diff --git a/java/ql/src/semmle/code/java/JDK.qll b/java/ql/src/semmle/code/java/JDK.qll
index d9a1a15e5d3d..3b71396c9207 100644
--- a/java/ql/src/semmle/code/java/JDK.qll
+++ b/java/ql/src/semmle/code/java/JDK.qll
@@ -211,6 +211,21 @@ class MethodSystemGetProperty extends Method {
 }
 }
 
+/**
+ * An access to a method named `getProperty` on class `java.lang.System`.
+ */
+class MethodAccessSystemGetProperty extends MethodAccess {
+ MethodAccessSystemGetProperty() { getMethod() instanceof MethodSystemGetProperty }
+
+ /**
+ * Holds if this call has a compile-time constant first argument with the value `propertyName`.
+ * For example: `System.getProperty("user.dir")`.
+ */
+ predicate hasCompileTimeConstantGetPropertyName(string propertyName) {
+ this.getArgument(0).(CompileTimeConstantExpr).getStringValue() = propertyName
+ }
+}
+
 /**
 * Any method named `exit` on class `java.lang.Runtime` or `java.lang.System`.
 */
diff --git a/java/ql/test/library-tests/JDK/PrintAst.expected b/java/ql/test/library-tests/JDK/PrintAst.expected
index ff260ac6c38a..74967e122e30 100644
--- a/java/ql/test/library-tests/JDK/PrintAst.expected
+++ b/java/ql/test/library-tests/JDK/PrintAst.expected
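Review bot: The QLDoc on `hasCompileTimeConstantGetPropertyName` in `JDK.qll` does not say what the predicate leaves out: it has no result when argument 0 is not a `CompileTimeConstantExpr`, so a query that relies on it to find every read of a given property will silently miss calls whose name is computed at run time. It also holds for the two-argument overload (the `b()` call at line 11 appears in `SystemGetPropertyCall.expected`), which the single example does not show. I would extend the comment with `* Also holds for the two-argument overload that takes a default value.` and `* Has no result when the property name is not a compile-time constant, so it under-approximates reads of a property.` The body of `MethodSystemGetProperty`, which the characteristic predicate depends on, starts outside this hunk, so which methods it covers cannot be confirmed from here.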
@@ -60,3 +60,38 @@ jdk/A.java: # 28| 0: [ArrayTypeAccess] ...[] # 28| 0: [TypeAccess] String # 28| 5: [BlockStmt] stmt +jdk/SystemGetPropertyCall.java: +# 0| [CompilationUnit] SystemGetPropertyCall +# 3| 1: [Class] SystemGetPropertyCall +# 4| 3: [FieldDeclaration] String USER_DIR_PROPERTY, ...; +# 4| -1: [TypeAccess] String +# 4| 0: [StringLiteral] "user.dir" +# 6| 4: [Method] a +# 6| 3: [TypeAccess] void +# 6| 5: [BlockStmt] stmt +# 7| 0: [ExprStmt] stmt +# 7| 0: [MethodAccess] getProperty(...) +# 7| -1: [TypeAccess] System +# 7| 0: [StringLiteral] "user.dir" +# 10| 5: [Method] b +# 10| 3: [TypeAccess] void +# 10| 5: [BlockStmt] stmt +# 11| 0: [ExprStmt] stmt +# 11| 0: [MethodAccess] getProperty(...) +# 11| -1: [TypeAccess] System +# 11| 0: [StringLiteral] "user.dir" +# 11| 1: [StringLiteral] "HOME" +# 14| 6: [Method] c +# 14| 3: [TypeAccess] void +# 14| 5: [BlockStmt] stmt +# 15| 0: [ExprStmt] stmt +# 15| 0: [MethodAccess] getProperty(...) +# 15| -1: [TypeAccess] System +# 15| 0: [VarAccess] USER_DIR_PROPERTY +# 18| 7: [Method] d +# 18| 3: [TypeAccess] void +# 18| 5: [BlockStmt] stmt +# 19| 0: [ExprStmt] stmt +# 19| 0: [MethodAccess] getProperty(...) +# 19| -1: [TypeAccess] System +# 19| 0: [StringLiteral] "random.property" diff --git a/java/ql/test/library-tests/JDK/SystemGetPropertyCall.expected b/java/ql/test/library-tests/JDK/SystemGetPropertyCall.expected new file mode 100644 index 000000000000..e96a74fe1a6a --- /dev/null +++ b/java/ql/test/library-tests/JDK/SystemGetPropertyCall.expected @@ -0,0 +1,3 @@ +| jdk/SystemGetPropertyCall.java:7:9:7:38 | getProperty(...) | +| jdk/SystemGetPropertyCall.java:11:9:11:46 | getProperty(...) | +| jdk/SystemGetPropertyCall.java:15:9:15:45 | getProperty(...) | diff --git a/java/ql/test/library-tests/JDK/SystemGetPropertyCall.ql b/java/ql/test/library-tests/JDK/SystemGetPropertyCall.ql new file mode 100644 index 000000000000..4ccacefa2c27 --- /dev/null +++ b/java/ql/test/library-tests/JDK/SystemGetPropertyCall.ql 
@@ -0,0 +1,5 @@
+import java
+
+from MethodAccessSystemGetProperty ma
+where ma.hasCompileTimeConstantGetPropertyName("user.dir")
+select ma
diff --git a/java/ql/test/library-tests/JDK/jdk/SystemGetPropertyCall.java b/java/ql/test/library-tests/JDK/jdk/SystemGetPropertyCall.java
new file mode 100644
index 000000000000..750f1e8b83c0
--- /dev/null
+++ b/java/ql/test/library-tests/JDK/jdk/SystemGetPropertyCall.java
@@ -0,0 +1,21 @@
+package jdk;
+
+public class SystemGetPropertyCall {
+ private static final String USER_DIR_PROPERTY = "user.dir";
+
+ void a() {
+ System.getProperty("user.dir");
+ }
+
+ void b() {
+ System.getProperty("user.dir", "HOME");
+ }
+
+ void c() {
+ System.getProperty(USER_DIR_PROPERTY);
+ }
+
+ void d() {
+ System.getProperty("random.property");
+ }
+}
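Review bot: The fixture `SystemGetPropertyCall.java` contains no call whose first argument is not a compile-time constant, so the only negative case the expected output pins is a different constant (`d()`). The predicate under test is defined by a cast to `CompileTimeConstantExpr`, and the behaviour that matters most to queries built on it is that a name arriving through a parameter or non-final variable produces no result. I would add `void e(String name) { System.getProperty(name); }` as that negative case. To cover constant folding I would also add `void f() { System.getProperty("user." + "dir"); }`, which should be matched if folded string constants are handled as expected. Both `.expected` files would then need regenerating.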