github · hvitved · Jan 24, 2024 · Jan 24, 2024 · Jan 25, 2024 · Jan 25, 2024
@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *  DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *  DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *  DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *  DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *  DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *  DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *  DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *  DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *  DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *  DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *  DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *  DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *  DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *  DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.

@@ -31,17 +31,17 @@ edges
 | CollectionFlow.cs:26:58:26:61 | dict : Dictionary<T,T> [element, property Value] : A | CollectionFlow.cs:26:67:26:70 | access to parameter dict : Dictionary<T,T> [element, property Value] : A | provenance |  |
 | CollectionFlow.cs:26:67:26:70 | access to parameter dict : Dictionary<T,T> [element, property Value] : A | CollectionFlow.cs:26:67:26:73 | access to indexer : A | provenance |  |
 | CollectionFlow.cs:28:59:28:62 | dict : Dictionary<T,T> [element, property Value] : A | CollectionFlow.cs:28:68:28:71 | access to parameter dict : Dictionary<T,T> [element, property Value] : A | provenance |  |
-| CollectionFlow.cs:28:68:28:71 | access to parameter dict : Dictionary<T,T> [element, property Value] : A | CollectionFlow.cs:28:68:28:79 | call to method First<KeyValuePair<Int32,T>> : KeyValuePair<Int32,T> [property Value] : A | provenance |  |
-| CollectionFlow.cs:28:68:28:79 | call to method First<KeyValuePair<Int32,T>> : KeyValuePair<Int32,T> [property Value] : A | CollectionFlow.cs:28:68:28:85 | access to property Value : A | provenance |  |
+| CollectionFlow.cs:28:68:28:71 | access to parameter dict : Dictionary<T,T> [element, property Value] : A | CollectionFlow.cs:28:68:28:79 | call to method First<KeyValuePair<Int32,T>> : Object [property Value] : A | provenance |  |
+| CollectionFlow.cs:28:68:28:79 | call to method First<KeyValuePair<Int32,T>> : Object [property Value] : A | CollectionFlow.cs:28:68:28:85 | access to property Value : A | provenance |  |
 | CollectionFlow.cs:30:60:30:63 | dict : Dictionary<T,T> [element, property Value] : A | CollectionFlow.cs:30:69:30:72 | access to parameter dict : Dictionary<T,T> [element, property Value] : A | provenance |  |
 | CollectionFlow.cs:30:69:30:72 | access to parameter dict : Dictionary<T,T> [element, property Value] : A | CollectionFlow.cs:30:69:30:79 | access to property Values : ICollection<T> [element] : A | provenance |  |
 | CollectionFlow.cs:30:69:30:79 | access to property Values : ICollection<T> [element] : A | CollectionFlow.cs:30:69:30:87 | call to method First<T> : A | provenance |  |
 | CollectionFlow.cs:32:58:32:61 | dict : Dictionary<T,T> [element, property Key] : A | CollectionFlow.cs:32:67:32:70 | access to parameter dict : Dictionary<T,T> [element, property Key] : A | provenance |  |
 | CollectionFlow.cs:32:67:32:70 | access to parameter dict : Dictionary<T,T> [element, property Key] : A | CollectionFlow.cs:32:67:32:75 | access to property Keys : ICollection<T> [element] : A | provenance |  |
 | CollectionFlow.cs:32:67:32:75 | access to property Keys : ICollection<T> [element] : A | CollectionFlow.cs:32:67:32:83 | call to method First<T> : A | provenance |  |
 | CollectionFlow.cs:34:57:34:60 | dict : Dictionary<T,T> [element, property Key] : A | CollectionFlow.cs:34:66:34:69 | access to parameter dict : Dictionary<T,T> [element, property Key] : A | provenance |  |
-| CollectionFlow.cs:34:66:34:69 | access to parameter dict : Dictionary<T,T> [element, property Key] : A | CollectionFlow.cs:34:66:34:77 | call to method First<KeyValuePair<T,Int32>> : KeyValuePair<T,Int32> [property Key] : A | provenance |  |
