Add models of the jakarta/javax.json package#6183
Conversation
Marcono1234
left a comment
There was a problem hiding this comment.
Would it make sense to cover jakarta.json.* as well now that the Eclipse Foundation has took over the project? See https://eclipse-ee4j.github.io/jsonp/
I have left some review comments regarding methods which might only exist for Jakarta JSON-P; feel free to ignore them if you don't want to cover JSON-P.
Though note that some of the comments might also apply to Java EE, but not to Java EE 7 documented on https://docs.oracle.com but to the newer versions, see https://javadoc.io/doc/javax.json/javax.json-api/latest/overview-summary.html
Should the class Json be modelled as well? It has multiple factory methods.
| "javax.json;JsonArray;false;getJsonString;;;Argument[-1];ReturnValue;taint", | ||
| "javax.json;JsonArray;false;getString;;;Argument[-1];ReturnValue;taint", | ||
| "javax.json;JsonArray;false;getString;;;Argument[1];ReturnValue;value", | ||
| "javax.json;JsonArray;false;getValuesAs;;;Argument[-1];ReturnValue;taint", |
There was a problem hiding this comment.
Shouldn't that be value flow since getValueAs(Class) seems to return a view (without modifying the entries in any way)? (or is value flow only when it is the exact same reference?)
Though the overload getValueAs(Function) would only be taint flow then I guess.
There was a problem hiding this comment.
It should be the exact same reference indeed
| "javax.json;JsonReaderFactory;false;createReader;;;Argument[0];ReturnValue;taint", | ||
| "javax.json;JsonString;false;getChars;;;Argument[-1];ReturnValue;taint", | ||
| "javax.json;JsonString;false;getString;;;Argument[-1];ReturnValue;taint", | ||
| "javax.json;JsonValue;false;toString;;;Argument[-1];ReturnValue;taint", |
There was a problem hiding this comment.
Shouldn't this cover subtypes as well? (hopefully my understanding of the CSV model is correct)
| "javax.json;JsonValue;false;toString;;;Argument[-1];ReturnValue;taint", | |
| "javax.json;JsonValue;true;toString;;;Argument[-1];ReturnValue;taint", |
| "javax.json;JsonReaderFactory;false;createReader;;;Argument[0];ReturnValue;taint", | ||
| "javax.json;JsonString;false;getChars;;;Argument[-1];ReturnValue;taint", | ||
| "javax.json;JsonString;false;getString;;;Argument[-1];ReturnValue;taint", | ||
| "javax.json;JsonValue;false;toString;;;Argument[-1];ReturnValue;taint", |
There was a problem hiding this comment.
Should that also cover the following?
| "javax.json;JsonReaderFactory;false;createReader;;;Argument[0];ReturnValue;taint", | ||
| "javax.json;JsonString;false;getChars;;;Argument[-1];ReturnValue;taint", | ||
| "javax.json;JsonString;false;getString;;;Argument[-1];ReturnValue;taint", | ||
| "javax.json;JsonValue;false;toString;;;Argument[-1];ReturnValue;taint", |
There was a problem hiding this comment.
Should JsonStructure.getValue(String) be covered as well?
| "javax.json;JsonArray;false;getString;;;Argument[1];ReturnValue;value", | ||
| "javax.json;JsonArray;false;getValuesAs;;;Argument[-1];ReturnValue;taint", | ||
| "javax.json;JsonArrayBuilder;false;add;;;Argument[-1];ReturnValue;value", | ||
| "javax.json;JsonArrayBuilder;false;add;;;Argument[0];Argument[-1];taint", |
There was a problem hiding this comment.
This might result in false positives since there are also overloads in the form add(index, ...) (which are in turn also not covered)
| "javax.json;JsonArray;false;getValuesAs;;;Argument[-1];ReturnValue;taint", | ||
| "javax.json;JsonArrayBuilder;false;add;;;Argument[-1];ReturnValue;value", | ||
| "javax.json;JsonArrayBuilder;false;add;;;Argument[0];Argument[-1];taint", | ||
| "javax.json;JsonArrayBuilder;false;addNull;;;Argument[-1];ReturnValue;value", |
There was a problem hiding this comment.
Jakarta JSON-P also has the following methods JsonArrayBuilder methods:
addAllremove(...)set(...)setNull(int)
| "javax.json;JsonArrayBuilder;false;add;;;Argument[0];Argument[-1];taint", | ||
| "javax.json;JsonArrayBuilder;false;addNull;;;Argument[-1];ReturnValue;value", | ||
| "javax.json;JsonArrayBuilder;false;build;;;Argument[-1];ReturnValue;taint", | ||
| "javax.json;JsonNumber;false;bigDecimalValue;;;Argument[-1];ReturnValue;taint", |
There was a problem hiding this comment.
Isn't at least bigDecimalValue() value flow since there is (most likely) no precision loss?
(Or maybe I am misunderstanding the meaning of value)
Edit: Nevermind, see #6183 (comment)
| "javax.json;JsonNumber;false;intValue;;;Argument[-1];ReturnValue;taint", | ||
| "javax.json;JsonNumber;false;intValueExact;;;Argument[-1];ReturnValue;taint", | ||
| "javax.json;JsonNumber;false;longValue;;;Argument[-1];ReturnValue;taint", | ||
| "javax.json;JsonNumber;false;longValueExact;;;Argument[-1];ReturnValue;taint", |
There was a problem hiding this comment.
There is also numberValue(); that one might be value flow?
| "javax.json;JsonObjectBuilder;false;add;;;Argument[-1];ReturnValue;value", | ||
| "javax.json;JsonObjectBuilder;false;add;;;Argument[1];Argument[-1];taint", | ||
| "javax.json;JsonObjectBuilder;false;addNull;;;Argument[-1];ReturnValue;value", | ||
| "javax.json;JsonObjectBuilder;false;build;;;Argument[-1];ReturnValue;taint", |
There was a problem hiding this comment.
