Support flow into field of referenced objects

Benjamin Muskalla · Benjamin Muskalla · commit dbd393b77a23 · 2021-11-10T16:30:27.000+01:00
diff --git a/java/ql/src/utils/model-generator/CaptureSinkModels.ql b/java/ql/src/utils/model-generator/CaptureSinkModels.ql
@@ -27,6 +27,10 @@ class PropagateToSinkConfiguration extends TaintTracking::Configuration {
   }
 
   override predicate isSink(DataFlow::Node sink) { sinkNode(sink, _) }
+
+  override DataFlow::FlowFeature getAFeature() {
+    result instanceof DataFlow::FeatureHasSourceCallContext
+  }
 }
 
 string asInputArgument(DataFlow::Node source) {
@@ -50,6 +54,4 @@ string captureSink(Callable api) {
 
 from TargetAPI api, string sink
 where sink = captureSink(api)
-// and
-// api.hasName("openStream")
 select sink order by sink
diff --git a/java/ql/src/utils/model-generator/CaptureSourceModels.ql b/java/ql/src/utils/model-generator/CaptureSourceModels.ql
@@ -30,6 +30,10 @@ class FromSourceConfiguration extends TaintTracking::Configuration {
     or
     exists(MethodAccess c | sink.asExpr() = c.getAnArgument())
   }
+
+  override DataFlow::FlowFeature getAFeature() {
+    result instanceof DataFlow::FeatureHasSourceCallContext
+  }
 }
 
 string asOutput(DataFlow::Node node) {
diff --git a/java/ql/src/utils/model-generator/CaptureSummaryModels.ql b/java/ql/src/utils/model-generator/CaptureSummaryModels.ql
@@ -9,6 +9,8 @@ import ModelGeneratorUtils
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.internal.DataFlowImplCommon
 import semmle.code.java.dataflow.internal.DataFlowNodes
+import semmle.code.java.dataflow.internal.DataFlowPrivate
+import semmle.code.java.dataflow.InstanceAccess
 import ModelGeneratorUtils
 
 string captureFlow(Callable api) {
@@ -39,6 +41,36 @@ string captureQualifierFlow(Callable api) {
   result = asValueModel(api, "Argument[-1]", "ReturnValue")
 }
 