-| CollectionFlow.cs:34:66:34:77 | call to method First<KeyValuePair<T,Int32>> : KeyValuePair<T,Int32> [property Key] : A | CollectionFlow.cs:34:66:34:81 | access to property Key : A | provenance |  |
+| CollectionFlow.cs:34:66:34:69 | access to parameter dict : Dictionary<T,T> [element, property Key] : A | CollectionFlow.cs:34:66:34:77 | call to method First<KeyValuePair<T,Int32>> : Object [property Key] : A | provenance |  |
+| CollectionFlow.cs:34:66:34:77 | call to method First<KeyValuePair<T,Int32>> : Object [property Key] : A | CollectionFlow.cs:34:66:34:81 | access to property Key : A | provenance |  |
 | CollectionFlow.cs:36:49:36:52 | args : A[] [element] : A | CollectionFlow.cs:36:63:36:66 | access to parameter args : A[] [element] : A | provenance |  |
 | CollectionFlow.cs:36:49:36:52 | args : null [element] : A | CollectionFlow.cs:36:63:36:66 | access to parameter args : null [element] : A | provenance |  |
 | CollectionFlow.cs:36:63:36:66 | access to parameter args : A[] [element] : A | CollectionFlow.cs:36:63:36:69 | access to array element | provenance |  |
@@ -318,7 +318,7 @@ nodes
 | CollectionFlow.cs:26:67:26:73 | access to indexer : A | semmle.label | access to indexer : A |
 | CollectionFlow.cs:28:59:28:62 | dict : Dictionary<T,T> [element, property Value] : A | semmle.label | dict : Dictionary<T,T> [element, property Value] : A |
 | CollectionFlow.cs:28:68:28:71 | access to parameter dict : Dictionary<T,T> [element, property Value] : A | semmle.label | access to parameter dict : Dictionary<T,T> [element, property Value] : A |
-| CollectionFlow.cs:28:68:28:79 | call to method First<KeyValuePair<Int32,T>> : KeyValuePair<Int32,T> [property Value] : A | semmle.label | call to method First<KeyValuePair<Int32,T>> : KeyValuePair<Int32,T> [property Value] : A |
+| CollectionFlow.cs:28:68:28:79 | call to method First<KeyValuePair<Int32,T>> : Object [property Value] : A | semmle.label | call to method First<KeyValuePair<Int32,T>> : Object [property Value] : A |
 | CollectionFlow.cs:28:68:28:85 | access to property Value : A | semmle.label | access to property Value : A |
 | CollectionFlow.cs:30:60:30:63 | dict : Dictionary<T,T> [element, property Value] : A | semmle.label | dict : Dictionary<T,T> [element, property Value] : A |
 | CollectionFlow.cs:30:69:30:72 | access to parameter dict : Dictionary<T,T> [element, property Value] : A | semmle.label | access to parameter dict : Dictionary<T,T> [element, property Value] : A |
@@ -330,7 +330,7 @@ nodes
 | CollectionFlow.cs:32:67:32:83 | call to method First<T> : A | semmle.label | call to method First<T> : A |
 | CollectionFlow.cs:34:57:34:60 | dict : Dictionary<T,T> [element, property Key] : A | semmle.label | dict : Dictionary<T,T> [element, property Key] : A |
 | CollectionFlow.cs:34:66:34:69 | access to parameter dict : Dictionary<T,T> [element, property Key] : A | semmle.label | access to parameter dict : Dictionary<T,T> [element, property Key] : A |
-| CollectionFlow.cs:34:66:34:77 | call to method First<KeyValuePair<T,Int32>> : KeyValuePair<T,Int32> [property Key] : A | semmle.label | call to method First<KeyValuePair<T,Int32>> : KeyValuePair<T,Int32> [property Key] : A |
+| CollectionFlow.cs:34:66:34:77 | call to method First<KeyValuePair<T,Int32>> : Object [property Key] : A | semmle.label | call to method First<KeyValuePair<T,Int32>> : Object [property Key] : A |
 | CollectionFlow.cs:34:66:34:81 | access to property Key : A | semmle.label | access to property Key : A |
 | CollectionFlow.cs:36:49:36:52 | args : A[] [element] : A | semmle.label | args : A[] [element] : A |
 | CollectionFlow.cs:36:49:36:52 | args : null [element] : A | semmle.label | args : null [element] : A |

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *  DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *  DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.

