Improve switched-arguments.ql

Marcono1234 · Marcono1234 · commit 53e4da87d4ee · 2024-12-31T23:02:56.000+01:00
diff --git a/codeql-custom-queries-java/queries/likely-bugs/switched-arguments-precise.ql b/codeql-custom-queries-java/queries/likely-bugs/switched-arguments-precise.ql
@@ -0,0 +1,171 @@
+/**
+ * Finds cases of switched arguments based on argument and parameter names.
+ *
+ * For example:
+ * ```java
+ * void addUser(String firstName, String lastName) {
+ *     ...
+ * }
+ *
+ * ...
+ *
+ * String firstName = ...;
+ * String lastName = ...;
+ * // Provides arguments in wrong order
+ * addUser(lastName, firstName);
+ * ```
+ *
+ * @id TODO
+ * @kind problem
+ * @precision medium
+ */
+
+import java
+import semmle.code.java.dataflow.DataFlow
+
+predicate isAssignable(Parameter param, Variable argVar) {
+  exists(Type paramType, Type argType | paramType = param.getType() and argType = argVar.getType() |
+    paramType = argType or
+    paramType = argType.(RefType).getAnAncestor() or
+    paramType.(BoxedType).getPrimitiveType() = argType or
+    paramType = argType.(BoxedType).getPrimitiveType() or
+    // Note: This might be too lenient
+    paramType.getErasure() = argType.getErasure()
+  )
+}
+
+// CodeQL seems to generate param names in the form p0, p1, ... for external classes
+predicate areParamNamesKnown(Callable c) {
+  c.fromSource()
+  or
+  // Or there is a param name which is not `p<N>`
+  exists(string paramName | paramName = c.getAParameter().getName() |
+    not paramName.regexpMatch("p\\d+")
+  )
+}
+
+bindingset[s, prefix]
+predicate startsWith(string s, string prefix) { s.indexOf(prefix) = 0 }
+
+bindingset[s, suffix]
+predicate endsWith(string s, string suffix) { s.indexOf(suffix) = s.length() - suffix.length() }
+
+predicate matchesParamName(Parameter param, Variable argVar) {
+  exists(string paramName, string varName |
+    // Compare case insensitively
+    paramName = param.getName().toLowerCase() and
+    varName = argVar.getName().toLowerCase()
+  |
+    paramName = varName or
+    startsWith(varName, paramName) or
+    endsWith(varName, paramName)
+  )
+}
+
+class ComparableCompareToMethod extends Method {
+  ComparableCompareToMethod() {
+    getDeclaringType().hasQualifiedName("java.lang", "Comparable") and
+    hasName("compareTo")
+  }
+}
+
+class ComparatorCompareMethod extends Method {
+  ComparatorCompareMethod() {
+    getDeclaringType().hasQualifiedName("java.util", "Comparator") and hasName("compare")
+  }
+}
+
+predicate isEnclosedByComparison(Call call, Variable var1, Variable var2) {
+  exists(Expr condition |
+    exists(IfStmt ifStmt |
+      condition = ifStmt.getCondition() and
+      call.getEnclosingStmt().getEnclosingStmt*() = [ifStmt.getThen(), ifStmt.getElse()]
+    )
+    or
+    exists(ConditionalExpr e |
+      condition = e.getCondition() and call.(MethodAccess).getParent*() = e.getABranchExpr()
+    )
+  |
+    // Comparison expr
+    exists(ComparisonExpr c | c.getParent*() = condition |
+      c.getAnOperand() = var1.getAnAccess() and c.getAnOperand() = var2.getAnAccess()
+    )
+    or
+    // Or `Comparable#compareTo` or `Comparator#compare` call
+    exists(RValue varReadA, RValue varReadB |
+      varReadA = var1.getAnAccess() and varReadB = var2.getAnAccess()
+      or
+      varReadA = var2.getAnAccess() and varReadB = var1.getAnAccess()
+    |
+      exists(MethodAccess compareToCall |
+        compareToCall.getParent*() = condition and
