Exclude models for simpler types

Benjamin Muskalla · Benjamin Muskalla · commit f36bb8baafa6 · 2021-11-10T16:30:22.000+01:00
Avoid generating models for types that can't really propagate taint
in a valuable way (e.g. primitivies, BigInt, ..). Keep tracking
bulk-like data (e.g. char[] or byte[]).
diff --git a/java/ql/src/utils/model-generator/CaptureSummaryModels.ql b/java/ql/src/utils/model-generator/CaptureSummaryModels.ql
@@ -31,7 +31,7 @@ string captureFieldFlow(Callable api) {
   exists(FieldAccess fa, ReturnNodeExt postUpdate |
     not (fa.getField().isStatic() and fa.getField().isFinal()) and
     postUpdate.getEnclosingCallable() = api and
-    not api.getReturnType() instanceof PrimitiveType and
+    isRelevantType(api.getReturnType()) and
     not api.getDeclaringType() instanceof EnumType and
     TaintTracking::localTaint(DataFlow::exprNode(fa), postUpdate)
   |
@@ -55,7 +55,7 @@ class ParameterToFieldConfig extends TaintTracking::Configuration {
 
   override predicate isSource(DataFlow::Node source) {
     source instanceof DataFlow::ParameterNode and
-    not source.getType() instanceof PrimitiveType
+    isRelevantType(source.getType())
   }
 
   override predicate isSink(DataFlow::Node sink) {
@@ -82,10 +82,8 @@ class ParameterToReturnValueTaintConfig extends TaintTracking::Configuration {
     exists(Callable api |
       source instanceof DataFlow::ParameterNode and
       api = source.asParameter().getCallable() and
-      not api.getReturnType() instanceof PrimitiveType and
-      not api.getReturnType() instanceof TypeClass and
-      not source.asParameter().getType() instanceof PrimitiveType and
-      not source.asParameter().getType() instanceof TypeClass
+      isRelevantType(api.getReturnType()) and
+      isRelevantType(source.asParameter().getType())
     )
   }
 
@@ -120,6 +118,18 @@ string captureParameterToParameterFlow(Callable api) {
   )
 }
 
+predicate isRelevantType(Type t) {
+  not t instanceof TypeClass and
+  not t instanceof EnumType and
+  not t instanceof PrimitiveType and
+  not t instanceof BoxedType and
+  not t.(RefType).hasQualifiedName("java.math", "BigInteger") and
+  not t.(Array).getElementType() instanceof PrimitiveType and
+  not t.(Array).getElementType().(PrimitiveType).getName().regexpMatch("byte|char") and
+  not t.(Array).getElementType() instanceof BoxedType and
+  not t.(CollectionType).getElementType() instanceof BoxedType
+}
+
 // TODO: "com.google.common.base;Converter;true;convertAll;(Iterable);;Element of Argument[0];Element of ReturnValue;taint",
 // TODO: infer interface from multiple implementations? e.g. UriComponentsContributor
 // TODO: distinguish between taint and value flows. If we find a value flow, omit the taint flow
diff --git a/java/ql/test/utils/model-generator/p/Pojo.java b/java/ql/test/utils/model-generator/p/Pojo.java
@@ -1,5 +1,7 @@
 package p;
 
+import java.math.BigInteger;
+import java.util.Collection;
 import java.util.List;
 
 public final class Pojo {
@@ -37,6 +39,34 @@ public int getIntValue() {
         return intValue;
     }
 
+    public Integer getBoxedValue() {
+        return Integer.valueOf(intValue);
+    }
+
+    public int[] getPrimitiveArray() {
+        return new int[] { intValue };
+    }
+
+    public char[] getCharArray() {
+        return Character.toChars(intValue);
+    }
+
+    public byte[] getByteArray() {
+        return new byte[] { (byte) intValue };
+    }
+    
+    public Integer[] getBoxedArray() {
+        return new Integer[] { Integer.valueOf(intValue) };
+    }
+    
+    public Collection<Integer> getBoxedCollection() {
+        return List.of(Integer.valueOf(intValue));
+    }
+
+    public BigInteger getBigInt() {
+        return BigInteger.valueOf(intValue);
+    }
+
     public void fillIn(List<String> target) {
         target.add(value);
     }