@@ -33,6 +33,16 @@ private module DispatchImpl {
     result.asSummarizedCallable().getACall() = c.asCall()
   }
 
+  private DataFlowCallable testviableCallable(DataFlowCall c) {
+    result = viableCallable(c) and
+    result.asCallable().hasName("_getMember")
+  }
+
+  private DataFlowCallable viableCallable(DataFlowCall c, int k) {
+    result = viableCallable(c) and
+    k = strictcount(viableCallable(c))
+  }
+
   /**
    * Holds if the set of viable implementations that can be called by `ma`
    * might be improved by knowing the call context. This is the case if the
@@ -122,6 +132,26 @@ private module DispatchImpl {
     mayBenefitFromCallContext(call.asCall(), _, _)
   }
 
+  private DataFlowCallable testviableImplInCallContext(DataFlowCall call, DataFlowCall ctx) {
+    result = viableImplInCallContext(call, ctx) and
+    call.toString() = "getClassName(...)"
+  }
+
+  pragma[nomagic]
+  private predicate foo(DataFlowCall call, DataFlowCall ctx1, DataFlowCall ctx2) {
+    forex(DataFlowCallable c | c = viableImplInCallContext(call, ctx1) |
+      c = viableImplInCallContext(call, ctx2)
+    )
+  }
+
+  private DataFlowCallable testviableImplInCallContext(
+    DataFlowCall call, DataFlowCall ctx1, DataFlowCall ctx2
+  ) {
+    result = viableImplInCallContext(call, ctx1) and
+    foo(call, ctx1, ctx2) and
+    foo(call, ctx2, ctx1)
+  }
+
   /**
    * Gets a viable dispatch target of `call` in the context `ctx`. This is
    * restricted to those `call`s for which a context might make a difference.

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *  DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *  DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *  DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *  DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *  DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.

@@ -1,5 +1,5 @@
 /**
- * DEPRECATED: Use `Global` and `GlobalWithState` instead.
+ *  DEPRECATED: Use `Global` and `GlobalWithState` instead.
  *
  * Provides a `Configuration` class backwards-compatible interface to the data
  * flow library.

@@ -10,6 +10,7 @@ private import semmle.code.java.dataflow.FlowSummary
 private import FlowSummaryImpl as FlowSummaryImpl
 private import DataFlowNodes
 private import codeql.dataflow.VariableCapture as VariableCapture
+private import semmle.code.java.dispatch.VirtualDispatch as VirtualDispatch
 import DataFlowNodes::Private
 
 private newtype TReturnKind = TNormalReturnKind()
@@ -204,22 +205,62 @@ predicate jumpStep(Node node1, Node node2) {
  * Holds if `fa` is an access to an instance field that occurs as the
  * destination of an assignment of the value `src`.
  */
-private predicate instanceFieldAssign(Expr src, FieldAccess fa) {
-  exists(AssignExpr a |
-    a.getSource() = src and
-    a.getDest() = fa and
-    fa.getField() instanceof InstanceField
+private predicate instanceFieldAssign(AssignExpr a, Expr src, FieldAccess fa) {
+  a.getSource() = src and
+  a.getDest() = fa and
+  fa.getField() instanceof InstanceField
+}
+
+pragma[nomagic]
+private predicate isExactArgument(ArgumentNode arg, BasicBlock bb, Method m, ArgumentPosition apos) {
+  exists(MethodCall mc, DataFlowCall call |
+    mc = call.asCall() and
+    m = VirtualDispatch::exactVirtualMethod(mc) and
+    arg.argumentOf(call, apos) and
+    bb = mc.getBasicBlock()
+  )
+}
+
+pragma[nomagic]
+private predicate setsInstanceField(Field f, Node qualifier, BasicBlock bb) {
+  exists(AssignExpr a, FieldAccess fa |
+    instanceFieldAssign(a, _, fa) and
+    f = fa.getField() and
+    bb = a.getBasicBlock() and
+    qualifier = getFieldQualifier(fa)
+  )
+  or
+  exists(Method m, ArgumentPosition apos |
+    isExactArgument(qualifier, bb, m, apos) and
+    isInstanceFieldSetter(m, apos, f)
   )
 }
 
