Add support for qualifier flow

Benjamin Muskalla · Benjamin Muskalla · commit ec772fb6b2fd · 2021-11-10T16:30:17.000+01:00
diff --git a/java/ql/src/utils/model-generator/CaptureSummaryModels.ql b/java/ql/src/utils/model-generator/CaptureSummaryModels.ql
@@ -4,3 +4,33 @@
  * @id TBD
  */
 
+import java
+import ModelGeneratorUtils
+
+string captureFlow(Callable api) { result = captureQualifierFlow(api) }
+
+string captureQualifierFlow(Callable api) {
+  exists(ReturnStmt rtn |
+    rtn.getEnclosingCallable() = api and
+    rtn.getResult() instanceof ThisAccess
+  ) and
+  result = asValueModel(api, "Argument[-1]", "ReturnValue")
+}
+
+// TODO: handle cases like Ticker
+// TODO: "com.google.common.base;Converter;true;convertAll;(Iterable);;Element of Argument[0];Element of ReturnValue;taint",
+// TODO: infer interface from multiple implementations? e.g. UriComponentsContributor
+// TODO: distinguish between taint and value flows. If we find a value flow, omit the taint flow
+class TargetAPI extends Callable {
+  TargetAPI() {
+    this.isPublic() and
+    this.fromSource() and
+    this.getDeclaringType().isPublic() and
+    not this.getCompilationUnit().getFile().getAbsolutePath().matches("%src/test/%") and
+    not this.getCompilationUnit().getFile().getAbsolutePath().matches("%src/guava-tests/%")
+  }
+}
+
+from TargetAPI api, string flow
+where flow = captureFlow(api)
+select flow order by flow
diff --git a/java/ql/src/utils/model-generator/ModelGeneratorUtils.qll b/java/ql/src/utils/model-generator/ModelGeneratorUtils.qll
@@ -0,0 +1,28 @@
+import java
+import semmle.code.java.dataflow.ExternalFlow
+
+string isExtensible(RefType ref) { if ref.isFinal() then result = "false" else result = "true" }
+
+bindingset[input, output]
+string asTaintModel(Callable api, string input, string output) {
+  result = asSummaryModel(api, input, output, "taint")
+}
+
+bindingset[input, output]
+string asValueModel(Callable api, string input, string output) {
+  result = asSummaryModel(api, input, output, "value")
+}
+
+bindingset[input, output, kind]
+string asSummaryModel(Callable api, string input, string output, string kind) {
+  result =
+    api.getCompilationUnit().getPackage().getName() + ";" //
+      + api.getDeclaringType().nestedName() + ";" //
+      + isExtensible(api.getDeclaringType()).toString() + ";" //
+      + api.getName() + ";" //
+      + paramsString(api) + ";" //
+      + /* ext + */ ";" //
+      + input + ";" //
+      + output + ";" //
+      + kind + ";" //
+}
diff --git a/java/ql/test/utils/model-generator/CaptureSummaryModels.expected b/java/ql/test/utils/model-generator/CaptureSummaryModels.expected
@@ -0,0 +1 @@
+| p;FluentAPI;false;returnsThis;(String);;Argument[-1];ReturnValue;value; |
diff --git a/java/ql/test/utils/model-generator/p/FluentAPI.java b/java/ql/test/utils/model-generator/p/FluentAPI.java
@@ -0,0 +1,9 @@
+package p;
+
+public final class FluentAPI {
+
+    public FluentAPI returnsThis(String input) {
+        return this;
+    }
+
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+\| p;FluentAPI;false;returnsThis;(String);;Argument[-1];ReturnValue;value; \|`