Java: Unbounded Allocation queries

[joefarebrother]

Adds queries java/unbounded-allocation and java/unbounded-allocation-deserialization for detecting when an amount of memory is allocated according to a user controlled size.

Motivated by CVE-2018-10237 (fix commit).

LGTM runs:
https://lgtm.com/query/3077750168237260658/
https://lgtm.com/query/1596185660935956903/

[Marcono1234]

What about covering the following constructors?

• HashSet(int), HashSet(int, float)
• LinkedHashSet(int), LinkedHashSet(int, float)
• ArrayDeque(int)
• HashMap(int), HashMap(int, float)
• Hashtable(int), Hashtable(int, float)`
• LinkedHashMap(int), LinkedHashMap(int, float), LinkedHashMap(int, float, boolean)
• Properties(int)
• StringBuilder(int)
• StringBuffer(int)

The following are rather unlikely but might be worth considering anyways:

• ArrayBlockingQueue(int), ArrayBlockingQueue(int, boolean), ArrayBlockingQueue(int, boolean, Collection) (?)
• ConcurrentHashMap(int), ConcurrentHashMap(int, float), ConcurrentHashMap(int, float, int)
• IdentityHashMap(int)
• WeakHashMap(int), WeakHashMap(int, float)

And maybe it would be worth considering these methods as well:

• StringBuilder.ensureCapacity(int), StringBuilder.setLength(int)
• StringBuffer.ensureCapacity(int), StringBuffer.setLength(int)
• ArrayList.ensureCapacity(int)
• Vector.ensureCapacity(int), Vector.setSize(int)
• Array.newInstance(Class, int), Array.newInstance(Class, int...)
• Arrays.copyOf(..., int), Arrays.copyOf(U[], int, Class)
• Buffers:
  • ByteBuffer.allocate(int), ByteBuffer.allocateDirect(int)
  • CharBuffer.allocate(int)
  • DoubleBuffer.allocate(int)
  • FloatBuffer.allocate(int)
  • IntBuffer.allocate(int)
  • LongBuffer.allocate(int)
  • ShortBuffer.allocate(int)

[Marcono1234]

This can cause false positives. The read(byte[], int, int) method returns the number of read bytes, so using this value for allocating memory is legit.

Edit: Created #4591 for this now.

[Marcono1234]

Should the class name match the file name?

[felicitymay]

Hi @joefarebrother - welcome back 👋🏻

I can see that you've already tidied up the help for this query quite a bit. I've included a few more suggestions and comments.

[felicitymay]

Are there any references that it would make sense to add here alongside the automated CWE reference? Possibly it's worth mentioning the CVE that inspired this?

[felicitymay]

This qhelp file is missing from https://github.com/github/semmle-code/actions/runs/342049752 because of the typo in the file name. This seems like something that should result in a check failure.

It looks as if the file should be: `UnboundedAllocationDeserialization.qhelp

[artem-smotrakov]

Hey @joefarebrother ! I just started working on a similar query and then noticed this pull request. It doesn't look active though. Are you planning to finish it? If no, and if you don't mind, I could take it over.

[aschackmull]

As I recall, an issue with this was that tracking taint through numbers is prone to a lot of false positive flow.

[artem-smotrakov]

As I recall, an issue with this was that tracking taint through numbers is prone to a lot of false positive flow.

Do we have examples of FPs?

[aschackmull]

Do we have examples of FPs?

No, not really. This is more of a general observation from personal experience.

[artem-smotrakov]

Do we have examples of FPs?

No, not really. This is more of a general observation from personal experience.

Okay, I'll try to run the query on a set of projects, maybe it'll show the FPs.