@testanull
Created October 8, 2024 10:00
Revisions

  1. testanull created this gist Oct 8, 2024.
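--- a/java_graph1.ql
+++ b/java_graph1.ql
@@ -0,0 +1,87 @@
+/**
+* @kind path-problem
+*/
+
+import java
+
+class CustomSetterMethod extends Method {
+CustomSetterMethod() {
+getName().matches("set%") and
+not getName().length() = 3 and
+getNumberOfParameters() = 1 and
+hasModifier("public") and
+// getParameter(0).getType().getName() = "String" and
+not isStatic() and
+// and not getDeclaringType().getQualifiedName().matches("%cold%")
+exists(MethodAccess mc | mc.getEnclosingCallable() = this)
+}
+}
+
+query predicate edges(Callable a, Callable b) {
+a.calls(b) and
+not b.getName() = "_cast"
+}
+
+Callable getCallee(Callable n, int i) {
+i = 0 and result = n
+or
+exists(Callable c2 |
+n.calls(c2) and
+i > 0 and
+i < 7 and
+result = getCallee(c2, i - 1)
+)
+}
+
+predicate checkCls(RefType r) {
+r.getName().matches("ProcessBuilder") or
+
+// r.getName().matches("FileInputStream") or
+r.getName().matches("FileOutputStream") or
+r.getName().matches("Runtime")
+}
+
+predicate checkMethod(Callable m) {
+// m.getName().matches("getConstructor") or
+// or
+// m.getName().matches("write") or
+m.getName().matches("eval%")
+or
+// m.getName().matches("start") or
+m.getName().matches("exec") or
+m.getName() = "ObjectInputStream" or
+// m.getName().matches("doPrivileged")
+// m.getName().matches("lookup") or
+(m.getName().matches("setProperty") and m.getDeclaringType().getName() = "System")
+}
+
+class DeserSource extends Method {
+DeserSource(){(
+getName() = "readObject"
+or getName() = "toString"
+or (getName() = "get" and getNumberOfParameters() = 1
+and (getDeclaringType().getASupertype+().getName().matches("Map%")) )
+) and (getDeclaringType().getASupertype+().getName() = "Serializable")
+}
+}
+predicate excludeCls(RefType r) { not r.hasName("MethodHandles") }
+
+from DeserSource src, Call ma, Callable c1, Callable c2, int i
+where
+c1 = getCallee(src, i) and
+// c1.calls(c2) and
+ma.getCallee() = c2 and
+ma.getCaller() = c1 and
+// ctor.getDeclaringType().getName() = "JdbcRowSetImpl" and
+// and c2.getName().matches("exec%")
+(
+checkCls(c2.getDeclaringType()) or
+checkMethod(c2) or
+(
+c2.getName().matches("getConstructor") and
+ma.getNumArgument() = 1
+and ma.getAnArgument().toString() = "String.class"
+)
+) and
+excludeCls(c2.getDeclaringType())
+select c1, src, c1, "call to $@ from $@", c2, c2.getName(), src, src.getQualifiedName()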
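Review bot: `checkCls` and `checkMethod` recognise sinks by simple name only, so any project class that happens to be called `Runtime` or any method called `exec` is reported next to the JDK ones, which inflates what a defender has to triage. Pinning the package, e.g. `r.hasQualifiedName("java.lang", "Runtime")` and `r.hasQualifiedName("java.io", "FileOutputStream")`, keeps the findings on the real sinks, and the `matches(...)` calls that carry no `%` wildcard are exact comparisons that read more clearly as `hasName(...)`. `getCallee` walks `n.calls(c2)` without the `not b.getName() = "_cast"` filter that `edges` applies, so a result reached only through `_cast` would have no path in the displayed graph; calling `edges(n, c2)` inside `getCallee` would keep the two consistent. `CustomSetterMethod` is declared but never referenced by the `from`/`where` clause and can be dropped, or documented with a comment such as `// kept for the setter-based entry-point variant of this query` if that is the intent.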