Merge pull request #5126 from smowton/smowton/feature/commons-stringutils

Java: Add support for Apache Commons Lang StringUtils

Author: aschackmull

config/identical-files.json

@@ -356,6 +356,7 @@
   ],
   "Inline Test Expectations": [
     "cpp/ql/test/TestUtilities/InlineExpectationsTest.qll",
+    "java/ql/test/TestUtilities/InlineExpectationsTest.qll",
     "python/ql/test/TestUtilities/InlineExpectationsTest.qll"
   ],
   "C++ ExternalAPIs": [

java/change-notes/2021-02-09-commons-string-utils.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added support for the Apache Commons Lang StringUtils library.

java/ql/src/semmle/code/java/frameworks/apache/Lang.qll

@@ -63,3 +63,58 @@ private class ApacheLangArrayUtilsTaintPreservingMethod extends TaintPreservingC
     src = [0, 2]
   }
 }
+
+private Type getAnExcludedParameterType() {
+  result instanceof PrimitiveType or
+  result.(RefType).hasQualifiedName("java.nio.charset", "Charset") or
+  result.(RefType).hasQualifiedName("java.util", "Locale")
+}
+
+private class ApacheStringUtilsTaintPreservingMethod extends TaintPreservingCallable {
+  ApacheStringUtilsTaintPreservingMethod() {
+    this.getDeclaringType().hasQualifiedName("org.apache.commons.lang3", "StringUtils") and
+    this.hasName([
+        "abbreviate", "abbreviateMiddle", "appendIfMissing", "appendIfMissingIgnoreCase",
+        "capitalize", "center", "chomp", "chop", "defaultIfBlank", "defaultIfEmpty",
+        "defaultString", "deleteWhitespace", "difference", "firstNonBlank", "firstNonEmpty",
+        "getBytes", "getCommonPrefix", "getDigits", "getIfBlank", "getIfEmpty", "join", "joinWith",
+        "left", "leftPad", "lowerCase", "mid", "normalizeSpace", "overlay", "prependIfMissing",
+        "prependIfMissingIgnoreCase", "remove", "removeAll", "removeEnd", "removeEndIgnoreCase",
+        "removeFirst", "removeIgnoreCase", "removePattern", "removeStart", "removeStartIgnoreCase",
+        "repeat", "replace", "replaceAll", "replaceChars", "replaceEach", "replaceEachRepeatedly",
+        "replaceFirst", "replaceIgnoreCase", "replaceOnce", "replaceOnceIgnoreCase",
+        "replacePattern", "reverse", "reverseDelimited", "right", "rightPad", "rotate", "split",
+        "splitByCharacterType", "splitByCharacterTypeCamelCase", "splitByWholeSeparator",
+        "splitByWholeSeparatorPreserveAllTokens", "splitPreserveAllTokens", "strip", "stripAccents",
+        "stripAll", "stripEnd", "stripStart", "stripToEmpty", "stripToNull", "substring",
+        "substringAfter", "substringAfterLast", "substringBefore", "substringBeforeLast",
+        "substringBetween", "substringsBetween", "swapCase", "toCodePoints", "toEncodedString",
+        "toRootLowerCase", "toRootUpperCase", "toString", "trim", "trimToEmpty", "trimToNull",
+        "truncate", "uncapitalize", "unwrap", "upperCase", "valueOf", "wrap", "wrapIfMissing"
+      ])
+  }
+
+  private predicate isExcludedParameter(int arg) {
+    this.getName().matches(["appendIfMissing%", "prependIfMissing%"]) and arg = [2, 3]
+    or
+    this.getName().matches(["remove%", "split%", "substring%", "strip%"]) and
+    arg = [1 .. getNumberOfParameters() - 1]
+    or
+    this.getName().matches(["chomp", "getBytes", "replace%", "toString", "unwrap"]) and arg = 1
+    or
+    this.getName() = "join" and
+    // Exclude joins of types that render numerically (char[] and non-primitive arrays
+    // are still considered taint sources)
+    exists(PrimitiveType pt |
+      this.getParameterType(arg).(Array).getComponentType() = pt and
+      not pt instanceof CharacterType
+    ) and
+    arg = 0
+  }
+
+  override predicate returnsTaintFrom(int arg) {
+    arg = [0 .. getNumberOfParameters() - 1] and
+    not this.getParameterType(arg) = getAnExcludedParameterType() and
+    not isExcludedParameter(arg)
+  }
+}