Merge pull request #6591 from bmuskalla/inlineFlowTest

Java: Simplify setup for flow tests using `InlineExpectationsTest`

Author: aschackmull

java/ql/test/TestUtilities/InlineFlowTest.qll

@@ -0,0 +1,100 @@
+/**
+ * Provides a simple base test for flow-related tests using inline expectations.
+ *
+ * Example for a test.ql:
+ * ```ql
+ * import java
+ * import TestUtilities.InlineFlowTest
+ * ```
+ *
+ * To declare expecations, you can use the $hasTaintFlow or $hasValueFlow comments within the test source files.
+ * Example of the corresponding test file, e.g. Test.java
+ * ```java
+ * public class Test {
+ *
+ * 	Object source() { return null; }
+ * 	String taint() { return null; }
+ * 	void sink(Object o) { }
+ *
+ * 	public void test() {
+ * 		Object s = source();
+ * 		sink(s); //$hasValueFlow
+ * 		String t = "foo" + taint();
+ * 		sink(t); //$hasTaintFlow
+ * 	}
+ *
+ * }
+ * ```
+ *
+ * If you're not interested in a specific flow type, you can disable either value or taint flow expectations as follows:
+ * ```ql
+ * class HasFlowTest extends InlineFlowTest {
+ *   override DataFlow::Configuration getTaintFlowConfig() { none() }
+ *
+ *   override DataFlow::Configuration getValueFlowConfig() { none() }
+ * }
+ * ```
+ *
+ * If you need more fine-grained tuning, consider implementing a test using `InlineExpectationsTest`.
+ */
+
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.dataflow.ExternalFlow
+import semmle.code.java.dataflow.TaintTracking
+import TestUtilities.InlineExpectationsTest
+
+class DefaultValueFlowConf extends DataFlow::Configuration {
+  DefaultValueFlowConf() { this = "qltest:defaultValueFlowConf" }
+
+  override predicate isSource(DataFlow::Node n) {
+    n.asExpr().(MethodAccess).getMethod().getName() = ["source", "taint"]
+  }
+
+  override predicate isSink(DataFlow::Node n) {
+    exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
+  }
+
+  override int fieldFlowBranchLimit() { result = 1000 }
+}
+
+class DefaultTaintFlowConf extends TaintTracking::Configuration {
+  DefaultTaintFlowConf() { this = "qltest:defaultTaintFlowConf" }
+
+  override predicate isSource(DataFlow::Node n) {
+    n.asExpr().(MethodAccess).getMethod().getName() = ["source", "taint"]
+  }
+
+  override predicate isSink(DataFlow::Node n) {
+    exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
+  }
+
+  override int fieldFlowBranchLimit() { result = 1000 }
+}
+
+class InlineFlowTest extends InlineExpectationsTest {
+  InlineFlowTest() { this = "HasFlowTest" }
+
+  override string getARelevantTag() { result = ["hasValueFlow", "hasTaintFlow"] }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "hasValueFlow" and
+    exists(DataFlow::Node src, DataFlow::Node sink | getValueFlowConfig().hasFlow(src, sink) |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+    or
+    tag = "hasTaintFlow" and
+    exists(DataFlow::Node src, DataFlow::Node sink |
+      getTaintFlowConfig().hasFlow(src, sink) and not getValueFlowConfig().hasFlow(src, sink)
+    |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+
+  DataFlow::Configuration getValueFlowConfig() { result = any(DefaultValueFlowConf config) }
+
+  DataFlow::Configuration getTaintFlowConfig() { result = any(DefaultTaintFlowConf config) }
+}

java/ql/test/library-tests/dataflow/collections/containerflow.ql

@@ -1,8 +1,7 @@
 import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.ExternalFlow
-import TestUtilities.InlineExpectationsTest
-import DataFlow
+import TestUtilities.InlineFlowTest
 
 class SummaryModelTest extends SummaryModelCsv {
   override predicate row(string row) {
@@ -15,25 +14,6 @@ class SummaryModelTest extends SummaryModelCsv {
   }
 }
 
-class ContainerFlowConf extends Configuration {
-  ContainerFlowConf() { this = "qltest:ContainerFlowConf" }
-
-  override predicate isSource(Node n) { n.asExpr().(MethodAccess).getMethod().hasName("source") }
-
-  override predicate isSink(Node n) { n.asExpr().(Argument).getCall().getCallee().hasName("sink") }
-}
-
-class HasFlowTest extends InlineExpectationsTest {
-  HasFlowTest() { this = "HasFlowTest" }
-
-  override string getARelevantTag() { result = "hasValueFlow" }
-
-  override predicate hasActualResult(Location location, string element, string tag, string value) {
-    tag = "hasValueFlow" and
-    exists(Node src, Node sink, ContainerFlowConf conf | conf.hasFlow(src, sink) |
-      sink.getLocation() = location and
-      element = sink.toString() and
-      value = ""
-    )
-  }
+class HasFlowTest extends InlineFlowTest {
+  override DataFlow::Configuration getTaintFlowConfig() { none() }
 }

java/ql/test/library-tests/dataflow/fluent-methods/flow.ql

@@ -1,19 +1,7 @@
 import java
 import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.FlowSteps
-import TestUtilities.InlineExpectationsTest
-
-class Conf extends DataFlow::Configuration {
-  Conf() { this = "qltest:dataflow:fluent-methods" }
-
-  override predicate isSource(DataFlow::Node n) {
-    n.asExpr().(MethodAccess).getMethod().hasName("source")
-  }
-
-  override predicate isSink(DataFlow::Node n) {
-    exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
-  }
-}
+import TestUtilities.InlineFlowTest
 
 class Model extends FluentMethod {
   Model() { this.getName() = "modelledFluentMethod" }
@@ -25,17 +13,6 @@ class IdentityModel extends ValuePreservingMethod {
   override predicate returnsValue(int arg) { arg = 0 }
 }
 
-class HasFlowTest extends InlineExpectationsTest {
-  HasFlowTest() { this = "HasFlowTest" }
-
-  override string getARelevantTag() { result = "hasTaintFlow" }
-
-  override predicate hasActualResult(Location location, string element, string tag, string value) {
-    tag = "hasTaintFlow" and
-    exists(DataFlow::Node src, DataFlow::Node sink, Conf conf | conf.hasFlow(src, sink) |
-      sink.getLocation() = location and
-      element = sink.toString() and
-      value = ""
-    )
-  }
+class HasFlowTest extends InlineFlowTest {
+  override DataFlow::Configuration getValueFlowConfig() { none() }
 }

java/ql/test/library-tests/dataflow/taint-format/A.java

@@ -1,47 +1,47 @@
 import java.util.Formatter;
 import java.lang.StringBuilder;
 
-
-
 class A {
-    public static String taint() { return "tainted"; }
+    public static String source() {
+        return "tainted";
+    }
 
     public static void test1() {
-        String bad = taint();
+        String bad = source(); // $ hasTaintFlow
         String good = "hi";
 
-        bad.formatted(good);
-        good.formatted("a", bad, "b", good);
-        String.format("%s%s", bad, good);
+        bad.formatted(good); // $ hasTaintFlow
+        good.formatted("a", bad, "b", good); // $ hasTaintFlow
+        String.format("%s%s", bad, good); // $ hasTaintFlow
         String.format("%s", good);
-        String.format("%s %s %s %s %s %s %s %s %s %s ", "a", "a", "a", "a", "a", "a", "a", "a", "a", bad);
+        String.format("%s %s %s %s %s %s %s %s %s %s ", "a", "a", "a", "a", "a", "a", "a", "a", "a", bad); // $ hasTaintFlow
     }
 
     public static void test2() {
-        String bad = taint();
+        String bad = source();  // $ hasTaintFlow
         Formatter f = new Formatter();
 
         f.toString();
-        f.format("%s", bad);
-        f.toString();
+        f.format("%s", bad);  // $ hasTaintFlow
+        f.toString(); // $ hasTaintFlow
     }
 
     public static void test3() {
-        String bad = taint();
+        String bad = source();  // $ hasTaintFlow
         StringBuilder sb = new StringBuilder();
         Formatter f = new Formatter(sb);
 
