Java: Clean up ContainerFlow, consider more methods #3918
Conversation
Thanks for the detailed list @Marcono1234. This PR should address #3883. It should include all of the suggestions you made except
If you spot any methods in this PR that I missed, other than the ones mentioned above, please let me know.
Thanks! I missed some Deque methods in #3883 and incorrectly listed Set.spliterator(), but luckily you spotted this. I have adjusted 3883 accordingly.
Often you only restricted the method using (CollectionMethod) or (MapMethod). I assume that this is the reason why you then left out some methods which, while not overriding any other method, are already being covered by one of the more generic (CollectionMethod) or (MapMethod) checks.
However, in my opinion it would be good to at least add them commented out (and mention where they are matched) so it is clear that the method was not left out by accident. Otherwise, if later one of the more generic checks is refined, it might not match that (currently not listed) method anymore, and that false negative would not be that obvious. I have left review comments at (hopefully) all places where this applies.
Additionally, what do you think about checking for Object.clone() as well? Unless I overlooked it, it appears there is currently no taint tracking for it.
While most flow for a qualifierToArgumentStep goes through a variable use, this is not always the case. Therefore it is best to remove the restriction to RValue to allow taint steps to use postupdate nodes. See also: ba86dea
@Marcono1234 thanks for the detailed review. I addressed all your comments and also added a test case that should cover all the new flow that was implemented.
Some method variants are captured by a super class. Added some comments to indicate where this happens to make review of missing methods easier in the future.
    // java.util.Map
    m
      .(MapMethod)
      .hasName(["computeIfAbsent", "entrySet", "get", "getOrDefault", "merge", "put", "putIfAbsent",
I'm not sure we should include merge, as this is dependent on the merge function preserving taint.
Stack.push(E) returns its argument, it does not propagate taint from the stack to the return value.
This is btw. definitely a PR for which we'll want a Java-Differences job before merging, as there might be a performance impact.
aschackmull
left a comment
If we remove merge from taintPreservingQualifierToMethod then I think this is ready to merge.
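To make the two library semantics discussed above concrete (that the value returned by Map.merge depends on the remapping function, and that Stack.push returns its own argument rather than anything read from the stack), here is a small added Java example. It is not part of the PR or of the CodeQL library; the class name, method names and the TAINTED string are constructed for illustration only.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Stack;

public class ContainerFlowDemo {
    // Constructed stand-in for an attacker-controlled value (hypothetical, for illustration).
    static final String TAINTED = "tainted";

    // Map.merge with an existing key: the return value is whatever the remapping
    // function produces. Here the function discards the new value, so the tainted
    // argument never reaches the return value (or the map).
    static String mergeKeepsOld(Map<String, String> m) {
        m.put("k", "clean");
        return m.merge("k", TAINTED, (oldV, newV) -> oldV);   // "clean"
    }

    // Same call shape, but the remapping function concatenates both values,
    // so the tainted argument does flow into the return value and the map.
    static String mergeConcatenates(Map<String, String> m) {
        m.put("k", "clean");
        return m.merge("k", TAINTED, (oldV, newV) -> oldV + newV);   // "cleantainted"
    }

    // Map.merge with an absent key: the remapping function is not invoked at all;
    // the argument is stored and returned as-is.
    static String mergeOnEmptyMap(Map<String, String> m) {
        return m.merge("k", TAINTED, (oldV, newV) -> oldV);   // "tainted"
    }

    // Stack.push(E) returns the item that was passed in. Nothing previously on
    // the stack influences the return value, so this is argument-to-return flow,
    // not qualifier-to-return flow.
    static boolean pushReturnsItsArgument(Stack<String> s) {
        s.push("clean");
        String returned = s.push(TAINTED);
        return returned == TAINTED;   // true: the very same object
    }

    public static void main(String[] args) {
        System.out.println(mergeKeepsOld(new HashMap<>()));          // clean
        System.out.println(mergeConcatenates(new HashMap<>()));      // cleantainted
        System.out.println(mergeOnEmptyMap(new HashMap<>()));        // tainted
        System.out.println(pushReturnsItsArgument(new Stack<>()));   // true
    }
}
```

The three merge variants show why a blanket "argument taints the return value" rule for merge is only sometimes right: a model that wants to be precise has to look at the remapping function (or accept the false positives). The push case shows the opposite situation: the argument-to-return flow is real and unconditional, while a qualifier-to-return step for push would be a pure false positive.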
Marcono1234
left a comment
Thanks, looks really good!
I noticed a few more minor things which could possibly be improved.
    m.(CollectionMethod).hasName(["peek", "pop"])
    or
    // java.util.Queue
    m.(CollectionMethod).hasName(["element", /*"peek", "remove"*/ "poll"])
Did you remove the comment for peek by accident?
It would probably be good to add a comment as well:
    // covered by Stack: peek()
    // covered by Deque: offerFirst(E, long, TimeUnit), offerLast(E, long, TimeUnit)
    method.(CollectionMethod).hasName(["putFirst", "putLast"]) and arg = 0
    or
    //java.util.Dictionary
It would probably be good to add a space between // and java... to be consistent:
    // java.util.Dictionary
    */
    private predicate taintPreservingArgumentToMethod(Method method, int arg) {
      // java.util.Stack
      method.(CollectionMethod).hasName("push") and arg = 0
@aschackmull, isn't that even data flow then and not only tainting?
I concur^^
Fixes: #3883