github
diff --git a/‎java/change-notes/2021-02-09-commons-string-utils.md‎
Lines changed: 2 additions & 0 deletions b/‎java/change-notes/2021-02-09-commons-string-utils.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎java/ql/src/semmle/code/java/frameworks/apache/Lang.qll‎
Lines changed: 55 additions & 0 deletions b/‎java/ql/src/semmle/code/java/frameworks/apache/Lang.qll‎
Lines changed: 55 additions & 0 deletions
diff --git a/‎java/ql/test/library-tests/frameworks/apache-commons-lang3/Test.java‎
Lines changed: 278 additions & 0 deletions b/‎java/ql/test/library-tests/frameworks/apache-commons-lang3/Test.java‎
Lines changed: 278 additions & 0 deletions
diff --git a/‎java/ql/test/library-tests/frameworks/apache-commons-lang3/flow.expected‎ b/‎java/ql/test/library-tests/frameworks/apache-commons-lang3/flow.expected‎
diff --git a/‎java/ql/test/library-tests/frameworks/apache-commons-lang3/flow.ql‎
Lines changed: 30 additions & 0 deletions b/‎java/ql/test/library-tests/frameworks/apache-commons-lang3/flow.ql‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎java/ql/test/library-tests/frameworks/apache-commons-lang3/options‎
Lines changed: 1 addition & 0 deletions b/‎java/ql/test/library-tests/frameworks/apache-commons-lang3/options‎
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1,2 @@
+lgtm,codescanning
+* Added support for the Apache Commons Lang StringUtils library.
@@ -63,3 +63,58 @@ private class ApacheLangArrayUtilsTaintPreservingMethod extends TaintPreservingC
     src = [0, 2]
   }
 }
+
+private Type getAnExcludedParameterType() {
+  result instanceof PrimitiveType or
+  result.(RefType).hasQualifiedName("java.nio.charset", "Charset") or
+  result.(RefType).hasQualifiedName("java.util", "Locale")
+}
+
+private class ApacheStringUtilsTaintPreservingMethod extends TaintPreservingCallable {
+  ApacheStringUtilsTaintPreservingMethod() {
+    this.getDeclaringType().hasQualifiedName("org.apache.commons.lang3", "StringUtils") and
+    this.hasName([
+        "abbreviate", "abbreviateMiddle", "appendIfMissing", "appendIfMissingIgnoreCase",
+        "capitalize", "center", "chomp", "chop", "defaultIfBlank", "defaultIfEmpty",
+        "defaultString", "deleteWhitespace", "difference", "firstNonBlank", "firstNonEmpty",
+        "getBytes", "getCommonPrefix", "getDigits", "getIfBlank", "getIfEmpty", "join", "joinWith",
+        "left", "leftPad", "lowerCase", "mid", "normalizeSpace", "overlay", "prependIfMissing",
+        "prependIfMissingIgnoreCase", "remove", "removeAll", "removeEnd", "removeEndIgnoreCase",
+        "removeFirst", "removeIgnoreCase", "removePattern", "removeStart", "removeStartIgnoreCase",
+        "repeat", "replace", "replaceAll", "replaceChars", "replaceEach", "replaceEachRepeatedly",
+        "replaceFirst", "replaceIgnoreCase", "replaceOnce", "replaceOnceIgnoreCase",
+        "replacePattern", "reverse", "reverseDelimited", "right", "rightPad", "rotate", "split",
+        "splitByCharacterType", "splitByCharacterTypeCamelCase", "splitByWholeSeparator",
+        "splitByWholeSeparatorPreserveAllTokens", "splitPreserveAllTokens", "strip", "stripAccents",
+        "stripAll", "stripEnd", "stripStart", "stripToEmpty", "stripToNull", "substring",
+        "substringAfter", "substringAfterLast", "substringBefore", "substringBeforeLast",
+        "substringBetween", "substringsBetween", "swapCase", "toCodePoints", "toEncodedString",
+        "toRootLowerCase", "toRootUpperCase", "toString", "trim", "trimToEmpty", "trimToNull",
+        "truncate", "uncapitalize", "unwrap", "upperCase", "valueOf", "wrap", "wrapIfMissing"
+      ])
+  }
+
+  private predicate isExcludedParameter(int arg) {
+    this.getName().matches(["appendIfMissing%", "prependIfMissing%"]) and arg = [2, 3]
+    or
+    this.getName().matches(["remove%", "split%", "substring%", "strip%"]) and
+    arg = [1 .. getNumberOfParameters() - 1]
+    or
+    this.getName().matches(["chomp", "getBytes", "replace%", "toString", "unwrap"]) and arg = 1
+    or
+    this.getName() = "join" and
+    // Exclude joins of types that render numerically (char[] and non-primitive arrays
+    // are still considered taint sources)
+    exists(PrimitiveType pt |
+      this.getParameterType(arg).(Array).getComponentType() = pt and
+      not pt instanceof CharacterType
+    ) and
+    arg = 0
+  }
+
+  override predicate returnsTaintFrom(int arg) {
+    arg = [0 .. getNumberOfParameters() - 1] and
+    not this.getParameterType(arg) = getAnExcludedParameterType() and
+    not isExcludedParameter(arg)
+  }
+}
@@ -0,0 +1,30 @@
+import java
+import semmle.code.java.dataflow.TaintTracking
+import TestUtilities.InlineExpectationsTest
+
+class Conf extends TaintTracking::Configuration {
+  Conf() { this = "qltest:frameworks:apache-commons-lang3" }
+
+  override predicate isSource(DataFlow::Node n) {
+    n.asExpr().(MethodAccess).getMethod().hasName("taint")
+  }
+
+  override predicate isSink(DataFlow::Node n) {
+    exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
+  }
+}
+
+class HasFlowTest extends InlineExpectationsTest {
+  HasFlowTest() { this = "HasFlowTest" }
+
+  override string getARelevantTag() { result = "hasTaintFlow" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasTaintFlow" and
+    exists(DataFlow::Node src, DataFlow::Node sink, Conf conf | conf.hasFlow(src, sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = "y"
+    )
+  }
+}
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/apache-commons-lang3-3.7
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+lgtm,codescanning`
	`2`	`+* Added support for the Apache Commons Lang StringUtils library.`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/apache-commons-lang3-3.7`