Java: Merge TaintPreservingMethod with TaintTransferringMethod

joefarebrother · joefarebrother · commit 5d487b97da8a · 2020-10-12T15:50:46.000+01:00
diff --git a/java/ql/src/semmle/code/java/dataflow/FlowSteps.qll b/java/ql/src/semmle/code/java/dataflow/FlowSteps.qll
@@ -32,31 +32,23 @@ class AdditionalTaintStep extends Unit {
 }
 
 /**
- * A method that returns tainted data when one of its inputs (an argument or the qualifier) is tainted.
+ * A method that preserves taint.
  *
- * Extend this class to add additional taint steps through a method that should
- * apply to all taint configurations.
+ * Extend this class and override at least one of `returnsTaint` or `transfersTaint`
+ * to add additional taint steps through a method that should apply to all taint configurations.
  */
 abstract class TaintPreservingMethod extends Method {
   /**
    * Holds if this method returns tainted data when `arg` tainted.
    * `arg` is a parameter index, or is -1 to indicate the qualifier.
    */
-  abstract predicate returnsTaint(int arg);
-}
+  predicate returnsTaint(int arg) { none() }
 
-/**
- * A method that transfers taint from one of its inputs (an argument or the qualifier) to another.
- *
- * Extend this class to add additional taint steps through a method that should
- * apply to all taint configurations.
- */
-abstract class TaintTransferringMethod extends Method {
   /**
    * Holds if this method writes tainted data to `sink` when `src` is tainted.
    * `src` and `sink` are parameter indices, or -1 to indicate the qualifier.
    */
-  abstract predicate transfersTaint(int src, int sink);
+  predicate transfersTaint(int src, int sink) { none() }
 }
 
 private class StringTaintPreservingMethod extends TaintPreservingMethod {
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -296,7 +296,7 @@ private predicate taintPreservingQualifierToArgument(Method m, int arg) {
   m.hasName("read") and
   arg = 0
   or
-  m.(TaintTransferringMethod).transfersTaint(-1, arg)
+  m.(TaintPreservingMethod).transfersTaint(-1, arg)
 }
 
 /** Access to a method that passes taint from the qualifier. */
@@ -571,7 +571,7 @@ private predicate taintPreservingArgToArg(Method method, int input, int output)
   input = 0 and
   output = 2
   or
-  method.(TaintTransferringMethod).transfersTaint(input, output)
+  method.(TaintPreservingMethod).transfersTaint(input, output)
 }
 
 /**
@@ -610,7 +610,7 @@ private predicate taintPreservingArgumentToQualifier(Method method, int arg) {
     append.getDeclaringType().hasQualifiedName("java.io", "StringWriter")
   )
   or
-  method.(TaintTransferringMethod).transfersTaint(arg, -1)
+  method.(TaintPreservingMethod).transfersTaint(arg, -1)
 }
 
 /** A comparison or equality test with a constant. */
@@ -734,7 +734,7 @@ private class TypeFormatter extends Class {
   TypeFormatter() { this.hasQualifiedName("java.util", "Formatter") }
 }
 
-private class FormatterMethod extends TaintPreservingMethod, TaintTransferringMethod {
+private class FormatterMethod extends TaintPreservingMethod {
   FormatterMethod() {
     getDeclaringType() instanceof TypeFormatter and
     hasName(["format", "out", "toString"])
diff --git a/java/ql/src/semmle/code/java/frameworks/android/SQLite.qll b/java/ql/src/semmle/code/java/frameworks/android/SQLite.qll
@@ -256,7 +256,7 @@ private class QueryBuilderBuildMethod extends TaintPreservingMethod {
   override predicate returnsTaint(int arg) { argument = arg }
 }
 
