github · atorralba · Mar 1, 2023 · Feb 17, 2023 · Feb 17, 2023 · Feb 20, 2023
@@ -137,6 +137,8 @@ private class RecordConstructorFlow extends SummarizedCallable {
       preservesValue = true
     )
   }
+
+  override predicate hasProvenance(string provenance) { provenance = "manual" }
 }
 
 class RequiredSummaryComponentStack = Impl::Public::RequiredSummaryComponentStack;

@@ -248,7 +248,9 @@ module Public {
     /**
      * Holds if all the summaries that apply to `this` are auto generated and not manually created.
      */
-    final predicate isAutoGenerated() { this.hasProvenance("generated") and not this.isManual() }
+    final predicate isAutoGenerated() {
+      this.hasProvenance(["generated", "ai-generated"]) and not this.isManual()
+    }
 
     /**
      * Holds if there exists a manual summary that applies to `this`.
@@ -268,7 +270,7 @@ module Public {
     /**
      * Holds if the neutral is auto generated.
      */
-    predicate isAutoGenerated() { neutralElement(this, "generated") }
+    predicate isAutoGenerated() { neutralElement(this, ["generated", "ai-generated"]) }
 
     /**
      * Holds if there exists a manual neutral that applies to `this`.
@@ -1202,11 +1204,11 @@ module Private {
     }
 
     private string renderProvenance(SummarizedCallable c) {
-      if c.isAutoGenerated() then result = "generated" else result = "manual"
+      if c.isManual() then result = "manual" else c.hasProvenance(result)
     }
 
     private string renderProvenanceNeutral(NeutralCallable c) {
-      if c.isAutoGenerated() then result = "generated" else result = "manual"
+      if c.isManual() then result = "manual" else c.hasProvenance(result)
     }
 
     /**

@@ -86,6 +86,8 @@ module EntityFramework {
   abstract class EFSummarizedCallable extends SummarizedCallable {
     bindingset[this]
     EFSummarizedCallable() { any() }
+
+    override predicate hasProvenance(string provenance) { provenance = "manual" }
   }
 
   private class DbSetAddOrUpdateRequiredSummaryComponentStack extends RequiredSummaryComponentStack {

@@ -248,7 +248,9 @@ module Public {
     /**
      * Holds if all the summaries that apply to `this` are auto generated and not manually created.
      */
-    final predicate isAutoGenerated() { this.hasProvenance("generated") and not this.isManual() }
+    final predicate isAutoGenerated() {
+      this.hasProvenance(["generated", "ai-generated"]) and not this.isManual()
+    }
 
     /**
      * Holds if there exists a manual summary that applies to `this`.
@@ -268,7 +270,7 @@ module Public {
     /**
      * Holds if the neutral is auto generated.
      */
-    predicate isAutoGenerated() { neutralElement(this, "generated") }
+    predicate isAutoGenerated() { neutralElement(this, ["generated", "ai-generated"]) }
 
     /**
      * Holds if there exists a manual neutral that applies to `this`.
@@ -1202,11 +1204,11 @@ module Private {
     }
 
     private string renderProvenance(SummarizedCallable c) {
-      if c.isAutoGenerated() then result = "generated" else result = "manual"
+      if c.isManual() then result = "manual" else c.hasProvenance(result)
     }
 
     private string renderProvenanceNeutral(NeutralCallable c) {
-      if c.isAutoGenerated() then result = "generated" else result = "manual"
+      if c.isManual() then result = "manual" else c.hasProvenance(result)
     }
 
     /**

@@ -3,6 +3,8 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
+      - ["java.lang", "Module", True, "getResourceAsStream", "(String)", "", "Argument[0]", "read-file", "ai-generated"]
+# suggested label is not supported:      - ["java.lang", "ProcessBuilder", True, "ProcessBuilder", "(String[])", "", "Argument[0]", "command-injection", "ai-generated"]
       - ["java.lang", "String", False, "matches", "(String)", "", "Argument[0]", "regex-use[f-1]", "manual"]
       - ["java.lang", "String", False, "replaceAll", "(String,String)", "", "Argument[0]", "regex-use[-1]", "manual"]
       - ["java.lang", "String", False, "replaceFirst", "(String,String)", "", "Argument[0]", "regex-use[-1]", "manual"]

