
[Java] The reachableByFlows function is unable to function properly when encountering a sink point with a void return type.

Open wooyune1 opened this issue 1 year ago • 1 comment

Describe the bug: When a sink point is a function that doesn't provide any return information, it's not feasible to derive the path leading to the vulnerability.

To Reproduce: When the sink has a return value

public class A {
    public static void main(String[] args) {
        String s = source();
        sink(s);
    }
    public static String source() {
        return "abc";
    }
    public static String sink(String s) {
        String temp = s;
        return s;
    }
}

When the sink doesn't have a return value

public class A {
    public static void main(String[] args) {
        String s = source();
        sink(s);
    }
    public static String source() {
        return "abc";
    }
    public static void sink(String s) {
        String temp = s;
    }
}

My code

// Imports and the enclosing object were added here so the snippet compiles on
// its own (package paths as of Joern 2.0.x; not part of the original post).
import io.joern.dataflowengineoss.language._
import io.joern.dataflowengineoss.layers.dataflows
import io.joern.dataflowengineoss.layers.dataflows.OssDataFlowOptions
import io.joern.dataflowengineoss.queryengine.EngineContext
import io.joern.javasrc2cpg.{Config, JavaSrc2Cpg}
import io.shiftleft.codepropertygraph.Cpg
import io.shiftleft.semanticcpg.language._
import io.shiftleft.semanticcpg.layers.{Base, CallGraph, ControlFlow, LayerCreatorContext, TypeRelations}

object Repro {
  def main(args: Array[String]): Unit = {
    implicit val dataFlowContext: EngineContext = EngineContext()
    // Parse the Java sources under src/test/resources/ into a CPG.
    val config = Config()
      .withInputPath("src/test/resources/")
    //            .withOutputPath("cpg/")
    implicit val cpg: Cpg = new JavaSrc2Cpg().createCpg(config).get

    runDataFlowLayer(cpg)

    // Both source and sink are call nodes, i.e. the values returned by the calls.
    val source = cpg.call.name("source")
    val sink = cpg.call.name("sink")

    val paths = sink.reachableByFlows(source)
    paths.p.foreach(println)
  }

  // Run the passes that must exist before dataflow queries can be answered.
  def runDataFlowLayer(cpg: Cpg): Unit = {
    val context = new LayerCreatorContext(cpg)

    new Base().run(context)
    new TypeRelations().run(context)
    new ControlFlow().run(context)
    new CallGraph().run(context)

    // 4000 caps the reaching-definitions computation (maxNumberOfDefinitions).
    val options = new OssDataFlowOptions(4000)
    new dataflows.OssDataFlow(options).run(context)
  }
}

Expected behavior: I expected that both Java code snippets would be able to find a path from source to sink, but in reality, only the one where the sink function has a return value can successfully identify such a path.

Screenshots: The path found by the code for the sink function with a return value.

Desktop (please complete the following information):

  • Joern Version : v2.0.311
  • Java version : 17

wooyune1 Apr 02 '24 06:04

In dataflow queries, calls stand for the value returned by these calls. If you are interested in something other than that return value, you must adjust the sink of the query. E.g. use def sink = cpg.method.name("sink").parameter.

maltek Apr 02 '24 10:04
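A worked version of that advice, added here as an illustration and not code from the issue or from Joern itself. It assumes cpg is a CPG of one of the two A.java snippets with the OSS dataflow layer already run (as by runDataFlowLayer above) and that the package paths match Joern v2.0.x; sinkFlows is a hypothetical helper name. Besides the parameter sink suggested in the reply, it also tries the call's argument nodes, which likewise do not depend on the callee's return type.

```scala
import io.joern.dataflowengineoss.language._
import io.joern.dataflowengineoss.queryengine.EngineContext
import io.shiftleft.codepropertygraph.Cpg
import io.shiftleft.semanticcpg.language._

// Hypothetical helper (added example, not part of Joern): run the same
// source -> sink query with three different sink definitions and report how
// many flows each one finds. `cpg` is assumed to already carry the OSS
// dataflow layer, as produced by runDataFlowLayer in the issue.
def sinkFlows(cpg: Cpg)(implicit ctx: EngineContext): Map[String, Int] = {
  val source = cpg.call.name("source")

  // 1. The call node: in dataflow queries it stands for the value RETURNED by
  //    sink(...). A void sink has no such value, so this finds no path there.
  val viaReturnValue = cpg.call.name("sink").reachableByFlows(source).l

  // 2. The arguments at the call site: the flow ends at the expression passed
  //    to sink(...), regardless of what sink returns.
  val viaArguments = cpg.call.name("sink").argument.reachableByFlows(source).l

  // 3. The callee's formal parameters (the reply's suggestion): the flow is
  //    followed into sink's body, again regardless of its return type.
  val viaParameters = cpg.method.name("sink").parameter.reachableByFlows(source).l

  // Pretty-print the flows that were found so the trace can be inspected.
  (viaArguments ++ viaParameters).iterator.p.foreach(println)

  Map(
    "call (return value)" -> viaReturnValue.size,
    "call arguments"      -> viaArguments.size,
    "method parameters"   -> viaParameters.size
  )
}
```

Run it against CPGs of both snippets: only the first count drops to zero when sink is void, which is the behaviour the reply explains, while the argument and parameter sinks keep reporting the flow.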