ -5,7 +5,7 @@
  */
 
 private import ModelGeneratorUtils
-private import CaptureSourceModels
+private import CaptureModels
 
 from TargetApi api, string sink
 where sink = captureSource(api)
diff --git a/java/ql/src/utils/model-generator/CaptureSourceModels.qll b/java/ql/src/utils/model-generator/CaptureSourceModels.qll
diff --git a/java/ql/src/utils/model-generator/CaptureSummaryModels.ql b/java/ql/src/utils/model-generator/CaptureSummaryModels.ql
@@ -4,7 +4,8 @@
  * @id java/utils/model-generator/summary-models
  */
 
-private import CaptureSummaryModels
+private import ModelGeneratorUtils
+private import CaptureModels
 
 /**
  * Capture fluent APIs that return `this`.
