-
Notifications
You must be signed in to change notification settings - Fork 1.9k
Expand file tree
/
Copy pathFlowTestCase.qll
More file actions
336 lines (313 loc) · 11.5 KB
/
FlowTestCase.qll
File metadata and controls
336 lines (313 loc) · 11.5 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
/**
* Classes pertaining to test cases themselves.
*/
import java
private import semmle.code.java.dataflow.internal.DataFlowUtil
private import semmle.code.java.dataflow.ExternalFlow
private import semmle.code.java.dataflow.FlowSummary
private import semmle.code.java.dataflow.internal.FlowSummaryImpl
private import FlowTestCaseUtils
private import FlowTestCaseSupportMethods
/**
* A CSV row to generate tests for. Users should extend this to define which
* tests to generate. There should already exist summaries for the rows specified here.
*/
class TargetSummaryModelCsv extends Unit {
/**
* Holds if a test should be generated for `row`.
*/
abstract predicate row(string r);
}
/** Holds if a summary model `row` exists for the given parameters. */
bindingset[row]
predicate summaryModelRow(
string package, string type, boolean subtypes, string name, string signature, string ext,
string input, string output, string kind, string provenance, string row
) {
summaryModel(package, type, subtypes, name, signature, ext, input, output, kind, provenance, _) and
row =
package + ";" //
+ type + ";" //
+ subtypes.toString() + ";" //
+ name + ";" //
+ signature + ";" //
+ ext + ";" //
+ input + ";" //
+ output + ";" //
+ kind + ";" //
+ provenance
}
/**
* Gets a CSV row for which a test has been requested, but where a summary has not already been defined.
*/
query string missingSummaryModel() {
any(TargetSummaryModelCsv target).row(result) and
not summaryModelRow(_, _, _, _, _, _, _, _, _, _, result)
}
/**
* Returns type of parameter `i` of `callable`, including the type of `this` for parameter -1.
*/
Type getParameterType(CallableToTest callable, int i) {
if i = -1 then result = callable.getDeclaringType() else result = callable.getParameterType(i)
}
private class CallableToTest extends Callable {
CallableToTest() {
exists(
string namespace, string type, boolean subtypes, string name, string signature, string ext
|
summaryModel(namespace, type, subtypes, name, signature, ext, _, _, _, _, _) and
this = interpretElement(namespace, type, subtypes, name, signature, ext) and
this.isPublic() and
getRootType(this.getDeclaringType()).(RefType).isPublic()
)
}
}
/**
* A test snippet (a fragment of Java code that checks that `row` causes `callable` to propagate value/taint (according to `preservesValue`)
* from `input` to `output`). Usually there is one of these per CSV row (`row`), but there may be more if `row` describes more than one
* override or overload of a particular method, or if the input or output specifications cover more than one argument.
*/
private newtype TTestCase =
MkTestCase(
CallableToTest callable, SummaryComponentStack input, SummaryComponentStack output, string kind,
string row
) {
exists(
string namespace, string type, boolean subtypes, string name, string signature, string ext,
string inputSpec, string outputSpec
|
any(TargetSummaryModelCsv tsmc).row(row) and
summaryModelRow(namespace, type, subtypes, name, signature, ext, inputSpec, outputSpec, kind,
_, row) and
callable = interpretElement(namespace, type, subtypes, name, signature, ext) and
Private::External::interpretSpec(inputSpec, input) and
Private::External::interpretSpec(outputSpec, output)
)
}
/**
* A test snippet (as `TTestCase`, except `baseInput` and `baseOutput` hold the bottom of the summary stacks
* `input` and `output` respectively (hence, `baseInput` and `baseOutput` are parameters or return values).
*/
class TestCase extends TTestCase {
CallableToTest callable;
SummaryComponentStack input;
SummaryComponentStack output;
SummaryComponentStack baseInput;
SummaryComponentStack baseOutput;
string kind;
string row;
TestCase() {
this = MkTestCase(callable, input, output, kind, row) and
baseInput = input.drop(input.length() - 1) and
baseOutput = output.drop(output.length() - 1)
}
/**
* Returns a representation of this test case's parameters suitable for debugging.
*/
string toString() {
result =
row + " / " + callable + " / " + input + " / " + output + " / " + baseInput + " / " +
baseOutput + " / " + kind
}
/**
* Returns a value to pass as `callable`'s `argIdx`th argument whose value is irrelevant to the test
* being generated. This will be a zero or a null value, perhaps typecast if we need to disambiguate overloads.
*/
string getFiller(int argIdx) {
exists(Type t | t = callable.getParameterType(argIdx) |
t instanceof RefType and
(
if mayBeAmbiguous(callable)
then result = "(" + getShortNameIfPossible(t) + ")null"
else result = "null"
)
or
result = getZero(t)
)
}
/**
* Returns the value to pass for `callable`'s `i`th argument, which may be `in` if this is the input argument for
* this test, `out` if it is the output, `instance` if this is an instance method and the instance is neither the
* input nor the output, or a zero/null filler value otherwise.
*/
string getArgument(int i) {
(i = -1 or exists(callable.getParameter(i))) and
if baseInput = SummaryComponentStack::argument(i)
then result = "in"
else
if baseOutput = SummaryComponentStack::argument(i)
then result = "out"
else
if i = -1
then result = "instance"
else result = this.getFiller(i)
}
/**
* Returns a statement invoking `callable`, passing `input` and capturing `output` as needed.
