hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 18:55:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

C#: Remove omittable exists variables

Browse Source
This commit is contained in:
Tony Torralba
2022-12-21 16:29:02 +01:00
parent 3fcc99e5cb
commit 2ca0df0369
31 changed files with 303 additions and 378 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
csharp/ql/lib/experimental/code/csharp/Cryptography/NonCryptographicHashes.qll
View File

@@ -76,8 +76,8 @@ private predicate maybeUsedInElfHashFunction(Variable v, Operation xor, Operatio
* where the parameter `param` is likely the message to hash
*/
predicate isCallableAPotentialNonCryptographicHashFunction(Callable callable, Parameter param) {
exists(Variable v, Expr op1, Expr op2, LoopStmt loop |
maybeANonCryptographicHash(callable, v, op1, op2, loop) and
exists(Expr op1, Expr op2 |
maybeANonCryptographicHash(callable, _, op1, op2, _) and
callable.getAParameter() = param and
exists(ParameterNode p, ExprNode n |
p.getParameter() = param and

35
csharp/ql/lib/semmle/code/csharp/Conversion.qll
View File

@@ -277,9 +277,7 @@ private module Identity {
UnboundGenericType ugt, IdentityConvertibleGenericType fromType,
IdentityConvertibleGenericType toType
) {
exists(TypeArgument fromTypeArgument, TypeArgument toTypeArgument |
convIdentitySingle0(ugt, toType, fromTypeArgument, toTypeArgument)
|
exists(TypeArgument fromTypeArgument | convIdentitySingle0(ugt, toType, fromTypeArgument, _) |
fromTypeArgument = getTypeArgumentRanked(ugt, fromType, 0)
)
}
@@ -312,13 +310,10 @@ private module Identity {
UnboundGenericType ugt, IdentityConvertibleGenericType fromType,
IdentityConvertibleGenericType toType
) {
exists(
Type fromTypeArgument0, Type toTypeArgument0, Type fromTypeArgument1, Type toTypeArgument1
exists(Type fromTypeArgument0, Type toTypeArgument1 |
convIdentityMultiple01Aux0(ugt, toType, fromTypeArgument0, _, toTypeArgument1)
|
convIdentityMultiple01Aux0(ugt, toType, fromTypeArgument0, toTypeArgument0, toTypeArgument1)
|
convIdentityMultiple01Aux1(ugt, fromType, fromTypeArgument0, fromTypeArgument1,
toTypeArgument1)
convIdentityMultiple01Aux1(ugt, fromType, fromTypeArgument0, _, toTypeArgument1)
)
}
@@ -336,8 +331,8 @@ private module Identity {
UnboundGenericType ugt, IdentityConvertibleGenericType fromType,
IdentityConvertibleGenericType toType, int i
) {
exists(TypeArgument fromTypeArgument, TypeArgument toTypeArgument |
convIdentityMultiple2Aux(ugt, toType, i, fromTypeArgument, toTypeArgument)
exists(TypeArgument fromTypeArgument |
convIdentityMultiple2Aux(ugt, toType, i, fromTypeArgument, _)
|
fromTypeArgument = getTypeArgumentRanked(ugt, fromType, i)
)
@@ -938,9 +933,7 @@ private module Variance {
UnboundGenericType ugt, VarianceConvertibleGenericType fromType,
VarianceConvertibleGenericType toType
) {
exists(TypeArgument fromTypeArgument, TypeArgument toTypeArgument |
convVarianceSingle0(ugt, toType, fromTypeArgument, toTypeArgument)
|
exists(TypeArgument fromTypeArgument | convVarianceSingle0(ugt, toType, fromTypeArgument, _) |
fromTypeArgument = getTypeArgumentRanked(ugt, fromType, 0, _)
)
}
@@ -973,14 +966,10 @@ private module Variance {
UnboundGenericType ugt, VarianceConvertibleGenericType fromType,
VarianceConvertibleGenericType toType
) {
exists(
TypeArgument fromTypeArgument0, TypeArgument toTypeArgument0, TypeArgument fromTypeArgument1,
TypeArgument toTypeArgument1
exists(TypeArgument fromTypeArgument0, TypeArgument toTypeArgument1 |
convVarianceMultiple01Aux0(ugt, toType, fromTypeArgument0, _, toTypeArgument1)
|
convVarianceMultiple01Aux0(ugt, toType, fromTypeArgument0, toTypeArgument0, toTypeArgument1)
|
convVarianceMultiple01Aux1(ugt, fromType, fromTypeArgument0, fromTypeArgument1,
toTypeArgument1)
convVarianceMultiple01Aux1(ugt, fromType, fromTypeArgument0, _, toTypeArgument1)
)
}
@@ -998,8 +987,8 @@ private module Variance {
UnboundGenericType ugt, VarianceConvertibleGenericType fromType,
VarianceConvertibleGenericType toType, int i
) {
exists(TypeArgument fromTypeArgument, TypeArgument toTypeArgument |
convVarianceMultiple2Aux(ugt, toType, i, fromTypeArgument, toTypeArgument)
exists(TypeArgument fromTypeArgument |
convVarianceMultiple2Aux(ugt, toType, i, fromTypeArgument, _)
|
fromTypeArgument = getTypeArgumentRanked(ugt, fromType, i, _)
)

4
csharp/ql/lib/semmle/code/csharp/Unification.qll
View File

@@ -434,8 +434,8 @@ module Gvn {
pragma[nomagic]
private predicate unifiable(ConstructedGvnType t1, ConstructedGvnType t2, boolean subsumes) {
exists(CompoundTypeKind k, GvnTypeArgument arg1, GvnTypeArgument arg2 |
unifiableSingle0(k, t2, arg1, arg2, subsumes) and
exists(CompoundTypeKind k, GvnTypeArgument arg1 |
unifiableSingle0(k, t2, arg1, _, subsumes) and
arg1 = getTypeArgument(k, t1, 0)
)
or

4
csharp/ql/lib/semmle/code/csharp/commons/StructuralComparison.qll
View File

@@ -181,8 +181,8 @@ private module Cached {
result = TConstantGvn(cfe.(Expr).getValue())
or
not exists(cfe.(Expr).getValue()) and
exists(GvnKind kind, int index |
result = toGvn(cfe, kind, index - 1) and
exists(int index |
result = toGvn(cfe, _, index - 1) and
index = getNumberOfActualChildren(cfe)
)
}

8
csharp/ql/lib/semmle/code/csharp/controlflow/internal/PreSsa.qll
View File

@@ -115,11 +115,9 @@ module PreSsa {
if def.getTargetAccess().isRefArgument() then certain = false else certain = true
)
or
exists(Callable c |
implicitEntryDef(c, bb, v) and
i = -1 and
certain = true
)
implicitEntryDef(_, bb, v) and
i = -1 and
certain = true
}
predicate variableRead(BasicBlock bb, int i, SourceVariable v, boolean certain) {