-        sb.toString(); // false positive
-        f.format("%s", bad);
-        sb.toString();
+        sb.toString(); // $ hasTaintFlow false positive 
+        f.format("%s", bad);  // $ hasTaintFlow
+        sb.toString(); // $ hasTaintFlow
     }
 
     public static void test4() {
-        String bad = taint();
+        String bad = source();  // $ hasTaintFlow
         StringBuilder sb = new StringBuilder();
 
-        sb.append(bad);
+        sb.append(bad);  // $ hasTaintFlow
 
-        new Formatter(sb).format("ok").toString();
+        new Formatter(sb).format("ok").toString();  // $ hasTaintFlow
     }
 }

java/ql/test/library-tests/dataflow/taint-format/test.expected

@@ -1,49 +0,0 @@
-| A.java:10:22:10:28 | taint(...) | A.java:10:22:10:28 | taint(...) |
-| A.java:10:22:10:28 | taint(...) | A.java:13:9:13:11 | bad |
-| A.java:10:22:10:28 | taint(...) | A.java:13:9:13:27 | formatted(...) |
-| A.java:10:22:10:28 | taint(...) | A.java:14:9:14:43 | formatted(...) |
-| A.java:10:22:10:28 | taint(...) | A.java:14:9:14:43 | new ..[] { .. } |
-| A.java:10:22:10:28 | taint(...) | A.java:14:29:14:31 | bad |
-| A.java:10:22:10:28 | taint(...) | A.java:15:9:15:40 | format(...) |
-| A.java:10:22:10:28 | taint(...) | A.java:15:9:15:40 | new ..[] { .. } |
-| A.java:10:22:10:28 | taint(...) | A.java:15:31:15:33 | bad |
-| A.java:10:22:10:28 | taint(...) | A.java:17:9:17:105 | format(...) |
-| A.java:10:22:10:28 | taint(...) | A.java:17:9:17:105 | new ..[] { .. } |
-| A.java:10:22:10:28 | taint(...) | A.java:17:102:17:104 | bad |
-| A.java:10:22:10:28 | taint(...) | file:///modules/java.base/java/lang/String.class:0:0:0:0 | [summary] read: [] of argument 0 in formatted |
-| A.java:10:22:10:28 | taint(...) | file:///modules/java.base/java/lang/String.class:0:0:0:0 | [summary] read: [] of argument 1 in format |
-| A.java:10:22:10:28 | taint(...) | file:///modules/java.base/java/lang/String.class:0:0:0:0 | [summary] to write: return (return) in format |
-| A.java:10:22:10:28 | taint(...) | file:///modules/java.base/java/lang/String.class:0:0:0:0 | [summary] to write: return (return) in formatted |
-| A.java:10:22:10:28 | taint(...) | file:///modules/java.base/java/lang/String.class:0:0:0:0 | parameter this |
-| A.java:10:22:10:28 | taint(...) | file://:0:0:0:0 | p0 |
-| A.java:10:22:10:28 | taint(...) | file://:0:0:0:0 | p1 |
-| A.java:21:22:21:28 | taint(...) | A.java:21:22:21:28 | taint(...) |
-| A.java:21:22:21:28 | taint(...) | A.java:25:9:25:9 | f [post update] |
-| A.java:21:22:21:28 | taint(...) | A.java:25:9:25:27 | format(...) |
-| A.java:21:22:21:28 | taint(...) | A.java:25:9:25:27 | new ..[] { .. } |
-| A.java:21:22:21:28 | taint(...) | A.java:25:24:25:26 | bad |
-| A.java:21:22:21:28 | taint(...) | A.java:26:9:26:9 | f |
-| A.java:21:22:21:28 | taint(...) | A.java:26:9:26:20 | toString(...) |
-| A.java:30:22:30:28 | taint(...) | A.java:30:22:30:28 | taint(...) |
-| A.java:30:22:30:28 | taint(...) | A.java:34:9:34:10 | sb |
-| A.java:30:22:30:28 | taint(...) | A.java:34:9:34:21 | toString(...) |
-| A.java:30:22:30:28 | taint(...) | A.java:35:9:35:9 | f [post update] |
-| A.java:30:22:30:28 | taint(...) | A.java:35:9:35:27 | format(...) |
-| A.java:30:22:30:28 | taint(...) | A.java:35:9:35:27 | new ..[] { .. } |
-| A.java:30:22:30:28 | taint(...) | A.java:35:24:35:26 | bad |
-| A.java:30:22:30:28 | taint(...) | A.java:36:9:36:10 | sb |
-| A.java:30:22:30:28 | taint(...) | A.java:36:9:36:21 | toString(...) |
-| A.java:30:22:30:28 | taint(...) | file:///modules/java.base/java/lang/StringBuilder.class:0:0:0:0 | [summary] to write: return (return) in toString |
-| A.java:30:22:30:28 | taint(...) | file:///modules/java.base/java/lang/StringBuilder.class:0:0:0:0 | parameter this |
-| A.java:40:22:40:28 | taint(...) | A.java:40:22:40:28 | taint(...) |
-| A.java:40:22:40:28 | taint(...) | A.java:43:9:43:10 | sb [post update] |
-| A.java:40:22:40:28 | taint(...) | A.java:43:9:43:22 | append(...) |
-| A.java:40:22:40:28 | taint(...) | A.java:43:19:43:21 | bad |
-| A.java:40:22:40:28 | taint(...) | A.java:45:9:45:25 | new Formatter(...) |
-| A.java:40:22:40:28 | taint(...) | A.java:45:9:45:38 | format(...) |
-| A.java:40:22:40:28 | taint(...) | A.java:45:9:45:49 | toString(...) |
-| A.java:40:22:40:28 | taint(...) | A.java:45:23:45:24 | sb |
-| A.java:40:22:40:28 | taint(...) | file:///modules/java.base/java/lang/StringBuilder.class:0:0:0:0 | [summary] to write: argument -1 in append |
-| A.java:40:22:40:28 | taint(...) | file:///modules/java.base/java/lang/StringBuilder.class:0:0:0:0 | [summary] to write: return (return) in append |
-| A.java:40:22:40:28 | taint(...) | file:///modules/java.base/java/lang/StringBuilder.class:0:0:0:0 | parameter this |
-| A.java:40:22:40:28 | taint(...) | file://:0:0:0:0 | p0 |

