Fix Gson's JsonArray.add models

atorralba · atorralba · commit 35b4c438ff09 · 2023-06-07T14:12:20.000+02:00
When the type of the argument isn't JsonElement, the summary must be taint flow instead of value flow
diff --git a/java/ql/lib/ext/com.google.gson.model.yml b/java/ql/lib/ext/com.google.gson.model.yml
@@ -26,7 +26,12 @@ extensions:
       - ["com.google.gson", "JsonElement", True, "getAsJsonPrimitive", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
       - ["com.google.gson", "JsonElement", True, "getAsString", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
       - ["com.google.gson", "JsonElement", True, "toString", "()", "", "Argument[this]", "ReturnValue", "taint", "manual"]
-      - ["com.google.gson", "JsonArray", True, "add", "", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
+      - ["com.google.gson", "JsonArray", True, "add", "(Boolean)", "", "Argument[0]", "Argument[this].Element", "taint", "manual"]
+      - ["com.google.gson", "JsonArray", True, "add", "(Character)", "", "Argument[0]", "Argument[this].Element", "taint", "manual"]
+      - ["com.google.gson", "JsonArray", True, "add", "(JsonElement)", "", "Argument[0]", "Argument[this].Element", "value", "manual"]
+      - ["com.google.gson", "JsonArray", True, "add", "(Number)", "", "Argument[0]", "Argument[this].Element", "taint", "manual"]
+      - ["com.google.gson", "JsonArray", True, "add", "(String)", "", "Argument[0]", "Argument[this].Element", "taint", "manual"]
+      - ["com.google.gson", "JsonArray", True, "add", "(JsonArray)", "", "Argument[0].Element", "Argument[this].Element", "value", "manual"]
       - ["com.google.gson", "JsonArray", True, "asList", "", "", "Argument[this].Element", "ReturnValue.Element", "value", "manual"]
       - ["com.google.gson", "JsonArray", True, "get", "", "", "Argument[this].Element", "ReturnValue", "value", "manual"]
       - ["com.google.gson", "JsonArray", True, "set", "", "", "Argument[1]", "Argument[this].Element", "value", "manual"]
diff --git a/java/ql/test/library-tests/frameworks/gson/Test.java b/java/ql/test/library-tests/frameworks/gson/Test.java
@@ -25,7 +25,7 @@ public class Test {
 	<K> K getMapKeyDefault(Map.Entry<K,?> container) { return container.getKey(); }
 	JsonElement getMapValueDefault(JsonObject container) { return container.get(null); }
 	<V> V  getMapValueDefault(Map.Entry<?,V> container) { return container.getValue(); }
-	JsonArray newWithElementDefault(String element) { JsonArray a = new JsonArray(); a.add(element); return a; }
+	JsonArray newWithElementDefault(JsonElement element) { JsonArray a = new JsonArray(); a.add(element); return a; }
 	JsonObject newWithMapKeyDefault(String key) { JsonObject o = new JsonObject(); o.add(key, (JsonElement) null); return o; }
 	JsonObject newWithMapValueDefault(JsonElement element) { JsonObject o = new JsonObject(); o.add(null, element); return o; }
 	Object source() { return null; }
@@ -232,51 +232,51 @@ public void test() throws Exception {
 			sink(out); // $ hasTaintFlow
 		}
 		{
-			// "com.google.gson;JsonArray;true;add;;;Argument[0];Argument[this].Element;value;manual"
+			// "com.google.gson;JsonArray;true;add;(Boolean);;Argument[0];Argument[this].Element;taint;manual"