-private class QueryBuilderAppendMethod extends TaintTransferringMethod {
+private class QueryBuilderAppendMethod extends TaintPreservingMethod {
   QueryBuilderAppendMethod() {
     this.getDeclaringType().getASourceSupertype*() instanceof TypeSQLiteQueryBuilder and
     // setProjectionMap(Map<String, String> columnMap)
diff --git a/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll b/java/ql/src/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
@@ -28,7 +28,7 @@ abstract class JacksonSerializableType extends Type { }
  * A method used for serializing objects using Jackson. The final parameter is the object to be
  * serialized.
  */
-library class JacksonWriteValueMethod extends TaintPreservingMethod, TaintTransferringMethod {
+library class JacksonWriteValueMethod extends TaintPreservingMethod {
   JacksonWriteValueMethod() {
     (
       getDeclaringType().hasQualifiedName("com.fasterxml.jackson.databind", "ObjectWriter") or

Original file line number	Diff line number	Diff line change
`@@ -296,7 +296,7 @@ private predicate taintPreservingQualifierToArgument(Method m, int arg) {`
`296`	`296`	`m.hasName("read") and`
`297`	`297`	`arg = 0`
`298`	`298`	`or`
`299`		`- m.(TaintTransferringMethod).transfersTaint(-1, arg)`
	`299`	`+ m.(TaintPreservingMethod).transfersTaint(-1, arg)`
`300`	`300`	`}`
`301`	`301`
`302`	`302`	`/** Access to a method that passes taint from the qualifier. */`
`@@ -571,7 +571,7 @@ private predicate taintPreservingArgToArg(Method method, int input, int output)`
`571`	`571`	`input = 0 and`
`572`	`572`	`output = 2`
`573`	`573`	`or`
`574`		`- method.(TaintTransferringMethod).transfersTaint(input, output)`
	`574`	`+ method.(TaintPreservingMethod).transfersTaint(input, output)`
`575`	`575`	`}`
`576`	`576`
`577`	`577`	`/**`
`@@ -610,7 +610,7 @@ private predicate taintPreservingArgumentToQualifier(Method method, int arg) {`
`610`	`610`	`append.getDeclaringType().hasQualifiedName("java.io", "StringWriter")`
`611`	`611`	`)`
`612`	`612`	`or`
`613`		`- method.(TaintTransferringMethod).transfersTaint(arg, -1)`
	`613`	`+ method.(TaintPreservingMethod).transfersTaint(arg, -1)`
`614`	`614`	`}`
`615`	`615`
`616`	`616`	`/** A comparison or equality test with a constant. */`
`@@ -734,7 +734,7 @@ private class TypeFormatter extends Class {`
`734`	`734`	`TypeFormatter() { this.hasQualifiedName("java.util", "Formatter") }`
`735`	`735`	`}`
`736`	`736`
`737`		`-private class FormatterMethod extends TaintPreservingMethod, TaintTransferringMethod {`
	`737`	`+private class FormatterMethod extends TaintPreservingMethod {`
`738`	`738`	`FormatterMethod() {`
`739`	`739`	`getDeclaringType() instanceof TypeFormatter and`
`740`	`740`	`hasName(["format", "out", "toString"])`
Original file line number	Diff line number	Diff line change
`@@ -256,7 +256,7 @@ private class QueryBuilderBuildMethod extends TaintPreservingMethod {`
`256`	`256`	`override predicate returnsTaint(int arg) { argument = arg }`
`257`	`257`	`}`
`258`	`258`
`259`		`-private class QueryBuilderAppendMethod extends TaintTransferringMethod {`
	`259`	`+private class QueryBuilderAppendMethod extends TaintPreservingMethod {`
`260`	`260`	`QueryBuilderAppendMethod() {`
`261`	`261`	`this.getDeclaringType().getASourceSupertype*() instanceof TypeSQLiteQueryBuilder and`
`262`	`262`	`// setProjectionMap(Map<String, String> columnMap)`
Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ abstract class JacksonSerializableType extends Type { }`
`28`	`28`	`* A method used for serializing objects using Jackson. The final parameter is the object to be`
`29`	`29`	`* serialized.`
`30`	`30`	`*/`
`31`		`-library class JacksonWriteValueMethod extends TaintPreservingMethod, TaintTransferringMethod {`
	`31`	`+library class JacksonWriteValueMethod extends TaintPreservingMethod {`
`32`	`32`	`JacksonWriteValueMethod() {`
`33`	`33`	`(`
`34`	`34`	`getDeclaringType().hasQualifiedName("com.fasterxml.jackson.databind", "ObjectWriter") or`