*/
string makeCall() {
// For example, one of:
// out = in.method(filler);
// or
// out = filler.method(filler, in, filler);
// or
// out = Type.method(filler, in, filler);
// or
// filler.method(filler, in, out, filler);
// or
// Type.method(filler, in, out, filler);
// or
// out = new Type(filler, in, filler);
// or
// new Type(filler, in, out, filler);
// or
// in.method(filler, out, filler);
// or
// out.method(filler, in, filler);
exists(string storePrefix, string invokePrefix, string args |
(
if
baseOutput = SummaryComponentStack::return()
or
callable instanceof Constructor and baseOutput = SummaryComponentStack::argument(-1)
then storePrefix = "out = "
else storePrefix = ""
) and
(
if callable instanceof Constructor
then invokePrefix = "new "
else
if callable.(Method).isStatic()
then invokePrefix = getShortNameIfPossible(callable.getDeclaringType()) + "."
else invokePrefix = this.getArgument(-1) + "."
) and
args = concat(int i | i >= 0 | this.getArgument(i), ", " order by i) and
result = storePrefix + invokePrefix + callable.getName() + "(" + args + ")"
)
}
/**
* Returns an inline test expectation appropriate to this CSV row.
*/
string getExpectation() {
kind = "value" and result = "// $ hasValueFlow"
or
kind = "taint" and result = "// $ hasTaintFlow"
}
/**
* Returns a declaration and initialisation of a variable named `instance` if required; otherwise returns an empty string.
*/
string getInstancePrefix() {
if
callable instanceof Method and
not callable.(Method).isStatic() and
baseOutput != SummaryComponentStack::argument(-1) and
baseInput != SummaryComponentStack::argument(-1)
then
// In this case `out` is the instance.
result = getShortNameIfPossible(callable.getDeclaringType()) + " instance = null;\n\t\t\t"
else result = ""
}
/**
* Returns the type of the output for this test.
*/
Type getOutputType() {
if baseOutput = SummaryComponentStack::return()
then result = callable.getReturnType()
else
exists(int i |
baseOutput = SummaryComponentStack::argument(i) and
result = getParameterType(callable, i)
)
}
/**
* Returns the type of the input for this test.
*/
Type getInputType() {
exists(int i |
baseInput = SummaryComponentStack::argument(i) and
result = getParameterType(callable, i)
)
}
/**
* Returns the Java name for the type of the input to this test.
*/
string getInputTypeString() { result = getShortNameIfPossible(this.getInputType()) }
/**
* Returns a call to `source()` wrapped in `newWith` methods as needed according to `input`.
* For example, if the `stack` is `Argument[0].MapValue.ArrayElement`, this
* will return `newWithMapValue(newWithArrayElement(source()))`.
*/
string getInput(SummaryComponentStack stack) {
stack = input and result = "source()"
or
exists(SummaryComponentStack s | s.tail() = stack |
// we currently only know the type if the stack is one level in
if stack = baseInput
then result = SupportMethod::genMethodFor(this.getInputType(), s).getCall(this.getInput(s))
else result = SupportMethod::genMethodForContent(s).getCall(this.getInput(s))
)
}
/**
* Returns `out` wrapped in `get` methods as needed according to `output`.
* For example, if the `componentStack` is `Argument[0].MapValue.ArrayElement`, this
* will return `getArrayElement(getMapValue(out))`.
*/
string getOutput(SummaryComponentStack componentStack) {
componentStack = output.drop(_) and
(
if componentStack = baseOutput
then result = "out"
else
if componentStack.tail() = baseOutput
then
result =
SupportMethod::getMethodFor(this.getOutputType(), componentStack)
.getCall(this.getOutput(componentStack.tail()))
else
result =
SupportMethod::getMethodForContent(componentStack)
.getCall(this.getOutput(componentStack.tail()))
)
}
/**
* Returns the definition of a `newWith` method needed to set up the input or a `get` method needed to set up the output for this test.
*/
SupportMethod getASupportMethod() {
exists(SummaryComponentStack s | s = input.drop(_) and s.tail() != baseInput |
result = SupportMethod::genMethodForContent(s)
)
or
exists(SummaryComponentStack s | s = input.drop(_) and s.tail() = baseInput |
result = SupportMethod::genMethodFor(this.getInputType(), s)
)
or
result = SupportMethod::getMethodFor(this.getOutputType(), output)
or
result = SupportMethod::getMethodForContent(output.tail().drop(_))
}
/**
* Gets an outer class name that this test would ideally import (and will, unless it clashes with another
* type of the same name).
*/
Type getADesiredImport() {
result =
getRootSourceDeclaration([
this.getOutputType(), this.getInputType(), callable.getDeclaringType()
])
or
// Will refer to parameter types in disambiguating casts, like `(String)null`
mayBeAmbiguous(callable) and result = getRootSourceDeclaration(callable.getAParamType())
}
/**
* Gets a test snippet (test body fragment) testing this `callable` propagates value or taint from
* `input` to `output`, as specified by `row_` (which necessarily equals `row`).
*/
string getATestSnippetForRow(string row_) {
row_ = row and
result =
"\t\t{\n\t\t\t// \"" + row + "\"\n\t\t\t" + getShortNameIfPossible(this.getOutputType()) +
" out = null;\n\t\t\t" + this.getInputTypeString() + " in = (" + this.getInputTypeString() +
")" + this.getInput(baseInput) + ";\n\t\t\t" + this.getInstancePrefix() + this.makeCall() +
";\n\t\t\t" + "sink(" + this.getOutput(output) + "); " + this.getExpectation() + "\n\t\t}\n"
}
}