 			JsonArray out = null;
 			Boolean in = (Boolean)source();
 			out.add(in);
-			sink(getElement(out)); // $ hasValueFlow
+			sink(getElement(out)); // $ hasTaintFlow
 		}
 		{
-			// "com.google.gson;JsonArray;true;add;;;Argument[0];Argument[this].Element;value;manual"
+			// "com.google.gson;JsonArray;true;add;(Character);;Argument[0];Argument[this].Element;taint;manual"
 			JsonArray out = null;
 			Character in = (Character)source();
 			out.add(in);
-			sink(getElement(out)); // $ hasValueFlow
+			sink(getElement(out)); // $ hasTaintFlow
 		}
 		{
-			// "com.google.gson;JsonArray;true;add;;;Argument[0];Argument[this].Element;value;manual"
+			// "com.google.gson;JsonArray;true;add;(JsonElement);;Argument[0];Argument[this].Element;value;manual"
 			JsonArray out = null;
 			JsonElement in = (JsonElement)source();
 			out.add(in);
 			sink(getElement(out)); // $ hasValueFlow
 		}
 		{
-			// "com.google.gson;JsonArray;true;add;;;Argument[0];Argument[this].Element;value;manual"
+			// "com.google.gson;JsonArray;true;add;(Number);;Argument[0];Argument[this].Element;taint;manual"
 			JsonArray out = null;
 			Number in = (Number)source();
 			out.add(in);
-			sink(getElement(out)); // $ hasValueFlow
+			sink(getElement(out)); // $ hasTaintFlow
 		}
 		{
-			// "com.google.gson;JsonArray;true;add;;;Argument[0];Argument[this].Element;value;manual"
+			// "com.google.gson;JsonArray;true;add;(JsonArray);;Argument[0].Element;Argument[this].Element;value;manual"
 			JsonArray out = null;
-			String in = (String)source();
+			JsonElement in = (JsonElement)source();
 			out.add(in);
 			sink(getElement(out)); // $ hasValueFlow
 		}
 		{
 			// "com.google.gson;JsonArray;true;asList;;;Argument[this].Element;ReturnValue.Element;value;manual"
 			List out = null;
-			JsonArray in = (JsonArray)newWithElementDefault((String) source());
+			JsonArray in = (JsonArray)newWithElementDefault((JsonElement) source());
 			out = in.asList();
 			sink(getElement(out)); // $ hasValueFlow
 		}
 		{
 			// "com.google.gson;JsonArray;true;get;;;Argument[this].Element;ReturnValue;value;manual"
 			JsonElement out = null;
-			JsonArray in = (JsonArray)newWithElementDefault((String) source());
+			JsonArray in = (JsonArray)newWithElementDefault((JsonElement) source());
 			out = in.get(0);
 			sink(out); // $ hasValueFlow
 		}

Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ public class Test {`
`25`	`25`	`<K> K getMapKeyDefault(Map.Entry<K,?> container) { return container.getKey(); }`
`26`	`26`	`JsonElement getMapValueDefault(JsonObject container) { return container.get(null); }`
`27`	`27`	`<V> V getMapValueDefault(Map.Entry<?,V> container) { return container.getValue(); }`
`28`		`- JsonArray newWithElementDefault(String element) { JsonArray a = new JsonArray(); a.add(element); return a; }`
	`28`	`+ JsonArray newWithElementDefault(JsonElement element) { JsonArray a = new JsonArray(); a.add(element); return a; }`
`29`	`29`	`JsonObject newWithMapKeyDefault(String key) { JsonObject o = new JsonObject(); o.add(key, (JsonElement) null); return o; }`
`30`	`30`	`JsonObject newWithMapValueDefault(JsonElement element) { JsonObject o = new JsonObject(); o.add(null, element); return o; }`
