Merge pull request #15023 from igfoo/igfoo/df-wrapper

Kotlin: Fix dataflow with Array.set wrappers
github · Dec 6, 2023 · c1cc441 · c1cc441
2 parents faa63dd + fc11a87
commit c1cc441
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 1 deletion.
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/ContainerFlow.qll b/java/ql/lib/semmle/code/java/dataflow/internal/ContainerFlow.qll
@@ -452,7 +452,7 @@ predicate arrayStoreStep(Node node1, Node node2) {
   )
   or
   exists(Expr arr, Call call |
-    arr = node2.asExpr() and
+    arr = node2.(PostUpdateNode).getPreUpdateNode().asExpr() and
     call.getArgument(1) = node1.asExpr() and
     call.getQualifier() = arr and
     arr.getType() instanceof ArrayType and

diff --git a/java/ql/test-kotlin1/library-tests/dataflow/foreach/C2.kt b/java/ql/test-kotlin1/library-tests/dataflow/foreach/C2.kt
@@ -27,4 +27,14 @@ class C2 {
         sink(l1.get(0))
         sink(l2.get(0))
     }
+
+    fun setWrapper(l: Array<String>, v: String) {
+        l.set(0, v)
+    }
+    fun test3() {
+        val l = arrayOf("")
+        setWrapper(l, taint("a"))
+        sink(l[0])
+        sink(l.get(0))
+    }
 }
diff --git a/java/ql/test-kotlin1/library-tests/dataflow/foreach/test.expected b/java/ql/test-kotlin1/library-tests/dataflow/foreach/test.expected
@@ -11,3 +11,5 @@
 | C2.kt:23:24:23:24 | "a" | C2.kt:27:14:27:22 | get(...) |
 | C2.kt:24:26:24:26 | "a" | C2.kt:26:14:26:18 | ...[...] |
 | C2.kt:24:26:24:26 | "a" | C2.kt:28:14:28:22 | get(...) |
+| C2.kt:36:30:36:30 | "a" | C2.kt:37:14:37:17 | ...[...] |
+| C2.kt:36:30:36:30 | "a" | C2.kt:38:14:38:21 | get(...) |