Merge pull request #16064 from github/max-schaefer/fix-unexploitable-…

…types Automodel: Filter unexploitable types in application mode.
github · Apr 9, 2024 · 3656376 · 3656376
2 parents 5253c96 + deb78b2
commit 3656376
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 13 deletions.
diff --git a/java/ql/automodel/src/AutomodelApplicationModeCharacteristics.qll b/java/ql/automodel/src/AutomodelApplicationModeCharacteristics.qll
@@ -28,25 +28,27 @@ newtype TApplicationModeEndpoint =
     AutomodelJavaUtil::isFromSource(call) and
     exists(Argument argExpr |
       arg.asExpr() = argExpr and call = argExpr.getCall() and not argExpr.isVararg()
-    )
+    ) and
+    not AutomodelJavaUtil::isUnexploitableType(arg.getType())
   } or
   TInstanceArgument(Call call, DataFlow::Node arg) {
     AutomodelJavaUtil::isFromSource(call) and
     arg = DataFlow::getInstanceArgument(call) and
-    not call instanceof ConstructorCall
+    not call instanceof ConstructorCall and
+    not AutomodelJavaUtil::isUnexploitableType(arg.getType())
   } or
   TImplicitVarargsArray(Call call, DataFlow::ImplicitVarargsArray arg, int idx) {
     AutomodelJavaUtil::isFromSource(call) and
     call = arg.getCall() and
-    idx = call.getCallee().getVaragsParameterIndex()
+    idx = call.getCallee().getVaragsParameterIndex() and
+    not AutomodelJavaUtil::isUnexploitableType(arg.getType())
   } or
-  TMethodReturnValue(Call call) {
+  TMethodReturnValue(MethodCall call) {
     AutomodelJavaUtil::isFromSource(call) and
-    not call instanceof ConstructorCall
+    not AutomodelJavaUtil::isUnexploitableType(call.getType())
   } or
   TOverriddenParameter(Parameter p, Method overriddenMethod) {
     AutomodelJavaUtil::isFromSource(p) and
-    not p.getCallable().callsConstructor(_) and
     p.getCallable().(Method).overrides(overriddenMethod)
   }
 
@@ -163,7 +165,7 @@ class ImplicitVarargsArray extends CallArgument, TImplicitVarargsArray {
  * may be a source.
  */
 class MethodReturnValue extends ApplicationModeEndpoint, TMethodReturnValue {
-  Call call;
+  MethodCall call;
 
   MethodReturnValue() { this = TMethodReturnValue(call) }
 

diff --git a/java/ql/automodel/test/AutomodelApplicationModeExtraction/Test.java b/java/ql/automodel/test/AutomodelApplicationModeExtraction/Test.java
@@ -19,11 +19,11 @@ public static void main(String[] args) throws Exception {
 		AtomicReference<String> reference = new AtomicReference<>(); // uninteresting (parameterless constructor)
 		reference.set( // $ sinkModelCandidate=set(Object):Argument[this]
 			args[0] // $ negativeSinkExample=set(Object):Argument[0] // modeled as a flow step
-		);  // $ negativeSourceExample=set(Object):ReturnValue // return type is void
+		);  // not a source candidate (return type is void)
 	}
 
 	public static void callSupplier(Supplier<String> supplier) {
-		supplier.get(); // $ sourceModelCandidate=get():ReturnValue
+		supplier.get(); // not a source candidate (lambda flow)
 	}
 
 	public static void copyFiles(Path source, Path target, CopyOption option) throws Exception {
@@ -52,7 +52,7 @@ public static InputStream getInputStream(String openPath, String otherPath) thro
 	public static int compareFiles(File f1, File f2) {
 		return f1.compareTo( // $ negativeSinkExample=compareTo(File):Argument[this]
 			f2 // $ negativeSinkExample=compareTo(File):Argument[0] // modeled as not a sink
-		); // $ negativeSourceExample=compareTo(File):ReturnValue // return type is int
+		); // not a source candidate (return type is int)
 	}
 
 	public static void FilesWalkExample(Path p, FileVisitOption o) throws Exception {
@@ -66,6 +66,7 @@ public static void FilesWalkExample(Path p, FileVisitOption o) throws Exception
 
 	public static void WebSocketExample(URLConnection c) throws Exception {
 		c.getInputStream(); // $ sinkModelCandidate=getInputStream():Argument[this] positiveSourceExample=getInputStream():ReturnValue(remote) // not a source candidate (manual modeling)
+		c.connect(); // $ sinkModelCandidate=connect():Argument[this] // not a source candidate (return type is void)
 	}
 
 	public static void fileFilterExample(File f, FileFilter ff) {
@@ -102,10 +103,10 @@ public static void FilesListExample(Path p) throws Exception {
 
 		Files.delete(
 			p // $ sinkModelCandidate=delete(Path):Argument[0] positiveSinkExample=delete(Path):Argument[0](path-injection)
-		); // $ negativeSourceExample=delete(Path):ReturnValue // return type is void
+		); // not a source candidate (return type is void)
 
 		Files.deleteIfExists(
 			p // $ sinkModelCandidate=deleteIfExists(Path):Argument[0] positiveSinkExample=deleteIfExists(Path):Argument[0](path-injection)
-		); // $ negativeSourceExample=deleteIfExists(Path):ReturnValue // return type is boolean
+		); // not a source candidate (return type is boolean)
 	}
 }
diff --git a/java/ql/automodel/test/AutomodelFrameworkModeExtraction/com/github/codeql/test/MyWriter.java b/java/ql/automodel/test/AutomodelFrameworkModeExtraction/com/github/codeql/test/MyWriter.java
@@ -2,7 +2,7 @@
 
 public class MyWriter extends java.io.Writer {
     @Override
-    public void write(char[] cbuf, int off, int len) { // $ sinkModelCandidate=write(char[],int,int):Argument[this] sourceModelCandidate=write(char[],int,int):Parameter[this] sourceModelCandidate=write(char[],int,int):Parameter[0]
+    public void write(char[] cbuf, int off, int len) { // $ sinkModelCandidate=write(char[],int,int):Argument[this] positiveSinkExample=write(char[],int,int):Argument[0](file-content-store) sourceModelCandidate=write(char[],int,int):Parameter[this] sourceModelCandidate=write(char[],int,int):Parameter[0]
     }
 
     @Override