64
csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
View File

@@ -876,9 +876,9 @@ private module Stage1 implements StageSig {
pragma[nomagic]
private predicate revFlowOut(ReturnPosition pos, Configuration config) {
exists(DataFlowCall call, NodeEx out |
exists(NodeEx out |
revFlow(out, _, config) and
viableReturnPosOutNodeCandFwd1(call, pos, out, config)
viableReturnPosOutNodeCandFwd1(_, pos, out, config)
)
}
@@ -1731,8 +1731,8 @@ private module MkStage<StageSig PrevStage> {
)
or
// flow through a callable
exists(DataFlowCall call, ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
)
or
@@ -1901,8 +1901,8 @@ private module MkStage<StageSig PrevStage> {
pragma[nomagic]
predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
exists(RetNodeEx ret, ReturnPosition pos |
returnFlowsThrough(ret, pos, _, _, p, ap, _, config) and
exists(ReturnPosition pos |
returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
parameterFlowsThroughRev(p, ap, pos, _, config)
)
}
@@ -1923,8 +1923,8 @@ private module MkStage<StageSig PrevStage> {
DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
Ap ap, Configuration config
) {
exists(ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
exists(ParamNodeEx p, Ap innerReturnAp |
revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
)
}
@@ -3749,8 +3749,8 @@ private predicate paramFlowsThrough(
ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
AccessPathApprox apa, Configuration config
) {
exists(PathNodeMid mid, RetNodeEx ret |
pathNode(mid, ret, state, cc, sc, ap, config, _) and
exists(RetNodeEx ret |
pathNode(_, ret, state, cc, sc, ap, config, _) and
kind = ret.getKind() and
apa = ap.getApprox() and
parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4212,17 +4212,15 @@ private module FlowExploration {
ap = TRevPartialNil() and
exists(config.explorationLimit())
or
exists(PartialPathNodeRev mid |
revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
not clearsContentEx(node, ap.getHead()) and
(
notExpectsContent(node) or
expectsContentEx(node, ap.getHead())
) and
not fullBarrier(node, config) and
not stateBarrier(node, state, config) and
distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
)
revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
not clearsContentEx(node, ap.getHead()) and
(
notExpectsContent(node) or
expectsContentEx(node, ap.getHead())
) and
not fullBarrier(node, config) and
not stateBarrier(node, state, config) and
distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
}
pragma[nomagic]
@@ -4230,19 +4228,17 @@ private module FlowExploration {
NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
) {
exists(PartialPathNodeFwd mid |
partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
not fullBarrier(node, config) and
not stateBarrier(node, state, config) and
not clearsContentEx(node, ap.getHead().getContent()) and
(
notExpectsContent(node) or
expectsContentEx(node, ap.getHead().getContent())
) and
if node.asNode() instanceof CastingNode
then compatibleTypes(node.getDataFlowType(), ap.getType())
else any()
)
partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
not fullBarrier(node, config) and
not stateBarrier(node, state, config) and
not clearsContentEx(node, ap.getHead().getContent()) and
(
notExpectsContent(node) or
expectsContentEx(node, ap.getHead().getContent())
) and
if node.asNode() instanceof CastingNode
then compatibleTypes(node.getDataFlowType(), ap.getType())
else any()
}
/**

64
csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
View File

@@ -876,9 +876,9 @@ private module Stage1 implements StageSig {
pragma[nomagic]
private predicate revFlowOut(ReturnPosition pos, Configuration config) {
exists(DataFlowCall call, NodeEx out |
exists(NodeEx out |
revFlow(out, _, config) and
viableReturnPosOutNodeCandFwd1(call, pos, out, config)
viableReturnPosOutNodeCandFwd1(_, pos, out, config)
)
}
@@ -1731,8 +1731,8 @@ private module MkStage<StageSig PrevStage> {
)
or
// flow through a callable
exists(DataFlowCall call, ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
)
or
@@ -1901,8 +1901,8 @@ private module MkStage<StageSig PrevStage> {
pragma[nomagic]
predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
exists(RetNodeEx ret, ReturnPosition pos |
returnFlowsThrough(ret, pos, _, _, p, ap, _, config) and
exists(ReturnPosition pos |
returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
parameterFlowsThroughRev(p, ap, pos, _, config)
)
}
@@ -1923,8 +1923,8 @@ private module MkStage<StageSig PrevStage> {
DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
Ap ap, Configuration config
) {
exists(ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
exists(ParamNodeEx p, Ap innerReturnAp |
revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
)
}
@@ -3749,8 +3749,8 @@ private predicate paramFlowsThrough(
ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
AccessPathApprox apa, Configuration config
) {
exists(PathNodeMid mid, RetNodeEx ret |
pathNode(mid, ret, state, cc, sc, ap, config, _) and
exists(RetNodeEx ret |
pathNode(_, ret, state, cc, sc, ap, config, _) and
kind = ret.getKind() and
apa = ap.getApprox() and
parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4212,17 +4212,15 @@ private module FlowExploration {
ap = TRevPartialNil() and
exists(config.explorationLimit())
or
exists(PartialPathNodeRev mid |
revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
not clearsContentEx(node, ap.getHead()) and
(
notExpectsContent(node) or
expectsContentEx(node, ap.getHead())
) and
not fullBarrier(node, config) and
not stateBarrier(node, state, config) and
distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
)
revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
not clearsContentEx(node, ap.getHead()) and
(
notExpectsContent(node) or
expectsContentEx(node, ap.getHead())
) and
not fullBarrier(node, config) and
not stateBarrier(node, state, config) and
distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
}
pragma[nomagic]
@@ -4230,19 +4228,17 @@ private module FlowExploration {
NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
) {
exists(PartialPathNodeFwd mid |
partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
not fullBarrier(node, config) and
not stateBarrier(node, state, config) and
not clearsContentEx(node, ap.getHead().getContent()) and
(
notExpectsContent(node) or
expectsContentEx(node, ap.getHead().getContent())
) and
if node.asNode() instanceof CastingNode
then compatibleTypes(node.getDataFlowType(), ap.getType())
else any()
)
partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
not fullBarrier(node, config) and
not stateBarrier(node, state, config) and
not clearsContentEx(node, ap.getHead().getContent()) and
(
notExpectsContent(node) or
expectsContentEx(node, ap.getHead().getContent())
) and
if node.asNode() instanceof CastingNode
then compatibleTypes(node.getDataFlowType(), ap.getType())
else any()
}
/**

