Support lambda flow for source models

Benjamin Muskalla · Benjamin Muskalla · commit 9500c9c8bc60 · 2021-11-10T16:30:24.000+01:00
Also rely on public API to detect the source node
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll b/java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll
@@ -889,17 +889,10 @@ module Private {
      * model.
      */
     predicate isSourceNode(InterpretNode node, string kind) {
-      exists(InterpretNode ref, string output | isSourceNode(ref, node, output, kind))
-    }
-
-    // TODO: I wonder if this is actually the interface we want to expose.
-    predicate isSourceNode(InterpretNode node, string output, string kind) {
-      exists(InterpretNode ref | isSourceNode(ref, node, output, kind))
-    }
-
-    predicate isSourceNode(InterpretNode ref, InterpretNode node, string output, string kind) {
-      sourceElementRef(ref, output, kind) and
-      interpretOutput(output, 0, ref, node)
+      exists(InterpretNode ref, string output |
+        sourceElementRef(ref, output, kind) and
+        interpretOutput(output, 0, ref, node)
+      )
     }
 
     /**
diff --git a/java/ql/src/utils/model-generator/CaptureSourceModels.ql b/java/ql/src/utils/model-generator/CaptureSourceModels.ql
@@ -13,6 +13,7 @@ private import ModelGeneratorUtils
 private import semmle.code.java.dataflow.internal.FlowSummaryImplSpecific
 private import semmle.code.java.dataflow.internal.FlowSummaryImpl
 private import semmle.code.java.dataflow.internal.DataFlowImplCommon
+import semmle.code.java.dataflow.internal.DataFlowNodes::Private
 
 class FromSourceConfiguration extends TaintTracking::Configuration {
   FromSourceConfiguration() { this = "FromSourceConfiguration" }
@@ -26,24 +27,33 @@ class FromSourceConfiguration extends TaintTracking::Configuration {
       c.isPublic() and
       c.fromSource()
     )
+    or
+    exists(MethodAccess c | sink.asExpr() = c.getAnArgument())
   }
 }
 
-// TODO: better way than rely on internals to capture kind?
-cached
-predicate specificSourceNode(DataFlow::Node node, string output, string kind) {
-  exists(InterpretNode n | Private::External::isSourceNode(n, output, kind) and n.asNode() = node)
+string asOutput(DataFlow::Node node) {
+  if node instanceof ReturnNodeExt
+  then result = "ReturnValue"
+  else
+    result =
+      "Parameter[" +
+        node.(ArgumentNode)
+            .getCall()
+            .asCall()
+            .getQualifier()
+            .(VarAccess)
+            .getVariable()
+            .(Parameter)
+            .getPosition() + "]"
 }
 
 string captureSource(Callable api) {
-  exists(
-    DataFlow::Node src, DataFlow::Node sink, FromSourceConfiguration config, string kind,
-    string output
-  |
+  exists(DataFlow::Node src, DataFlow::Node sink, FromSourceConfiguration config, string kind |
     config.hasFlow(src, sink) and
-    specificSourceNode(sink, output, kind) and
+    sourceNode(sink, kind) and
     api = src.getEnclosingCallable() and
-    result = asSourceModel(api, output, kind)
+    result = asSourceModel(api, asOutput(sink), kind)
   )
 }
 
diff --git a/java/ql/test/utils/model-generator/CaptureSourceModels.expected b/java/ql/test/utils/model-generator/CaptureSourceModels.expected
@@ -1 +1,3 @@
-| p;Sources;true;readUrl;(URL);;ReturnValue;remote; |
+| p;Sources;true;consumeSource;(int,Consumer);;Parameter[1];remote; |
+| p;Sources;true;readUrl;(URL);;ReturnValue;remote; |
+| p;Sources;true;socketStream;();;ReturnValue;remote; |
diff --git a/java/ql/test/utils/model-generator/p/Sources.java b/java/ql/test/utils/model-generator/p/Sources.java
@@ -2,7 +2,9 @@
 
 import java.io.IOException;
 import java.io.InputStream;
+import java.net.ServerSocket;
 import java.net.URL;
+import java.util.function.Consumer;
 
 
 public class Sources {
@@ -11,4 +13,13 @@ public InputStream readUrl(final URL url) throws IOException {
         return url.openConnection().getInputStream();
     }
 
+    public InputStream socketStream() throws IOException {
+        ServerSocket socket = new ServerSocket(123);
+        return socket.accept().getInputStream();
+    }
+
+    public void consumeSource(int port, Consumer<InputStream> consumer) throws IOException {
+        ServerSocket socket = new ServerSocket(port);
+        consumer.accept(socket.accept().getInputStream());
+    }
 }