@smowton I think you missed JsonObjectBuilder.remove
| "javax.json;JsonObjectBuilder;false;build;;;Argument[-1];ReturnValue;taint", | ||
| "javax.json;JsonReader;false;read;;;Argument[-1];ReturnValue;taint", | ||
| "javax.json;JsonReader;false;readArray;;;Argument[-1];ReturnValue;taint", | ||
| "javax.json;JsonReader;false;readObject;;;Argument[-1];ReturnValue;taint", |
|
Thanks @Marcono1234, I've improved this to cover the jakarta version of the package and to incorporate the missing functions you mention. I'll edit the top comment with notes on taint strategy here and the uncovered subpackages |
Marcono1234
left a comment
There was a problem hiding this comment.
Thanks a lot for the changes. Usage of a set literal expression for supporting the different package names is a pretty neat idea!
Since you have covered some additional classes as well, would it make sense to cover JsonPointer, JsonMergePatch and JsonPatchBuilder from the same package as well?
| "Json;false;createDiff;;;Argument[0..1];ReturnValue;taint", | ||
| "Json;false;createMergeDiff;;;Argument[0..1];ReturnValue;taint", |
There was a problem hiding this comment.
Not completely sure whether argument 0 (source) is actually affecting taint. Did not have a look at the implementation or the RFC, but if I understand it correctly source can only affect whether JSON values are added or removed, but not which values they will have.
E.g.:
- source has
"a": 1, target does not have it →ais removed - source does not have
a, target has"a": 1→"a": 1is added
In both cases source does not taint the patch.
But might be good to verify this, also for JSON arrays.
There was a problem hiding this comment.
I figured the diff must represent the removal of the key somehow, and <script>alert('Oh no')</script> is a valid key, so we might be interested in this as a taint propagator
| "Json;false;createObjectBuilder;(Map);;MapValue of Argument[0];ReturnValue;taint", | ||
| "Json;false;createPatch;;;Argument[0];ReturnValue;taint", | ||
| "Json;false;createReader;;;Argument[0];ReturnValue;taint", | ||
| "Json;false;createWriter;;;Argument[0];ReturnValue;taint", |
There was a problem hiding this comment.
In case you decide to add JsonPatchBuilder it would be good to add Json.createPatchBuilder(JsonArray) as well.
| "Json;false;createObjectBuilder;(Map);;MapValue of Argument[0];ReturnValue;taint", | ||
| "Json;false;createPatch;;;Argument[0];ReturnValue;taint", | ||
| "Json;false;createReader;;;Argument[0];ReturnValue;taint", | ||
| "Json;false;createWriter;;;Argument[0];ReturnValue;taint", |
There was a problem hiding this comment.
Would probably be good to cover the createValue(...) methods as well.
| @@ -0,0 +1,110 @@ | |||
| /** | |||
| * Provides models for the `javax.json` package. | |||
There was a problem hiding this comment.
Maybe also have to adjust this:
| * Provides models for the `javax.json` package. | |
| * Provides models for the `javax.json` and `jakarta.json` packages. |
javaGenerated file changes for java
- Java extensions,"``javax.*``, ``jakarta.*``",22,294,18,,,,,1,1,2
+ Java extensions,"``javax.*``, ``jakarta.*``",22,536,18,,,,,1,1,2
- Totals,,84,2013,287,13,6,6,98,33,1,66
+ Totals,,84,2255,287,13,6,6,98,33,1,66
+ jakarta.json,,,121,,,,,,,,,,,,,,,98,23
+ javax.json,,,121,,,,,,,,,,,,,,,98,23 |
|
@Marcono1234 all changes applied |
Marcono1234
left a comment
There was a problem hiding this comment.
Thanks a lot for considering the feedback!
Do you think it would be worth considering methods for de- and encoding a JSON pointer string as well?
| ".json;JsonPatchBuilder;false;replace;;;Argument[-1];ReturnValue;value", | ||
| ".json;JsonPatchBuilder;false;test;;;Argument[0..1];ReturnValue;taint", | ||
| ".json;JsonPatchBuilder;false;test;;;Argument[-1];ReturnValue;value", | ||
| ".json;JsonPointer;false;add;;;Argument[-1];ReturnValue;taint", |
There was a problem hiding this comment.
Is add really transferring taint from the receiver JsonPointer?
If so should that then in the same way apply to the other methods (getValue, remove, replace)?
There was a problem hiding this comment.
add: yes, because the pointer could contain an injection string, which would be incorporated into the result as a new key. getValue, remove, replace: no, they do not incorporate text from the pointer into the result (replace requires that the key is already present)
There was a problem hiding this comment.
Thanks for the clarification! Makes sense.
|
Done |
javaGenerated file changes for java
- Java extensions,"``javax.*``, ``jakarta.*``",22,294,18,,,,,1,1,2
+ Java extensions,"``javax.*``, ``jakarta.*``",22,540,18,,,,,1,1,2
- Totals,,84,2013,287,13,6,6,98,33,1,66
+ Totals,,84,2259,287,13,6,6,98,33,1,66
+ jakarta.json,,,123,,,,,,,,,,,,,,,100,23
+ javax.json,,,123,,,,,,,,,,,,,,,100,23 |
Notes:
streamsubpackage alone for now to come back to once we have lambda flowElement,MapValueetc here on the understanding that the purpose of the package is to build an object then serialise or the inverse, rather than to use these as general-purpose data structures where flows involving access paths are more plausible.JsonArrayexposes a full immutableListinterface; some reads through that interface against a deserialised object may not convey taint as a result.