Merge pull request #9817 from smowton/smowton/feature/model-java-util-properties

smowton · web-flow · commit 80cbddf626b9 · 2022-07-13T17:12:11.000+01:00
Java: Model `java.util.Properties.getProperty`
diff --git a/java/ql/lib/change-notes/2022-07-13-properites.md b/java/ql/lib/change-notes/2022-07-13-properites.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added data-flow models for `java.util.Properites`. Additional results may be found where relevant data is stored in and then retrieved from a `Properties` instance.
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/ContainerFlow.qll b/java/ql/lib/semmle/code/java/dataflow/internal/ContainerFlow.qll
@@ -241,6 +241,9 @@ private class ContainerFlowSummaries extends SummaryModelCsv {
         "java.util;NavigableSet;true;pollLast;();;Argument[-1].Element;ReturnValue;value;manual",
         "java.util;NavigableSet;true;subSet;(Object,boolean,Object,boolean);;Argument[-1].Element;ReturnValue.Element;value;manual",
         "java.util;NavigableSet;true;tailSet;(Object,boolean);;Argument[-1].Element;ReturnValue.Element;value;manual",
+        "java.util;Properties;true;getProperty;(String);;Argument[-1].MapValue;ReturnValue;value;manual",
+        "java.util;Properties;true;getProperty;(String,String);;Argument[-1].MapValue;ReturnValue;value;manual",
+        "java.util;Properties;true;getProperty;(String,String);;Argument[1];ReturnValue;value;manual",
         "java.util;Scanner;true;next;(Pattern);;Argument[-1];ReturnValue;taint;manual",
         "java.util;Scanner;true;next;(String);;Argument[-1];ReturnValue;taint;manual",
         "java.util;SortedMap;true;headMap;(Object);;Argument[-1].MapKey;ReturnValue.MapKey;value;manual",
diff --git a/java/ql/lib/semmle/code/java/frameworks/Properties.qll b/java/ql/lib/semmle/code/java/frameworks/Properties.qll
@@ -10,13 +10,11 @@ class TypeProperty extends Class {
 }
 
 /** The `getProperty` method of the class `java.util.Properties`. */
-class PropertiesGetPropertyMethod extends ValuePreservingMethod {
+class PropertiesGetPropertyMethod extends Method {
   PropertiesGetPropertyMethod() {
     getDeclaringType() instanceof TypeProperty and
     hasName("getProperty")
   }
-
-  override predicate returnsValue(int arg) { arg = 1 }
 }
 
 /** The `get` method of the class `java.util.Properties`. */
diff --git a/java/ql/test/library-tests/dataflow/collections/Test.java b/java/ql/test/library-tests/dataflow/collections/Test.java
@@ -78,4 +78,14 @@ public void run3() {
       sink(x18); // Flow
     });
   }
+
+  public void run4() {
+    Properties p = new Properties();
+    p.put("key", tainted);
+    sink(p.getProperty("key")); // Flow
+    sink(p.getProperty("key", "defaultValue")); // Flow
+    
+    Properties clean = new Properties();
+    sink(clean.getProperty("key", tainted)); // Flow
+  }
 }
diff --git a/java/ql/test/library-tests/dataflow/collections/flow.expected b/java/ql/test/library-tests/dataflow/collections/flow.expected
@@ -11,3 +11,6 @@
 | Test.java:49:20:49:26 | tainted | Test.java:60:12:60:14 | x14 |
 | Test.java:73:11:73:17 | tainted | Test.java:75:10:75:12 | x17 |
 | Test.java:73:11:73:17 | tainted | Test.java:78:12:78:14 | x18 |
+| Test.java:84:18:84:24 | tainted | Test.java:85:10:85:29 | getProperty(...) |
+| Test.java:84:18:84:24 | tainted | Test.java:86:10:86:45 | getProperty(...) |
+| Test.java:89:35:89:41 | tainted | Test.java:89:10:89:42 | getProperty(...) |

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Added data-flow models for `java.util.Properites`. Additional results may be found where relevant data is stored in and then retrieved from a `Properties` instance.
Original file line number	Diff line number	Diff line change
`@@ -10,13 +10,11 @@ class TypeProperty extends Class {`
`10`	`10`	`}`
`11`	`11`
`12`	`12`	/** The `getProperty` method of the class `java.util.Properties`. */
`13`		`-class PropertiesGetPropertyMethod extends ValuePreservingMethod {`
	`13`	`+class PropertiesGetPropertyMethod extends Method {`
`14`	`14`	`PropertiesGetPropertyMethod() {`
`15`	`15`	`getDeclaringType() instanceof TypeProperty and`
`16`	`16`	`hasName("getProperty")`
`17`	`17`	`}`
`18`		`-`
`19`		`- override predicate returnsValue(int arg) { arg = 1 }`
`20`	`18`	`}`
`21`	`19`
`22`	`20`	/** The `get` method of the class `java.util.Properties`. */