64
csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
View File

@@ -876,9 +876,9 @@ private module Stage1 implements StageSig {
pragma[nomagic]
private predicate revFlowOut(ReturnPosition pos, Configuration config) {
exists(DataFlowCall call, NodeEx out |
exists(NodeEx out |
revFlow(out, _, config) and
viableReturnPosOutNodeCandFwd1(call, pos, out, config)
viableReturnPosOutNodeCandFwd1(_, pos, out, config)
)
}
@@ -1731,8 +1731,8 @@ private module MkStage<StageSig PrevStage> {
)
or
// flow through a callable
exists(DataFlowCall call, ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
)
or
@@ -1901,8 +1901,8 @@ private module MkStage<StageSig PrevStage> {
pragma[nomagic]
predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
exists(RetNodeEx ret, ReturnPosition pos |
returnFlowsThrough(ret, pos, _, _, p, ap, _, config) and
exists(ReturnPosition pos |
returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
parameterFlowsThroughRev(p, ap, pos, _, config)
)
}
@@ -1923,8 +1923,8 @@ private module MkStage<StageSig PrevStage> {
DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
Ap ap, Configuration config
) {
exists(ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
exists(ParamNodeEx p, Ap innerReturnAp |
revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
)
}
@@ -3749,8 +3749,8 @@ private predicate paramFlowsThrough(
ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
AccessPathApprox apa, Configuration config
) {
exists(PathNodeMid mid, RetNodeEx ret |
pathNode(mid, ret, state, cc, sc, ap, config, _) and
exists(RetNodeEx ret |
pathNode(_, ret, state, cc, sc, ap, config, _) and
kind = ret.getKind() and
apa = ap.getApprox() and
parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4212,17 +4212,15 @@ private module FlowExploration {
ap = TRevPartialNil() and
exists(config.explorationLimit())
or
exists(PartialPathNodeRev mid |
revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
not clearsContentEx(node, ap.getHead()) and
(
notExpectsContent(node) or
expectsContentEx(node, ap.getHead())
) and
not fullBarrier(node, config) and
not stateBarrier(node, state, config) and
distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
)
revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
not clearsContentEx(node, ap.getHead()) and
(
notExpectsContent(node) or
expectsContentEx(node, ap.getHead())
) and
not fullBarrier(node, config) and
not stateBarrier(node, state, config) and
distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
}
pragma[nomagic]
@@ -4230,19 +4228,17 @@ private module FlowExploration {
NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
) {
exists(PartialPathNodeFwd mid |
partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
not fullBarrier(node, config) and
not stateBarrier(node, state, config) and
not clearsContentEx(node, ap.getHead().getContent()) and
(
notExpectsContent(node) or
expectsContentEx(node, ap.getHead().getContent())
) and
if node.asNode() instanceof CastingNode
then compatibleTypes(node.getDataFlowType(), ap.getType())
else any()
)
partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
not fullBarrier(node, config) and
not stateBarrier(node, state, config) and
not clearsContentEx(node, ap.getHead().getContent()) and
(
notExpectsContent(node) or
expectsContentEx(node, ap.getHead().getContent())
) and
if node.asNode() instanceof CastingNode
then compatibleTypes(node.getDataFlowType(), ap.getType())
else any()
}
/**

64
csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
View File

@@ -876,9 +876,9 @@ private module Stage1 implements StageSig {
pragma[nomagic]
private predicate revFlowOut(ReturnPosition pos, Configuration config) {
exists(DataFlowCall call, NodeEx out |
exists(NodeEx out |
revFlow(out, _, config) and
viableReturnPosOutNodeCandFwd1(call, pos, out, config)
viableReturnPosOutNodeCandFwd1(_, pos, out, config)
)
}
@@ -1731,8 +1731,8 @@ private module MkStage<StageSig PrevStage> {
)
or
// flow through a callable
exists(DataFlowCall call, ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
)
or
@@ -1901,8 +1901,8 @@ private module MkStage<StageSig PrevStage> {
pragma[nomagic]
predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
exists(RetNodeEx ret, ReturnPosition pos |
returnFlowsThrough(ret, pos, _, _, p, ap, _, config) and
exists(ReturnPosition pos |
returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
parameterFlowsThroughRev(p, ap, pos, _, config)
)
}
@@ -1923,8 +1923,8 @@ private module MkStage<StageSig PrevStage> {
DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
Ap ap, Configuration config
) {
exists(ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
exists(ParamNodeEx p, Ap innerReturnAp |
revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
)
}
@@ -3749,8 +3749,8 @@ private predicate paramFlowsThrough(
ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
AccessPathApprox apa, Configuration config
) {
exists(PathNodeMid mid, RetNodeEx ret |
pathNode(mid, ret, state, cc, sc, ap, config, _) and
exists(RetNodeEx ret |
pathNode(_, ret, state, cc, sc, ap, config, _) and
kind = ret.getKind() and
apa = ap.getApprox() and
parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4212,17 +4212,15 @@ private module FlowExploration {
ap = TRevPartialNil() and
exists(config.explorationLimit())
or
exists(PartialPathNodeRev mid |
revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
not clearsContentEx(node, ap.getHead()) and
(
notExpectsContent(node) or
expectsContentEx(node, ap.getHead())
) and
not fullBarrier(node, config) and
not stateBarrier(node, state, config) and
distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
)
revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
not clearsContentEx(node, ap.getHead()) and
(
notExpectsContent(node) or
expectsContentEx(node, ap.getHead())
) and
not fullBarrier(node, config) and
not stateBarrier(node, state, config) and
distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
}
pragma[nomagic]
@@ -4230,19 +4228,17 @@ private module FlowExploration {
NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
) {
exists(PartialPathNodeFwd mid |
partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
not fullBarrier(node, config) and
not stateBarrier(node, state, config) and
not clearsContentEx(node, ap.getHead().getContent()) and
(
notExpectsContent(node) or
expectsContentEx(node, ap.getHead().getContent())
) and
if node.asNode() instanceof CastingNode
then compatibleTypes(node.getDataFlowType(), ap.getType())
else any()
)
partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
not fullBarrier(node, config) and
not stateBarrier(node, state, config) and
not clearsContentEx(node, ap.getHead().getContent()) and
(
notExpectsContent(node) or
expectsContentEx(node, ap.getHead().getContent())
) and
if node.asNode() instanceof CastingNode
then compatibleTypes(node.getDataFlowType(), ap.getType())
else any()
}
/**

64
csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
View File

@@ -876,9 +876,9 @@ private module Stage1 implements StageSig {
pragma[nomagic]
private predicate revFlowOut(ReturnPosition pos, Configuration config) {
exists(DataFlowCall call, NodeEx out |
exists(NodeEx out |
revFlow(out, _, config) and
viableReturnPosOutNodeCandFwd1(call, pos, out, config)
viableReturnPosOutNodeCandFwd1(_, pos, out, config)
)
}
@@ -1731,8 +1731,8 @@ private module MkStage<StageSig PrevStage> {
)
or
// flow through a callable
exists(DataFlowCall call, ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
)
or
@@ -1901,8 +1901,8 @@ private module MkStage<StageSig PrevStage> {
pragma[nomagic]
predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
exists(RetNodeEx ret, ReturnPosition pos |
returnFlowsThrough(ret, pos, _, _, p, ap, _, config) and
exists(ReturnPosition pos |
returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
parameterFlowsThroughRev(p, ap, pos, _, config)
)
}
@@ -1923,8 +1923,8 @@ private module MkStage<StageSig PrevStage> {
DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
Ap ap, Configuration config
) {
exists(ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
exists(ParamNodeEx p, Ap innerReturnAp |
revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
)
}
@@ -3749,8 +3749,8 @@ private predicate paramFlowsThrough(
ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
AccessPathApprox apa, Configuration config
) {
exists(PathNodeMid mid, RetNodeEx ret |
pathNode(mid, ret, state, cc, sc, ap, config, _) and
exists(RetNodeEx ret |
pathNode(_, ret, state, cc, sc, ap, config, _) and
kind = ret.getKind() and
apa = ap.getApprox() and
parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4212,17 +4212,15 @@ private module FlowExploration {
ap = TRevPartialNil() and
exists(config.explorationLimit())
or
exists(PartialPathNodeRev mid |
revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
not clearsContentEx(node, ap.getHead()) and
(
notExpectsContent(node) or
expectsContentEx(node, ap.getHead())
) and
not fullBarrier(node, config) and
not stateBarrier(node, state, config) and
distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
)
revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
not clearsContentEx(node, ap.getHead()) and
(
notExpectsContent(node) or
expectsContentEx(node, ap.getHead())
) and
not fullBarrier(node, config) and
not stateBarrier(node, state, config) and
distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
}
pragma[nomagic]
@@ -4230,19 +4228,17 @@ private module FlowExploration {
NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
) {
exists(PartialPathNodeFwd mid |
partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
not fullBarrier(node, config) and
not stateBarrier(node, state, config) and
not clearsContentEx(node, ap.getHead().getContent()) and
(
notExpectsContent(node) or
expectsContentEx(node, ap.getHead().getContent())
) and
if node.asNode() instanceof CastingNode
then compatibleTypes(node.getDataFlowType(), ap.getType())
else any()
)
partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
not fullBarrier(node, config) and
not stateBarrier(node, state, config) and
not clearsContentEx(node, ap.getHead().getContent()) and
(
notExpectsContent(node) or
expectsContentEx(node, ap.getHead().getContent())
) and
if node.asNode() instanceof CastingNode
then compatibleTypes(node.getDataFlowType(), ap.getType())
else any()
}
/**

