Merge pull request #8032 from JLLeitschuh/feat/JLL/check_os

Java: Add Guard Classes for checking OS & unify System Property Access
github · Mar 18, 2022 · 7674535 · 7674535
2 parents 929419a + b11340c
commit 7674535
Show file tree

Hide file tree

Showing 36 changed files with 3,222 additions and 169 deletions.
diff --git a/java/ql/lib/semmle/code/java/JDK.qll b/java/ql/lib/semmle/code/java/JDK.qll
@@ -4,6 +4,7 @@
 
 import Member
 import semmle.code.java.security.ExternalProcess
+private import semmle.code.java.dataflow.FlowSteps
 
 // --- Standard types ---
 /** The class `java.lang.Object`. */
@@ -37,6 +38,27 @@ class StringLengthMethod extends Method {
   StringLengthMethod() { this.hasName("length") and this.getDeclaringType() instanceof TypeString }
 }
 
+/**
+ * The methods on the class `java.lang.String` that are used to perform partial matches with a specified substring or char.
+ */
+class StringPartialMatchMethod extends Method {
+  StringPartialMatchMethod() {
+    this.hasName([
+        "contains", "startsWith", "endsWith", "matches", "indexOf", "lastIndexOf", "regionMatches"
+      ]) and
+    this.getDeclaringType() instanceof TypeString
+  }
+
+  /**
+   * Gets the index of the parameter that is being matched against.
+   */
+  int getMatchParameterIndex() {
+    if this.hasName("regionMatches")
+    then this.getParameterType(result) instanceof TypeString
+    else result = 0
+  }
+}
+
 /** The class `java.lang.StringBuffer`. */
 class TypeStringBuffer extends Class {
   TypeStringBuffer() { this.hasQualifiedName("java.lang", "StringBuffer") }
@@ -228,11 +250,13 @@ class MethodSystemGetenv extends Method {
 /**
  * Any method named `getProperty` on class `java.lang.System`.
  */
-class MethodSystemGetProperty extends Method {
+class MethodSystemGetProperty extends ValuePreservingMethod {
   MethodSystemGetProperty() {
     this.hasName("getProperty") and
     this.getDeclaringType() instanceof TypeSystem
   }
+
+  override predicate returnsValue(int arg) { arg = 1 }
 }
 
 /**
@@ -244,6 +268,9 @@ class MethodAccessSystemGetProperty extends MethodAccess {
   /**
    * Holds if this call has a compile-time constant first argument with the value `propertyName`.
    * For example: `System.getProperty("user.dir")`.
+   *
+   * Note: Better to use `semmle.code.java.environment.SystemProperty#getSystemProperty` instead
+   * as that predicate covers ways of accessing the same information via various libraries.
    */
   predicate hasCompileTimeConstantGetPropertyName(string propertyName) {
     this.getArgument(0).(CompileTimeConstantExpr).getStringValue() = propertyName

diff --git a/java/ql/lib/semmle/code/java/StringFormat.qll b/java/ql/lib/semmle/code/java/StringFormat.qll
@@ -4,6 +4,7 @@
 
 import java
 import dataflow.DefUse
+private import semmle.code.java.environment.SystemProperty
 
 /**
  * A library method that formats a number of its arguments according to a
@@ -312,27 +313,7 @@ private predicate formatStringValue(Expr e, string fmtvalue) {
     or
     formatStringValue(e.(ChooseExpr).getAResultExpr(), fmtvalue)
     or
-    exists(Method getprop, MethodAccess ma, string prop |
-      e = ma and
-      ma.getMethod() = getprop and
-      getprop.hasName("getProperty") and
-      getprop.getDeclaringType().hasQualifiedName("java.lang", "System") and
-      getprop.getNumberOfParameters() = 1 and
-      ma.getAnArgument().(StringLiteral).getValue() = prop and
-      (prop = "line.separator" or prop = "file.separator" or prop = "path.separator") and
-      fmtvalue = "x" // dummy value
-    )
-    or
-    exists(Field f |
-      e = f.getAnAccess() and
-      f.getDeclaringType() instanceof TypeFile and
-      fmtvalue = "x" // dummy value
-    |
-      f.hasName("pathSeparator") or
-      f.hasName("pathSeparatorChar") or
-      f.hasName("separator") or
-      f.hasName("separatorChar")
-    )
+    e = getSystemProperty(["line.separator", "file.separator", "path.separator"]) and fmtvalue = "x" // dummy value
   )
 }
 

diff --git a/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll b/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll
@@ -203,6 +203,7 @@ class EnvReadMethod extends Method {
   EnvReadMethod() {
     this instanceof MethodSystemGetenv or
     this instanceof PropertiesGetPropertyMethod or
+    this instanceof PropertiesGetMethod or
     this instanceof MethodSystemGetProperty
   }
 }

diff --git a/java/ql/lib/semmle/code/java/dataflow/FlowSteps.qll b/java/ql/lib/semmle/code/java/dataflow/FlowSteps.qll
@@ -10,11 +10,13 @@ private import semmle.code.java.dataflow.DataFlow
  * ensuring that they are visible to the taint tracking library.
  */
 private module Frameworks {
+  private import semmle.code.java.JDK
   private import semmle.code.java.frameworks.jackson.JacksonSerializability
   private import semmle.code.java.frameworks.android.AsyncTask
   private import semmle.code.java.frameworks.android.Intent
   private import semmle.code.java.frameworks.android.SQLite
   private import semmle.code.java.frameworks.Guice
+  private import semmle.code.java.frameworks.Properties
   private import semmle.code.java.frameworks.Protobuf
   private import semmle.code.java.frameworks.guava.Guava
   private import semmle.code.java.frameworks.apache.Lang