[Bug][Java] Missing node in the path given by sink.reachableByFlows(source) #4837

Open
michwqy opened this issue Aug 11, 2024 · 0 comments
Labels
bug Something isn't working

michwqy commented Aug 11, 2024

Describe the bug
I found that some node was missing in the path given by sink.reachableByFlows(source). I'm not sure whether this is Joern's bug or I didn't use the correct method.

To Reproduce
Java code like

    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        // Request parameters (user-controlled input)
        String username = request.getParameter("username");
        String password = request.getParameter("password");

        // JDBC connection settings
        String url = "jdbc:mysql://localhost:3306/test";
        String user = "root";
        String dbPassword = "password";
        Connection connection = DriverManager.getConnection(url, user, dbPassword);

        // Parameterized query: username is bound through setString
        String sql = "SELECT * FROM users WHERE username = ?";
        PreparedStatement pstatement = connection.prepareStatement(sql);
        pstatement.setString(1, username);
        pstatement.executeQuery();
    }

I set the HttpServletRequest request as source and pstatement in pstatement.executeQuery() as sink.

({
def source = cpg.method.where(_.name("(doGet|doPost|doDelete|doPut)")).parameter.where(_.typeFullName("(javax|jakarta).servlet.http.HttpServletRequest"))

def sink = cpg.call.methodFullName(
  "java.sql.PreparedStatement.(executeQuery|addBatch|execute|executeLargeUpdate|executeUpdate):.*"
).argument.argumentIndex(0)

sink.reachableByFlows(source)
}).l

Expected behavior
Joern should give a path like

parameter: request
identifier: request
call: getParameter
identifier: username
identifier: username
identifier: pstatement
call: setString
identifier: pstatement

Actual behavior
But the call setString was missing in the path given by Joern, and the call getParameter was found.

Path(
    elements = List(
      MethodParameterIn(
        closureBindingId = None,
        code = "HttpServletRequest request",
        columnNumber = Some(value = 27),
        dynamicTypeHintFullName = IndexedSeq(),
        evaluationStrategy = "BY_SHARING",
        index = 1,
        isVariadic = false,
        lineNumber = Some(value = 28),
        name = "request",
        order = 1,
        possibleTypes = IndexedSeq(),
        typeFullName = "javax.servlet.http.HttpServletRequest"
      ),
      Identifier(
        argumentIndex = 0,
        argumentName = None,
        code = "request",
        columnNumber = Some(value = 27),
        dynamicTypeHintFullName = IndexedSeq(),
        lineNumber = Some(value = 29),
        name = "request",
        order = 1,
        possibleTypes = IndexedSeq(),
        typeFullName = "javax.servlet.http.HttpServletRequest"
      ),
      Call(
        argumentIndex = 2,
        argumentName = None,
        code = "getParameter(\"username\")",
        columnNumber = Some(value = 27),
        dispatchType = "DYNAMIC_DISPATCH",
        dynamicTypeHintFullName = IndexedSeq(),
        lineNumber = Some(value = 29),
        methodFullName = "javax.servlet.http.HttpServletRequest.getParameter:<unresolvedSignature>(1)",
        name = "getParameter",
        order = 2,
        possibleTypes = IndexedSeq(),
        signature = "<unresolvedSignature>(1)",
        typeFullName = "java.lang.String"
      ),
      Identifier(
        argumentIndex = 1,
        argumentName = None,
        code = "username",
        columnNumber = Some(value = 16),
        dynamicTypeHintFullName = IndexedSeq(),
        lineNumber = Some(value = 29),
        name = "username",
        order = 1,
        possibleTypes = IndexedSeq(),
        typeFullName = "java.lang.String"
      ),
      Identifier(
        argumentIndex = 2,
        argumentName = None,
        code = "username",
        columnNumber = Some(value = 33),
        dynamicTypeHintFullName = IndexedSeq(),
        lineNumber = Some(value = 40),
        name = "username",
        order = 3,
        possibleTypes = IndexedSeq(),
        typeFullName = "java.lang.String"
      ),
      Identifier(
        argumentIndex = 0,
        argumentName = None,
        code = "pstatement",
        columnNumber = Some(value = 9),
        dynamicTypeHintFullName = IndexedSeq(),
        lineNumber = Some(value = 40),
        name = "pstatement",
        order = 1,
        possibleTypes = IndexedSeq(),
        typeFullName = "java.sql.PreparedStatement"
      ),
      Identifier(
        argumentIndex = 0,
        argumentName = None,
        code = "pstatement",
        columnNumber = Some(value = 9),
        dynamicTypeHintFullName = IndexedSeq(),
        lineNumber = Some(value = 41),
        name = "pstatement",
        order = 1,
        possibleTypes = IndexedSeq(),
        typeFullName = "java.sql.PreparedStatement"
      )
    )

Desktop

  • OS: macOS 13
  • Joern Version: 4.0.33
  • Java version: 17.0.11
@michwqy michwqy added the bug Something isn't working label Aug 11, 2024
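
To make the comparison in this report mechanical, the following added example (not part of the original issue and not Joern code) parses a Path dump in the format shown under "Actual behavior", renders each node in the reporter's "type: name" notation, and lists the expected steps that are absent. DUMP is the issue's output reduced to three fields per node; parse_path and missing_steps are hypothetical helper names.

```python
import re
from difflib import SequenceMatcher

# Constructed sample: the issue's dump reduced to the fields used here.
DUMP = r'''Path(elements = List(
  MethodParameterIn(code = "HttpServletRequest request", lineNumber = Some(value = 28), name = "request"),
  Identifier(code = "request", lineNumber = Some(value = 29), name = "request"),
  Call(code = "getParameter(\"username\")", lineNumber = Some(value = 29), name = "getParameter"),
  Identifier(code = "username", lineNumber = Some(value = 29), name = "username"),
  Identifier(code = "username", lineNumber = Some(value = 40), name = "username"),
  Identifier(code = "pstatement", lineNumber = Some(value = 40), name = "pstatement"),
  Identifier(code = "pstatement", lineNumber = Some(value = 41), name = "pstatement")
))'''

# Expected path as written in the issue.
EXPECTED = ["parameter: request", "identifier: request", "call: getParameter",
            "identifier: username", "identifier: username",
            "identifier: pstatement", "call: setString", "identifier: pstatement"]

KINDS = {"MethodParameterIn": "parameter", "Identifier": "identifier", "Call": "call"}
NODE = re.compile(r"\b(MethodParameterIn|Identifier|Call)\(")
NAME = re.compile(r'\bname = "([^"]*)"')   # \b skips argumentName / methodFullName
LINE = re.compile(r"\blineNumber = Some\(value = (\d+)\)")

def parse_path(dump):
    """Return [(label, line)] per node in path order; works on multi-line dumps too."""
    starts = list(NODE.finditer(dump))
    steps = []
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(dump)
        body = dump[m.end():end]            # text belonging to this node only
        name, line = NAME.search(body), LINE.search(body)
        steps.append((f"{KINDS[m.group(1)]}: {name.group(1) if name else '?'}",
                      int(line.group(1)) if line else None))
    return steps

def missing_steps(expected, actual_labels):
    """Expected steps with no counterpart in the reported path (order-aware diff)."""
    sm = SequenceMatcher(a=expected, b=actual_labels, autojunk=False)
    return [s for tag, i1, i2, _, _ in sm.get_opcodes()
            if tag in ("delete", "replace") for s in expected[i1:i2]]

if __name__ == "__main__":
    steps = parse_path(DUMP)
    for label, line in steps:
        print(f"line {line}: {label}")
    print("missing:", missing_steps(EXPECTED, [label for label, _ in steps]))
```
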