Merge pull request github#4600 from porcupineyhairs/urirefactor

aschackmull · web-flow · commit cb77e460ae71 · 2020-11-06T09:35:09.000+01:00
Java : Refactor all instances of `java.net.URI` into TypeUri
diff --git a/java/ql/src/experimental/Security/CWE/CWE-522/InsecureBasicAuth.ql b/java/ql/src/experimental/Security/CWE/CWE-522/InsecureBasicAuth.ql
@@ -61,7 +61,7 @@ class URLConstructor extends ClassInstanceExpr {
  * Class of Java URI constructor.
  */
 class URIConstructor extends ClassInstanceExpr {
-  URIConstructor() { this.getConstructor().getDeclaringType().hasQualifiedName("java.net", "URI") }
+  URIConstructor() { this.getConstructor().getDeclaringType() instanceof TypeUri }
 
   predicate hasHttpStringArg() {
     (
@@ -185,7 +185,7 @@ predicate createURI(DataFlow::Node node1, DataFlow::Node node2) {
   exists(
     StaticMethodAccess ma // URI.create
   |
-    ma.getMethod().getDeclaringType().hasQualifiedName("java.net", "URI") and
+    ma.getMethod().getDeclaringType() instanceof TypeUri and
     ma.getMethod().hasName("create") and
     node1.asExpr() = ma.getArgument(0) and
     node2.asExpr() = ma
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -9,6 +9,7 @@ private import semmle.code.java.Maps
 private import semmle.code.java.dataflow.internal.ContainerFlow
 private import semmle.code.java.frameworks.spring.SpringController
 private import semmle.code.java.frameworks.spring.SpringHttp
+private import semmle.code.java.frameworks.Networking
 import semmle.code.java.dataflow.FlowSteps
 
 /**
@@ -341,7 +342,7 @@ private predicate taintPreservingQualifierToMethod(Method m) {
   m.getDeclaringType() instanceof TypeFile and
   m.hasName("toURI")
   or
-  m.getDeclaringType().hasQualifiedName("java.net", "URI") and
+  m.getDeclaringType() instanceof TypeUri and
   m.hasName("toURL")
   or
   m instanceof GetterMethod and m.getDeclaringType() instanceof SpringUntrustedDataType
@@ -469,7 +470,7 @@ private predicate taintPreservingArgumentToMethod(Method method, int arg) {
   arg = 0
   or
   // A URI created from a tainted string is still tainted.
-  method.getDeclaringType().hasQualifiedName("java.net", "URI") and
+  method.getDeclaringType() instanceof TypeUri and
   method.hasName("create") and
   arg = 0
   or
diff --git a/java/ql/src/semmle/code/java/frameworks/Networking.qll b/java/ql/src/semmle/code/java/frameworks/Networking.qll
@@ -19,6 +19,11 @@ class TypeUrl extends RefType {
   TypeUrl() { hasQualifiedName("java.net", "URL") }
 }
 
+/** The type `java.net.URI`. */
+class TypeUri extends RefType {
+  TypeUri() { hasQualifiedName("java.net", "URI") }
+}
+
 /** The method `java.net.URLConnection::getInputStream`. */
 class URLConnectionGetInputStreamMethod extends Method {
   URLConnectionGetInputStreamMethod() {
