Java: Add support for commons-lang's StrBuilder class #5172
Conversation
smowton
force-pushed
the
smowton/feature/commons-strbuilder
branch
2 times, most recently
from
d38302e to
6a1ad0b
Compare
There was a problem hiding this comment.
StrBuilder is deprecated in the latest versions and has been moved to Apache Commons Text as TextStringBuilder. Would it make sense trying to cover that class as well?
| /** | ||
| * A method declared on `org.apache.commons.lang3.text.StrBuilder`. | ||
| */ | ||
| abstract class ApacheStrBuilderMethod extends Callable { |
There was a problem hiding this comment.
| abstract class ApacheStrBuilderMethod extends Callable { | |
| abstract class ApacheStrBuilderMethod extends Method { |
Might be good to extend Method to be consistent with the class name.
There was a problem hiding this comment.
When in doubt, don't use abstract classes. Indeed, I don't see any particular reason why we would want to use this feature here.
| } | ||
|
|
||
| /** | ||
| * An Apache Commons-Lang StrBuilder methods that add taint to the StrBuilder. |
There was a problem hiding this comment.
| * An Apache Commons-Lang StrBuilder methods that add taint to the StrBuilder. | |
| * An Apache Commons Lang StrBuilder method that adds taint to the StrBuilder. |
Here and for the other documentation comments: "Apache Commons Lang" should probably have no hyphen between "Commons" and "Lang".
| } | ||
|
|
||
| /** | ||
| * An Apache Commons-Lang StrBuilder methods that return taint from the StrBuilder. |
There was a problem hiding this comment.
| * An Apache Commons-Lang StrBuilder methods that return taint from the StrBuilder. | |
| * An Apache Commons Lang StrBuilder method that returns taint from the StrBuilder. |
| } | ||
|
|
||
| /** | ||
| * An Apache Commons-Lang StrBuilder methods that write taint from the StrBuilder to some parameter. |
There was a problem hiding this comment.
| * An Apache Commons-Lang StrBuilder methods that write taint from the StrBuilder to some parameter. | |
| * An Apache Commons Lang StrBuilder method that writes taint from the StrBuilder to some parameter. |
smowton
force-pushed
the
smowton/feature/commons-strbuilder
branch
from
6a1ad0b to
27cf907
Compare
|
@aschackmull @Marcono1234 changes applied |
|
Also added support for the commons-text version and for TextStringBuilder, a renamed version that also lives in common-text. |
| @@ -0,0 +1,2 @@ | |||
| lgtm,codescanning | |||
| * Added support for the Apache Commons Lang StringUtils library. | |||
There was a problem hiding this comment.
Might be good mentioning the classes covered by this pull request, but probably after #5126 has been merged. Otherwise this will cause a merge conflict.
…ent methods for the time being, which will be added in a forthcoming PR.
These are identical to the current deprecated StrBuilder in commons-lang3.
smowton
force-pushed
the
smowton/feature/commons-strbuilder
branch
from
89b6dde to
c700d00
Compare
| } | ||
|
|
||
| /** | ||
| * An Apache Commons Lang StrBuilder method that adds taint to the StrBuilder. |
There was a problem hiding this comment.
| * An Apache Commons Lang StrBuilder method that adds taint to the StrBuilder. | |
| * An Apache Commons Lang `StrBuilder` method that adds taint to the `StrBuilder`. |
| } | ||
|
|
||
| /** | ||
| * An Apache Commons Lang StrBuilder method that returns taint from the StrBuilder. |
There was a problem hiding this comment.
| * An Apache Commons Lang StrBuilder method that returns taint from the StrBuilder. | |
| * An Apache Commons Lang `StrBuilder` method that returns taint from the `StrBuilder`. |
| } | ||
|
|
||
| /** | ||
| * An Apache Commons Lang StrBuilder method that writes taint from the StrBuilder to some parameter. |
There was a problem hiding this comment.
| * An Apache Commons Lang StrBuilder method that writes taint from the StrBuilder to some parameter. | |
| * An Apache Commons Lang `StrBuilder` method that writes taint from the `StrBuilder` to some parameter. |
|
|
||
| override predicate transfersTaint(int fromArg, int toArg) { | ||
| fromArg = -1 and | ||
| ( |
There was a problem hiding this comment.
This parenthesis is superfluous.
|
|
||
| StrBuilder sb1 = new StrBuilder(); sb1.append(taint().toCharArray()); sink(sb1.toString()); // $hasTaintFlow=y | ||
| StrBuilder sb2 = new StrBuilder(); sb2.append(taint().toCharArray(), 0, 0); sink(sb2.toString()); // $hasTaintFlow=y | ||
| StrBuilder sb3 = new StrBuilder(); sb3.append(CharBuffer.wrap(taint().toCharArray())); sink(sb3.toString()); // BAD (but not detected because we don't model CharBuffer yet) |
There was a problem hiding this comment.
I believe the inline test expectations library allow you to specify this as specifically being a false negative (it's not much different from this, but does lead to a suitable "Fixed" message in the .actual output in case this is handled in the future instead of complaining about an unexpected result).
…ING test annotations
|
@aschackmull done |
This excludes its fluent methods for the time being, which will be added in an upcoming PR.
Based on #5126, review only latest commit.