+        compareToCall.getMethod().getSourceDeclaration().getASourceOverriddenMethod*() instanceof
+          ComparableCompareToMethod
+      |
+        compareToCall.getQualifier() = varReadA and
+        compareToCall.getArgument(0) = varReadB
+      )
+      or
+      exists(MethodAccess compareCall |
+        compareCall.getParent*() = condition and
+        compareCall.getMethod().getSourceDeclaration().getASourceOverriddenMethod*() instanceof
+          ComparatorCompareMethod
+      |
+        compareCall.getArgument(0) = varReadA and
+        compareCall.getArgument(1) = varReadB
+      )
+    )
+  )
+}
+
+from
+  Call call, Callable callee, int param1Index, Parameter param1, int param2Index, Parameter param2,
+  RValue arg1, Variable var1, RValue arg2, Variable var2
+where
+  call.getCallee() = callee and
+  areParamNamesKnown(callee) and
+  // Enforce ordering, to avoid reporing switched arguments twice
+  param1Index < param2Index and
+  // Ignore if argument is part of varargs argument
+  (
+    call.getNumArgument() <= callee.getNumberOfParameters() or
+    param2Index < callee.getNumberOfParameters() - 1
+  ) and
+  param1 = callee.getParameter(param1Index) and
+  param2 = callee.getParameter(param2Index) and
+  arg1 = call.getArgument(param1Index) and
+  arg1.getVariable() = var1 and
+  arg2 = call.getArgument(param2Index) and
+  arg2.getVariable() = var2 and
+  var1 != var2 and
+  // And param names indicate that args are switched
+  matchesParamName(param1, var2) and
+  not matchesParamName(param1, var1) and
+  matchesParamName(param2, var1) and
+  not matchesParamName(param2, var2) and
+  // And args can really be switched
+  isAssignable(param1, var2) and
+  isAssignable(param2, var1) and
+  // And does not call the same enclosing method or own constructor, in that case the arguments might be intentionally switched
+  not (
+    callee = call.getEnclosingCallable()
+    or
+    arg1.(FieldRead).isOwnFieldAccess() and
+    arg2.(FieldRead).isOwnFieldAccess() and
+    callee.(Constructor).getDeclaringType() = call.getEnclosingCallable().getDeclaringType()
+  ) and
+  // Ignore if args are being compared, and are intentionally switched based on the result
+  not isEnclosedByComparison(call, var1, var2) and
+  // Ignore if part of a test assertion which might have intentionally switched args
+  not (
+    call.getEnclosingCallable().getDeclaringType() instanceof TestClass and
+    exists(MethodAccess assertionCall | assertionCall.getMethod().getName().matches("assert%") |
+      // Directly used as arg (possibly nested inside other expressions, e.g. comparison expr)
+      call.(MethodAccess).getParent*() = assertionCall.getAnArgument()
+      or
+      // Or with dataflow
+      DataFlow::localExprFlow(call, assertionCall.getAnArgument())
+    )
+  )
+select arg1, "'" + param1.getName() + "' arg might be switched with $@ (index " + param2Index + ")",
+  arg2, "'" + param2.getName() + "' arg"
diff --git a/codeql-custom-queries-java/queries/likely-bugs/switched-arguments.ql b/codeql-custom-queries-java/queries/likely-bugs/switched-arguments.ql
@@ -1,40 +1,84 @@
 /**
  * Finds cases of switched arguments based on argument and parameter names.
+ *
+ * For example:
+ * ```java
+ * void addUser(String firstName, String lastName) {
+ *     ...
+ * }
+ *
+ * ...
+ *
+ * String firstName = ...;
+ * String lastName = ...;
+ * // Provides arguments in wrong order
+ * addUser(lastName, firstName);
+ * ```
+ *
+ * @id TODO
+ * @kind problem
+ * @precision low
  */
 
+// Note: This query has rather low precision; a more precise variant is `switched-arguments-precise.ql`
+// (but that might have more false negatives)
 import java
 import semmle.code.java.dataflow.DataFlow
 
-// TODO: This does not cover primitives conversion and might be wrong for generics
+// TODO: Might be wrong for generics
 predicate isAssignable(Type paramType, Type argType) {
-    paramType = argType
-    or exists (RefType ancestor | ancestor = argType.(RefType).getAnAncestor() | paramType.(RefType) = ancestor)
+  paramType = argType or
+  paramType = argType.(RefType).getAnAncestor() or
+  paramType.(BoxedType).getPrimitiveType() = argType or
+  paramType = argType.(BoxedType).getPrimitiveType()
 }
 
-predicate flowVarToArg(RValue varReadExpr, Expr arg) {
-    DataFlow::localFlow(DataFlow::exprNode(varReadExpr), DataFlow::exprNode(arg))
+// CodeQL seems to generate param names in the form p0, p1, ... for external classes
+predicate areParamNamesKnown(Callable c) {
+  c.fromSource()
+  or
+  // Or there is a param name which is not `p<N>`
+  exists(string paramName | paramName = c.getAParameter().getName() |
+    not paramName.regexpMatch("p\\d+")
+  )
 }
 
-predicate isMatchingArg(MethodAccess call, Variable var) {
-    exists(int paramIndex, Parameter p, RValue varReadExpr | p = call.getMethod().getParameter(paramIndex) |
-        varReadExpr.getVariable() = var
-        and p.getName() = var.getName()
-        and isAssignable(p.getType(), var.getType())
-        and flowVarToArg(varReadExpr, call.getArgument(paramIndex))
-    )
+bindingset[s, suffix]
+predicate endsWithIgnoreCase(string s, string suffix) {
+  s.toLowerCase().indexOf(suffix.toLowerCase()) = s.length() - suffix.length()
 }
 
-from MethodAccess call, Method method, int paramIndex, Parameter otherParam, Variable var, RValue varReadExpr
+from
+  Call call, Callable callee, int paramIndex, Parameter otherParam, int otherParamIndex,
+  string otherParamName, Variable var, RValue callArg
 where
-    call.getMethod() = method
-    and flowVarToArg(varReadExpr, call.getArgument(paramIndex))
-    // Find a parameter with the same name as the argument,
-    // but at a different index
-    and otherParam = method.getAParameter()
-    and otherParam != method.getParameter(paramIndex)
-    and var = varReadExpr.getVariable()
-    and otherParam.getName() = var.getName()
-    and isAssignable(otherParam.getType(), var.getType())
-    // Var might be used as multiple args, verify that it is not matching
-    and not isMatchingArg(call, var)
-select call, varReadExpr, otherParam
+  call.getCallee() = callee and
+  areParamNamesKnown(callee) and
+  callArg = call.getArgument(paramIndex) and
+  // Ignore if argument is part of varargs argument
+  (
+    call.getNumArgument() <= callee.getNumberOfParameters() or
+    paramIndex < callee.getNumberOfParameters() - 1
+  ) and
+  // Find a parameter with the same name as the argument, but at a different index
+  otherParam = callee.getParameter(otherParamIndex) and
+  otherParamIndex != paramIndex and
+  var = callArg.getVariable() and
+  otherParamName = otherParam.getName() and
+  otherParamName = var.getName() and
+  isAssignable(otherParam.getType(), var.getType()) and
+  // Var might be used as multiple args, verify that it is not also used for the expected parameter
+  not var.getAnAccess() = call.getArgument(otherParamIndex) and
+  // And the other param does not have a variable with matching name as argument
+  not exists(string otherArgVarName |
+    otherArgVarName = call.getArgument(otherParamIndex).(RValue).getVariable().getName()
+  |
+    otherArgVarName = otherParamName or
+    otherArgVarName.indexOf(otherParamName) = 0 or
+    endsWithIgnoreCase(otherArgVarName, otherParamName)
+  ) and
+  // And does not call the same enclosing method, in that case the arguments might be intentionally switched
+  not callee = call.getEnclosingCallable()
+select callArg,
+  "Argument might be used at wrong position; should probably be for $@ at index " + otherParamIndex,
+  otherParam, "this parameter"