`31`	`31`	`Object source() { return null; }`
`@@ -232,51 +232,51 @@ public void test() throws Exception {`
`232`	`232`	`sink(out); // $ hasTaintFlow`
`233`	`233`	`}`
`234`	`234`	`{`
`235`		`- // "com.google.gson;JsonArray;true;add;;;Argument[0];Argument[this].Element;value;manual"`
	`235`	`+ // "com.google.gson;JsonArray;true;add;(Boolean);;Argument[0];Argument[this].Element;taint;manual"`
`236`	`236`	`JsonArray out = null;`
`237`	`237`	`Boolean in = (Boolean)source();`
`238`	`238`	`out.add(in);`
`239`		`- sink(getElement(out)); // $ hasValueFlow`
	`239`	`+ sink(getElement(out)); // $ hasTaintFlow`
`240`	`240`	`}`
`241`	`241`	`{`
`242`		`- // "com.google.gson;JsonArray;true;add;;;Argument[0];Argument[this].Element;value;manual"`
	`242`	`+ // "com.google.gson;JsonArray;true;add;(Character);;Argument[0];Argument[this].Element;taint;manual"`
`243`	`243`	`JsonArray out = null;`
`244`	`244`	`Character in = (Character)source();`
`245`	`245`	`out.add(in);`
`246`		`- sink(getElement(out)); // $ hasValueFlow`
	`246`	`+ sink(getElement(out)); // $ hasTaintFlow`
`247`	`247`	`}`
`248`	`248`	`{`
`249`		`- // "com.google.gson;JsonArray;true;add;;;Argument[0];Argument[this].Element;value;manual"`
	`249`	`+ // "com.google.gson;JsonArray;true;add;(JsonElement);;Argument[0];Argument[this].Element;value;manual"`
`250`	`250`	`JsonArray out = null;`
`251`	`251`	`JsonElement in = (JsonElement)source();`
`252`	`252`	`out.add(in);`
`253`	`253`	`sink(getElement(out)); // $ hasValueFlow`
`254`	`254`	`}`
`255`	`255`	`{`
`256`		`- // "com.google.gson;JsonArray;true;add;;;Argument[0];Argument[this].Element;value;manual"`
	`256`	`+ // "com.google.gson;JsonArray;true;add;(Number);;Argument[0];Argument[this].Element;taint;manual"`
`257`	`257`	`JsonArray out = null;`
`258`	`258`	`Number in = (Number)source();`
`259`	`259`	`out.add(in);`
`260`		`- sink(getElement(out)); // $ hasValueFlow`
	`260`	`+ sink(getElement(out)); // $ hasTaintFlow`
`261`	`261`	`}`
`262`	`262`	`{`
`263`		`- // "com.google.gson;JsonArray;true;add;;;Argument[0];Argument[this].Element;value;manual"`
	`263`	`+ // "com.google.gson;JsonArray;true;add;(JsonArray);;Argument[0].Element;Argument[this].Element;value;manual"`
`264`	`264`	`JsonArray out = null;`
`265`		`- String in = (String)source();`
	`265`	`+ JsonElement in = (JsonElement)source();`
`266`	`266`	`out.add(in);`
`267`	`267`	`sink(getElement(out)); // $ hasValueFlow`
`268`	`268`	`}`
`269`	`269`	`{`
`270`	`270`	`// "com.google.gson;JsonArray;true;asList;;;Argument[this].Element;ReturnValue.Element;value;manual"`
`271`	`271`	`List out = null;`
`272`		`- JsonArray in = (JsonArray)newWithElementDefault((String) source());`
	`272`	`+ JsonArray in = (JsonArray)newWithElementDefault((JsonElement) source());`
`273`	`273`	`out = in.asList();`
`274`	`274`	`sink(getElement(out)); // $ hasValueFlow`
`275`	`275`	`}`
`276`	`276`	`{`
`277`	`277`	`// "com.google.gson;JsonArray;true;get;;;Argument[this].Element;ReturnValue;value;manual"`
`278`	`278`	`JsonElement out = null;`
`279`		`- JsonArray in = (JsonArray)newWithElementDefault((String) source());`
	`279`	`+ JsonArray in = (JsonArray)newWithElementDefault((JsonElement) source());`
`280`	`280`	`out = in.get(0);`
`281`	`281`	`sink(out); // $ hasValueFlow`
`282`	`282`	`}`