+class FieldToReturnConfig extends TaintTracking::Configuration {
+  FieldToReturnConfig() { this = "FieldToReturnConfig" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source instanceof DataFlow::InstanceParameterNode
+  }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof ReturnNodeExt }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(DataFlow::Content f |
+      readStep(node1, f, node2) and
+      if f instanceof DataFlow::FieldContent
+      then isRelevantType(f.(DataFlow::FieldContent).getField().getType())
+      else any()
+    )
+    or
+    exists(DataFlow::Content f | storeStep(node1, f, node2) |
+      f instanceof DataFlow::ArrayContent or
+      f instanceof DataFlow::CollectionContent or
+      f instanceof DataFlow::MapKeyContent or
+      f instanceof DataFlow::MapValueContent
+    )
+  }
+
+  override DataFlow::FlowFeature getAFeature() {
+    result instanceof DataFlow::FeatureEqualSourceSinkCallContext
+  }
+}
+
 /**
  * Capture APIs that return tainted instance data.
  * Example of an API that returns tainted instance data:
@@ -62,15 +94,17 @@ string captureQualifierFlow(Callable api) {
  * ```
  */
 string captureFieldFlow(Callable api) {
-  exists(FieldAccess fa, ReturnNodeExt returnNode |
-    not (fa.getField().isStatic() and fa.getField().isFinal()) and
-    fa.getField().getDeclaringType() = api.getDeclaringType() and
-    returnNode.getEnclosingCallable() = api and
-    isRelevantType(api.getReturnType()) and
+  exists(FieldToReturnConfig config, ReturnNodeExt returnNodeExt |
+    config.hasFlow(_, returnNodeExt) and
+    returnNodeExt.getEnclosingCallable() = api and
     not api.getDeclaringType() instanceof EnumType and
-    TaintTracking::localTaint(DataFlow::exprNode(fa), returnNode)
+    isRelevantType(returnNodeExt.getType()) and
+    not (
+      returnNodeExt.getKind() instanceof ValueReturnKind and
+      exists(captureQualifierFlow(api))
+    )
   |
-    result = asTaintModel(api, "Argument[-1]", asOutput(api, returnNode))
+    result = asTaintModel(api, "Argument[-1]", asOutput(api, returnNodeExt))
   )
 }
 
@@ -94,12 +128,26 @@ class ParameterToFieldConfig extends TaintTracking::Configuration {
   }
 
   override predicate isSink(DataFlow::Node sink) {
+    thisAccess(sink.(DataFlow::PostUpdateNode).getPreUpdateNode())
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
     exists(FieldAssignment a |
-      a.getSource() = sink.asExpr() and
-      a.getDest().(FieldAccess).getField().getDeclaringType() =
-        sink.getEnclosingCallable().getDeclaringType()
+      a.getSource() = node1.asExpr() and
+      DataFlow::getFieldQualifier(a.getDest()) = node2.(DataFlow::PostUpdateNode).getPreUpdateNode() and
+      isRelevantType(a.getDest().(FieldAccess).getField().getType())
     )
   }
+
+  override DataFlow::FlowFeature getAFeature() {
+    result instanceof DataFlow::FeatureEqualSourceSinkCallContext
+  }
+}
+
+private predicate thisAccess(DataFlow::Node n) {
+  n.asExpr().(InstanceAccess).isOwnInstanceAccess()
+  or
+  n.(DataFlow::ImplicitInstanceAccess).getInstanceAccess() instanceof OwnInstanceAccess
 }
 
 /**
@@ -116,30 +164,16 @@ class ParameterToFieldConfig extends TaintTracking::Configuration {
  * `p;Foo;true;doSomething;(String);Argument[0];Argument[-1];taint`
  */
 string captureFieldFlowIn(Callable api) {
-  exists(DataFlow::PathNode source, DataFlow::PathNode sink |
+  exists(DataFlow::Node source, ParameterToFieldConfig config |
     not api.isStatic() and
-    restrictedFlow(source, sink) and
-    source.getNode().asParameter().getCallable() = api
+    config.hasFlow(source, _) and
+    source.asParameter().getCallable() = api
   |
     result =
-      asTaintModel(api, "Argument[" + source.getNode().asParameter().getPosition() + "]",
-        "Argument[-1]")
+      asTaintModel(api, "Argument[" + source.asParameter().getPosition() + "]", "Argument[-1]")
   )
 }
 
-predicate restrictedEdge(DataFlow::PathNode n1, DataFlow::PathNode n2) {
-  n1.getASuccessor() = n2 and
-  n1.getNode().getEnclosingCallable().getDeclaringType() =
-    n2.getNode().getEnclosingCallable().getDeclaringType()
-}
-
-predicate restrictedFlow(DataFlow::PathNode src, DataFlow::PathNode sink) {
-  src.getConfiguration() instanceof ParameterToFieldConfig and
-  src.isSource() and
-  src.getConfiguration().isSink(sink.getNode()) and
-  restrictedEdge*(src, sink)
-}
-
 class ParameterToReturnValueTaintConfig extends TaintTracking::Configuration {
   ParameterToReturnValueTaintConfig() { this = "ParameterToReturnValueTaintConfig" }
 
diff --git a/java/ql/test/utils/model-generator/CaptureSummaryModels.expected b/java/ql/test/utils/model-generator/CaptureSummaryModels.expected
@@ -9,6 +9,9 @@
 | p;ImmutablePojo;false;or;(String);;Argument[0];ReturnValue;taint |
 | p;InnerClasses$CaptureMe;true;yesCm;(String);;Argument[0];ReturnValue;taint |
 | p;InnerClasses;true;yes;(String);;Argument[0];ReturnValue;taint |
+| p;InnerHolder;false;explicitSetContext;(String);;Argument[0];Argument[-1];taint |
+| p;InnerHolder;false;getValue;();;Argument[-1];ReturnValue;taint |
+| p;InnerHolder;false;setContext;(String);;Argument[0];Argument[-1];taint |
 | p;Joiner;false;Joiner;(CharSequence);;Argument[0];Argument[-1];taint |
 | p;Joiner;false;Joiner;(CharSequence,CharSequence,CharSequence);;Argument[0];Argument[-1];taint |
