Support propagating taint of inner object

Benjamin Muskalla · Benjamin Muskalla · commit b8809a20d8eb · 2021-11-12T09:39:59.000+01:00
diff --git a/java/ql/src/utils/model-generator/CaptureSummaryModels.ql b/java/ql/src/utils/model-generator/CaptureSummaryModels.ql
@@ -5,7 +5,6 @@
  */
 
 import java
-import ModelGeneratorUtils
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.internal.DataFlowImplCommon
 import semmle.code.java.dataflow.internal.DataFlowNodes
@@ -148,6 +147,8 @@ private predicate thisAccess(DataFlow::Node n) {
   n.asExpr().(InstanceAccess).isOwnInstanceAccess()
   or
   n.(DataFlow::ImplicitInstanceAccess).getInstanceAccess() instanceof OwnInstanceAccess
+  or
+  n.asExpr().(FieldAccess).isOwnFieldAccess()
 }
 
 /**
diff --git a/java/ql/test/utils/model-generator/CaptureSummaryModels.expected b/java/ql/test/utils/model-generator/CaptureSummaryModels.expected
@@ -9,6 +9,7 @@
 | p;ImmutablePojo;false;or;(String);;Argument[0];ReturnValue;taint |
 | p;InnerClasses$CaptureMe;true;yesCm;(String);;Argument[0];ReturnValue;taint |
 | p;InnerClasses;true;yes;(String);;Argument[0];ReturnValue;taint |
+| p;InnerHolder;false;append;(String);;Argument[0];Argument[-1];taint |
 | p;InnerHolder;false;explicitSetContext;(String);;Argument[0];Argument[-1];taint |
 | p;InnerHolder;false;getValue;();;Argument[-1];ReturnValue;taint |
 | p;InnerHolder;false;setContext;(String);;Argument[0];Argument[-1];taint |
diff --git a/java/ql/test/utils/model-generator/p/InnerHolder.java b/java/ql/test/utils/model-generator/p/InnerHolder.java
@@ -16,6 +16,8 @@ public String getValue() {
 
     private Context context = null;
 
+    private StringBuilder sb = new StringBuilder();
+
     public void setContext(String value) {
         context = new Context(value);
     }
@@ -24,6 +26,10 @@ public void explicitSetContext(String value) {
         this.context = new Context(value);
     }
 
+    public void append(String value) {
+        sb.append(value);
+    }
+
     public String getValue() {
         return context.getValue();
     }

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,8 @@ public String getValue() {`
`16`	`16`
`17`	`17`	`private Context context = null;`
`18`	`18`
	`19`	`+ private StringBuilder sb = new StringBuilder();`
	`20`	`+`
`19`	`21`	`public void setContext(String value) {`
`20`	`22`	`context = new Context(value);`
`21`	`23`	`}`
`@@ -24,6 +26,10 @@ public void explicitSetContext(String value) {`
`24`	`26`	`this.context = new Context(value);`
`25`	`27`	`}`
`26`	`28`
	`29`	`+ public void append(String value) {`
	`30`	`+ sb.append(value);`
	`31`	`+ }`
	`32`	`+`
`27`	`33`	`public String getValue() {`
`28`	`34`	`return context.getValue();`
`29`	`35`	`}`