Initial support for capturing sink models

Benjamin Muskalla · Benjamin Muskalla · commit f9fea15a52ae · 2021-11-10T16:30:18.000+01:00
diff --git a/java/ql/src/utils/model-generator/CaptureSinkModels.ql b/java/ql/src/utils/model-generator/CaptureSinkModels.ql
@@ -0,0 +1,37 @@
+import java
+import Telemetry.ExternalAPI
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.ExternalFlow
+import ModelGeneratorUtils
+
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "public methods calling sinks" }
+
+  override predicate isSource(DataFlow::Node source) {
+    exists(MethodAccess ma |
+      ma = source.asExpr() and
+      ma.getAnEnclosingStmt().getEnclosingCallable().isPublic() and
+      ma.getAnEnclosingStmt().getEnclosingCallable().fromSource()
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, _) }
+}
+
+string asInputArgument(Expr source) { result = "Argument[" + source.(Argument).getPosition() + "]" }
+
+string captureSink(Callable api) {
+  exists(DataFlow::Node src, DataFlow::Node sink, Configuration config, string kind |
+    config.hasFlow(src, sink) and
+    sinkNode(sink, kind) and
+    api = src.asExpr().getEnclosingCallable() and
+    result = asSinkModel(api, asInputArgument(src.asExpr()), kind)
+  )
+}
+
+from Callable api, string sink
+where
+  sink = captureSink(api) and
+  not api.getCompilationUnit().getFile().getAbsolutePath().matches("%src/test/%")
+select sink order by sink
diff --git a/java/ql/src/utils/model-generator/ModelGeneratorUtils.qll b/java/ql/src/utils/model-generator/ModelGeneratorUtils.qll
@@ -16,16 +16,30 @@ string asValueModel(Callable api, string input, string output) {
 
 bindingset[input, output, kind]
 string asSummaryModel(Callable api, string input, string output, string kind) {
+  result =
+    asPartialModel(api) + input + ";" //
+      + output + ";" //
+      + kind + ";" //
+}
+
+bindingset[input, kind]
+string asSinkModel(Callable api, string input, string kind) {
+  result =
+    asPartialModel(api) + input + ";" //
+      + kind + ";" //
+}
+
+/**
+ * Computes the first 6 columns for CSV rows.
+ */
+private string asPartialModel(Callable api) {
   result =
     api.getCompilationUnit().getPackage().getName() + ";" //
       + api.getDeclaringType().nestedName() + ";" //
       + isExtensible(api.getDeclaringType()).toString() + ";" //
       + api.getName() + ";" //
       + paramsString(api) + ";" //
       + /* ext + */ ";" //
-      + input + ";" //
-      + output + ";" //
-      + kind + ";" //
 }
 
 string parameterAccess(Parameter p) {
diff --git a/java/ql/test/utils/model-generator/CaptureSinkModels.expected b/java/ql/test/utils/model-generator/CaptureSinkModels.expected
@@ -0,0 +1 @@
+| p;Sinks;true;copyFileToDirectory;(Path,Path,CopyOption[]);;Argument[1];create-file; |
diff --git a/java/ql/test/utils/model-generator/CaptureSinkModels.qlref b/java/ql/test/utils/model-generator/CaptureSinkModels.qlref
@@ -0,0 +1 @@
+utils/model-generator/CaptureSinkModels.ql
diff --git a/java/ql/test/utils/model-generator/p/Sinks.java b/java/ql/test/utils/model-generator/p/Sinks.java
@@ -0,0 +1,25 @@
+package p;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URL;
+import java.nio.file.CopyOption;
+import java.nio.charset.Charset;
+import java.nio.file.Files;
+import java.nio.file.Path;
+
+public class Sinks {
+    
+    public Path copyFileToDirectory(final Path sourceFile, final Path targetDirectory, final CopyOption... copyOptions) throws IOException {
+        return Files.copy(sourceFile, targetDirectory.resolve(sourceFile.getFileName()), copyOptions);
+    }
+
+    // TODO: not detected
+    public String readUrl(final URL url, Charset encoding) throws IOException {
+        try (InputStream in = url.openStream()) {
+            byte[] bytes = in.readAllBytes();
+            return new String(bytes, encoding);
+        }
+    }
+
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+\| p;Sinks;true;copyFileToDirectory;(Path,Path,CopyOption[]);;Argument[1];create-file; \|`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+utils/model-generator/CaptureSinkModels.ql`