4
csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll
View File

@@ -101,9 +101,7 @@ module Consistency {
exists(int c |
c =
strictcount(Node n |
not exists(string filepath, int startline, int startcolumn, int endline, int endcolumn |
n.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
) and
not n.hasLocationInfo(_, _, _, _, _) and
not any(ConsistencyConfiguration conf).missingLocationExclude(n)
) and
msg = "Nodes without location: " + c

64
csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplForContentDataFlow.qll
View File

@@ -876,9 +876,9 @@ private module Stage1 implements StageSig {
pragma[nomagic]
private predicate revFlowOut(ReturnPosition pos, Configuration config) {
exists(DataFlowCall call, NodeEx out |
exists(NodeEx out |
revFlow(out, _, config) and
viableReturnPosOutNodeCandFwd1(call, pos, out, config)
viableReturnPosOutNodeCandFwd1(_, pos, out, config)
)
}
@@ -1731,8 +1731,8 @@ private module MkStage<StageSig PrevStage> {
)
or
// flow through a callable
exists(DataFlowCall call, ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp |
revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config)
)
or
@@ -1901,8 +1901,8 @@ private module MkStage<StageSig PrevStage> {
pragma[nomagic]
predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) {
exists(RetNodeEx ret, ReturnPosition pos |
returnFlowsThrough(ret, pos, _, _, p, ap, _, config) and
exists(ReturnPosition pos |
returnFlowsThrough(_, pos, _, _, p, ap, _, config) and
parameterFlowsThroughRev(p, ap, pos, _, config)
)
}
@@ -1923,8 +1923,8 @@ private module MkStage<StageSig PrevStage> {
DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp,
Ap ap, Configuration config
) {
exists(ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp |
revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and
exists(ParamNodeEx p, Ap innerReturnAp |
revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and
flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config)
)
}
@@ -3749,8 +3749,8 @@ private predicate paramFlowsThrough(
ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap,
AccessPathApprox apa, Configuration config
) {
exists(PathNodeMid mid, RetNodeEx ret |
pathNode(mid, ret, state, cc, sc, ap, config, _) and
exists(RetNodeEx ret |
pathNode(_, ret, state, cc, sc, ap, config, _) and
kind = ret.getKind() and
apa = ap.getApprox() and
parameterFlowThroughAllowed(sc.getParamNode(), kind)
@@ -4212,17 +4212,15 @@ private module FlowExploration {
ap = TRevPartialNil() and
exists(config.explorationLimit())
or
exists(PartialPathNodeRev mid |
revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and
not clearsContentEx(node, ap.getHead()) and
(
notExpectsContent(node) or
expectsContentEx(node, ap.getHead())
) and
not fullBarrier(node, config) and
not stateBarrier(node, state, config) and
distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
)
revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and
not clearsContentEx(node, ap.getHead()) and
(
notExpectsContent(node) or
expectsContentEx(node, ap.getHead())
) and
not fullBarrier(node, config) and
not stateBarrier(node, state, config) and
distSink(node.getEnclosingCallable(), config) <= config.explorationLimit()
}
pragma[nomagic]
@@ -4230,19 +4228,17 @@ private module FlowExploration {
NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2,
TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config
) {
exists(PartialPathNodeFwd mid |
partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and
not fullBarrier(node, config) and
not stateBarrier(node, state, config) and
not clearsContentEx(node, ap.getHead().getContent()) and
(
notExpectsContent(node) or
expectsContentEx(node, ap.getHead().getContent())
) and
if node.asNode() instanceof CastingNode
then compatibleTypes(node.getDataFlowType(), ap.getType())
else any()
)
partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and
not fullBarrier(node, config) and
not stateBarrier(node, state, config) and
not clearsContentEx(node, ap.getHead().getContent()) and
(
notExpectsContent(node) or
expectsContentEx(node, ap.getHead().getContent())
) and
if node.asNode() instanceof CastingNode
then compatibleTypes(node.getDataFlowType(), ap.getType())
else any()
}
/**

16
csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
View File

@@ -159,18 +159,16 @@ private module ThisFlow {
*/
pragma[nomagic]
predicate hasNodePath(ControlFlowReachabilityConfiguration conf, ExprNode n1, Node n2) {
exists(Expr e1, ControlFlow::Node cfn1, Expr e2, ControlFlow::Node cfn2 |
conf.hasExprPath(e1, cfn1, e2, cfn2)
|
exists(ControlFlow::Node cfn1, ControlFlow::Node cfn2 | conf.hasExprPath(_, cfn1, _, cfn2) |
cfn1 = n1.getControlFlowNode() and
cfn2 = n2.(ExprNode).getControlFlowNode()
)
or
exists(
Expr e, ControlFlow::Node cfn, AssignableDefinition def, ControlFlow::Node cfnDef,
ControlFlow::Node cfn, AssignableDefinition def, ControlFlow::Node cfnDef,
Ssa::ExplicitDefinition ssaDef
|
conf.hasDefPath(e, cfn, def, cfnDef)
conf.hasDefPath(_, cfn, def, cfnDef)
|
cfn = n1.getControlFlowNode() and
ssaDef.getADefinition() = def and
@@ -538,9 +536,7 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
)
or
// Flow into phi (read)/uncertain SSA definition node from read
exists(SsaImpl::DefinitionExt def, Node read |
LocalFlow::localFlowSsaInputFromRead(read, def, nodeTo)
|
exists(Node read | LocalFlow::localFlowSsaInputFromRead(read, _, nodeTo) |
nodeFrom = read and
not FlowSummaryImpl::Private::Steps::prohibitsUseUseFlow(nodeFrom, _)
or
@@ -883,9 +879,7 @@ private module Cached {
)
or
// Flow into phi (read)/uncertain SSA definition node from read
exists(SsaImpl::DefinitionExt def, Node read |
LocalFlow::localFlowSsaInputFromRead(read, def, nodeTo)
|
exists(Node read | LocalFlow::localFlowSsaInputFromRead(read, _, nodeTo) |
nodeFrom = read
or
nodeFrom.(PostUpdateNode).getPreUpdateNode() = read