java/ql/test/library-tests/dataflow/taint-format/test.ql

@@ -1,16 +1,8 @@
 import java
+import semmle.code.java.dataflow.DataFlow
 import semmle.code.java.dataflow.TaintTracking
+import TestUtilities.InlineFlowTest
 
-class Conf extends TaintTracking::Configuration {
-  Conf() { this = "qltest:dataflow:format" }
-
-  override predicate isSource(DataFlow::Node n) {
-    n.asExpr().(MethodAccess).getMethod().hasName("taint")
-  }
-
-  override predicate isSink(DataFlow::Node n) { any() }
+class TaintFlowConf extends DefaultTaintFlowConf {
+  override predicate isSink(DataFlow::Node n) { n instanceof DataFlow::ExprNode }
 }
-
-from DataFlow::Node src, DataFlow::Node sink, Conf conf
-where conf.hasFlow(src, sink)
-select src, sink

java/ql/test/library-tests/dataflow/taint-jackson/dataFlow.ql

@@ -1,34 +1,2 @@
 import java
-import semmle.code.java.dataflow.DataFlow
-import semmle.code.java.dataflow.TaintTracking
-import semmle.code.java.dataflow.FlowSources
-import TestUtilities.InlineExpectationsTest
-
-class Conf extends TaintTracking::Configuration {
-  Conf() { this = "qltest:dataflow:jackson" }
-
-  override predicate isSource(DataFlow::Node n) {
-    n.asExpr().(MethodAccess).getMethod().hasName("taint")
-    or
-    n instanceof RemoteFlowSource
-  }
-
-  override predicate isSink(DataFlow::Node n) {
-    exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
-  }
-}
-
-class HasFlowTest extends InlineExpectationsTest {
-  HasFlowTest() { this = "HasFlowTest" }
-
-  override string getARelevantTag() { result = "hasTaintFlow" }
-
-  override predicate hasActualResult(Location location, string element, string tag, string value) {
-    tag = "hasTaintFlow" and
-    exists(DataFlow::Node src, DataFlow::Node sink, Conf conf | conf.hasFlow(src, sink) |
-      sink.getLocation() = location and
-      element = sink.toString() and
-      value = ""
-    )
-  }
-}
+import TestUtilities.InlineFlowTest