hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 10:45:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Java: Improve sink model generation precision by excluding variable capture.

Browse Source
This commit is contained in:
Anders Schack-Mulligen
2022-11-09 15:32:30 +01:00
parent 07f50e275d
commit 151f12ef5e
4 changed files with 15 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
java/ql/src/utils/model-generator/internal/CaptureModels.qll
View File

@@ -272,6 +272,8 @@ private class PropagateToSinkConfiguration extends TaintTracking::Configuration
override predicate isSink(DataFlow::Node sink) { ExternalFlow::sinkNode(sink, _) }
override predicate isSanitizer(DataFlow::Node node) { sinkModelSanitizer(node) }
override DataFlow::FlowFeature getAFeature() {
result instanceof DataFlow::FeatureHasSourceCallContext
}

9
java/ql/src/utils/model-generator/internal/CaptureModelsSpecific.qll
View File

@@ -7,6 +7,7 @@ private import semmle.code.java.dataflow.internal.DataFlowNodes
private import semmle.code.java.dataflow.internal.DataFlowPrivate
private import semmle.code.java.dataflow.internal.ContainerFlow as ContainerFlow
private import semmle.code.java.dataflow.DataFlow as Df
private import semmle.code.java.dataflow.SSA as Ssa
private import semmle.code.java.dataflow.TaintTracking as Tt
import semmle.code.java.dataflow.ExternalFlow as ExternalFlow
import semmle.code.java.dataflow.internal.DataFlowImplCommon as DataFlowImplCommon
@@ -224,6 +225,14 @@ predicate isOwnInstanceAccessNode(ReturnNode node) {
node.asExpr().(J::ThisAccess).isOwnInstanceAccess()
}
predicate sinkModelSanitizer(DataFlow::Node node) {
// exclude variable capture jump steps
exists(Ssa::SsaImplicitInit closure |
closure.captures(_) and
node.asExpr() = closure.getAFirstUse()
)
}
/**
* Holds if `source` is an api entrypoint relevant for creating sink models.
*/