Java: Add support for adding additional value steps.

2026-04-29 18:55:14 +02:00 · 2021-11-15 15:05:48 +01:00
parent 7c3b68b7f8
commit 2fe6880d70
3 changed files with 26 additions and 2 deletions
--- a/java/ql/lib/semmle/code/java/dataflow/FlowSteps.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/FlowSteps.qll
@@ -64,6 +64,20 @@ class AdditionalTaintStep extends Unit {
  abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
 }

+/**
+ * A unit class for adding additional value steps.
+ *
+ * Extend this class to add additional value-preserving steps that should apply
+ * to all data flow configurations.
+ */
+class AdditionalValueStep extends Unit {
+  /**
+   * Holds if the step from `node1` to `node2` is a value-preserving step and
+   * should apply to all data flow configurations.
+   */
+  abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
+}
+
 /**
 * A method or constructor that preserves taint.
 *
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
@@ -5,6 +5,7 @@ private import DataFlowDispatch
 private import semmle.code.java.controlflow.Guards
 private import semmle.code.java.dataflow.SSA
 private import ContainerFlow
+private import semmle.code.java.dataflow.FlowSteps
 private import semmle.code.java.dataflow.FlowSummary
 private import FlowSummaryImpl as FlowSummaryImpl
 import DataFlowNodes::Private
@@ -73,9 +74,14 @@ private predicate variableCaptureStep(Node node1, ExprNode node2) {
 * variable capture.
 */
 predicate jumpStep(Node node1, Node node2) {
-  staticFieldStep(node1, node2) or
-  variableCaptureStep(node1, node2) or
+  staticFieldStep(node1, node2)
+  or
+  variableCaptureStep(node1, node2)
+  or
  variableCaptureStep(node1.(PostUpdateNode).getPreUpdateNode(), node2)
+  or
+  any(AdditionalValueStep a).step(node1, node2) and
+  node1.getEnclosingCallable() != node2.getEnclosingCallable()
 }

 /**
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowUtil.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowUtil.qll
@@ -158,6 +158,10 @@ predicate simpleLocalFlowStep(Node node1, Node node2) {
  )
  or
  FlowSummaryImpl::Private::Steps::summaryLocalStep(node1, node2, true)
+  or
+  any(AdditionalValueStep a).step(node1, node2) and
+  pragma[only_bind_out](node1.getEnclosingCallable()) =
+    pragma[only_bind_out](node2.getEnclosingCallable())
 }

 private newtype TContent =