Merge branch 'main' into rdmarsh2/cpp/product-flow

Author: MathiasVP

cpp/ql/lib/experimental/semmle/code/cpp/semantic/SemanticExprSpecific.qll

@@ -162,7 +162,7 @@ module SemanticExprConfig {
   predicate phi(SsaVariable v) { v.asInstruction() instanceof IR::PhiInstruction }
 
   SsaVariable getAPhiInput(SsaVariable v) {
-    exists(IR::PhiInstruction instr |
+    exists(IR::PhiInstruction instr | v.asInstruction() = instr |
       result.asInstruction() = instr.getAnInput()
       or
       result.asOperand() = instr.getAnInputOperand()

java/kotlin-extractor/src/main/kotlin/KotlinFileExtractor.kt

@@ -2394,7 +2394,11 @@ open class KotlinFileExtractor(
             if (e.typeArgumentsCount > 0) {
                 logger.warnElement("Unexpected type arguments (${e.typeArgumentsCount}) for anonymous class constructor call", e)
             }
-            val c = eType.classifier.owner as IrClass
+            val c = eType.classifier.owner
+            if (c !is IrClass) {
+                logger.errorElement("Anonymous constructor call type not a class (${c.javaClass})", e)
+                return
+            }
             useAnonymousClass(c)
         } else {
             useType(eType)
@@ -4260,6 +4264,8 @@ open class KotlinFileExtractor(
      * Extracts a type access expression and its child type access expressions in case of a generic type. Nested generics are also handled.
      */
     private fun extractTypeAccessRecursive(t: IrType, location: Label<DbLocation>, parent: Label<out DbExprparent>, idx: Int, enclosingCallable: Label<out DbCallable>, enclosingStmt: Label<out DbStmt>, typeContext: TypeContext = TypeContext.OTHER): Label<out DbExpr> {
+        // TODO: `useType` substitutes types to their java equivalent, and sometimes that also means changing the number of type arguments. The below logic doesn't take this into account.
+        // For example `KFunction2<Int,Double,String>` becomes `KFunction<String>` with three child type access expressions: `Int`, `Double`, `String`.
         val typeAccessId = extractTypeAccess(useType(t, typeContext), location, parent, idx, enclosingCallable, enclosingStmt)
         if (t is IrSimpleType) {
             extractTypeArguments(t.arguments.filterIsInstance<IrType>(), location, typeAccessId, enclosingCallable, enclosingStmt)

java/ql/lib/change-notes/2022-08-31-kotlin-stdlib.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added flow sinks, sources and summaries for the Kotlin standard library.

java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll

@@ -153,7 +153,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.JMS
   private import semmle.code.java.frameworks.RabbitMQ
   private import semmle.code.java.regex.RegexFlowModels
-  private import semmle.code.java.frameworks.KotlinStdLib
+  private import semmle.code.java.frameworks.kotlin.StdLib
 }
 
 /**

java/ql/lib/semmle/code/java/frameworks/KotlinStdLib.qll

@@ -6,4 +6,5 @@ import java
 
 private module GeneratedFrameworks {
   private import apache.IOGenerated
+  private import kotlin.StdLibGenerated
 }

java/ql/lib/semmle/code/java/frameworks/generated.qll

@@ -0,0 +1,14 @@
+/** Definitions of taint steps in the KotlinStdLib framework */
+
+import java
+private import semmle.code.java.dataflow.ExternalFlow
+
+private class KotlinStdLibSummaryCsv extends SummaryModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        "kotlin.jvm.internal;ArrayIteratorKt;false;iterator;(Object[]);;Argument[0].ArrayElement;ReturnValue.Element;value;manual",
+        "kotlin.collections;ArraysKt;false;withIndex;(Object[]);;Argument[0].ArrayElement;ReturnValue;taint;manual"
+      ]
+  }
+}

java/ql/lib/semmle/code/java/frameworks/kotlin/NegativeStdLibGenerated.qll

@@ -4,17 +4,17 @@ class ListFlowTest {
 
     fun test(l: MutableList<String>) {
         l[0] = taint("a")
-        sink(l)
-        sink(l[0])
+        sink(l)             // $ hasTaintFlow=a
+        sink(l[0])          // $ hasValueFlow=a
         for (s in l) {
-            sink(s)
+            sink(s)         // $ hasValueFlow=a
         }
 
-        val a = arrayOf(taint("a"), "b")
-        sink(a)
-        sink(a[0])
+        val a = arrayOf(taint("b"), "c")
+        sink(a)             // $ hasTaintFlow=b
+        sink(a[0])          // $ hasValueFlow=b
         for (s in a) {
-            sink(s)
+            sink(s)         // $ hasValueFlow=b
         }
     }
 }