Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Java: Extend String dataflow models #7019

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Java: Extend String dataflow models #7019

wants to merge 1 commit into from

Conversation

Reviewers
No reviews
Assignees
No one assigned
Labels
Java
Projects
None yet
Milestone
No milestone
Linked issues

Successfully merging this pull request may close these issues.

None yet

1 participant
@Marcono1234
@Marcono1234
Copy link
Contributor

@Marcono1234 Marcono1234 commented Nov 1, 2021

Extends the dataflow String models to cover more methods.

I am not that familiar with the CSV model yet, and also don't know how to use the tools to automatically generate test cases.
Additionally there are a few open questions (see comments).

Any feedback is appreciated, but also feel free to just pick this changes up and complete them, if that would be easiest for you.
@github-actions github-actions bot added the Java label Nov 1, 2021
@Marcono1234
Java: Extend String dataflow models
1fe4204
@Marcono1234 Marcono1234 force-pushed the marcono1234/extend-String-models branch from 55288d1 to 1fe4204 Nov 1, 2021
@github-actions
Copy link
Contributor

@github-actions github-actions bot commented Nov 1, 2021

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

java

Generated file changes for java

  • Changes to framework-coverage-java.rst:
-    Java Standard Library,``java.*``,3,519,30,13,,,7,,,10
+    Java Standard Library,``java.*``,3,543,30,13,,,7,,,10
-    Totals,,175,5341,408,13,6,10,107,33,1,66
+    Totals,,175,5365,408,13,6,10,107,33,1,66
  • Changes to framework-coverage-java.csv:
- java.io,3,,27,,3,,,,,,,,,,,,,,,,,,,26,1
+ java.io,3,,29,,3,,,,,,,,,,,,,,,,,,,28,1
- java.lang,,,51,,,,,,,,,,,,,,,,,,,,,41,10
+ java.lang,,,72,,,,,,,,,,,,,,,,,,,,,52,20
- java.util,,,429,,,,,,,,,,,,,,,,,,,,,15,414
+ java.util,,,430,,,,,,,,,,,,,,,,,,,,,15,415

Marcono1234
Marcono1234 reviewed Nov 1, 2021
View changes
java/ql/lib/semmle/code/java/frameworks/Strings.qll
@@ -11,19 +11,28 @@ private class StringSummaryCsv extends SummaryModelCsv {
"java.lang;String;false;concat;(String);;Argument[0];ReturnValue;taint",
"java.lang;String;false;concat;(String);;Argument[-1];ReturnValue;taint",
"java.lang;String;false;copyValueOf;;;Argument[0];ReturnValue;taint",
"java.lang;String;false;endsWith;;;Argument[-1];ReturnValue;taint",
Copy link
Contributor Author

@Marcono1234 Marcono1234 Nov 1, 2021

Have removed this because no other boolean returning methods are modelled.

java/ql/lib/semmle/code/java/frameworks/Strings.qll
"java.lang;String;false;indent;;;Argument[-1];ReturnValue;taint",
"java.lang;String;false;intern;;;Argument[-1];ReturnValue;taint",
"java.lang;String;false;join;;;Argument[0..1];ReturnValue;taint",
"java.lang;String;false;join;;;Argument[0..1];ReturnValue;taint", // TODO: ArrayElement of Argument?
Copy link
Contributor Author

@Marcono1234 Marcono1234 Nov 1, 2021

Should this here and maybe also in other cases use ArrayElement of Argument instead? What is the difference between tracking taint form an array (or varargs?) compared to tracking taint from the elements?

java/ql/lib/semmle/code/java/frameworks/Strings.qll
// TODO: Should `append` and `write` be modelled for Appendable and Writer instead?
// Could then remove some of the modelled `append` method here and for StringBuilder
Copy link
Contributor Author

@Marcono1234 Marcono1234 Nov 1, 2021

Should Appendable and Writer be modelled?

@github-actions
Copy link
Contributor

@github-actions github-actions bot commented Nov 1, 2021

⚠️ The head of this PR and the base branch were compared for differences in the framework coverage reports. The generated reports are available in the artifacts of this workflow run. The differences will be picked up by the nightly job after the PR gets merged.

Click to show differences in coverage

java

Generated file changes for java

  • Changes to framework-coverage-java.rst:
-    Java Standard Library,``java.*``,3,519,30,13,,,7,,,10
+    Java Standard Library,``java.*``,3,542,30,13,,,7,,,10
-    Totals,,175,5341,408,13,6,10,107,33,1,66
+    Totals,,175,5364,408,13,6,10,107,33,1,66
  • Changes to framework-coverage-java.csv:
- java.io,3,,27,,3,,,,,,,,,,,,,,,,,,,26,1
+ java.io,3,,29,,3,,,,,,,,,,,,,,,,,,,28,1
- java.lang,,,51,,,,,,,,,,,,,,,,,,,,,41,10
+ java.lang,,,71,,,,,,,,,,,,,,,,,,,,,51,20
- java.util,,,429,,,,,,,,,,,,,,,,,,,,,15,414
+ java.util,,,430,,,,,,,,,,,,,,,,,,,,,15,415

Marcono1234
Marcono1234 reviewed Nov 1, 2021
View changes
java/ql/lib/semmle/code/java/frameworks/Strings.qll
"java.lang;StringBuilder;true;StringBuilder;(CharSequence);;Argument[0];Argument[-1];taint",
"java.lang;StringBuilder;true;StringBuilder;(String);;Argument[0];Argument[-1];taint",
Copy link
Contributor Author

@Marcono1234 Marcono1234 Nov 1, 2021

Have specified the parameter types here to avoid tracking StringBuilder(int) where the argument only represents the capacitiy.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment