Created
October 8, 2024 10:00
-
-
Save testanull/b7c4dca00e287e5008943ece22ee3aa4 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| * @kind path-problem | |
| */ | |
| import java | |
| class CustomSetterMethod extends Method { | |
| CustomSetterMethod() { | |
| getName().matches("set%") and | |
| not getName().length() = 3 and | |
| getNumberOfParameters() = 1 and | |
| hasModifier("public") and | |
| // getParameter(0).getType().getName() = "String" and | |
| not isStatic() and | |
| // and not getDeclaringType().getQualifiedName().matches("%cold%") | |
| exists(MethodAccess mc | mc.getEnclosingCallable() = this) | |
| } | |
| } | |
| query predicate edges(Callable a, Callable b) { | |
| a.calls(b) and | |
| not b.getName() = "_cast" | |
| } | |
| Callable getCallee(Callable n, int i) { | |
| i = 0 and result = n | |
| or | |
| exists(Callable c2 | | |
| n.calls(c2) and | |
| i > 0 and | |
| i < 7 and | |
| result = getCallee(c2, i - 1) | |
| ) | |
| } | |
| predicate checkCls(RefType r) { | |
| r.getName().matches("ProcessBuilder") or | |
| // r.getName().matches("FileInputStream") or | |
| r.getName().matches("FileOutputStream") or | |
| r.getName().matches("Runtime") | |
| } | |
| predicate checkMethod(Callable m) { | |
| // m.getName().matches("getConstructor") or | |
| // or | |
| // m.getName().matches("write") or | |
| m.getName().matches("eval%") | |
| or | |
| // m.getName().matches("start") or | |
| m.getName().matches("exec") or | |
| m.getName() = "ObjectInputStream" or | |
| // m.getName().matches("doPrivileged") | |
| // m.getName().matches("lookup") or | |
| (m.getName().matches("setProperty") and m.getDeclaringType().getName() = "System") | |
| } | |
| class DeserSource extends Method { | |
| DeserSource(){( | |
| getName() = "readObject" | |
| or getName() = "toString" | |
| or (getName() = "get" and getNumberOfParameters() = 1 | |
| and (getDeclaringType().getASupertype+().getName().matches("Map%")) ) | |
| ) and (getDeclaringType().getASupertype+().getName() = "Serializable") | |
| } | |
| } | |
| predicate excludeCls(RefType r) { not r.hasName("MethodHandles") } | |
| from DeserSource src, Call ma, Callable c1, Callable c2, int i | |
| where | |
| c1 = getCallee(src, i) and | |
| // c1.calls(c2) and | |
| ma.getCallee() = c2 and | |
| ma.getCaller() = c1 and | |
| // ctor.getDeclaringType().getName() = "JdbcRowSetImpl" and | |
| // and c2.getName().matches("exec%") | |
| ( | |
| checkCls(c2.getDeclaringType()) or | |
| checkMethod(c2) or | |
| ( | |
| c2.getName().matches("getConstructor") and | |
| ma.getNumArgument() = 1 | |
| and ma.getAnArgument().toString() = "String.class" | |
| ) | |
| ) and | |
| excludeCls(c2.getDeclaringType()) | |
| select c1, src, c1, "call to $@ from $@", c2, c2.getName(), src, src.getQualifiedName() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment