Java: Convert support for fluent interfaces.

aschackmull · aschackmull · commit 2aba4d70a2bb · 2021-04-15T16:14:20.000+02:00
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
@@ -150,6 +150,14 @@ predicate simpleLocalFlowStep(Node node1, Node node2) {
   )
   or
   FlowSummaryImpl::Private::Steps::summaryLocalStep(node1, node2, true)
+  or
+  // If flow through a method updates a parameter from some input A, and that
+  // parameter also is returned through B, then we'd like a combined flow from A
+  // to B as well. As an example, this simplifies modeling of fluent methods:
+  // for `StringBuilder.append(x)` with a specified value flow from qualifier to
+  // return value and taint flow from argument 0 to the qualifier, then this
+  // allows the inferral of taint flow from argument 0 to the return value.
+  node1.(SummaryNode).(PostUpdateNode).getPreUpdateNode().(ParameterNode) = node2
 }
 
 /**
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -46,12 +46,6 @@ predicate localTaintStep(DataFlow::Node src, DataFlow::Node sink) {
  * different objects.
  */
 predicate localAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {
-  localAdditionalBasicTaintStep(src, sink)
-  or
-  composedValueAndTaintModelStep(src, sink)
-}
-
-private predicate localAdditionalBasicTaintStep(DataFlow::Node src, DataFlow::Node sink) {
   localAdditionalTaintExprStep(src.asExpr(), sink.asExpr())
   or
   localAdditionalTaintUpdateStep(src.asExpr(),
@@ -67,26 +61,6 @@ private predicate localAdditionalBasicTaintStep(DataFlow::Node src, DataFlow::No
   not FlowSummaryImpl::Private::Steps::summaryLocalStep(src, sink, true)
 }
 
-/**
- * Holds if an additional step from `src` to `sink` through a call can be inferred from the
- * combination of a value-preserving step providing an alias between an input and the output
- * and a taint step from `src` to one the aliased nodes. For example, if we know that `f(a, b)` returns
- * the exact value of `a` and also propagates taint from `b` to `a`, then we also know that
- * the return value is tainted after `f` completes.
- */
-private predicate composedValueAndTaintModelStep(ArgumentNode src, DataFlow::Node sink) {
-  exists(Call call, ArgumentNode valueSource, DataFlow::PostUpdateNode valueSourcePost |
-    src.argumentOf(call, _) and
-    valueSource.argumentOf(call, _) and
-    src != valueSource and
-    valueSourcePost.getPreUpdateNode() = valueSource and
-    // in-x -value-> out-y and in-z -taint-> in-x ==> in-z -taint-> out-y
-    localAdditionalBasicTaintStep(src, valueSourcePost) and
-    DataFlow::localFlowStep(valueSource, DataFlow::exprNode(call)) and
-    sink = DataFlow::exprNode(call)
-  )
-}
-
 /**
  * Holds if the additional step from `src` to `sink` should be included in all
  * global taint flow configurations.

Original file line number	Diff line number	Diff line change
`@@ -150,6 +150,14 @@ predicate simpleLocalFlowStep(Node node1, Node node2) {`
`150`	`150`	`)`
`151`	`151`	`or`
`152`	`152`	`FlowSummaryImpl::Private::Steps::summaryLocalStep(node1, node2, true)`
	`153`	`+ or`
	`154`	`+ // If flow through a method updates a parameter from some input A, and that`
	`155`	`+ // parameter also is returned through B, then we'd like a combined flow from A`
	`156`	`+ // to B as well. As an example, this simplifies modeling of fluent methods:`
	`157`	+ // for `StringBuilder.append(x)` with a specified value flow from qualifier to
	`158`	`+ // return value and taint flow from argument 0 to the qualifier, then this`
	`159`	`+ // allows the inferral of taint flow from argument 0 to the return value.`
	`160`	`+ node1.(SummaryNode).(PostUpdateNode).getPreUpdateNode().(ParameterNode) = node2`
`153`	`161`	`}`
`154`	`162`
`155`	`163`	`/**`