Java: Implement code review changes

joefarebrother · joefarebrother · commit a510f5886528 · 2020-10-12T15:50:46.000+01:00
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -265,7 +265,7 @@ private int argToParam(MethodAccess ma, int arg) {
   exists(ma.getArgument(arg)) and
   exists(Method m | m = ma.getMethod() |
     if m.isVarargs() and arg >= m.getNumberOfParameters()
-    then result = m.getNumberOfParameters() - 2
+    then result = m.getNumberOfParameters() - 1
     else result = arg
   )
 }
diff --git a/java/ql/src/semmle/code/java/frameworks/android/SQLite.qll b/java/ql/src/semmle/code/java/frameworks/android/SQLite.qll
@@ -229,30 +229,31 @@ private class ContentProviderUpdateMethod extends SQLiteRunner {
 }
 
 private class QueryBuilderBuildMethod extends TaintPreservingMethod {
+  int argument;
+
   QueryBuilderBuildMethod() {
-    this.getDeclaringType().getASourceSupertype*() instanceof TypeSQLiteQueryBuilder and
+    this.getDeclaringType().getASourceSupertype*() instanceof Class and
     // buildQuery(String[] projectionIn, String selection, String groupBy, String having, String sortOrder, String limit)
     // buildQuery(String[] projectionIn, String selection, String[] selectionArgs, String groupBy, String having, String sortOrder, String limit)
     // buildUnionQuery(String[] subQueries, String sortOrder, String limit)
     // buildUnionSubQuery(String typeDiscriminatorColumn, String[] unionColumns, Set<String> columnsPresentInTable, int computedColumnsOffset, String typeDiscriminatorValue, String selection, String[] selectionArgs, String groupBy, String having)
     // buildUnionSubQuery(String typeDiscriminatorColumn, String[] unionColumns, Set<String> columnsPresentInTable, int computedColumnsOffset, String typeDiscriminatorValue, String selection, String groupBy, String having)
     // static buildQueryString(boolean distinct, String tables, String[] columns, String where, String groupBy, String having, String orderBy, String limit)
-    this.hasName(["buildQuery", "buildUnionQuery", "buildUnionSubQuery", "buildQueryString"])
-  }
-
-  override predicate returnsTaint(int arg) {
-    arg = -1
+    this.hasName(["buildQuery", "buildUnionQuery", "buildUnionSubQuery"]) and
+    argument = -1
     or
     hasName(["buildQuery", "buildUnionQuery"]) and
-    arg = [0 .. getNumberOfParameters()]
+    argument = [0 .. getNumberOfParameters()]
     or
     hasName("buildQueryString") and
-    arg = [1 .. getNumberOfParameters()]
+    argument = [1 .. getNumberOfParameters()]
     or
     hasName("buildUnionSubQuery") and
-    arg = [0 .. getNumberOfParameters()] and
-    arg != 3
+    argument = [0 .. getNumberOfParameters()] and
+    argument != 3
   }
+
+  override predicate returnsTaint(int arg) { argument = arg }
 }
 
 private class QueryBuilderAppendMethod extends TaintTransferringMethod {

Original file line number	Diff line number	Diff line change
`@@ -265,7 +265,7 @@ private int argToParam(MethodAccess ma, int arg) {`
`265`	`265`	`exists(ma.getArgument(arg)) and`
`266`	`266`	`exists(Method m \| m = ma.getMethod() \|`
`267`	`267`	`if m.isVarargs() and arg >= m.getNumberOfParameters()`
`268`		`- then result = m.getNumberOfParameters() - 2`
	`268`	`+ then result = m.getNumberOfParameters() - 1`
`269`	`269`	`else result = arg`
`270`	`270`	`)`
`271`	`271`	`}`