Fix dataflow for kotlin.Array.iterator()

tamasvajk · smowton · commit 538e05995a10 · 2022-05-12T22:37:03.000+01:00
diff --git a/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll b/java/ql/lib/semmle/code/java/dataflow/ExternalFlow.qll
@@ -143,6 +143,7 @@ private module Frameworks {
   private import semmle.code.java.frameworks.JMS
   private import semmle.code.java.frameworks.RabbitMQ
   private import semmle.code.java.regex.RegexFlowModels
+  private import semmle.code.java.frameworks.KotlinStdLib
 }
 
 private predicate sourceModelCsv(string row) {
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
@@ -205,6 +205,11 @@ private predicate canContainBool(Type t) {
   any(BooleanType b).(RefType).getASourceSupertype+() = t
 }
 
+private predicate isArray(Type t) {
+  t instanceof Array or
+  t.(RefType).getSourceDeclaration().hasQualifiedName("kotlin", "Array")
+}
+
 /**
  * Holds if `t1` and `t2` are compatible, that is, whether data can flow from
  * a node of type `t1` to a node of type `t2`.
@@ -221,6 +226,9 @@ predicate compatibleTypes(Type t1, Type t2) {
     erasedHaveIntersection(e1, e2)
     or
     canContainBool(e1) and canContainBool(e2)
+    or
+    // Make java array and `kotlin.Array` types compatible.
+    isArray(e1) and isArray(e2)
   )
 }
 
diff --git a/java/ql/lib/semmle/code/java/frameworks/KotlinStdLib.qll b/java/ql/lib/semmle/code/java/frameworks/KotlinStdLib.qll
@@ -0,0 +1,10 @@
+/** Definitions of taint steps in the KotlinStdLib framework */
+
+import java
+private import semmle.code.java.dataflow.ExternalFlow
+
+private class KotlinStdLibSummaryCsv extends SummaryModelCsv {
+  override predicate row(string row) {
+    row = ["kotlin;Array;false;iterator;();;Argument[-1].ArrayElement;ReturnValue.Element;value"]
+  }
+}
diff --git a/java/ql/test/kotlin/library-tests/dataflow/foreach/test.expected b/java/ql/test/kotlin/library-tests/dataflow/foreach/test.expected
@@ -5,3 +5,4 @@
 | C2.kt:8:32:8:32 | a | C2.kt:9:14:9:14 | l |
 | C2.kt:8:32:8:32 | a | C2.kt:10:14:10:17 | ...[...] |
 | C2.kt:8:32:8:32 | a | C2.kt:12:18:12:21 | ...[...] |
+| C2.kt:8:32:8:32 | a | C2.kt:15:18:15:18 | s |

Original file line number	Diff line number	Diff line change
`@@ -143,6 +143,7 @@ private module Frameworks {`
`143`	`143`	`private import semmle.code.java.frameworks.JMS`
`144`	`144`	`private import semmle.code.java.frameworks.RabbitMQ`
`145`	`145`	`private import semmle.code.java.regex.RegexFlowModels`
	`146`	`+ private import semmle.code.java.frameworks.KotlinStdLib`
`146`	`147`	`}`
`147`	`148`
`148`	`149`	`private predicate sourceModelCsv(string row) {`
Original file line number	Diff line number	Diff line change
`@@ -205,6 +205,11 @@ private predicate canContainBool(Type t) {`
`205`	`205`	`any(BooleanType b).(RefType).getASourceSupertype+() = t`
`206`	`206`	`}`
`207`	`207`
	`208`	`+private predicate isArray(Type t) {`
	`209`	`+ t instanceof Array or`
	`210`	`+ t.(RefType).getSourceDeclaration().hasQualifiedName("kotlin", "Array")`
	`211`	`+}`
	`212`	`+`
`208`	`213`	`/**`
`209`	`214`	* Holds if `t1` and `t2` are compatible, that is, whether data can flow from
`210`	`215`	* a node of type `t1` to a node of type `t2`.
`@@ -221,6 +226,9 @@ predicate compatibleTypes(Type t1, Type t2) {`
`221`	`226`	`erasedHaveIntersection(e1, e2)`
`222`	`227`	`or`
`223`	`228`	`canContainBool(e1) and canContainBool(e2)`
	`229`	`+ or`
	`230`	+ // Make java array and `kotlin.Array` types compatible.
	`231`	`+ isArray(e1) and isArray(e2)`
`224`	`232`	`)`
`225`	`233`	`}`
`226`	`234`