Add tests for org.springframework.util;StringUtils taint models

Sauyon Lee · Sauyon Lee · commit 07959b5a9069 · 2021-04-02T01:30:38.000-07:00
diff --git a/java/ql/test/library-tests/frameworks/spring/StringUtilsTest.java b/java/ql/test/library-tests/frameworks/spring/StringUtilsTest.java
@@ -0,0 +1,125 @@
+import org.springframework.util.StringUtils;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Enumeration;
+import java.util.Locale;
+import java.lang.String;
+
+class StringUtilsTest {
+  String taint() { return "tainted"; }
+
+  String[] taintArray() { return null; }
+
+  Locale taintLocale() { return null; }
+
+  Collection<String> taintedCollection() { return null; }
+
+  Enumeration<String> taintedEnumeration() { return null; }
+
+  void sink(Object o) {}
+
+  void test() throws Exception {
+    sink(StringUtils.addStringToArray(null, taint())); // $hasTaintFlow
+
+    sink(StringUtils.addStringToArray(taintArray(), "")); // $hasTaintFlow
+
+    sink(StringUtils.applyRelativePath("/", taint())); // $hasTaintFlow
+    sink(StringUtils.applyRelativePath(taint(), "../../test")); // $hasTaintFlow
+
+    sink(StringUtils.arrayToCommaDelimitedString(taintArray())); // $hasTaintFlow
+
+    sink(StringUtils.arrayToDelimitedString(taintArray(), ":")); // $hasTaintFlow
+    sink(StringUtils.arrayToDelimitedString(null, taint())); // $hasTaintFlow
+
+    sink(StringUtils.capitalize(taint())); // $hasTaintFlow
+
+    sink(StringUtils.cleanPath(taint())); // $hasTaintFlow
+
+    sink(StringUtils.collectionToCommaDelimitedString(taintedCollection()));  // $hasTaintFlow
+
+    sink(StringUtils.collectionToDelimitedString(taintedCollection(), ":")); // $hasTaintFlow
+    sink(StringUtils.collectionToDelimitedString(null, taint())); // $hasTaintFlow
+
+    sink(StringUtils.collectionToDelimitedString(taintedCollection(), ":", "", "")); // $hasTaintFlow
+    sink(StringUtils.collectionToDelimitedString(null, taint(), "", "")); // $hasTaintFlow
+    sink(StringUtils.collectionToDelimitedString(null, ":", taint(), "")); // $hasTaintFlow
+    sink(StringUtils.collectionToDelimitedString(null, ":", "", taint())); // $hasTaintFlow
+
+    sink(StringUtils.commaDelimitedListToSet(taint())); // $hasTaintFlow
+
+    sink(StringUtils.commaDelimitedListToStringArray(taint())); // $hasTaintFlow
+
+    sink(StringUtils.concatenateStringArrays(taintArray(), null)); // $hasTaintFlow
+    sink(StringUtils.concatenateStringArrays(null, taintArray())); // $hasTaintFlow
+
+    sink(StringUtils.delete(taint(), "")); // $hasTaintFlow
+
+    sink(StringUtils.deleteAny(taint(), "")); // $hasTaintFlow
+
+    sink(StringUtils.delimitedListToStringArray(taint(), ":")); // $hasTaintFlow
+    sink(StringUtils.delimitedListToStringArray(taint(), ":", ".")); // $hasTaintFlow
+
+    sink(StringUtils.getFilename(taint())); // $hasTaintFlow
+
+    sink(StringUtils.getFilenameExtension(taint())); // $hasTaintFlow
+
+    sink(StringUtils.mergeStringArrays(taintArray(), null)); // $hasTaintFlow
+    sink(StringUtils.mergeStringArrays(null, taintArray())); // $hasTaintFlow
+
+    sink(StringUtils.parseLocale(taint()));
+
+    sink(StringUtils.parseLocaleString(taint()));
+
+    sink(StringUtils.parseTimeZoneString(taint()));
+
+    sink(StringUtils.quote(taint())); // $hasTaintFlow
+
+    sink(StringUtils.quoteIfString(taint())); // $hasTaintFlow
+
+    sink(StringUtils.removeDuplicateStrings(taintArray())); // $hasTaintFlow
+
+    sink(StringUtils.replace(taint(), "", "")); // $hasTaintFlow
+    sink(StringUtils.replace("", "", taint())); // $hasTaintFlow
+
+    sink(StringUtils.sortStringArray(taintArray())); // $hasTaintFlow
+
+    sink(StringUtils.split(taint(), "")); // $hasTaintFlow
+
