Merge pull request #5134 from pwntester/ArrayUtils

aschackmull · web-flow · commit b9a479dd3189 · 2021-02-15T13:50:01.000+01:00
Add support for Apache Commons Lang ArrayUtils
diff --git a/java/ql/src/semmle/code/java/dataflow/FlowSteps.qll b/java/ql/src/semmle/code/java/dataflow/FlowSteps.qll
@@ -16,6 +16,7 @@ module Frameworks {
   private import semmle.code.java.frameworks.Guice
   private import semmle.code.java.frameworks.Protobuf
   private import semmle.code.java.frameworks.guava.Guava
+  private import semmle.code.java.frameworks.apache.Lang
 }
 
 /**
diff --git a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
@@ -1,27 +1,65 @@
 /** Definitions related to the Apache Commons Lang library. */
 
 import java
+private import semmle.code.java.dataflow.FlowSteps
 
-/*--- Types ---*/
-/** The class `org.apache.commons.lang.RandomStringUtils` or `org.apache.commons.lang3.RandomStringUtils`. */
+/**
+ * The class `org.apache.commons.lang.RandomStringUtils` or `org.apache.commons.lang3.RandomStringUtils`.
+ */
 class TypeApacheRandomStringUtils extends Class {
   TypeApacheRandomStringUtils() {
-    hasQualifiedName("org.apache.commons.lang", "RandomStringUtils") or
-    hasQualifiedName("org.apache.commons.lang3", "RandomStringUtils")
+    this.hasQualifiedName(["org.apache.commons.lang", "org.apache.commons.lang3"],
+      "RandomStringUtils")
+  }
+}
+
+/**
+ * The class `org.apache.commons.lang.ArrayUtils` or `org.apache.commons.lang3.ArrayUtils`.
+ */
+class TypeApacheArrayUtils extends Class {
+  TypeApacheArrayUtils() {
+    hasQualifiedName(["org.apache.commons.lang", "org.apache.commons.lang3"], "ArrayUtils")
   }
 }
 
-/*--- Methods ---*/
 /**
  * The method `deserialize` in either `org.apache.commons.lang.SerializationUtils`
  * or `org.apache.commons.lang3.SerializationUtils`.
  */
 class MethodApacheSerializationUtilsDeserialize extends Method {
   MethodApacheSerializationUtilsDeserialize() {
-    (
-      this.getDeclaringType().hasQualifiedName("org.apache.commons.lang", "SerializationUtils") or
-      this.getDeclaringType().hasQualifiedName("org.apache.commons.lang3", "SerializationUtils")
-    ) and
+    this.getDeclaringType()
+        .hasQualifiedName(["org.apache.commons.lang", "org.apache.commons.lang3"],
+          "SerializationUtils") and
     this.hasName("deserialize")
   }
 }
+
+/**
+ * A taint preserving method on `org.apache.commons.lang.ArrayUtils` or `org.apache.commons.lang3.ArrayUtils`
+ */
+private class ApacheLangArrayUtilsTaintPreservingMethod extends TaintPreservingCallable {
+  ApacheLangArrayUtilsTaintPreservingMethod() {
+    this.getDeclaringType() instanceof TypeApacheArrayUtils
+  }
+
+  override predicate returnsTaintFrom(int src) {
+    this.hasName(["addAll", "addFirst"]) and
+    src = [0 .. getNumberOfParameters() - 1]
+    or
+    this.hasName([
+        "clone", "nullToEmpty", "remove", "removeAll", "removeElement", "removeElements", "reverse",
+        "shift", "shuffle", "subarray", "swap", "toArray", "toMap", "toObject", "toPrimitive",
+        "toString", "toStringArray"
+      ]) and
+    src = 0
+    or
+    this.hasName("add") and
+    this.getNumberOfParameters() = 2 and
+    src = [0, 1]
+    or
+    this.hasName("add") and
+    this.getNumberOfParameters() = 3 and
+    src = [0, 2]
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,7 @@ module Frameworks {`
`16`	`16`	`private import semmle.code.java.frameworks.Guice`
`17`	`17`	`private import semmle.code.java.frameworks.Protobuf`
`18`	`18`	`private import semmle.code.java.frameworks.guava.Guava`
	`19`	`+ private import semmle.code.java.frameworks.apache.Lang`
`19`	`20`	`}`
`20`	`21`
`21`	`22`	`/**`