Merge pull request #7349 from aschackmull/dataflow/state

Dataflow: Add support for flow state
2026-04-30 11:15:13 +02:00 · 2022-01-14 09:12:38 +01:00
parent 4ffd8c62ac f7cf327e71
commit 0b24af901d
54 changed files with 29226 additions and 15939 deletions
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll
@@ -3,6 +3,17 @@ private import DataFlowImplSpecific::Public
 import Cached

 module DataFlowImplCommonPublic {
+  /** A state value to track during data flow. */
+  class FlowState = string;
+
+  /**
+   * The default state, which is used when the state is unspecified for a source
+   * or a sink.
+   */
+  class FlowStateEmpty extends FlowState {
+    FlowStateEmpty() { this = "" }
+  }
+
  private newtype TFlowFeature =
    TFeatureHasSourceCallContext() or
    TFeatureHasSinkCallContext() or
--- a/python/ql/lib/semmle/python/dataflow/new/internal/tainttracking1/TaintTrackingImpl.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/tainttracking1/TaintTrackingImpl.qll
@@ -61,7 +61,7 @@ abstract class Configuration extends DataFlow::Configuration {
   * The smaller this predicate is, the faster `hasFlow()` will converge.
   */
  // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSource(DataFlow::Node source);
+  override predicate isSource(DataFlow::Node source) { none() }

  /**
   * Holds if `sink` is a relevant taint sink.
@@ -69,7 +69,7 @@ abstract class Configuration extends DataFlow::Configuration {
   * The smaller this predicate is, the faster `hasFlow()` will converge.
   */
  // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSink(DataFlow::Node sink);
+  override predicate isSink(DataFlow::Node sink) { none() }

  /** Holds if the node `node` is a taint sanitizer. */
  predicate isSanitizer(DataFlow::Node node) { none() }
--- a/python/ql/lib/semmle/python/dataflow/new/internal/tainttracking2/TaintTrackingImpl.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/tainttracking2/TaintTrackingImpl.qll
@@ -61,7 +61,7 @@ abstract class Configuration extends DataFlow::Configuration {
   * The smaller this predicate is, the faster `hasFlow()` will converge.
   */
  // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSource(DataFlow::Node source);
+  override predicate isSource(DataFlow::Node source) { none() }

  /**
   * Holds if `sink` is a relevant taint sink.
@@ -69,7 +69,7 @@ abstract class Configuration extends DataFlow::Configuration {
   * The smaller this predicate is, the faster `hasFlow()` will converge.
   */
  // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSink(DataFlow::Node sink);
+  override predicate isSink(DataFlow::Node sink) { none() }

  /** Holds if the node `node` is a taint sanitizer. */
  predicate isSanitizer(DataFlow::Node node) { none() }
--- a/python/ql/lib/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll
@@ -61,7 +61,7 @@ abstract class Configuration extends DataFlow::Configuration {
   * The smaller this predicate is, the faster `hasFlow()` will converge.
   */
  // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSource(DataFlow::Node source);
+  override predicate isSource(DataFlow::Node source) { none() }

  /**
   * Holds if `sink` is a relevant taint sink.
@@ -69,7 +69,7 @@ abstract class Configuration extends DataFlow::Configuration {
   * The smaller this predicate is, the faster `hasFlow()` will converge.
   */
  // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSink(DataFlow::Node sink);
+  override predicate isSink(DataFlow::Node sink) { none() }

  /** Holds if the node `node` is a taint sanitizer. */
  predicate isSanitizer(DataFlow::Node node) { none() }
--- a/python/ql/lib/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll
@@ -61,7 +61,7 @@ abstract class Configuration extends DataFlow::Configuration {
   * The smaller this predicate is, the faster `hasFlow()` will converge.
   */
  // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSource(DataFlow::Node source);
+  override predicate isSource(DataFlow::Node source) { none() }

  /**
   * Holds if `sink` is a relevant taint sink.
@@ -69,7 +69,7 @@ abstract class Configuration extends DataFlow::Configuration {
   * The smaller this predicate is, the faster `hasFlow()` will converge.
   */
  // overridden to provide taint-tracking specific qldoc
-  abstract override predicate isSink(DataFlow::Node sink);
+  override predicate isSink(DataFlow::Node sink) { none() }

  /** Holds if the node `node` is a taint sanitizer. */
  predicate isSanitizer(DataFlow::Node node) { none() }