+    sink(StringUtils.splitArrayElementsIntoProperties(taintArray(), "")); // $hasTaintFlow
+    sink(StringUtils.splitArrayElementsIntoProperties(taintArray(), "", "")); // $hasTaintFlow
+
+    sink(StringUtils.stripFilenameExtension(taint())); // $hasTaintFlow
+
+    sink(StringUtils.tokenizeToStringArray(taint(), "")); // $hasTaintFlow
+    sink(StringUtils.tokenizeToStringArray(taint(), "", true, true)); // $hasTaintFlow
+
+    sink(StringUtils.toLanguageTag(taintLocale()));
+
+    sink(StringUtils.toStringArray(taintedCollection())); // $hasTaintFlow
+
+    sink(StringUtils.toStringArray(taintedEnumeration())); // $hasTaintFlow
+
+    sink(StringUtils.trimAllWhitespace(taint())); // $hasTaintFlow
+
+    sink(StringUtils.trimArrayElements(taintArray())); // $hasTaintFlow
+
+    sink(StringUtils.trimLeadingCharacter(taint(), 'a')); // $hasTaintFlow
+
+    sink(StringUtils.trimLeadingWhitespace(taint())); // $hasTaintFlow
+
+    sink(StringUtils.trimTrailingCharacter(taint(), 'a')); // $hasTaintFlow
+
+    sink(StringUtils.trimTrailingWhitespace(taint())); // $hasTaintFlow
+
+    sink(StringUtils.trimWhitespace(taint())); // $hasTaintFlow
+
+    sink(StringUtils.uncapitalize(taint())); // $hasTaintFlow
+
+    sink(StringUtils.unqualify(taint())); // $hasTaintFlow
+
+    sink(StringUtils.unqualify(taint(), '.')); // $hasTaintFlow
+
+    sink(StringUtils.uriDecode(taint(), java.nio.charset.StandardCharsets.UTF_8)); // $hasTaintFlow
+  }
+}
diff --git a/java/ql/test/library-tests/frameworks/spring/flow.expected b/java/ql/test/library-tests/frameworks/spring/flow.expected
diff --git a/java/ql/test/library-tests/frameworks/spring/flow.ql b/java/ql/test/library-tests/frameworks/spring/flow.ql
@@ -0,0 +1,53 @@
+import java
+import semmle.code.java.frameworks.spring.Spring
+import semmle.code.java.dataflow.TaintTracking
+import TestUtilities.InlineExpectationsTest
+
+class TaintFlowConf extends TaintTracking::Configuration {
+  TaintFlowConf() { this = "qltest:frameworks:spring-taint-flow" }
+
+  override predicate isSource(DataFlow::Node n) {
+    exists(string name | name.matches("taint%") |
+      n.asExpr().(MethodAccess).getMethod().hasName(name)
+    )
+  }
+
+  override predicate isSink(DataFlow::Node n) {
+    exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
+  }
+}
+
+class ValueFlowConf extends DataFlow::Configuration {
+  ValueFlowConf() { this = "qltest:frameworks:spring-value-flow" }
+
+  override predicate isSource(DataFlow::Node n) {
+    n.asExpr().(MethodAccess).getMethod().hasName("taint")
+  }
+
+  override predicate isSink(DataFlow::Node n) {
+    exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
+  }
+}
+
+class HasFlowTest extends InlineExpectationsTest {
+  HasFlowTest() { this = "HasFlowTest" }
+
+  override string getARelevantTag() { result = ["hasTaintFlow", "hasValueFlow"] }
+
+  override predicate hasActualResult(Location ___location, string element, string tag, string value) {
+    tag = "hasTaintFlow" and
+    exists(DataFlow::Node src, DataFlow::Node sink, TaintFlowConf conf | conf.hasFlow(src, sink) |
+      not any(ValueFlowConf vconf).hasFlow(src, sink) and
+      sink.getLocation() = ___location and
+      element = sink.toString() and
+      value = ""
+    )
+    or
+    tag = "hasValueFlow" and
+    exists(DataFlow::Node src, DataFlow::Node sink, ValueFlowConf conf | conf.hasFlow(src, sink) |
+      sink.getLocation() = ___location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}
diff --git a/java/ql/test/library-tests/frameworks/spring/options b/java/ql/test/library-tests/frameworks/spring/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/springframework-5.2.3

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/springframework-5.2.3`