10
csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll
View File

@@ -580,10 +580,8 @@ module Private {
head = TWithContentSummaryComponent(cont)
)
or
exists(ContentSet cont |
head = TWithoutContentSummaryComponent(cont) and
result = getNodeType(summaryNodeInputState(c, s.tail()))
)
head = TWithoutContentSummaryComponent(_) and
result = getNodeType(summaryNodeInputState(c, s.tail()))
or
exists(ReturnKind rk |
head = TReturnSummaryComponent(rk) and
@@ -658,8 +656,8 @@ module Private {
/** Holds if summary node `ret` is a return node of kind `rk`. */
predicate summaryReturnNode(Node ret, ReturnKind rk) {
exists(SummarizedCallable callable, SummaryComponentStack s |
ret = summaryNodeOutputState(callable, s) and
exists(SummaryComponentStack s |
ret = summaryNodeOutputState(_, s) and
s = TSingletonSummaryComponentStack(TReturnSummaryComponent(rk))
)
}

4
csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImplSpecific.qll
View File

@@ -209,9 +209,9 @@ private string getContentSpecificCsv(Content c) {
string getComponentSpecificCsv(SummaryComponent sc) {
exists(Content c | sc = TContentSummaryComponent(c) and result = getContentSpecificCsv(c))
or
exists(Content c | sc = TWithoutContentSummaryComponent(c) and result = "WithoutElement")
sc = TWithoutContentSummaryComponent(_) and result = "WithoutElement"
or
exists(Content c | sc = TWithContentSummaryComponent(c) and result = "WithElement")
sc = TWithContentSummaryComponent(_) and result = "WithElement"
or
exists(ReturnKind rk |
sc = TReturnSummaryComponent(rk) and

8
csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll
View File

@@ -776,11 +776,11 @@ private module CapturedVariableImpl {
Callable c, CapturedWrittenLocalScopeVariable v,
CapturedWrittenLocalScopeVariableDefinition vdef
) {
exists(ControlFlow::BasicBlock bb, int i, CapturedWrittenLocalScopeSourceVariable sv |
exists(ControlFlow::BasicBlock bb, CapturedWrittenLocalScopeSourceVariable sv |
vdef.getTarget() = v and
vdef.getEnclosingCallable() = c and
sv.getAssignable() = v and
bb.getNode(i) = vdef.getAControlFlowNode() and
bb.getNode(_) = vdef.getAControlFlowNode() and
c != v.getCallable()
)
}
@@ -1307,9 +1307,9 @@ private module Cached {
predicate isCapturedVariableDefinitionFlowOut(
Ssa::ExplicitDefinition def, Ssa::ImplicitCallDefinition cdef, boolean additionalCalls
) {
exists(Ssa::Definition def0, ControlFlow::BasicBlock bb, int i |
exists(Ssa::Definition def0 |
def = def0.getAnUltimateDefinition() and
capturedReadOut(bb, i, def0.getSourceVariable(), cdef.getSourceVariable(), cdef.getCall(),
capturedReadOut(_, _, def0.getSourceVariable(), cdef.getSourceVariable(), cdef.getCall(),
additionalCalls)
)
}

4
csharp/ql/lib/semmle/code/csharp/dataflow/internal/Steps.qll
View File

@@ -52,8 +52,8 @@ module Steps {
private predicate isEffectivelyInternalOrPrivate(Modifiable m) { not m.isEffectivelyPublic() }
private predicate flowIn(Parameter p, Expr pred, AssignableRead succ) {
exists(AssignableDefinitions::ImplicitParameterDefinition def, Call c | succ = getARead(def) |
pred = getArgumentForOverriderParameter(c, p) and
exists(AssignableDefinitions::ImplicitParameterDefinition def | succ = getARead(def) |
pred = getArgumentForOverriderParameter(_, p) and
p.getUnboundDeclaration() = def.getParameter()
)
}

4
csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll
View File

@@ -292,12 +292,12 @@ Sign exprSign(Expr e) {
exists(SsaVariable v | getARead(v) = e |
s = ssaSign(v, any(SsaReadPositionBlock bb | getAnExpression(bb) = e))
or
not exists(SsaReadPositionBlock bb | getAnExpression(bb) = e) and
not getAnExpression(_) = e and
s = ssaDefSign(v)
)
or
exists(VarAccess access | access = e |
not exists(SsaVariable v | getARead(v) = access) and
not getARead(_) = access and
(
s = fieldSign(getField(access.(FieldAccess)))
or

4
csharp/ql/lib/semmle/code/csharp/metrics/Coupling.qll
View File

@@ -180,13 +180,13 @@ predicate accessesLocalFieldOrProperty(Method m, Declaration f) {
/** whether t has a method m that accesses some local field, */
predicate hasAccessingMethod(ValueOrRefType t, Method m) {
exists(Declaration f | accessesLocalFieldOrProperty(m, f)) and
accessesLocalFieldOrProperty(m, _) and
m.getDeclaringType() = t
}
/** returns any field or property that is accessed by a local method */
predicate hasAccessedFieldOrProperty(ValueOrRefType t, Declaration f) {
exists(Method m | accessesLocalFieldOrProperty(m, f)) and
accessesLocalFieldOrProperty(_, f) and
f.getDeclaringType() = t
}