+pragma[nomagic]
+private predicate isInstanceFieldSetter(Method m, ArgumentPosition apos, Field f) {
+  exists(BasicBlock bb, Node qualifier, ParameterNode p, ParameterPosition ppos |
+    setsInstanceField(f, qualifier, bb) and
+    m = bb.getEnclosingCallable() and
+    bb.bbPostDominates(m.getBody().getBasicBlock()) and
+    localMustFlowStep+(p, qualifier) and
+    p.isParameterOf(_, ppos) and
+    parameterMatch(ppos, apos)
+  )
+}
+
+private predicate sdf(Field f, Class c) {
+  f.getName() = "m_clusterRoot" and
+  c.hasName("Folder")
+}
+
 /**
  * Holds if data can flow from `node1` to `node2` via an assignment to `f`.
  * Thus, `node2` references an object with a field `f` that contains the
  * value of `node1`.
  */
 predicate storeStep(Node node1, ContentSet f, Node node2) {
   exists(FieldAccess fa |
-    instanceFieldAssign(node1.asExpr(), fa) and
+    instanceFieldAssign(_, node1.asExpr(), fa) and
     node2.(PostUpdateNode).getPreUpdateNode() = getFieldQualifier(fa) and
     f.(FieldContent).getField() = fa.getField()
   )
@@ -308,8 +349,9 @@ predicate readStep(Node node1, ContentSet f, Node node2) {
  * in `x.f = newValue`.
  */
 predicate clearsContent(Node n, ContentSet c) {
+  // setsInstanceField(c.(FieldContent).getField(), n, _)
   exists(FieldAccess fa |
-    instanceFieldAssign(_, fa) and
+    instanceFieldAssign(_, _, fa) and
     n = getFieldQualifier(fa) and
     c.(FieldContent).getField() = fa.getField()
   )
@@ -352,6 +394,7 @@ class DataFlowType extends SrcRefType {
 pragma[nomagic]
 predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) { t1.getASourceSupertype+() = t2 }
 
+// predicate typeStrongerThan(DataFlowType t1, DataFlowType t2) { none() }
 pragma[noinline]
 DataFlowType getNodeType(Node n) {
   result = getErasedRepr(n.getTypeBound())
@@ -371,6 +414,12 @@ private predicate compatibleTypes0(DataFlowType t1, DataFlowType t2) {
   erasedHaveIntersection(t1, t2)
 }
 
+private predicate sdef(DataFlowType t1, DataFlowType t2) {
+  t1.toString() = "String" and
+  t2.toString() = "ArrayList" and
+  compatibleTypes(t1, t2)
+}
+
 /**
  * Holds if `t1` and `t2` are compatible, that is, whether data can flow from
  * a node of type `t1` to a node of type `t2`.

@@ -66,7 +66,9 @@ module TaintedPathConfig implements DataFlow::ConfigSig {
 
   predicate isBarrier(DataFlow::Node sanitizer) {
     sanitizer instanceof SimpleTypeSanitizer or
-    sanitizer instanceof PathInjectionSanitizer
+    sanitizer instanceof PathInjectionSanitizer or
+    sanitizer.getLocation().getFile().getBaseName() =
+      [/*"BaseObject.java", "SimpleNode.java",*/ "Context.java"]
   }
 
   predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
@@ -94,6 +96,4 @@ module TaintedPathLocalConfig implements DataFlow::ConfigSig {
     any(TaintedPathAdditionalTaintStep s).step(n1, n2)
   }
 }
-
-/** Tracks flow from local user input to the creation of a path. */
-module TaintedPathLocalFlow = TaintTracking::Global<TaintedPathLocalConfig>;
+// module TaintedPathLocalFlow = TaintTracking::Global<TaintedPathLocalConfig>;