@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["org.apache.hadoop.hive.metastore.api", "DefaultConstraintsRequest", True, "DefaultConstraintsRequest", "(String,String,String)", "", "Argument[1]", "sql", "ai-generated"]
+
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["org.apache.hadoop.hive.metastore", "ObjectStore", True, "updatePartitionColumnStatistics", "(ColumnStatistics,List,String,long)", "", "Argument[0]", "sql", "ai-generated"]
+      - ["org.apache.hadoop.hive.metastore", "ObjectStore", True, "updatePartitionColumnStatistics", "(ColumnStatistics,List)", "", "Argument[0]", "sql", "ai-generated"]
+
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data:
+      - ["org.apache.hive.hcatalog.templeton", "HcatDelegator", True, "addOneColumn", "(String,String,String,ColumnDesc)", "", "Argument[3]", "sql", "ai-generated"]
+
@@ -67,9 +67,10 @@
  *    "taint" indicates a default additional taint step and "value" indicates a
  *    globally applicable value-preserving step.
  * 9. The `provenance` column is a tag to indicate the origin of the summary.
- *    There are two supported values: "generated" and "manual". "generated" means that
- *    the model has been emitted by the model generator tool and "manual" means
- *    that the model has been written by hand.
+ *    The supported values are: "manual", "generated" and "ai-generated". "manual"
+ *    means that the model has been written by hand, "generated" means that
+ *    the model has been emitted by the model generator tool and
+ *    "ai-generated" means that the model has been AI generated (ATM project).
  */
 
 import java
@@ -308,7 +309,7 @@ module ModelValidation {
       not ext.regexpMatch("|Annotated") and
       result = "Unrecognized extra API graph element \"" + ext + "\" in " + pred + " model."
       or
-      not provenance = ["manual", "generated"] and
+      not provenance = ["manual", "generated", "ai-generated"] and
       result = "Unrecognized provenance description \"" + provenance + "\" in " + pred + " model."
     )
   }

@@ -248,7 +248,9 @@ module Public {
     /**
      * Holds if all the summaries that apply to `this` are auto generated and not manually created.
      */
-    final predicate isAutoGenerated() { this.hasProvenance("generated") and not this.isManual() }
+    final predicate isAutoGenerated() {
+      this.hasProvenance(["generated", "ai-generated"]) and not this.isManual()
+    }
 
     /**
      * Holds if there exists a manual summary that applies to `this`.
@@ -268,7 +270,7 @@ module Public {
     /**
      * Holds if the neutral is auto generated.
      */
-    predicate isAutoGenerated() { neutralElement(this, "generated") }
+    predicate isAutoGenerated() { neutralElement(this, ["generated", "ai-generated"]) }
 
     /**
      * Holds if there exists a manual neutral that applies to `this`.
@@ -1202,11 +1204,11 @@ module Private {
     }
 
     private string renderProvenance(SummarizedCallable c) {
-      if c.isAutoGenerated() then result = "generated" else result = "manual"
+      if c.isManual() then result = "manual" else c.hasProvenance(result)
     }
 
     private string renderProvenanceNeutral(NeutralCallable c) {
-      if c.isAutoGenerated() then result = "generated" else result = "manual"
+      if c.isManual() then result = "manual" else c.hasProvenance(result)
     }
 
     /**

@@ -28,7 +28,7 @@ private int getNumMadModeledApis(string package, string provenance) {
         or
         sc.isManual() and
         (
-          if sc.hasProvenance("generated")
+          if sc.hasProvenance(["generated", "ai-generated"])
           then
             // "both"
             provenance = "both"