104
csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll
View File

@@ -223,8 +223,8 @@ abstract private class BinaryFormatterSink extends InstanceMethodSink { }
private class BinaryFormatterDeserializeMethodSink extends BinaryFormatterSink {
BinaryFormatterDeserializeMethodSink() {
exists(MethodCall mc, Method m |
isBinaryFormatterCall(mc, m) and
exists(MethodCall mc |
isBinaryFormatterCall(mc, _) and
this.asExpr() = mc.getArgument(0)
)
}
@@ -241,8 +241,8 @@ abstract private class SoapFormatterSink extends InstanceMethodSink { }
private class SoapFormatterDeserializeMethodSink extends SoapFormatterSink {
SoapFormatterDeserializeMethodSink() {
exists(MethodCall mc, Method m |
isSoapFormatterCall(mc, m) and
exists(MethodCall mc |
isSoapFormatterCall(mc, _) and
this.asExpr() = mc.getArgument(0)
)
}
@@ -259,8 +259,8 @@ abstract private class ObjectStateFormatterSink extends InstanceMethodSink { }
private class ObjectStateFormatterDeserializeMethodSink extends ObjectStateFormatterSink {
ObjectStateFormatterDeserializeMethodSink() {
exists(MethodCall mc, Method m |
isObjectStateFormatterCall(mc, m) and
exists(MethodCall mc |
isObjectStateFormatterCall(mc, _) and
this.asExpr() = mc.getArgument(0)
)
}
@@ -283,8 +283,8 @@ abstract private class NetDataContractSerializerSink extends InstanceMethodSink
private class NetDataContractSerializerDeserializeMethodSink extends NetDataContractSerializerSink {
NetDataContractSerializerDeserializeMethodSink() {
exists(MethodCall mc, Method m |
isNetDataContractSerializerCall(mc, m) and
exists(MethodCall mc |
isNetDataContractSerializerCall(mc, _) and
this.asExpr() = mc.getArgument(0)
)
}
@@ -301,8 +301,8 @@ abstract private class DataContractJsonSerializerSink extends InstanceMethodSink
private class DataContractJsonSerializerDeserializeMethodSink extends DataContractJsonSerializerSink {
DataContractJsonSerializerDeserializeMethodSink() {
exists(MethodCall mc, Method m |
isDataContractJsonSerializerCall(mc, m) and
exists(MethodCall mc |
isDataContractJsonSerializerCall(mc, _) and
this.asExpr() = mc.getArgument(0)
)
}
@@ -326,8 +326,8 @@ private class DataContractJsonSafeConstructorTrackingConfiguration extends SafeC
}
override predicate isSink(DataFlow::Node sink) {
exists(MethodCall mc, Method m |
isDataContractJsonSerializerCall(mc, m) and
exists(MethodCall mc |
isDataContractJsonSerializerCall(mc, _) and
mc.getQualifier() = sink.asExpr()
)
}
@@ -350,8 +350,8 @@ abstract private class JavaScriptSerializerSink extends InstanceMethodSink { }
private class JavaScriptSerializerDeserializeMethodSink extends JavaScriptSerializerSink {
JavaScriptSerializerDeserializeMethodSink() {
exists(MethodCall mc, Method m |
isJavaScriptSerializerCall(mc, m) and
exists(MethodCall mc |
isJavaScriptSerializerCall(mc, _) and
this.asExpr() = mc.getArgument(0)
)
}
@@ -374,8 +374,8 @@ private class JavaScriptSerializerSafeConstructorTrackingConfiguration extends S
}
override predicate isSink(DataFlow::Node sink) {
exists(MethodCall mc, Method m |
isJavaScriptSerializerCall(mc, m) and
exists(MethodCall mc |
isJavaScriptSerializerCall(mc, _) and
mc.getQualifier() = sink.asExpr()
)
}
@@ -393,8 +393,8 @@ abstract private class XmlObjectSerializerSink extends InstanceMethodSink { }
private class XmlObjectSerializerDeserializeMethodSink extends XmlObjectSerializerSink {
XmlObjectSerializerDeserializeMethodSink() {
exists(MethodCall mc, Method m |
isXmlObjectSerializerCall(mc, m) and
exists(MethodCall mc |
isXmlObjectSerializerCall(mc, _) and
this.asExpr() = mc.getArgument(0)
)
}
@@ -420,8 +420,8 @@ private class XmlObjectSerializerDerivedConstructorTrackingConfiguration extends
}
override predicate isSink(DataFlow::Node sink) {
exists(MethodCall mc, Method m |
isXmlObjectSerializerCall(mc, m) and
exists(MethodCall mc |
isXmlObjectSerializerCall(mc, _) and
mc.getQualifier() = sink.asExpr()
)
}
@@ -438,8 +438,8 @@ abstract private class XmlSerializerSink extends InstanceMethodSink { }
private class XmlSerializerDeserializeMethodSink extends XmlSerializerSink {
XmlSerializerDeserializeMethodSink() {
exists(MethodCall mc, Method m |
isXmlSerializerCall(mc, m) and
exists(MethodCall mc |
isXmlSerializerCall(mc, _) and
this.asExpr() = mc.getArgument(0)
)
}
@@ -463,8 +463,8 @@ private class XmlSerializerSafeConstructorTrackingConfiguration extends SafeCons
}
override predicate isSink(DataFlow::Node sink) {
exists(MethodCall mc, Method m |
isXmlSerializerCall(mc, m) and
exists(MethodCall mc |
isXmlSerializerCall(mc, _) and
mc.getQualifier() = sink.asExpr()
)
}
@@ -485,8 +485,8 @@ abstract private class DataContractSerializerSink extends InstanceMethodSink { }
private class DataContractSerializerDeserializeMethodSink extends DataContractSerializerSink {
DataContractSerializerDeserializeMethodSink() {
exists(MethodCall mc, Method m |
isDataContractSerializerCall(mc, m) and
exists(MethodCall mc |
isDataContractSerializerCall(mc, _) and
this.asExpr() = mc.getArgument(0)
)
}
@@ -510,8 +510,8 @@ private class DataContractSerializerSafeConstructorTrackingConfiguration extends
}
override predicate isSink(DataFlow::Node sink) {
exists(MethodCall mc, Method m |
isDataContractSerializerCall(mc, m) and
exists(MethodCall mc |
isDataContractSerializerCall(mc, _) and
mc.getQualifier() = sink.asExpr()
)
}
@@ -528,8 +528,8 @@ abstract private class XmlMessageFormatterSink extends InstanceMethodSink { }
private class XmlMessageFormatterDeserializeMethodSink extends XmlMessageFormatterSink {
XmlMessageFormatterDeserializeMethodSink() {
exists(MethodCall mc, Method m |
isXmlMessageFormatterCall(mc, m) and
exists(MethodCall mc |
isXmlMessageFormatterCall(mc, _) and
this.asExpr() = mc.getArgument(0)
)
}
@@ -553,8 +553,8 @@ private class XmlMessageFormatterSafeConstructorTrackingConfiguration extends Sa
}
override predicate isSink(DataFlow::Node sink) {
exists(MethodCall mc, Method m |
isXmlMessageFormatterCall(mc, m) and
exists(MethodCall mc |
isXmlMessageFormatterCall(mc, _) and
mc.getQualifier() = sink.asExpr()
)
}
@@ -571,8 +571,8 @@ abstract private class LosFormatterSink extends InstanceMethodSink { }
private class LosFormatterDeserializeMethodSink extends LosFormatterSink {
LosFormatterDeserializeMethodSink() {
exists(MethodCall mc, Method m |
isLosFormatterCall(mc, m) and
exists(MethodCall mc |
isLosFormatterCall(mc, _) and
this.asExpr() = mc.getArgument(0)
)
}
@@ -589,8 +589,8 @@ abstract private class FastJsonSink extends ConstructorOrStaticMethodSink { }
private class FastJsonDeserializeMethodSink extends FastJsonSink {
FastJsonDeserializeMethodSink() {
exists(MethodCall mc, Method m |
isFastJsonCall(mc, m) and
exists(MethodCall mc |
isFastJsonCall(mc, _) and
this.asExpr() = mc.getArgument(0)
)
}
@@ -607,8 +607,8 @@ abstract private class ActivitySink extends InstanceMethodSink { }
private class ActivityDeserializeMethodSink extends ActivitySink {
ActivityDeserializeMethodSink() {
exists(MethodCall mc, Method m |
isActivityCall(mc, m) and
exists(MethodCall mc |
isActivityCall(mc, _) and
this.asExpr() = mc.getArgument(0)
)
}
@@ -625,8 +625,8 @@ abstract private class ResourceReaderSink extends ConstructorOrStaticMethodSink
private class ResourceReaderDeserializeMethodSink extends ResourceReaderSink {
ResourceReaderDeserializeMethodSink() {
exists(Call mc, Constructor m |
isResourceReaderCall(mc, m) and
exists(Call mc |
isResourceReaderCall(mc, _) and
this.asExpr() = mc.getArgument(0)
)
}
@@ -643,8 +643,8 @@ abstract private class BinaryMessageFormatterSink extends InstanceMethodSink { }
private class BinaryMessageFormatterDeserializeMethodSink extends BinaryMessageFormatterSink {
BinaryMessageFormatterDeserializeMethodSink() {
exists(MethodCall mc, Method m |
isBinaryMessageFormatterCall(mc, m) and
exists(MethodCall mc |
isBinaryMessageFormatterCall(mc, _) and
this.asExpr() = mc.getArgument(0)
)
}
@@ -667,8 +667,8 @@ abstract private class XamlReaderSink extends ConstructorOrStaticMethodSink { }
private class XamlReaderDeserializeMethodSink extends XamlReaderSink {
XamlReaderDeserializeMethodSink() {
exists(MethodCall mc, Method m |
isXamlReaderCall(mc, m) and
exists(MethodCall mc |
isXamlReaderCall(mc, _) and
this.asExpr() = mc.getArgument(0)
)
}
@@ -689,8 +689,8 @@ abstract private class ProxyObjectSink extends InstanceMethodSink { }
private class ProxyObjectDeserializeMethodSink extends ProxyObjectSink {
ProxyObjectDeserializeMethodSink() {
exists(MethodCall mc, Method m |
isProxyObjectCall(mc, m) and
exists(MethodCall mc |
isProxyObjectCall(mc, _) and
this.asExpr() = mc.getArgument(0)
)
}
@@ -707,8 +707,8 @@ abstract private class SweetJaysonSink extends ConstructorOrStaticMethodSink { }
private class SweetJaysonDeserializeMethodSink extends SweetJaysonSink {
SweetJaysonDeserializeMethodSink() {
exists(MethodCall mc, Method m |
isSweetJaysonCall(mc, m) and
exists(MethodCall mc |
isSweetJaysonCall(mc, _) and
this.asExpr() = mc.getArgument(0)
)
}
@@ -825,8 +825,8 @@ abstract private class FsPicklerWeakTypeSink extends ConstructorOrStaticMethodSi
private class FsPicklerDeserializeWeakTypeMethodSink extends FsPicklerWeakTypeSink {
FsPicklerDeserializeWeakTypeMethodSink() {
exists(MethodCall mc, Method m |
isWeakTypeFsPicklerCall(mc, m) and
exists(MethodCall mc |
isWeakTypeFsPicklerCall(mc, _) and
this.asExpr() = mc.getArgument(0)
)
}
@@ -851,8 +851,8 @@ abstract private class FsPicklerStrongTypeSink extends InstanceMethodSink { }
private class FsPicklerDeserializeStrongTypeMethodSink extends FsPicklerStrongTypeSink {
FsPicklerDeserializeStrongTypeMethodSink() {
exists(MethodCall mc, Method m |
isStrongTypeFsPicklerCall(mc, m) and
exists(MethodCall mc |
isStrongTypeFsPicklerCall(mc, _) and
this.asExpr() = mc.getArgument(0)
)
}

