From a484aff76dca5fb9158fbd0a7eae73a1db35afbd Mon Sep 17 00:00:00 2001
From: Arthur Baars
Date: Mon, 13 Jul 2020 11:09:05 +0200
Subject: [PATCH 1/2] Java: improve comments

---
 .../src/semmle/code/java/dataflow/internal/ContainerFlow.qll | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll b/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll
index af8b44d5df84..687b2406f6a3 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll
@@ -130,6 +130,7 @@ private predicate taintPreservingQualifierToMethod(Method m) {
 m.(CollectionMethod).hasName(["peek", "pop"])
 or
 // java.util.Queue
+ // covered by Stack: peek()
 m.(CollectionMethod).hasName(["element", "poll"])
 or
 m.(CollectionMethod).hasName("remove") and m.getNumberOfParameters() = 0
@@ -254,7 +255,7 @@ private predicate taintPreservingArgumentToQualifier(Method method, int arg) {
 // covered by Deque: offerFirst(E, long, TimeUnit), offerLast(E, long, TimeUnit)
 method.(CollectionMethod).hasName(["putFirst", "putLast"]) and arg = 0
 or
-//java.util.Dictionary
+ // java.util.Dictionary
 method
 .getDeclaringType()
 .getSourceDeclaration()

From b1e604b490e6b907baa2ec7489c9c8714592cb82 Mon Sep 17 00:00:00 2001
From: Arthur Baars
Date: Mon, 13 Jul 2020 11:36:34 +0200
Subject: [PATCH 2/2] Java: treat Stack.push as data flow instead of taint flow

---
 .../code/java/dataflow/internal/ContainerFlow.qll | 3 ---
 .../code/java/dataflow/internal/DataFlowUtil.qll | 12 ++++++++++++
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll b/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll
index 687b2406f6a3..133810cd998f 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/ContainerFlow.qll
@@ -270,9 +270,6 @@ private predicate taintPreservingArgumentToQualifier(Method method, int arg) {
 * `arg`th argument is tainted.
 */
 private predicate taintPreservingArgumentToMethod(Method method, int arg) {
- // java.util.Stack
- method.(CollectionMethod).hasName("push") and arg = 0
- or
 method.getDeclaringType().hasQualifiedName("java.util", "Collections") and
 (
 method
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
index 8434d74d839d..b6ca8986307d 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
@@ -413,6 +413,18 @@ predicate simpleLocalFlowStep(Node node1, Node node2) {
 m.hasName("toString") and
 node1.asExpr() = ma.getArgument(1)
 )
 )
+ or
+ exists(MethodAccess ma, Method m |
+ ma = node2.asExpr() and
+ m = ma.getMethod() and
+ m
+ .getDeclaringType()
+ .getSourceDeclaration()
+ .getASourceSupertype*()
+ .hasQualifiedName("java.util", "Stack") and
+ m.hasName("push") and
+ node1.asExpr() = ma.getArgument(0)
+ )
 }
 /**
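Review bot: The new Stack.push step in simpleLocalFlowStep carries no comment saying why it is a value-preserving step rather than a taint step, and it does not constrain the method's arity, so `m.hasName("push")` also matches any `push` overload declared in a subclass of `java.util.Stack` (the `getASourceSupertype*()` walk admits subclasses) and would wire that overload's first argument to the call result. I would add `m.getNumberOfParameters() = 1 and` beside the `hasName` check and a comment above the `exists`, such as `// java.util.Stack.push(E) returns its argument, so the value itself flows to the call result; subclasses overriding push are assumed to keep that contract`. The existing `toString` step above it appears to follow the same shape, so a shared helper for the "declaring type is a subtype of X" pattern would keep these steps consistent, though only part of that step is visible here. The enclosing `simpleLocalFlowStep` predicate starts outside the hunk.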