@@ -10,5 +10,5 @@ import semmle.code.java.dataflow.ExternalFlow
 from string package, string type, string name, string signature, string provenance
 where
   neutralModel(package, type, name, signature, provenance) and
-  provenance != "generated"
+  provenance != ["generated", "ai-generated"]
 select package, type, name, signature, provenance order by package, type, name, signature
@@ -12,6 +12,6 @@ from
   string input, string kind, string provenance
 where
   sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance) and
-  provenance != "generated"
+  provenance != ["generated", "ai-generated"]
 select package, type, subtypes, name, signature, ext, input, kind, provenance order by
     package, type, name, signature, input, kind
@@ -12,6 +12,6 @@ from
   string output, string kind, string provenance
 where
   sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance) and
-  provenance != "generated"
+  provenance != ["generated", "ai-generated"]
 select package, type, subtypes, name, signature, ext, output, kind, provenance order by
     package, type, name, signature, output, kind
@@ -12,6 +12,6 @@ from
   string input, string output, string kind, string provenance
 where
   summaryModel(package, type, subtypes, name, signature, ext, input, output, kind, provenance) and
-  provenance != "generated"
+  provenance != ["generated", "ai-generated"]
 select package, type, subtypes, name, signature, ext, input, output, kind, provenance order by
     package, type, name, signature, input, output, kind
@@ -14,6 +14,7 @@ edges
 | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:12:99:33 | new URI(...) |
 | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:100:12:100:45 | new URI(...) |
 | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:101:12:101:54 | new URI(...) |
+| Test.java:105:14:105:34 | getHostName(...) : String | Test.java:107:46:107:46 | t |
 nodes
 | Test.java:19:18:19:38 | getHostName(...) : String | semmle.label | getHostName(...) : String |
 | Test.java:24:20:24:23 | temp | semmle.label | temp |
@@ -34,6 +35,8 @@ nodes
 | Test.java:99:12:99:33 | new URI(...) | semmle.label | new URI(...) |
 | Test.java:100:12:100:45 | new URI(...) | semmle.label | new URI(...) |
 | Test.java:101:12:101:54 | new URI(...) | semmle.label | new URI(...) |
+| Test.java:105:14:105:34 | getHostName(...) : String | semmle.label | getHostName(...) : String |
+| Test.java:107:46:107:46 | t | semmle.label | t |
 subpaths
 #select
 | Test.java:24:11:24:24 | new File(...) | Test.java:19:18:19:38 | getHostName(...) : String | Test.java:24:20:24:23 | temp | This path depends on a $@. | Test.java:19:18:19:38 | getHostName(...) | user-provided value |
@@ -47,3 +50,4 @@ subpaths
 | Test.java:99:3:99:34 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:99:12:99:33 | new URI(...) | This path depends on a $@. | Test.java:95:14:95:34 | getHostName(...) | user-provided value |
 | Test.java:100:3:100:46 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:100:12:100:45 | new URI(...) | This path depends on a $@. | Test.java:95:14:95:34 | getHostName(...) | user-provided value |
 | Test.java:101:3:101:55 | new File(...) | Test.java:95:14:95:34 | getHostName(...) : String | Test.java:101:12:101:54 | new URI(...) | This path depends on a $@. | Test.java:95:14:95:34 | getHostName(...) | user-provided value |
+| Test.java:107:46:107:46 | t | Test.java:105:14:105:34 | getHostName(...) : String | Test.java:107:46:107:46 | t | This path depends on a $@. | Test.java:105:14:105:34 | getHostName(...) | user-provided value |
@@ -100,4 +100,10 @@ void doGet5(InetAddress address)
 		new File(new URI(null, null, t, null, null));
 		new File(new URI(null, null, null, 0, t, null, null));
 	}
+
+	void doGet6(InetAddress address) throws IOException {
+		String t = address.getHostName();
+		// BAD: accessing local resource with user input
+		getClass().getModule().getResourceAsStream(t);
+	}
 }
@@ -0,0 +1,29 @@
+import org.apache.hadoop.hive.metastore.api.ColumnStatistics;
+import org.apache.hadoop.hive.metastore.api.DefaultConstraintsRequest;
+import org.apache.hadoop.hive.metastore.ObjectStore;
+import org.apache.hive.hcatalog.templeton.ColumnDesc;
+import org.apache.hive.hcatalog.templeton.HcatDelegator;
+import java.util.List;
+
+public class Hive {
+
+    public static Object source() {
+        return null;
+    }
+
+    public void test(ObjectStore objStore, HcatDelegator hcatDel) throws Exception {
+        {
+            String taint = (String) source();
+            new DefaultConstraintsRequest("", taint, ""); // $ sqlInjection
+        }
+        {
+            ColumnStatistics taint = (ColumnStatistics) source();
+            //objStore.updatePartitionColumnStatistics(taint, (List<String>) null, (String) null, 0L); // $ sqlInjection
+            objStore.updatePartitionColumnStatistics(taint, (List<String>) null); // $ sqlInjection
+        }
+        {
+            ColumnDesc taint = (ColumnDesc) source();
+            hcatDel.addOneColumn(null, null, null, taint); // $ sqlInjection
+        }
+    }
+}
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/mongodbClient:${testdir}/../../../../../stubs/springframework-5.3.8
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/mongodbClient:${testdir}/../../../../../stubs/springframework-5.3.8:${testdir}/../../../../../stubs/apache-hive
-Original file line number
+Diff line change
@@ Expand Up @@
           preservesValue = true
         )
       }
+      override predicate hasProvenance(string provenance) { provenance = "manual" }
     }
     class RequiredSummaryComponentStack = Impl::Public::RequiredSummaryComponentStack;
@@ Expand Down @@
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/mongodbClient:${testdir}/../../../../../stubs/springframework-5.3.8
		//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/mongodbClient:${testdir}/../../../../../stubs/springframework-5.3.8:${testdir}/../../../../../stubs/apache-hive