From 0cf3a29429dacc1e0876d1198b71ec1b5aaa7e7a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mun=CC=83oz?=
Date: Wed, 10 Feb 2021 13:09:57 +0100
Subject: [PATCH 1/5] Add support for Apache Commons Lang ArrayUtils
---
 .../code/java/frameworks/apache/Lang.qll | 49 +++++++++++++++----
 1 file changed, 40 insertions(+), 9 deletions(-)
diff --git a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
index dcf91b361327..e31b2e308616 100644
--- a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
+++ b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
@@ -1,27 +1,58 @@
 /** Definitions related to the Apache Commons Lang library. */
 import java
+private import semmle.code.java.dataflow.FlowSteps
-/*--- Types ---*/
-/** The class `org.apache.commons.lang.RandomStringUtils` or `org.apache.commons.lang3.RandomStringUtils`. */
+/**
+ * The class `org.apache.commons.lang.RandomStringUtils` or `org.apache.commons.lang3.RandomStringUtils`.
+ */
 class TypeApacheRandomStringUtils extends Class {
   TypeApacheRandomStringUtils() {
-    hasQualifiedName("org.apache.commons.lang", "RandomStringUtils") or
-    hasQualifiedName("org.apache.commons.lang3", "RandomStringUtils")
+    this.hasQualifiedName(["org.apache.commons.lang", "org.apache.commons.lang3"], "RandomStringUtils")
+  }
+}
+
+/**
+ * The class `org.apache.commons.lang.ArrayUtils` or `org.apache.commons.lang3.ArrayUtils`.
+ */
+class TypeApacheArrayUtils extends Class {
+  TypeApacheArrayUtils() {
+    hasQualifiedName(["org.apache.commons.lang", "org.apache.commons.lang3"], "ArrayUtils")
   }
 }
-/*--- Methods ---*/
 /**
  * The method `deserialize` in either `org.apache.commons.lang.SerializationUtils`
  * or `org.apache.commons.lang3.SerializationUtils`.
 */
 class MethodApacheSerializationUtilsDeserialize extends Method {
   MethodApacheSerializationUtilsDeserialize() {
-    (
-      this.getDeclaringType().hasQualifiedName("org.apache.commons.lang", "SerializationUtils") or
-      this.getDeclaringType().hasQualifiedName("org.apache.commons.lang3", "SerializationUtils")
-    ) and
+    this.getDeclaringType().hasQualifiedName(["org.apache.commons.lang", "org.apache.commons.lang3"], "SerializationUtils") and
     this.hasName("deserialize")
   }
 }
+
+/**
+ * A taint preserving method on `org.apache.commons.lang.ArrayUtils` or `org.apache.commons.lang3.ArrayUtils`
+ */
+private class ApacheLangArrayUtilsTaintPreservingMethod extends TaintPreservingCallable {
+  ApacheLangArrayUtilsTaintPreservingMethod() {
+    this.getDeclaringType() instanceof TypeApacheArrayUtils
+  }
+
+  override predicate returnsTaintFrom(int src) {
+    this.hasName(["addAll", "addFirst"]) and
+    src = [0 .. getNumberOfParameters()]
+    or
+    this.hasName(["clone", "nullToEmpty", "remove", "removeAll", "removeElement", "removeElements", "reverse", "shift", "shuffle", "subarray", "swap", "toArray", "toMap", "toObject", "toPrimitive", "toString", "toStringArray"]) and
+    src = 0
+    or
+    this.hasName("add") and
+    this.getNumberOfParameters() = 2 and
+    src = [0,1,2]
+    or
+    this.hasName("add") and
+    this.getNumberOfParameters() = 3 and
+    src = [0, 2]
+  }
+}
From 49eda8ced626299e28d5257634369e7c9cc40570 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mun=CC=83oz?=
Date: Fri, 12 Feb 2021 14:56:10 +0100
Subject: [PATCH 2/5] apply LSP formatter
---
 .../code/java/frameworks/apache/Lang.qll | 23 ++++++++++++-------
 1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
index e31b2e308616..c9af49464e06 100644
--- a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
+++ b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
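Review bot: In `returnsTaintFrom` the second `hasName` list includes `reverse`, `shift`, `shuffle` and `swap`, which I believe are `void` in-place operations in both `lang` and `lang3` `ArrayUtils`, so a `returnsTaintFrom` model has no return value to attach to for them; since they only permute an argument that is already tainted they need no model at all and could be dropped from the list, which is worth confirming against the library signatures first. Separately, `TypeApacheArrayUtils()` calls `hasQualifiedName(...)` unqualified while `TypeApacheRandomStringUtils()` in the same hunk was rewritten to `this.hasQualifiedName(...)`; for consistency write `this.hasQualifiedName(["org.apache.commons.lang", "org.apache.commons.lang3"], "ArrayUtils")`, and qualify `getNumberOfParameters()` in the `addAll`/`addFirst` range the same way. The QLDoc on `ApacheLangArrayUtilsTaintPreservingMethod` is also missing its closing period.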
@@ -3,17 +3,18 @@
 import java
 private import semmle.code.java.dataflow.FlowSteps
-/**
- * The class `org.apache.commons.lang.RandomStringUtils` or `org.apache.commons.lang3.RandomStringUtils`.
+/**
+ * The class `org.apache.commons.lang.RandomStringUtils` or `org.apache.commons.lang3.RandomStringUtils`.
  */
 class TypeApacheRandomStringUtils extends Class {
   TypeApacheRandomStringUtils() {
-    this.hasQualifiedName(["org.apache.commons.lang", "org.apache.commons.lang3"], "RandomStringUtils")
+    this.hasQualifiedName(["org.apache.commons.lang", "org.apache.commons.lang3"],
+      "RandomStringUtils")
   }
 }
-/**
- * The class `org.apache.commons.lang.ArrayUtils` or `org.apache.commons.lang3.ArrayUtils`.
+/**
+ * The class `org.apache.commons.lang.ArrayUtils` or `org.apache.commons.lang3.ArrayUtils`.
  */
 class TypeApacheArrayUtils extends Class {
   TypeApacheArrayUtils() {
@@ -27,7 +28,9 @@ class TypeApacheArrayUtils extends Class {
  */
 class MethodApacheSerializationUtilsDeserialize extends Method {
   MethodApacheSerializationUtilsDeserialize() {
-    this.getDeclaringType().hasQualifiedName(["org.apache.commons.lang", "org.apache.commons.lang3"], "SerializationUtils") and
+    this.getDeclaringType()
+        .hasQualifiedName(["org.apache.commons.lang", "org.apache.commons.lang3"],
+          "SerializationUtils") and
     this.hasName("deserialize")
   }
 }
@@ -44,12 +47,16 @@ private class ApacheLangArrayUtilsTaintPreservingMethod extends TaintPreservingC
     this.hasName(["addAll", "addFirst"]) and
     src = [0 .. getNumberOfParameters()]
     or
-    this.hasName(["clone", "nullToEmpty", "remove", "removeAll", "removeElement", "removeElements", "reverse", "shift", "shuffle", "subarray", "swap", "toArray", "toMap", "toObject", "toPrimitive", "toString", "toStringArray"]) and
+    this.hasName([
+      "clone", "nullToEmpty", "remove", "removeAll", "removeElement", "removeElements", "reverse",
+      "shift", "shuffle", "subarray", "swap", "toArray", "toMap", "toObject", "toPrimitive",
+      "toString", "toStringArray"
+    ]) and
     src = 0
     or
     this.hasName("add") and
     this.getNumberOfParameters() = 2 and
-    src = [0,1,2]
+    src = [0, 1, 2]
     or
     this.hasName("add") and
     this.getNumberOfParameters() = 3 and
From 8606386c2ce297221e08ff9cf81c261225a0d1c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mun=CC=83oz?=
Date: Fri, 12 Feb 2021 14:59:28 +0100
Subject: [PATCH 3/5] add bidirectional import
---
 java/ql/src/semmle/code/java/dataflow/FlowSteps.qll | 1 +
 1 file changed, 1 insertion(+)
diff --git a/java/ql/src/semmle/code/java/dataflow/FlowSteps.qll b/java/ql/src/semmle/code/java/dataflow/FlowSteps.qll
index d129ee6544ef..cb2196504140 100644
--- a/java/ql/src/semmle/code/java/dataflow/FlowSteps.qll
+++ b/java/ql/src/semmle/code/java/dataflow/FlowSteps.qll
@@ -16,6 +16,7 @@ module Frameworks {
   private import semmle.code.java.frameworks.Guice
   private import semmle.code.java.frameworks.Protobuf
   private import semmle.code.java.frameworks.guava.Guava
+  private import semmle.code.java.frameworks.apache.Lang
 }
 /**
From 7d294361dc2e762948a59344a64e753a7e02d7e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Fri, 12 Feb 2021 15:40:44 +0100
Subject: [PATCH 4/5] Update java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
Co-authored-by: Joe Farebrother
---
 java/ql/src/semmle/code/java/frameworks/apache/Lang.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
index c9af49464e06..6f0d87393821 100644
--- a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
+++ b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
@@ -56,7 +56,7 @@ private class ApacheLangArrayUtilsTaintPreservingMethod extends TaintPreservingC
     or
     this.hasName("add") and
     this.getNumberOfParameters() = 2 and
-    src = [0, 1, 2]
+    src = [0, 1]
     or
     this.hasName("add") and
     this.getNumberOfParameters() = 3 and
From 504d119749143302ff45e6583928a8aad82ae489 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mun=CC=83oz?=
Date: Mon, 15 Feb 2021 10:58:17 +0100
Subject: [PATCH 5/5] adjust max parameter number
---
 java/ql/src/semmle/code/java/frameworks/apache/Lang.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
index c9af49464e06..2e124235bb7c 100644
--- a/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
+++ b/java/ql/src/semmle/code/java/frameworks/apache/Lang.qll
@@ -45,7 +45,7 @@ private class ApacheLangArrayUtilsTaintPreservingMethod extends TaintPreservingC
   override predicate returnsTaintFrom(int src) {
     this.hasName(["addAll", "addFirst"]) and
-    src = [0 .. getNumberOfParameters()]
+    src = [0 .. getNumberOfParameters() - 1]
     or
     this.hasName([
       "clone", "nullToEmpty", "remove", "removeAll", "removeElement", "removeElements", "reverse",
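Review bot: The corrected range in [PATCH 5/5] still calls `getNumberOfParameters()` without the `this.` receiver, whereas every other call in this predicate (`this.hasName`, and `this.getNumberOfParameters() = 2` in the `add` disjuncts visible in the preceding hunk) is qualified; for consistency write `src = [0 .. this.getNumberOfParameters() - 1]`. Also, this patch's `index` line names `c9af49464e06` as its base blob, which is the tree after the formatter commit rather than after [PATCH 4/5] (`6f0d87393821`); the two hunks do not overlap so it presumably still applies, but the series looks like it needs a rebase. `returnsTaintFrom` continues past the end of the hunk.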