4
csharp/ql/src/Documentation/XmldocMissingException.ql
View File

@@ -17,9 +17,9 @@ where
declarationHasXmlComment(m) and
m = throw.getEnclosingCallable() and
throwType = throw.getExpr().getType() and
not exists(ExceptionXmlComment comment, int offset, string exceptionName, RefType throwBaseType |
not exists(ExceptionXmlComment comment, string exceptionName, RefType throwBaseType |
comment = getADeclarationXmlComment(m) and
exceptionName = comment.getCref(offset) and
exceptionName = comment.getCref(_) and
throwType.getABaseType*() = throwBaseType and
(
throwBaseType.hasName(exceptionName)

2
csharp/ql/src/Likely Bugs/Dynamic/BadDynamicCall.ql
View File

@@ -76,7 +76,7 @@ class BadDynamicOperatorCall extends BadDynamicCall, DynamicOperatorCall {
exists(int i |
pt = possibleBadTypeForRelevantSource(v, i, pts) and
not pt.containsTypeParameters() and
not exists(Operator o, Type paramType | paramType = getADynamicParameterType(o, i) |
not exists(Type paramType | paramType = getADynamicParameterType(_, i) |
pt.isImplicitlyConvertibleTo(paramType)
or
// If either the argument type or the parameter type contains type parameters,

8
csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql
View File

@@ -24,19 +24,19 @@ where
// intersect with strong types, but user controlled or weak types deserialization usages
(
exists(
DataFlow::Node weakTypeCreation, DataFlow::Node weakTypeUsage,
DataFlow::Node weakTypeUsage,
WeakTypeCreationToUsageTrackingConfig weakTypeDeserializerTracking, MethodCall mc
|
weakTypeDeserializerTracking.hasFlow(weakTypeCreation, weakTypeUsage) and
weakTypeDeserializerTracking.hasFlowTo(weakTypeUsage) and
mc.getQualifier() = weakTypeUsage.asExpr() and
mc.getAnArgument() = deserializeCallArg.getNode().asExpr()
)
or
exists(
TaintToObjectTypeTrackingConfig userControlledTypeTracking, DataFlow::Node taintedTypeUsage,
DataFlow::Node userInput2, MethodCall mc
MethodCall mc
|
userControlledTypeTracking.hasFlow(userInput2, taintedTypeUsage) and
userControlledTypeTracking.hasFlowTo(taintedTypeUsage) and
mc.getQualifier() = taintedTypeUsage.asExpr() and
mc.getAnArgument() = deserializeCallArg.getNode().asExpr()
)

20
csharp/ql/src/experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
View File

@@ -35,12 +35,7 @@ where
iResponse.getAppendMethod() = mc.getTarget() and
isCookieWithSensitiveName(mc.getArgument(0)) and
// there is no callback `OnAppendCookie` that sets `HttpOnly` to true
not exists(
OnAppendCookieHttpOnlyTrackingConfig config, DataFlow::Node source,
DataFlow::Node sink
|
config.hasFlow(source, sink)
) and
not exists(OnAppendCookieHttpOnlyTrackingConfig config | config.hasFlowTo(_)) and
// Passed as third argument to `IResponseCookies.Append`
exists(
CookieOptionsTrackingConfiguration cookieTracking, DataFlow::Node creation,
@@ -74,11 +69,7 @@ where
// default is not configured or is not set to `Always`
not getAValueForCookiePolicyProp("HttpOnly").getValue() = "1" and
// there is no callback `OnAppendCookie` that sets `HttpOnly` to true
not exists(
OnAppendCookieHttpOnlyTrackingConfig config, DataFlow::Node source, DataFlow::Node sink
|
config.hasFlow(source, sink)
) and
not exists(OnAppendCookieHttpOnlyTrackingConfig config | config.hasFlowTo(_)) and
iResponse.getAppendMethod() = mc.getTarget() and
isCookieWithSensitiveName(mc.getArgument(0)) and
(
@@ -87,11 +78,8 @@ where
oc = c and
oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
not isPropertySet(oc, "HttpOnly") and
exists(
CookieOptionsTrackingConfiguration cookieTracking, DataFlow::Node creation,
DataFlow::Node append
|
cookieTracking.hasFlow(creation, append) and
exists(CookieOptionsTrackingConfiguration cookieTracking, DataFlow::Node creation |
cookieTracking.hasFlow(creation, _) and
creation.asExpr() = oc
)
)