 | p;Joiner;false;Joiner;(CharSequence,CharSequence,CharSequence);;Argument[1];Argument[-1];taint |
diff --git a/java/ql/test/utils/model-generator/p/InnerHolder.java b/java/ql/test/utils/model-generator/p/InnerHolder.java
@@ -0,0 +1,31 @@
+package p;
+
+public final class InnerHolder {
+
+    private class Context {
+        private String value;
+
+        Context(String value) {
+            this.value = value;
+        }
+
+        public String getValue() {
+            return value;
+        }
+    }
+
+    private Context context = null;
+
+    public void setContext(String value) {
+        context = new Context(value);
+    }
+
+    public void explicitSetContext(String value) {
+        this.context = new Context(value);
+    }
+
+    public String getValue() {
+        return context.getValue();
+    }
+
+}
diff --git a/java/ql/test/utils/model-generator/p/Pojo.java b/java/ql/test/utils/model-generator/p/Pojo.java
@@ -1,6 +1,7 @@
 package p;
 
 import java.math.BigInteger;
+import java.util.Arrays;
 import java.util.Collection;
 import java.util.List;
 
@@ -22,6 +23,12 @@ int length() {
 
     private int intValue = 2;
 
+    private byte[] byteArray = new byte[] {1, 2, 3} ;
+    private float[] floatArray = new float[] {1, 2, 3} ;
+    private char[] charArray = new char[] {'a', 'b', 'c'} ;
+    private List<Character> charList = Arrays.asList('a', 'b', 'c');
+    private Byte[] byteObjectArray = new Byte[] { 1, 2, 3 };
+
     public String getValue() {
         return value;
     }
@@ -48,15 +55,15 @@ public int[] getPrimitiveArray() {
     }
 
     public char[] getCharArray() {
-        return new char[] { (char) intValue };
+        return charArray;
     }
 
     public byte[] getByteArray() {
-        return new byte[] { (byte) intValue };
+        return byteArray;
     }
     
     public float[] getFloatArray() {
-        return new float[] { (float) intValue };
+        return floatArray;
     }
 
     public Integer[] getBoxedArray() {
@@ -68,11 +75,11 @@ public Collection<Integer> getBoxedCollection() {
     }
 
     public List<Character> getBoxedChars() {
-        return List.of((char)intValue);
+        return charList;
     }
 
     public Byte[] getBoxedBytes() {
-        return new Byte[] { Byte.valueOf((byte) intValue) };
+        return byteObjectArray;
     }
     
     public BigInteger getBigInt() {

Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,10 @@ class PropagateToSinkConfiguration extends TaintTracking::Configuration {`
`27`	`27`	`}`
`28`	`28`
`29`	`29`	`override predicate isSink(DataFlow::Node sink) { sinkNode(sink, _) }`
	`30`	`+`
	`31`	`+ override DataFlow::FlowFeature getAFeature() {`
	`32`	`+ result instanceof DataFlow::FeatureHasSourceCallContext`
	`33`	`+ }`
`30`	`34`	`}`
`31`	`35`
`32`	`36`	`string asInputArgument(DataFlow::Node source) {`
`@@ -50,6 +54,4 @@ string captureSink(Callable api) {`
`50`	`54`
`51`	`55`	`from TargetAPI api, string sink`
`52`	`56`	`where sink = captureSink(api)`
`53`		`-// and`
`54`		`-// api.hasName("openStream")`
`55`	`57`	`select sink order by sink`
Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,10 @@ class FromSourceConfiguration extends TaintTracking::Configuration {`
`30`	`30`	`or`
`31`	`31`	`exists(MethodAccess c \| sink.asExpr() = c.getAnArgument())`
`32`	`32`	`}`
	`33`	`+`
	`34`	`+ override DataFlow::FlowFeature getAFeature() {`
	`35`	`+ result instanceof DataFlow::FeatureHasSourceCallContext`
	`36`	`+ }`
`33`	`37`	`}`
`34`	`38`
`35`	`39`	`string asOutput(DataFlow::Node node) {`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,7 @@`
`1`	`1`	`package p;`
`2`	`2`
`3`	`3`	`import java.math.BigInteger;`
	`4`	`+import java.util.Arrays;`
`4`	`5`	`import java.util.Collection;`
`5`	`6`	`import java.util.List;`
`6`	`7`
`@@ -22,6 +23,12 @@ int length() {`
`22`	`23`
`23`	`24`	`private int intValue = 2;`
`24`	`25`
	`26`	`+ private byte[] byteArray = new byte[] {1, 2, 3} ;`
	`27`	`+ private float[] floatArray = new float[] {1, 2, 3} ;`
	`28`	`+ private char[] charArray = new char[] {'a', 'b', 'c'} ;`
	`29`	`+ private List<Character> charList = Arrays.asList('a', 'b', 'c');`
	`30`	`+ private Byte[] byteObjectArray = new Byte[] { 1, 2, 3 };`
	`31`	`+`
`25`	`32`	`public String getValue() {`
`26`	`33`	`return value;`
`27`	`34`	`}`
`@@ -48,15 +55,15 @@ public int[] getPrimitiveArray() {`
`48`	`55`	`}`
`49`	`56`
`50`	`57`	`public char[] getCharArray() {`
`51`		`- return new char[] { (char) intValue };`
	`58`	`+ return charArray;`
`52`	`59`	`}`
`53`	`60`
`54`	`61`	`public byte[] getByteArray() {`
`55`		`- return new byte[] { (byte) intValue };`
	`62`	`+ return byteArray;`
`56`	`63`	`}`
`57`	`64`
`58`	`65`	`public float[] getFloatArray() {`
`59`		`- return new float[] { (float) intValue };`
	`66`	`+ return floatArray;`
`60`	`67`	`}`
`61`	`68`
`62`	`69`	`public Integer[] getBoxedArray() {`
`@@ -68,11 +75,11 @@ public Collection<Integer> getBoxedCollection() {`
`68`	`75`	`}`
`69`	`76`
`70`	`77`	`public List<Character> getBoxedChars() {`
`71`		`- return List.of((char)intValue);`
	`78`	`+ return charList;`
`72`	`79`	`}`
`73`	`80`
`74`	`81`	`public Byte[] getBoxedBytes() {`
`75`		`- return new Byte[] { Byte.valueOf((byte) intValue) };`
	`82`	`+ return byteObjectArray;`
`76`	`83`	`}`
`77`	`84`
`78`	`85`	`public BigInteger getBigInt() {`