26
csharp/ql/src/experimental/Security Features/CWE-614/CookieWithoutSecure.ql
View File

@@ -29,22 +29,15 @@ where
getAValueForCookiePolicyProp("Secure").getValue() = "1"
) and
// there is no callback `OnAppendCookie` that sets `Secure` to true
not exists(
OnAppendCookieSecureTrackingConfig config, DataFlow::Node source, DataFlow::Node sink
|
config.hasFlow(source, sink)
) and
not exists(OnAppendCookieSecureTrackingConfig config | config.hasFlowTo(_)) and
(
// `Secure` property in `CookieOptions` passed to IResponseCookies.Append(...) wasn't set
exists(ObjectCreation oc |
oc = c and
oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
not isPropertySet(oc, "Secure") and
exists(
CookieOptionsTrackingConfiguration cookieTracking, DataFlow::Node creation,
DataFlow::Node append
|
cookieTracking.hasFlow(creation, append) and
exists(CookieOptionsTrackingConfiguration cookieTracking, DataFlow::Node creation |
cookieTracking.hasFlow(creation, _) and
creation.asExpr() = oc
)
)
@@ -86,17 +79,10 @@ where
or
oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
// there is no callback `OnAppendCookie` that sets `Secure` to true
not exists(
OnAppendCookieSecureTrackingConfig config, DataFlow::Node source, DataFlow::Node sink
|
config.hasFlow(source, sink)
) and
not exists(OnAppendCookieSecureTrackingConfig config | config.hasFlowTo(_)) and
// the cookie option is passed to `Append`
exists(
CookieOptionsTrackingConfiguration cookieTracking, DataFlow::Node creation,
DataFlow::Node append
|
cookieTracking.hasFlow(creation, append) and
exists(CookieOptionsTrackingConfiguration cookieTracking, DataFlow::Node creation |
cookieTracking.hasFlow(creation, _) and
creation.asExpr() = oc
)
)

8
csharp/ql/src/experimental/dataflow/flowsources/AuthCookie.qll
View File

@@ -9,8 +9,8 @@ import semmle.code.csharp.frameworks.microsoft.AspNetCore
* Holds if the expression is a variable with a sensitive name.
*/
predicate isCookieWithSensitiveName(Expr cookieExpr) {
exists(AuthCookieNameConfiguration dataflow, DataFlow::Node source, DataFlow::Node sink |
dataflow.hasFlow(source, sink) and
exists(AuthCookieNameConfiguration dataflow, DataFlow::Node sink |
dataflow.hasFlowTo(sink) and
sink.asExpr() = cookieExpr
)
}
@@ -61,14 +61,14 @@ class CookieOptionsTrackingConfiguration extends DataFlow::Configuration {
* Looks for property value of `CookiePolicyOptions` passed to `app.UseCookiePolicy` in `Startup.Configure`.
*/
Expr getAValueForCookiePolicyProp(string prop) {
exists(Method m, MethodCall mc, ObjectCreation oc, Assignment a, Expr val |
exists(Method m, MethodCall mc, ObjectCreation oc, Expr val |
m.getName() = "Configure" and
m.getDeclaringType().getName() = "Startup" and
m.getBody().getAChild+() = mc and
mc.getTarget() =
any(MicrosoftAspNetCoreBuilderCookiePolicyAppBuilderExtensions e).getUseCookiePolicyMethod() and
oc.getType() instanceof MicrosoftAspNetCoreBuilderCookiePolicyOptions and
getAValueForProp(oc, a, prop) = val and
getAValueForProp(oc, _, prop) = val and
result = val
)
}

2
csharp/ql/src/experimental/ir/implementation/raw/Operand.qll
View File

@@ -45,7 +45,7 @@ class Operand extends TStageOperand {
this = reusedPhiOperand(use, def, predecessorBlock, _)
)
or
exists(Instruction use | this = chiOperand(use, _))
this = chiOperand(_, _)
}
/** Gets a textual representation of this element. */

2
csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Operand.qll
View File

@@ -45,7 +45,7 @@ class Operand extends TStageOperand {
this = reusedPhiOperand(use, def, predecessorBlock, _)
)
or
exists(Instruction use | this = chiOperand(use, _))
this = chiOperand(_, _)
}
/** Gets a textual representation of this element. */

6
csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll
View File

@@ -329,12 +329,12 @@ private module Cached {
cached
Instruction getChiInstructionTotalOperand(ChiInstruction chiInstr) {
exists(
Alias::VirtualVariable vvar, OldInstruction oldInstr, Alias::MemoryLocation defLocation,
OldBlock defBlock, int defRank, int defOffset, OldBlock useBlock, int useRank
Alias::VirtualVariable vvar, OldInstruction oldInstr, OldBlock defBlock, int defRank,
int defOffset, OldBlock useBlock, int useRank
|
chiInstr = getChi(oldInstr) and
vvar = Alias::getResultMemoryLocation(oldInstr).getVirtualVariable() and
hasDefinitionAtRank(vvar, defLocation, defBlock, defRank, defOffset) and
hasDefinitionAtRank(vvar, _, defBlock, defRank, defOffset) and
hasUseAtRank(vvar, useBlock, useRank, oldInstr) and
definitionReachesUse(vvar, defBlock, defRank, useBlock, useRank) and
result = getDefinitionOrChiInstruction(defBlock, defOffset, vvar, _)

2
csharp/ql/src/experimental/ir/internal/IRCSharpLanguage.qll
View File

@@ -121,7 +121,7 @@ string getIdentityString(Function func) { result = func.getLabel() }
predicate hasCaseEdge(string minValue, string maxValue) {
// TODO: Need to handle pattern matching
exists(CSharp::CaseStmt cst | hasCaseEdge(cst, minValue, maxValue))
hasCaseEdge(_, minValue, maxValue)
}
predicate hasPositionalArgIndex(int argIndex) {

4
csharp/ql/src/experimental/ir/rangeanalysis/RangeAnalysis.qll
View File

@@ -543,9 +543,7 @@ private predicate boundedPhiCand(
PhiInstruction phi, boolean upper, Bound b, int delta, boolean fromBackEdge, int origdelta,
Reason reason
) {
exists(PhiInputOperand op |
boundedPhiInp(phi, op, b, delta, upper, fromBackEdge, origdelta, reason)
)
boundedPhiInp(phi, _, b, delta, upper, fromBackEdge, origdelta, reason)
}
/**