From 32471d326e167e99119ecc7914a4e92cb0e03fec Mon Sep 17 00:00:00 2001 
From: Tony Torralba Date: Wed, 21 Dec 2022 16:31:20 +0100 Subject: [PATCH] Java: Remove omittable exists variables --- .../kotlin/default-parameter-mad-flow/test.ql | 2 +- java/ql/lib/definitions.qll | 8 +-- java/ql/lib/semmle/code/java/Member.qll | 2 +- .../code/java/dataflow/RangeAnalysis.qll | 4 +- java/ql/lib/semmle/code/java/dataflow/SSA.qll | 2 +- .../java/dataflow/internal/DataFlowImpl.qll | 64 +++++++++---------- .../java/dataflow/internal/DataFlowImpl2.qll | 64 +++++++++---------- .../java/dataflow/internal/DataFlowImpl3.qll | 64 +++++++++---------- .../java/dataflow/internal/DataFlowImpl4.qll | 64 +++++++++---------- .../java/dataflow/internal/DataFlowImpl5.qll | 64 +++++++++---------- .../java/dataflow/internal/DataFlowImpl6.qll | 64 +++++++++---------- .../internal/DataFlowImplConsistency.qll | 4 +- .../DataFlowImplForOnActivityResult.qll | 64 +++++++++---------- .../DataFlowImplForSerializability.qll | 64 +++++++++---------- .../dataflow/internal/FlowSummaryImpl.qll | 10 ++- .../rangeanalysis/SignAnalysisCommon.qll | 4 +- .../rangeanalysis/SignAnalysisSpecific.qll | 4 +- .../java/frameworks/spring/SpringBean.qll | 16 ++--- .../frameworks/spring/SpringLookupMethod.qll | 6 +- .../code/java/metrics/MetricRefType.qll | 4 +- .../semmle/code/java/regex/RegexTreeView.qll | 4 +- .../code/java/security/ExternalAPIs.qll | 4 +- .../code/java/security/FileReadWrite.qll | 4 +- .../code/java/security/FileWritable.qll | 4 +- .../security/SensitiveKeyboardCacheQuery.qll | 4 +- .../Declarations/MissingOverrideAnnotation.ql | 2 +- .../Advisory/Documentation/JavadocCommon.qll | 2 +- .../Performance/InefficientKeySetIterator.ql | 4 +- .../Comments/CommentedCode.qll | 2 +- .../NonConstantTimeCheckOnSignatureQuery.qll | 6 +- .../CWE/CWE-470/UnsafeReflectionLib.qll | 8 +-- .../Security/CWE/CWE-759/HashWithoutSalt.ql | 2 +- .../entrypoint-types/EntryPointTypesTest.ql | 2 +- .../dataflow/taintsources/local.ql | 2 +- .../dataflow/taintsources/remote.ql | 2 +- 
.../android/taint-database/flowSteps.ql | 4 +- .../android/taint-database/sinks.ql | 4 +- .../frameworks/guava/handwritten/flow.ql | 4 +- .../library-tests/frameworks/jms/FlowTest.ql | 4 +- .../library-tests/frameworks/ratpack/flow.ql | 2 +- .../security/CWE-074/JndiInjectionTest.ql | 4 +- .../security/CWE-074/XsltInjectionTest.ql | 4 +- .../security/CWE-079/semmle/tests/XSS.ql | 2 +- .../CWE-089/semmle/examples/springjdbc.ql | 4 +- .../security/CWE-094/GroovyInjectionTest.ql | 4 +- .../security/CWE-094/JexlInjectionTest.ql | 4 +- .../security/CWE-094/MvelInjectionTest.ql | 4 +- .../security/CWE-094/SpelInjectionTest.ql | 4 +- .../security/CWE-094/TemplateInjectionTest.ql | 4 +- .../StaticInitializationVectorTest.ql | 4 +- .../CWE-326/InsufficientKeySizeTest.ql | 4 +- .../CWE-347/MissingJWTSignatureCheckTest.ql | 4 +- .../security/CWE-522/InsecureBasicAuthTest.ql | 4 +- .../security/CWE-643/XPathInjectionTest.ql | 2 +- .../security/CWE-730/PolynomialReDoS.ql | 7 +- .../query-tests/security/CWE-730/ReDoS.ql | 4 +- .../security/CWE-730/RegexInjectionTest.ql | 4 +- .../CWE-749/UnsafeAndroidAccessTest.ql | 4 +- .../semmle/tests/ConditionalBypassTest.ql | 4 +- .../security/CWE-917/OgnlInjectionTest.ql | 4 +- .../CWE-927/ImplicitPendingIntentsTest.ql | 4 +- .../CWE-940/AndroidIntentRedirectionTest.ql | 4 +- .../CaptureTypeBasedSummaryModels.ql | 2 +- 63 files changed, 319 insertions(+), 418 deletions(-) diff --git a/java/ql/integration-tests/all-platforms/kotlin/default-parameter-mad-flow/test.ql b/java/ql/integration-tests/all-platforms/kotlin/default-parameter-mad-flow/test.ql index 702b137fad7..771d467a3ad 100644 --- a/java/ql/integration-tests/all-platforms/kotlin/default-parameter-mad-flow/test.ql +++ b/java/ql/integration-tests/all-platforms/kotlin/default-parameter-mad-flow/test.ql 
@@ -26,7 +26,7 @@ class InlineFlowTest extends InlineExpectationsTest { override predicate hasActualResult(Location location, string element, string tag, string value) { tag = "flow" and - exists(DataFlow::Node src, DataFlow::Node sink, Config c | c.hasFlow(src, sink) | + exists(DataFlow::Node sink, Config c | c.hasFlowTo(sink) | sink.getLocation() = location and element = sink.toString() and value = "" diff --git a/java/ql/lib/definitions.qll b/java/ql/lib/definitions.qll index e2349aa89a6..56f85afab66 100644 --- a/java/ql/lib/definitions.qll +++ b/java/ql/lib/definitions.qll @@ -127,9 +127,7 @@ private class LocationOverridingFieldAccess extends FieldAccess { */ private class LocationOverridingImportType extends ImportType { override predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) { - exists(int slSuper, int scSuper, int elSuper, int ecSuper | - super.hasLocationInfo(path, slSuper, scSuper, elSuper, ecSuper) - | + exists(int elSuper, int ecSuper | super.hasLocationInfo(path, _, _, elSuper, ecSuper) | el = elSuper and ec = ecSuper - 1 and sl = el and @@ -144,9 +142,7 @@ private class LocationOverridingImportType extends ImportType { */ private class LocationOverridingImportStaticTypeMember extends ImportStaticTypeMember { override predicate hasLocationInfo(string path, int sl, int sc, int el, int ec) { - exists(int slSuper, int scSuper, int elSuper, int ecSuper | - super.hasLocationInfo(path, slSuper, scSuper, elSuper, ecSuper) - | + exists(int elSuper, int ecSuper | super.hasLocationInfo(path, _, _, elSuper, ecSuper) | el = elSuper and ec = ecSuper - 1 and sl = el and diff --git a/java/ql/lib/semmle/code/java/Member.qll b/java/ql/lib/semmle/code/java/Member.qll index 62f9a22401d..e14b1d1c981 100644 --- a/java/ql/lib/semmle/code/java/Member.qll +++ b/java/ql/lib/semmle/code/java/Member.qll 
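Review bot: In `hasActualResult`, `c.hasFlow(src, sink)` becomes `c.hasFlowTo(sink)`, which swaps the predicate instead of only dropping the unused `src` variable as the subject line describes. The two agree only if `hasFlowTo(sink)` is defined as `hasFlow(_, sink)` for this `Config`, and that definition is outside the hunk. Writing `c.hasFlow(_, sink)` would keep the edit mechanical and independent of that assumption. Because this test pins expected flow results, confirm its results are unchanged after the edit.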
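Review bot: `elSuper` still looks omittable in `LocationOverridingImportType.hasLocationInfo`: within the hunk it is bound by the `super.hasLocationInfo` call and then only equated with `el`. The call could bind `el` directly, as `exists(int ecSuper | super.hasLocationInfo(path, _, _, el, ecSuper) |`, with the `el = elSuper and` conjunct dropped. The predicate body continues past the hunk, so check that `elSuper` has no further use there. The same applies to the `LocationOverridingImportStaticTypeMember` hunk at -144,9.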
@@ -533,7 +533,7 @@ class Method extends Callable, @method { string getKotlinName() { ktFunctionOriginalNames(this, result) or - not exists(string n | ktFunctionOriginalNames(this, n)) and + not ktFunctionOriginalNames(this, _) and result = this.getName() } diff --git a/java/ql/lib/semmle/code/java/dataflow/RangeAnalysis.qll b/java/ql/lib/semmle/code/java/dataflow/RangeAnalysis.qll index a72b3c67b06..835c4a20ac3 100644 --- a/java/ql/lib/semmle/code/java/dataflow/RangeAnalysis.qll +++ b/java/ql/lib/semmle/code/java/dataflow/RangeAnalysis.qll @@ -707,9 +707,7 @@ private predicate boundedPhiCand( SsaPhiNode phi, boolean upper, Bound b, int delta, boolean fromBackEdge, int origdelta, Reason reason ) { - exists(SsaVariable inp, SsaReadPositionPhiInputEdge edge | - boundedPhiInp(phi, inp, edge, b, delta, upper, fromBackEdge, origdelta, reason) - ) + boundedPhiInp(phi, _, _, b, delta, upper, fromBackEdge, origdelta, reason) } /** diff --git a/java/ql/lib/semmle/code/java/dataflow/SSA.qll b/java/ql/lib/semmle/code/java/dataflow/SSA.qll index 9273a34391f..3eba5b1a757 100644 --- a/java/ql/lib/semmle/code/java/dataflow/SSA.qll +++ b/java/ql/lib/semmle/code/java/dataflow/SSA.qll @@ -149,7 +149,7 @@ class SsaSourceField extends SsaSourceVariable { if f.isStatic() then result = f.getDeclaringType().getQualifiedName() else result = "this" ) or - exists(Field f, RefType t | this = TEnclosingField(_, f, t) | result = t.toString() + ".this") + exists(RefType t | this = TEnclosingField(_, _, t) | result = t.toString() + ".this") or exists(SsaSourceVariable q | this = TQualifiedField(_, q, _) | result = q.toString()) } diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll index 1228d00b6ba..7c9edcecfe1 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll 
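Review bot: Replacing the typed variables `SsaVariable inp` and `SsaReadPositionPhiInputEdge edge` with `_` in `boundedPhiCand` is equivalent only if `boundedPhiInp` declares those parameters with the same or narrower types, because the `exists` declaration also acted as a type restriction. The declaration of `boundedPhiInp` is outside this hunk, so that needs confirming against the callee signature. The same precondition applies to `TEnclosingField(_, _, t)` in SSA.qll and to `pathNode(_, ret, …)`, `revPartialPathStep(_, …)` and `partialPathStep(_, …)` in the DataFlowImpl*.qll hunks, where a widened relation could change which flows the security queries report. Where a callee parameter turns out to be wider, keep the restriction inline, for example `any(PathNodeMid m)` in place of `_`.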
@@ -876,9 +876,9 @@ private module Stage1 implements StageSig { pragma[nomagic] private predicate revFlowOut(ReturnPosition pos, Configuration config) { - exists(DataFlowCall call, NodeEx out | + exists(NodeEx out | revFlow(out, _, config) and - viableReturnPosOutNodeCandFwd1(call, pos, out, config) + viableReturnPosOutNodeCandFwd1(_, pos, out, config) ) } @@ -1731,8 +1731,8 @@ private module MkStage { ) or // flow through a callable - exists(DataFlowCall call, ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp | - revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and + exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp | + revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config) ) or @@ -1901,8 +1901,8 @@ private module MkStage { pragma[nomagic] predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) { - exists(RetNodeEx ret, ReturnPosition pos | - returnFlowsThrough(ret, pos, _, _, p, ap, _, config) and + exists(ReturnPosition pos | + returnFlowsThrough(_, pos, _, _, p, ap, _, config) and parameterFlowsThroughRev(p, ap, pos, _, config) ) } @@ -1923,8 +1923,8 @@ private module MkStage { DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap, Configuration config ) { - exists(ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp | - revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and + exists(ParamNodeEx p, Ap innerReturnAp | + revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config) ) } 
@@ -3749,8 +3749,8 @@ private predicate paramFlowsThrough( ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa, Configuration config ) { - exists(PathNodeMid mid, RetNodeEx ret | - pathNode(mid, ret, state, cc, sc, ap, config, _) and + exists(RetNodeEx ret | + pathNode(_, ret, state, cc, sc, ap, config, _) and kind = ret.getKind() and apa = ap.getApprox() and parameterFlowThroughAllowed(sc.getParamNode(), kind) @@ -4212,17 +4212,15 @@ private module FlowExploration { ap = TRevPartialNil() and exists(config.explorationLimit()) or - exists(PartialPathNodeRev mid | - revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and - not clearsContentEx(node, ap.getHead()) and - ( - notExpectsContent(node) or - expectsContentEx(node, ap.getHead()) - ) and - not fullBarrier(node, config) and - not stateBarrier(node, state, config) and - distSink(node.getEnclosingCallable(), config) <= config.explorationLimit() - ) + revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and + not clearsContentEx(node, ap.getHead()) and + ( + notExpectsContent(node) or + expectsContentEx(node, ap.getHead()) + ) and + not fullBarrier(node, config) and + not stateBarrier(node, state, config) and + distSink(node.getEnclosingCallable(), config) <= config.explorationLimit() } pragma[nomagic] 
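Review bot: In the hunk at -4212,17, removing the `exists(PartialPathNodeRev mid | … )` wrapper leaves the recursive disjunct after `or` unparenthesised. The grouping of `revPartialPathStep(_, …)` with the `not fullBarrier`, `not stateBarrier` and `distSink(…) <= config.explorationLimit()` conjuncts now rests on `and` binding tighter than `or`. That parses as before, but a conjunct or disjunct appended later could end up applying to only one branch. Enclosing the disjunct in plain parentheses, with a comment such as `// recursive case: one reverse partial-path step into node`, keeps the grouping explicit. The predicate starts above the hunk, and the identical hunks in DataFlowImpl2–6 read the same way.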
@@ -4230,19 +4228,17 @@ private module FlowExploration { NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2, TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config ) { - exists(PartialPathNodeFwd mid | - partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and - not fullBarrier(node, config) and - not stateBarrier(node, state, config) and - not clearsContentEx(node, ap.getHead().getContent()) and - ( - notExpectsContent(node) or - expectsContentEx(node, ap.getHead().getContent()) - ) and - if node.asNode() instanceof CastingNode - then compatibleTypes(node.getDataFlowType(), ap.getType()) - else any() - ) + partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and + not fullBarrier(node, config) and + not stateBarrier(node, state, config) and + not clearsContentEx(node, ap.getHead().getContent()) and + ( + notExpectsContent(node) or + expectsContentEx(node, ap.getHead().getContent()) + ) and + if node.asNode() instanceof CastingNode + then compatibleTypes(node.getDataFlowType(), ap.getType()) + else any() } /** diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll index 1228d00b6ba..7c9edcecfe1 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll @@ -876,9 +876,9 @@ private module Stage1 implements StageSig { pragma[nomagic] private predicate revFlowOut(ReturnPosition pos, Configuration config) { - exists(DataFlowCall call, NodeEx out | + exists(NodeEx out | revFlow(out, _, config) and - viableReturnPosOutNodeCandFwd1(call, pos, out, config) + viableReturnPosOutNodeCandFwd1(_, pos, out, config) ) } 
@@ -1731,8 +1731,8 @@ private module MkStage { ) or // flow through a callable - exists(DataFlowCall call, ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp | - revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and + exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp | + revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config) ) or @@ -1901,8 +1901,8 @@ private module MkStage { pragma[nomagic] predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) { - exists(RetNodeEx ret, ReturnPosition pos | - returnFlowsThrough(ret, pos, _, _, p, ap, _, config) and + exists(ReturnPosition pos | + returnFlowsThrough(_, pos, _, _, p, ap, _, config) and parameterFlowsThroughRev(p, ap, pos, _, config) ) } @@ -1923,8 +1923,8 @@ private module MkStage { DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap, Configuration config ) { - exists(ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp | - revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and + exists(ParamNodeEx p, Ap innerReturnAp | + revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config) ) } @@ -3749,8 +3749,8 @@ private predicate paramFlowsThrough( ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa, Configuration config ) { - exists(PathNodeMid mid, RetNodeEx ret | - pathNode(mid, ret, state, cc, sc, ap, config, _) and + exists(RetNodeEx ret | + pathNode(_, ret, state, cc, sc, ap, config, _) and kind = ret.getKind() and apa = ap.getApprox() and parameterFlowThroughAllowed(sc.getParamNode(), kind) 
@@ -4212,17 +4212,15 @@ private module FlowExploration { ap = TRevPartialNil() and exists(config.explorationLimit()) or - exists(PartialPathNodeRev mid | - revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and - not clearsContentEx(node, ap.getHead()) and - ( - notExpectsContent(node) or - expectsContentEx(node, ap.getHead()) - ) and - not fullBarrier(node, config) and - not stateBarrier(node, state, config) and - distSink(node.getEnclosingCallable(), config) <= config.explorationLimit() - ) + revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and + not clearsContentEx(node, ap.getHead()) and + ( + notExpectsContent(node) or + expectsContentEx(node, ap.getHead()) + ) and + not fullBarrier(node, config) and + not stateBarrier(node, state, config) and + distSink(node.getEnclosingCallable(), config) <= config.explorationLimit() } pragma[nomagic] @@ -4230,19 +4228,17 @@ private module FlowExploration { NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2, TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config ) { - exists(PartialPathNodeFwd mid | - partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and - not fullBarrier(node, config) and - not stateBarrier(node, state, config) and - not clearsContentEx(node, ap.getHead().getContent()) and - ( - notExpectsContent(node) or - expectsContentEx(node, ap.getHead().getContent()) - ) and - if node.asNode() instanceof CastingNode - then compatibleTypes(node.getDataFlowType(), ap.getType()) - else any() - ) + partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and + not fullBarrier(node, config) and + not stateBarrier(node, state, config) and + not clearsContentEx(node, ap.getHead().getContent()) and + ( + notExpectsContent(node) or + expectsContentEx(node, ap.getHead().getContent()) + ) and + if node.asNode() instanceof CastingNode + then compatibleTypes(node.getDataFlowType(), ap.getType()) + else any() } /** 
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll index 1228d00b6ba..7c9edcecfe1 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll @@ -876,9 +876,9 @@ private module Stage1 implements StageSig { pragma[nomagic] private predicate revFlowOut(ReturnPosition pos, Configuration config) { - exists(DataFlowCall call, NodeEx out | + exists(NodeEx out | revFlow(out, _, config) and - viableReturnPosOutNodeCandFwd1(call, pos, out, config) + viableReturnPosOutNodeCandFwd1(_, pos, out, config) ) } @@ -1731,8 +1731,8 @@ private module MkStage { ) or // flow through a callable - exists(DataFlowCall call, ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp | - revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and + exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp | + revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config) ) or @@ -1901,8 +1901,8 @@ private module MkStage { pragma[nomagic] predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) { - exists(RetNodeEx ret, ReturnPosition pos | - returnFlowsThrough(ret, pos, _, _, p, ap, _, config) and + exists(ReturnPosition pos | + returnFlowsThrough(_, pos, _, _, p, ap, _, config) and parameterFlowsThroughRev(p, ap, pos, _, config) ) } 
@@ -1923,8 +1923,8 @@ private module MkStage { DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap, Configuration config ) { - exists(ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp | - revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and + exists(ParamNodeEx p, Ap innerReturnAp | + revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config) ) } @@ -3749,8 +3749,8 @@ private predicate paramFlowsThrough( ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa, Configuration config ) { - exists(PathNodeMid mid, RetNodeEx ret | - pathNode(mid, ret, state, cc, sc, ap, config, _) and + exists(RetNodeEx ret | + pathNode(_, ret, state, cc, sc, ap, config, _) and kind = ret.getKind() and apa = ap.getApprox() and parameterFlowThroughAllowed(sc.getParamNode(), kind) @@ -4212,17 +4212,15 @@ private module FlowExploration { ap = TRevPartialNil() and exists(config.explorationLimit()) or - exists(PartialPathNodeRev mid | - revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and - not clearsContentEx(node, ap.getHead()) and - ( - notExpectsContent(node) or - expectsContentEx(node, ap.getHead()) - ) and - not fullBarrier(node, config) and - not stateBarrier(node, state, config) and - distSink(node.getEnclosingCallable(), config) <= config.explorationLimit() - ) + revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and + not clearsContentEx(node, ap.getHead()) and + ( + notExpectsContent(node) or + expectsContentEx(node, ap.getHead()) + ) and + not fullBarrier(node, config) and + not stateBarrier(node, state, config) and + distSink(node.getEnclosingCallable(), config) <= config.explorationLimit() } pragma[nomagic] 
@@ -4230,19 +4228,17 @@ private module FlowExploration { NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2, TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config ) { - exists(PartialPathNodeFwd mid | - partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and - not fullBarrier(node, config) and - not stateBarrier(node, state, config) and - not clearsContentEx(node, ap.getHead().getContent()) and - ( - notExpectsContent(node) or - expectsContentEx(node, ap.getHead().getContent()) - ) and - if node.asNode() instanceof CastingNode - then compatibleTypes(node.getDataFlowType(), ap.getType()) - else any() - ) + partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and + not fullBarrier(node, config) and + not stateBarrier(node, state, config) and + not clearsContentEx(node, ap.getHead().getContent()) and + ( + notExpectsContent(node) or + expectsContentEx(node, ap.getHead().getContent()) + ) and + if node.asNode() instanceof CastingNode + then compatibleTypes(node.getDataFlowType(), ap.getType()) + else any() } /** diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll index 1228d00b6ba..7c9edcecfe1 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll @@ -876,9 +876,9 @@ private module Stage1 implements StageSig { pragma[nomagic] private predicate revFlowOut(ReturnPosition pos, Configuration config) { - exists(DataFlowCall call, NodeEx out | + exists(NodeEx out | revFlow(out, _, config) and - viableReturnPosOutNodeCandFwd1(call, pos, out, config) + viableReturnPosOutNodeCandFwd1(_, pos, out, config) ) } 
@@ -1731,8 +1731,8 @@ private module MkStage { ) or // flow through a callable - exists(DataFlowCall call, ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp | - revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and + exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp | + revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config) ) or @@ -1901,8 +1901,8 @@ private module MkStage { pragma[nomagic] predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) { - exists(RetNodeEx ret, ReturnPosition pos | - returnFlowsThrough(ret, pos, _, _, p, ap, _, config) and + exists(ReturnPosition pos | + returnFlowsThrough(_, pos, _, _, p, ap, _, config) and parameterFlowsThroughRev(p, ap, pos, _, config) ) } @@ -1923,8 +1923,8 @@ private module MkStage { DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap, Configuration config ) { - exists(ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp | - revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and + exists(ParamNodeEx p, Ap innerReturnAp | + revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config) ) } @@ -3749,8 +3749,8 @@ private predicate paramFlowsThrough( ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa, Configuration config ) { - exists(PathNodeMid mid, RetNodeEx ret | - pathNode(mid, ret, state, cc, sc, ap, config, _) and + exists(RetNodeEx ret | + pathNode(_, ret, state, cc, sc, ap, config, _) and kind = ret.getKind() and apa = ap.getApprox() and parameterFlowThroughAllowed(sc.getParamNode(), kind) 
@@ -4212,17 +4212,15 @@ private module FlowExploration { ap = TRevPartialNil() and exists(config.explorationLimit()) or - exists(PartialPathNodeRev mid | - revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and - not clearsContentEx(node, ap.getHead()) and - ( - notExpectsContent(node) or - expectsContentEx(node, ap.getHead()) - ) and - not fullBarrier(node, config) and - not stateBarrier(node, state, config) and - distSink(node.getEnclosingCallable(), config) <= config.explorationLimit() - ) + revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and + not clearsContentEx(node, ap.getHead()) and + ( + notExpectsContent(node) or + expectsContentEx(node, ap.getHead()) + ) and + not fullBarrier(node, config) and + not stateBarrier(node, state, config) and + distSink(node.getEnclosingCallable(), config) <= config.explorationLimit() } pragma[nomagic] @@ -4230,19 +4228,17 @@ private module FlowExploration { NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2, TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config ) { - exists(PartialPathNodeFwd mid | - partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and - not fullBarrier(node, config) and - not stateBarrier(node, state, config) and - not clearsContentEx(node, ap.getHead().getContent()) and - ( - notExpectsContent(node) or - expectsContentEx(node, ap.getHead().getContent()) - ) and - if node.asNode() instanceof CastingNode - then compatibleTypes(node.getDataFlowType(), ap.getType()) - else any() - ) + partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and + not fullBarrier(node, config) and + not stateBarrier(node, state, config) and + not clearsContentEx(node, ap.getHead().getContent()) and + ( + notExpectsContent(node) or + expectsContentEx(node, ap.getHead().getContent()) + ) and + if node.asNode() instanceof CastingNode + then compatibleTypes(node.getDataFlowType(), ap.getType()) + else any() } /** 
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll index 1228d00b6ba..7c9edcecfe1 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll @@ -876,9 +876,9 @@ private module Stage1 implements StageSig { pragma[nomagic] private predicate revFlowOut(ReturnPosition pos, Configuration config) { - exists(DataFlowCall call, NodeEx out | + exists(NodeEx out | revFlow(out, _, config) and - viableReturnPosOutNodeCandFwd1(call, pos, out, config) + viableReturnPosOutNodeCandFwd1(_, pos, out, config) ) } @@ -1731,8 +1731,8 @@ private module MkStage { ) or // flow through a callable - exists(DataFlowCall call, ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp | - revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and + exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp | + revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config) ) or @@ -1901,8 +1901,8 @@ private module MkStage { pragma[nomagic] predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) { - exists(RetNodeEx ret, ReturnPosition pos | - returnFlowsThrough(ret, pos, _, _, p, ap, _, config) and + exists(ReturnPosition pos | + returnFlowsThrough(_, pos, _, _, p, ap, _, config) and parameterFlowsThroughRev(p, ap, pos, _, config) ) } 
@@ -1923,8 +1923,8 @@ private module MkStage { DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap, Configuration config ) { - exists(ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp | - revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and + exists(ParamNodeEx p, Ap innerReturnAp | + revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config) ) } @@ -3749,8 +3749,8 @@ private predicate paramFlowsThrough( ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa, Configuration config ) { - exists(PathNodeMid mid, RetNodeEx ret | - pathNode(mid, ret, state, cc, sc, ap, config, _) and + exists(RetNodeEx ret | + pathNode(_, ret, state, cc, sc, ap, config, _) and kind = ret.getKind() and apa = ap.getApprox() and parameterFlowThroughAllowed(sc.getParamNode(), kind) @@ -4212,17 +4212,15 @@ private module FlowExploration { ap = TRevPartialNil() and exists(config.explorationLimit()) or - exists(PartialPathNodeRev mid | - revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and - not clearsContentEx(node, ap.getHead()) and - ( - notExpectsContent(node) or - expectsContentEx(node, ap.getHead()) - ) and - not fullBarrier(node, config) and - not stateBarrier(node, state, config) and - distSink(node.getEnclosingCallable(), config) <= config.explorationLimit() - ) + revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and + not clearsContentEx(node, ap.getHead()) and + ( + notExpectsContent(node) or + expectsContentEx(node, ap.getHead()) + ) and + not fullBarrier(node, config) and + not stateBarrier(node, state, config) and + distSink(node.getEnclosingCallable(), config) <= config.explorationLimit() } pragma[nomagic] 
@@ -4230,19 +4228,17 @@ private module FlowExploration { NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2, TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config ) { - exists(PartialPathNodeFwd mid | - partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and - not fullBarrier(node, config) and - not stateBarrier(node, state, config) and - not clearsContentEx(node, ap.getHead().getContent()) and - ( - notExpectsContent(node) or - expectsContentEx(node, ap.getHead().getContent()) - ) and - if node.asNode() instanceof CastingNode - then compatibleTypes(node.getDataFlowType(), ap.getType()) - else any() - ) + partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and + not fullBarrier(node, config) and + not stateBarrier(node, state, config) and + not clearsContentEx(node, ap.getHead().getContent()) and + ( + notExpectsContent(node) or + expectsContentEx(node, ap.getHead().getContent()) + ) and + if node.asNode() instanceof CastingNode + then compatibleTypes(node.getDataFlowType(), ap.getType()) + else any() } /** diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll index 1228d00b6ba..7c9edcecfe1 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll @@ -876,9 +876,9 @@ private module Stage1 implements StageSig { pragma[nomagic] private predicate revFlowOut(ReturnPosition pos, Configuration config) { - exists(DataFlowCall call, NodeEx out | + exists(NodeEx out | revFlow(out, _, config) and - viableReturnPosOutNodeCandFwd1(call, pos, out, config) + viableReturnPosOutNodeCandFwd1(_, pos, out, config) ) } 
@@ -1731,8 +1731,8 @@ private module MkStage { ) or // flow through a callable - exists(DataFlowCall call, ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp | - revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and + exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp | + revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config) ) or @@ -1901,8 +1901,8 @@ private module MkStage { pragma[nomagic] predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) { - exists(RetNodeEx ret, ReturnPosition pos | - returnFlowsThrough(ret, pos, _, _, p, ap, _, config) and + exists(ReturnPosition pos | + returnFlowsThrough(_, pos, _, _, p, ap, _, config) and parameterFlowsThroughRev(p, ap, pos, _, config) ) } @@ -1923,8 +1923,8 @@ private module MkStage { DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap, Configuration config ) { - exists(ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp | - revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and + exists(ParamNodeEx p, Ap innerReturnAp | + revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config) ) } @@ -3749,8 +3749,8 @@ private predicate paramFlowsThrough( ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa, Configuration config ) { - exists(PathNodeMid mid, RetNodeEx ret | - pathNode(mid, ret, state, cc, sc, ap, config, _) and + exists(RetNodeEx ret | + pathNode(_, ret, state, cc, sc, ap, config, _) and kind = ret.getKind() and apa = ap.getApprox() and parameterFlowThroughAllowed(sc.getParamNode(), kind) 
@@ -4212,17 +4212,15 @@ private module FlowExploration { ap = TRevPartialNil() and exists(config.explorationLimit()) or - exists(PartialPathNodeRev mid | - revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and - not clearsContentEx(node, ap.getHead()) and - ( - notExpectsContent(node) or - expectsContentEx(node, ap.getHead()) - ) and - not fullBarrier(node, config) and - not stateBarrier(node, state, config) and - distSink(node.getEnclosingCallable(), config) <= config.explorationLimit() - ) + revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and + not clearsContentEx(node, ap.getHead()) and + ( + notExpectsContent(node) or + expectsContentEx(node, ap.getHead()) + ) and + not fullBarrier(node, config) and + not stateBarrier(node, state, config) and + distSink(node.getEnclosingCallable(), config) <= config.explorationLimit() } pragma[nomagic] @@ -4230,19 +4228,17 @@ private module FlowExploration { NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2, TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config ) { - exists(PartialPathNodeFwd mid | - partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and - not fullBarrier(node, config) and - not stateBarrier(node, state, config) and - not clearsContentEx(node, ap.getHead().getContent()) and - ( - notExpectsContent(node) or - expectsContentEx(node, ap.getHead().getContent()) - ) and - if node.asNode() instanceof CastingNode - then compatibleTypes(node.getDataFlowType(), ap.getType()) - else any() - ) + partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and + not fullBarrier(node, config) and + not stateBarrier(node, state, config) and + not clearsContentEx(node, ap.getHead().getContent()) and + ( + notExpectsContent(node) or + expectsContentEx(node, ap.getHead().getContent()) + ) and + if node.asNode() instanceof CastingNode + then compatibleTypes(node.getDataFlowType(), ap.getType()) + else any() } /** 
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll index e85e0cd92ec..533899e8a85 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll @@ -101,9 +101,7 @@ module Consistency { exists(int c | c = strictcount(Node n | - not exists(string filepath, int startline, int startcolumn, int endline, int endcolumn | - n.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) - ) and + not n.hasLocationInfo(_, _, _, _, _) and not any(ConsistencyConfiguration conf).missingLocationExclude(n) ) and msg = "Nodes without location: " + c diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForOnActivityResult.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForOnActivityResult.qll index 1228d00b6ba..7c9edcecfe1 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForOnActivityResult.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForOnActivityResult.qll @@ -876,9 +876,9 @@ private module Stage1 implements StageSig { pragma[nomagic] private predicate revFlowOut(ReturnPosition pos, Configuration config) { - exists(DataFlowCall call, NodeEx out | + exists(NodeEx out | revFlow(out, _, config) and - viableReturnPosOutNodeCandFwd1(call, pos, out, config) + viableReturnPosOutNodeCandFwd1(_, pos, out, config) ) } @@ -1731,8 +1731,8 @@ private module MkStage { ) or // flow through a callable - exists(DataFlowCall call, ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp | - revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and + exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp | + revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config) ) or 
@@ -1901,8 +1901,8 @@ private module MkStage { pragma[nomagic] predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) { - exists(RetNodeEx ret, ReturnPosition pos | - returnFlowsThrough(ret, pos, _, _, p, ap, _, config) and + exists(ReturnPosition pos | + returnFlowsThrough(_, pos, _, _, p, ap, _, config) and parameterFlowsThroughRev(p, ap, pos, _, config) ) } @@ -1923,8 +1923,8 @@ private module MkStage { DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap, Configuration config ) { - exists(ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp | - revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and + exists(ParamNodeEx p, Ap innerReturnAp | + revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config) ) } @@ -3749,8 +3749,8 @@ private predicate paramFlowsThrough( ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa, Configuration config ) { - exists(PathNodeMid mid, RetNodeEx ret | - pathNode(mid, ret, state, cc, sc, ap, config, _) and + exists(RetNodeEx ret | + pathNode(_, ret, state, cc, sc, ap, config, _) and kind = ret.getKind() and apa = ap.getApprox() and parameterFlowThroughAllowed(sc.getParamNode(), kind) 
@@ -4212,17 +4212,15 @@ private module FlowExploration { ap = TRevPartialNil() and exists(config.explorationLimit()) or - exists(PartialPathNodeRev mid | - revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and - not clearsContentEx(node, ap.getHead()) and - ( - notExpectsContent(node) or - expectsContentEx(node, ap.getHead()) - ) and - not fullBarrier(node, config) and - not stateBarrier(node, state, config) and - distSink(node.getEnclosingCallable(), config) <= config.explorationLimit() - ) + revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and + not clearsContentEx(node, ap.getHead()) and + ( + notExpectsContent(node) or + expectsContentEx(node, ap.getHead()) + ) and + not fullBarrier(node, config) and + not stateBarrier(node, state, config) and + distSink(node.getEnclosingCallable(), config) <= config.explorationLimit() } pragma[nomagic] @@ -4230,19 +4228,17 @@ private module FlowExploration { NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2, TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config ) { - exists(PartialPathNodeFwd mid | - partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and - not fullBarrier(node, config) and - not stateBarrier(node, state, config) and - not clearsContentEx(node, ap.getHead().getContent()) and - ( - notExpectsContent(node) or - expectsContentEx(node, ap.getHead().getContent()) - ) and - if node.asNode() instanceof CastingNode - then compatibleTypes(node.getDataFlowType(), ap.getType()) - else any() - ) + partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and + not fullBarrier(node, config) and + not stateBarrier(node, state, config) and + not clearsContentEx(node, ap.getHead().getContent()) and + ( + notExpectsContent(node) or + expectsContentEx(node, ap.getHead().getContent()) + ) and + if node.asNode() instanceof CastingNode + then compatibleTypes(node.getDataFlowType(), ap.getType()) + else any() } /** 
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll index 1228d00b6ba..7c9edcecfe1 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll @@ -876,9 +876,9 @@ private module Stage1 implements StageSig { pragma[nomagic] private predicate revFlowOut(ReturnPosition pos, Configuration config) { - exists(DataFlowCall call, NodeEx out | + exists(NodeEx out | revFlow(out, _, config) and - viableReturnPosOutNodeCandFwd1(call, pos, out, config) + viableReturnPosOutNodeCandFwd1(_, pos, out, config) ) } @@ -1731,8 +1731,8 @@ private module MkStage { ) or // flow through a callable - exists(DataFlowCall call, ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp | - revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and + exists(DataFlowCall call, ParamNodeEx p, Ap innerReturnAp | + revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and flowThroughIntoCall(call, node, p, _, ap, innerReturnAp, config) ) or @@ -1901,8 +1901,8 @@ private module MkStage { pragma[nomagic] predicate parameterMayFlowThrough(ParamNodeEx p, Ap ap, Configuration config) { - exists(RetNodeEx ret, ReturnPosition pos | - returnFlowsThrough(ret, pos, _, _, p, ap, _, config) and + exists(ReturnPosition pos | + returnFlowsThrough(_, pos, _, _, p, ap, _, config) and parameterFlowsThroughRev(p, ap, pos, _, config) ) } 
@@ -1923,8 +1923,8 @@ private module MkStage { DataFlowCall call, ArgNodeEx arg, FlowState state, ReturnCtx returnCtx, ApOption returnAp, Ap ap, Configuration config ) { - exists(ParamNodeEx p, ReturnPosition pos, Ap innerReturnAp | - revFlowThrough(call, returnCtx, p, state, pos, returnAp, ap, innerReturnAp, config) and + exists(ParamNodeEx p, Ap innerReturnAp | + revFlowThrough(call, returnCtx, p, state, _, returnAp, ap, innerReturnAp, config) and flowThroughIntoCall(call, arg, p, _, ap, innerReturnAp, config) ) } @@ -3749,8 +3749,8 @@ private predicate paramFlowsThrough( ReturnKindExt kind, FlowState state, CallContextCall cc, SummaryCtxSome sc, AccessPath ap, AccessPathApprox apa, Configuration config ) { - exists(PathNodeMid mid, RetNodeEx ret | - pathNode(mid, ret, state, cc, sc, ap, config, _) and + exists(RetNodeEx ret | + pathNode(_, ret, state, cc, sc, ap, config, _) and kind = ret.getKind() and apa = ap.getApprox() and parameterFlowThroughAllowed(sc.getParamNode(), kind) @@ -4212,17 +4212,15 @@ private module FlowExploration { ap = TRevPartialNil() and exists(config.explorationLimit()) or - exists(PartialPathNodeRev mid | - revPartialPathStep(mid, node, state, sc1, sc2, sc3, ap, config) and - not clearsContentEx(node, ap.getHead()) and - ( - notExpectsContent(node) or - expectsContentEx(node, ap.getHead()) - ) and - not fullBarrier(node, config) and - not stateBarrier(node, state, config) and - distSink(node.getEnclosingCallable(), config) <= config.explorationLimit() - ) + revPartialPathStep(_, node, state, sc1, sc2, sc3, ap, config) and + not clearsContentEx(node, ap.getHead()) and + ( + notExpectsContent(node) or + expectsContentEx(node, ap.getHead()) + ) and + not fullBarrier(node, config) and + not stateBarrier(node, state, config) and + distSink(node.getEnclosingCallable(), config) <= config.explorationLimit() } pragma[nomagic] 
@@ -4230,19 +4228,17 @@ private module FlowExploration { NodeEx node, FlowState state, CallContext cc, TSummaryCtx1 sc1, TSummaryCtx2 sc2, TSummaryCtx3 sc3, PartialAccessPath ap, Configuration config ) { - exists(PartialPathNodeFwd mid | - partialPathStep(mid, node, state, cc, sc1, sc2, sc3, ap, config) and - not fullBarrier(node, config) and - not stateBarrier(node, state, config) and - not clearsContentEx(node, ap.getHead().getContent()) and - ( - notExpectsContent(node) or - expectsContentEx(node, ap.getHead().getContent()) - ) and - if node.asNode() instanceof CastingNode - then compatibleTypes(node.getDataFlowType(), ap.getType()) - else any() - ) + partialPathStep(_, node, state, cc, sc1, sc2, sc3, ap, config) and + not fullBarrier(node, config) and + not stateBarrier(node, state, config) and + not clearsContentEx(node, ap.getHead().getContent()) and + ( + notExpectsContent(node) or + expectsContentEx(node, ap.getHead().getContent()) + ) and + if node.asNode() instanceof CastingNode + then compatibleTypes(node.getDataFlowType(), ap.getType()) + else any() } /** diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll b/java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll index 5811809e538..d722aa68b70 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll @@ -580,10 +580,8 @@ module Private { head = TWithContentSummaryComponent(cont) ) or - exists(ContentSet cont | - head = TWithoutContentSummaryComponent(cont) and - result = getNodeType(summaryNodeInputState(c, s.tail())) - ) + head = TWithoutContentSummaryComponent(_) and + result = getNodeType(summaryNodeInputState(c, s.tail())) or exists(ReturnKind rk | head = TReturnSummaryComponent(rk) and 
@@ -658,8 +656,8 @@ module Private { /** Holds if summary node `ret` is a return node of kind `rk`. */ predicate summaryReturnNode(Node ret, ReturnKind rk) { - exists(SummarizedCallable callable, SummaryComponentStack s | - ret = summaryNodeOutputState(callable, s) and + exists(SummaryComponentStack s | + ret = summaryNodeOutputState(_, s) and s = TSingletonSummaryComponentStack(TReturnSummaryComponent(rk)) ) } diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll b/java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll index 5a3b4f63d9f..e44cd40d872 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll @@ -292,12 +292,12 @@ Sign exprSign(Expr e) { exists(SsaVariable v | getARead(v) = e | s = ssaSign(v, any(SsaReadPositionBlock bb | getAnExpression(bb) = e)) or - not exists(SsaReadPositionBlock bb | getAnExpression(bb) = e) and + not getAnExpression(_) = e and s = ssaDefSign(v) ) or exists(VarAccess access | access = e | - not exists(SsaVariable v | getARead(v) = access) and + not getARead(_) = access and ( s = fieldSign(getField(access.(FieldAccess))) or diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll b/java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll index a83c0e6f124..b2b63ff3633 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisSpecific.qll 
@@ -257,9 +257,7 @@ private module Impl { } /** Holds if the variable underlying the implicit SSA variable `v` is not a field. */ - predicate nonFieldImplicitSsaDefinition(SsaImplicitInit v) { - exists(Parameter p | v.isParameterDefinition(p)) - } + predicate nonFieldImplicitSsaDefinition(SsaImplicitInit v) { v.isParameterDefinition(_) } /** Returned an expression that is assigned to `f`. */ Expr getAssignedValueToField(Field f) { diff --git a/java/ql/lib/semmle/code/java/frameworks/spring/SpringBean.qll b/java/ql/lib/semmle/code/java/frameworks/spring/SpringBean.qll index 34f8df24192..bbb6adf72f3 100644 --- a/java/ql/lib/semmle/code/java/frameworks/spring/SpringBean.qll +++ b/java/ql/lib/semmle/code/java/frameworks/spring/SpringBean.qll @@ -151,11 +151,9 @@ class SpringBean extends SpringXmlElement { /** Gets the Java method that corresponds to the bean's `destroy-method`. */ Method getDestroyMethod() { - exists(RefType superType | - this.getClass().hasMethod(result, superType) and - result.getName() = this.getDestroyMethodName() and - result.getNumberOfParameters() = 0 - ) + this.getClass().hasMethod(result, _) and + result.getName() = this.getDestroyMethodName() and + result.getNumberOfParameters() = 0 } /** Holds if the bean has a `factory-bean` attribute. */ @@ -216,11 +214,9 @@ class SpringBean extends SpringXmlElement { /** Gets the Java method that the `init-method` corresponds to. */ Method getInitMethod() { - exists(RefType superType | - this.getClass().hasMethod(result, superType) and - result.getName() = this.getInitMethodName() and - result.getNumberOfParameters() = 0 - ) + this.getClass().hasMethod(result, _) and + result.getName() = this.getInitMethodName() and + result.getNumberOfParameters() = 0 } /** Gets the name of the bean's parent bean. */ diff --git a/java/ql/lib/semmle/code/java/frameworks/spring/SpringLookupMethod.qll b/java/ql/lib/semmle/code/java/frameworks/spring/SpringLookupMethod.qll index 9dba22a3cb7..4b17c23612a 100644 
--- a/java/ql/lib/semmle/code/java/frameworks/spring/SpringLookupMethod.qll +++ b/java/ql/lib/semmle/code/java/frameworks/spring/SpringLookupMethod.qll @@ -22,10 +22,8 @@ class SpringLookupMethod extends SpringXmlElement { * To find the Java method in a child bean, see `getMethod(SpringBean)`. */ Method getMethod() { - exists(RefType superType | - this.getEnclosingBean().getClass().hasMethod(result, superType) and - result.getName() = this.getMethodName() - ) + this.getEnclosingBean().getClass().hasMethod(result, _) and + result.getName() = this.getMethodName() } /** diff --git a/java/ql/lib/semmle/code/java/metrics/MetricRefType.qll b/java/ql/lib/semmle/code/java/metrics/MetricRefType.qll index b0f7e399fa9..17271394b2e 100644 --- a/java/ql/lib/semmle/code/java/metrics/MetricRefType.qll +++ b/java/ql/lib/semmle/code/java/metrics/MetricRefType.qll @@ -86,10 +86,10 @@ class MetricRefType extends RefType, MetricElement { } /** Any method declared in this type that accesses a field declared in this type. */ - Method getAccessingMethod() { exists(Field f | this.accessesLocalField(result, f)) } + Method getAccessingMethod() { this.accessesLocalField(result, _) } /** Any field declared in this type that is accessed by a method declared in this type. */ - Field getAccessedField() { exists(Method m | this.accessesLocalField(m, result)) } + Field getAccessedField() { this.accessesLocalField(_, result) } /** * Gets the Henderson-Sellers lack of cohesion metric. diff --git a/java/ql/lib/semmle/code/java/regex/RegexTreeView.qll b/java/ql/lib/semmle/code/java/regex/RegexTreeView.qll index cb770ffe48a..87e179c3d14 100644 --- a/java/ql/lib/semmle/code/java/regex/RegexTreeView.qll +++ b/java/ql/lib/semmle/code/java/regex/RegexTreeView.qll 
@@ -209,8 +209,8 @@ module Impl implements RegexTreeViewSig { * such as compile-time concatenation, or multi-line string literals. */ - exists(int re_start, int re_end, int src_start, int src_end | - re.getLocation().hasLocationInfo(filepath, startline, re_start, endline, re_end) and + exists(int re_start, int src_start, int src_end | + re.getLocation().hasLocationInfo(filepath, startline, re_start, endline, _) and re.sourceCharacter(start, src_start, _) and re.sourceCharacter(end - 1, _, src_end) and startcolumn = re_start + src_start and diff --git a/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll b/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll index ccd4e5a757a..ef23d28a076 100644 --- a/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll +++ b/java/ql/lib/semmle/code/java/security/ExternalAPIs.qll @@ -79,8 +79,8 @@ class ExternalApiDataNode extends DataFlow::Node { m.fromSource() ) and // Not already modeled as a taint step (we need both of these to handle `AdditionalTaintStep` subclasses as well) - not exists(DataFlow::Node next | TaintTracking::localTaintStep(this, next)) and - not exists(DataFlow::Node next | TaintTracking::defaultAdditionalTaintStep(this, next)) and + not TaintTracking::localTaintStep(this, _) and + not TaintTracking::defaultAdditionalTaintStep(this, _) and // Not a call to a known safe external API not call.getCallee() instanceof SafeExternalApiMethod } diff --git a/java/ql/lib/semmle/code/java/security/FileReadWrite.qll b/java/ql/lib/semmle/code/java/security/FileReadWrite.qll index 84be71d6a04..dce63384b0c 100644 --- a/java/ql/lib/semmle/code/java/security/FileReadWrite.qll +++ b/java/ql/lib/semmle/code/java/security/FileReadWrite.qll 
@@ -37,9 +37,9 @@ private predicate fileRead(VarAccess fileAccess, Expr fileReadingExpr) { directFileRead(fileAccess, fileReadingExpr) or // The `fileAccess` is used in a call which directly or indirectly accesses the file. - exists(Call call, int parameterPos, VarAccess nestedFileAccess, Expr nestedFileReadingExpr | + exists(Call call, int parameterPos, VarAccess nestedFileAccess | call = fileReadingExpr and - fileRead(nestedFileAccess, nestedFileReadingExpr) and + fileRead(nestedFileAccess, _) and call.getCallee().getParameter(parameterPos) = nestedFileAccess.getVariable() and fileAccess = call.getArgument(parameterPos) ) diff --git a/java/ql/lib/semmle/code/java/security/FileWritable.qll b/java/ql/lib/semmle/code/java/security/FileWritable.qll index cc570b4f345..8d67047ad49 100644 --- a/java/ql/lib/semmle/code/java/security/FileWritable.qll +++ b/java/ql/lib/semmle/code/java/security/FileWritable.qll @@ -118,9 +118,9 @@ private predicate fileSetWorldWritable(VarAccess fileAccess, Expr setWorldWritab ) or // Calls to something that indirectly sets the file permissions. - exists(Call call, int parameterPos, VarAccess nestedFileAccess, Expr nestedSetWorldWritable | + exists(Call call, int parameterPos, VarAccess nestedFileAccess | call = setWorldWritable and - fileSetWorldWritable(nestedFileAccess, nestedSetWorldWritable) and + fileSetWorldWritable(nestedFileAccess, _) and call.getCallee().getParameter(parameterPos) = nestedFileAccess.getVariable() and fileAccess = call.getArgument(parameterPos) ) diff --git a/java/ql/lib/semmle/code/java/security/SensitiveKeyboardCacheQuery.qll b/java/ql/lib/semmle/code/java/security/SensitiveKeyboardCacheQuery.qll index e7b5112a44a..5a78932a7cd 100644 --- a/java/ql/lib/semmle/code/java/security/SensitiveKeyboardCacheQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SensitiveKeyboardCacheQuery.qll 
@@ -130,8 +130,8 @@ AndroidEditableXmlElement getASensitiveCachedInput() { result.getId().regexpMatch(getInputSensitiveInfoRegex()) and ( not inputTypeNotCached(result.getInputType()) and - not exists(GoodInputTypeConf conf, DataFlow::Node src, DataFlow::Node sink | - conf.hasFlow(src, sink) and + not exists(GoodInputTypeConf conf, DataFlow::Node sink | + conf.hasFlowTo(sink) and sink.asExpr() = setInputTypeForId(result.getId()) ) ) diff --git a/java/ql/src/Advisory/Declarations/MissingOverrideAnnotation.ql b/java/ql/src/Advisory/Declarations/MissingOverrideAnnotation.ql index dc73fb8fcdb..0fd91f67178 100644 --- a/java/ql/src/Advisory/Declarations/MissingOverrideAnnotation.ql +++ b/java/ql/src/Advisory/Declarations/MissingOverrideAnnotation.ql @@ -12,7 +12,7 @@ import java class OverridingMethod extends Method { - OverridingMethod() { exists(Method m | this.overrides(m)) } + OverridingMethod() { this.overrides(_) } predicate isOverrideAnnotated() { this.getAnAnnotation() instanceof OverrideAnnotation } } diff --git a/java/ql/src/Advisory/Documentation/JavadocCommon.qll b/java/ql/src/Advisory/Documentation/JavadocCommon.qll index 5c38e4e55ec..39bc47c7f00 100644 --- a/java/ql/src/Advisory/Documentation/JavadocCommon.qll +++ b/java/ql/src/Advisory/Documentation/JavadocCommon.qll @@ -41,7 +41,7 @@ class DocuCallable extends Callable { this.fromSource() and this.isPublic() and // Ignore overriding methods (only require Javadoc on the root method). - not exists(Method root | this.(Method).overrides(root)) and + not this.(Method).overrides(_) and // Ignore getters and setters. not this instanceof SetterMethod and not this instanceof GetterMethod and diff --git a/java/ql/src/Performance/InefficientKeySetIterator.ql b/java/ql/src/Performance/InefficientKeySetIterator.ql index 73408d6466d..2b7f1e24896 100644 --- a/java/ql/src/Performance/InefficientKeySetIterator.ql +++ b/java/ql/src/Performance/InefficientKeySetIterator.ql 
@@ -42,9 +42,9 @@ predicate isKeyNext(Expr e, KeySetIterator it) { class Key extends LocalVariableDecl { Key() { - exists(LocalVariableDeclExpr lvde, KeySetIterator it | + exists(LocalVariableDeclExpr lvde | lvde.getVariable() = this and - isKeyNext(lvde.getInit(), it) + isKeyNext(lvde.getInit(), _) ) } diff --git a/java/ql/src/Violations of Best Practice/Comments/CommentedCode.qll b/java/ql/src/Violations of Best Practice/Comments/CommentedCode.qll index 87451b3c808..04ff9502543 100644 --- a/java/ql/src/Violations of Best Practice/Comments/CommentedCode.qll +++ b/java/ql/src/Violations of Best Practice/Comments/CommentedCode.qll @@ -67,7 +67,7 @@ private predicate javadocLines(Javadoc j, File f, int start, int end) { } private class JavadocFirst extends Javadoc { - JavadocFirst() { not exists(Javadoc prev | this = getNextComment(prev)) } + JavadocFirst() { not this = getNextComment(_) } } /** diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignatureQuery.qll b/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignatureQuery.qll index c90d16a6681..b155940f6bb 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignatureQuery.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCheckOnSignatureQuery.qll @@ -177,10 +177,8 @@ class CryptoOperationSource extends DataFlow::Node { /** Holds if remote user input was used in the cryptographic operation. */ predicate includesUserInput() { - exists( - DataFlow2::PathNode source, DataFlow2::PathNode sink, UserInputInCryptoOperationConfig config - | - config.hasFlowPath(source, sink) + exists(DataFlow2::PathNode sink, UserInputInCryptoOperationConfig config | + config.hasFlowPath(_, sink) | sink.getNode().asExpr() = call.getQualifier() ) diff --git a/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflectionLib.qll b/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflectionLib.qll index a111c918555..b9d84160936 100644 
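Review bot: In `CryptoOperationSource.includesUserInput()` the rewritten `exists` still calls `config.hasFlowPath(_, sink)` with a `DataFlow2::PathNode`, although only the sink's expression is used afterwards. The other flow checks touched by this commit moved from `hasFlow(src, sink)` to `hasFlowTo(sink)`, and the same form fits here: `exists(DataFlow2::Node sink, UserInputInCryptoOperationConfig config | config.hasFlowTo(sink) | sink.asExpr() = call.getQualifier())`. That keeps the predicate independent of path nodes, which are only needed when a path is reported. The same applies to `conf.hasFlowPath(_, sink)` in `JmsFlowTest.hasActualResult`, unless that test is meant to exercise path nodes.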
--- a/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflectionLib.qll +++ b/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflectionLib.qll @@ -31,9 +31,7 @@ class UnsafeReflectionSink extends DataFlow::ExprNode { * and its name contains "resolve", "load", etc. */ predicate looksLikeResolveClassStep(DataFlow::Node fromNode, DataFlow::Node toNode) { - exists(MethodAccess ma, Method m, int i, Expr arg | - m = ma.getMethod() and arg = ma.getArgument(i) - | + exists(MethodAccess ma, Method m, Expr arg | m = ma.getMethod() and arg = ma.getAnArgument() | m.getReturnType() instanceof TypeClass and m.getName().toLowerCase() = ["resolve", "load", "class", "type"] and arg.getType() instanceof TypeString and @@ -48,9 +46,7 @@ predicate looksLikeResolveClassStep(DataFlow::Node fromNode, DataFlow::Node toNo * and its name contains "instantiate" or similar terms. */ predicate looksLikeInstantiateClassStep(DataFlow::Node fromNode, DataFlow::Node toNode) { - exists(MethodAccess ma, Method m, int i, Expr arg | - m = ma.getMethod() and arg = ma.getArgument(i) - | + exists(MethodAccess ma, Method m, Expr arg | m = ma.getMethod() and arg = ma.getAnArgument() | m.getReturnType() instanceof TypeObject and m.getName().toLowerCase() = ["instantiate", "instance", "create", "make", "getbean"] and arg.getType() instanceof TypeClass and diff --git a/java/ql/src/experimental/Security/CWE/CWE-759/HashWithoutSalt.ql b/java/ql/src/experimental/Security/CWE/CWE-759/HashWithoutSalt.ql index bea7faff694..b28ebee2936 100644 --- a/java/ql/src/experimental/Security/CWE/CWE-759/HashWithoutSalt.ql +++ b/java/ql/src/experimental/Security/CWE/CWE-759/HashWithoutSalt.ql 
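Review bot: The name check `m.getName().toLowerCase() = ["resolve", "load", "class", "type"]` in `looksLikeResolveClassStep` is an exact comparison, while the doc comment above it says the name *contains* these terms. A method named e.g. `loadClass` would therefore not be treated as a step, and the unsafe-reflection query would miss flow through it. If substring matching is intended, use `m.getName().toLowerCase().matches("%" + ["resolve", "load", "class", "type"] + "%")`; otherwise reword the comment to say the name equals one of the terms. `looksLikeInstantiateClassStep` in the next hunk has the same mismatch with `["instantiate", "instance", "create", "make", "getbean"]`. Both predicates continue past the end of their hunks.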
@@ -158,7 +158,7 @@ class HashWithoutSaltConfiguration extends TaintTracking::Configuration { ma.getArgument(0) = node.asExpr() ) // System.arraycopy(password.getBytes(), ...) or - exists(AddExpr e | hasAddExprAncestor(e, node.asExpr())) // password+salt + hasAddExprAncestor(_, node.asExpr()) // password+salt or exists(ConditionalExpr ce | ce.getAChildExpr() = node.asExpr()) // useSalt?password+":"+salt:password or diff --git a/java/ql/test/library-tests/dataflow/entrypoint-types/EntryPointTypesTest.ql b/java/ql/test/library-tests/dataflow/entrypoint-types/EntryPointTypesTest.ql index 933da4c9f31..7f3afb75a2e 100644 --- a/java/ql/test/library-tests/dataflow/entrypoint-types/EntryPointTypesTest.ql +++ b/java/ql/test/library-tests/dataflow/entrypoint-types/EntryPointTypesTest.ql @@ -25,7 +25,7 @@ class HasFlowTest extends InlineExpectationsTest { override predicate hasActualResult(Location location, string element, string tag, string value) { tag = "hasTaintFlow" and - exists(DataFlow::Node src, DataFlow::Node sink, TaintFlowConf conf | conf.hasFlow(src, sink) | + exists(DataFlow::Node sink, TaintFlowConf conf | conf.hasFlowTo(sink) | sink.getLocation() = location and element = sink.toString() and value = "" diff --git a/java/ql/test/library-tests/dataflow/taintsources/local.ql b/java/ql/test/library-tests/dataflow/taintsources/local.ql index 62ad797be67..37dc93f03ad 100644 --- a/java/ql/test/library-tests/dataflow/taintsources/local.ql +++ b/java/ql/test/library-tests/dataflow/taintsources/local.ql @@ -33,7 +33,7 @@ class LocalFlowTest extends InlineExpectationsTest { override predicate hasActualResult(Location location, string element, string tag, string value) { tag = "hasLocalValueFlow" and - exists(DataFlow::Node src, DataFlow::Node sink | any(LocalValueConf c).hasFlow(src, sink) | + exists(DataFlow::Node sink | any(LocalValueConf c).hasFlowTo(sink) | sink.getLocation() = location and element = sink.toString() and value = "" 
diff --git a/java/ql/test/library-tests/dataflow/taintsources/remote.ql b/java/ql/test/library-tests/dataflow/taintsources/remote.ql index df5ba85227e..d8a3be41537 100644 --- a/java/ql/test/library-tests/dataflow/taintsources/remote.ql +++ b/java/ql/test/library-tests/dataflow/taintsources/remote.ql @@ -29,7 +29,7 @@ class RemoteFlowTest extends InlineExpectationsTest { override predicate hasActualResult(Location location, string element, string tag, string value) { tag = "hasRemoteValueFlow" and - exists(DataFlow::Node src, DataFlow::Node sink | any(RemoteValueConf c).hasFlow(src, sink) | + exists(DataFlow::Node sink | any(RemoteValueConf c).hasFlowTo(sink) | sink.getLocation() = location and element = sink.toString() and value = "" diff --git a/java/ql/test/library-tests/frameworks/android/taint-database/flowSteps.ql b/java/ql/test/library-tests/frameworks/android/taint-database/flowSteps.ql index fda36e5ff75..f94074649ec 100644 --- a/java/ql/test/library-tests/frameworks/android/taint-database/flowSteps.ql +++ b/java/ql/test/library-tests/frameworks/android/taint-database/flowSteps.ql @@ -22,8 +22,8 @@ class FlowStepTest extends InlineExpectationsTest { override predicate hasActualResult(Location l, string element, string tag, string value) { tag = "taintReachesReturn" and value = "" and - exists(Conf conf, DataFlow::Node source, DataFlow::Node sink | - conf.hasFlow(source, sink) and + exists(Conf conf, DataFlow::Node source | + conf.hasFlow(source, _) and l = source.getLocation() and element = source.toString() ) diff --git a/java/ql/test/library-tests/frameworks/android/taint-database/sinks.ql b/java/ql/test/library-tests/frameworks/android/taint-database/sinks.ql index c6cb03dcd7b..fd1dbad3b02 100644 --- a/java/ql/test/library-tests/frameworks/android/taint-database/sinks.ql +++ b/java/ql/test/library-tests/frameworks/android/taint-database/sinks.ql 
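Review bot: `FlowStepTest.hasActualResult` in flowSteps.ql reports `source.getLocation()` and `source.toString()`, and with `conf.hasFlow(source, _)` the sink is no longer named at all, so the intent deserves a comment. Something like `// expectations are attached to the source; any sink reached by Conf counts` above the `exists` would do. `SinkTest.hasActualResult` in sinks.ql has the same body under the tag `taintReachesSink` and would benefit from the same comment, since that tag suggests the result is placed on the sink.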
@@ -22,8 +22,8 @@ class SinkTest extends InlineExpectationsTest { override predicate hasActualResult(Location l, string element, string tag, string value) { tag = "taintReachesSink" and value = "" and - exists(Conf conf, DataFlow::Node source, DataFlow::Node sink | - conf.hasFlow(source, sink) and + exists(Conf conf, DataFlow::Node source | + conf.hasFlow(source, _) and l = source.getLocation() and element = source.toString() ) diff --git a/java/ql/test/library-tests/frameworks/guava/handwritten/flow.ql b/java/ql/test/library-tests/frameworks/guava/handwritten/flow.ql index 82e43c8e33d..956de3612db 100644 --- a/java/ql/test/library-tests/frameworks/guava/handwritten/flow.ql +++ b/java/ql/test/library-tests/frameworks/guava/handwritten/flow.ql @@ -46,9 +46,7 @@ class HasFlowTest extends InlineExpectationsTest { ) or tag = "numValueFlow" and - exists(DataFlow::Node src, DataFlow::Node sink, ValueFlowConf vconf, int num | - vconf.hasFlow(src, sink) - | + exists(DataFlow::Node sink, ValueFlowConf vconf, int num | vconf.hasFlowTo(sink) | value = num.toString() and sink.getLocation() = location and element = sink.toString() and diff --git a/java/ql/test/library-tests/frameworks/jms/FlowTest.ql b/java/ql/test/library-tests/frameworks/jms/FlowTest.ql index 51d73d1181e..386d22e4951 100644 --- a/java/ql/test/library-tests/frameworks/jms/FlowTest.ql +++ b/java/ql/test/library-tests/frameworks/jms/FlowTest.ql @@ -21,9 +21,7 @@ class JmsFlowTest extends InlineExpectationsTest { override predicate hasActualResult(Location location, string element, string tag, string value) { tag = "tainted" and - exists(DataFlow::PathNode source, DataFlow::PathNode sink, TestConfig conf | - conf.hasFlowPath(source, sink) - | + exists(DataFlow::PathNode sink, TestConfig conf | conf.hasFlowPath(_, sink) | location = sink.getNode().getLocation() and element = sink.getNode().toString() and value = "" ) } 
diff --git a/java/ql/test/library-tests/frameworks/ratpack/flow.ql b/java/ql/test/library-tests/frameworks/ratpack/flow.ql index a7f6f9aa460..d499d727d98 100644 --- a/java/ql/test/library-tests/frameworks/ratpack/flow.ql +++ b/java/ql/test/library-tests/frameworks/ratpack/flow.ql @@ -24,7 +24,7 @@ class HasFlowTest extends InlineExpectationsTest { override predicate hasActualResult(Location location, string element, string tag, string value) { tag = "hasTaintFlow" and - exists(DataFlow::Node src, DataFlow::Node sink, Conf conf | conf.hasFlow(src, sink) | + exists(DataFlow::Node sink, Conf conf | conf.hasFlowTo(sink) | sink.getLocation() = location and element = sink.toString() and value = "" diff --git a/java/ql/test/query-tests/security/CWE-074/JndiInjectionTest.ql b/java/ql/test/query-tests/security/CWE-074/JndiInjectionTest.ql index f34729c0b17..fcad7bff3a4 100644 --- a/java/ql/test/query-tests/security/CWE-074/JndiInjectionTest.ql +++ b/java/ql/test/query-tests/security/CWE-074/JndiInjectionTest.ql @@ -9,9 +9,7 @@ class HasJndiInjectionTest extends InlineExpectationsTest { override predicate hasActualResult(Location location, string element, string tag, string value) { tag = "hasJndiInjection" and - exists(DataFlow::Node src, DataFlow::Node sink, JndiInjectionFlowConfig conf | - conf.hasFlow(src, sink) - | + exists(DataFlow::Node sink, JndiInjectionFlowConfig conf | conf.hasFlowTo(sink) | sink.getLocation() = location and element = sink.toString() and value = "" diff --git a/java/ql/test/query-tests/security/CWE-074/XsltInjectionTest.ql b/java/ql/test/query-tests/security/CWE-074/XsltInjectionTest.ql index c2f02865b2e..c914638a129 100644 --- a/java/ql/test/query-tests/security/CWE-074/XsltInjectionTest.ql +++ b/java/ql/test/query-tests/security/CWE-074/XsltInjectionTest.ql 
@@ -11,9 +11,7 @@ class HasXsltInjectionTest extends InlineExpectationsTest { override predicate hasActualResult(Location location, string element, string tag, string value) { tag = "hasXsltInjection" and - exists(DataFlow::Node src, DataFlow::Node sink, XsltInjectionFlowConfig conf | - conf.hasFlow(src, sink) - | + exists(DataFlow::Node sink, XsltInjectionFlowConfig conf | conf.hasFlowTo(sink) | sink.getLocation() = location and element = sink.toString() and value = "" diff --git a/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.ql b/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.ql index afb0f7ae3e1..aecf0807e58 100644 --- a/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.ql +++ b/java/ql/test/query-tests/security/CWE-079/semmle/tests/XSS.ql @@ -24,7 +24,7 @@ class XssTest extends InlineExpectationsTest { override predicate hasActualResult(Location location, string element, string tag, string value) { tag = "xss" and - exists(DataFlow::Node src, DataFlow::Node sink, XssConfig conf | conf.hasFlow(src, sink) | + exists(DataFlow::Node sink, XssConfig conf | conf.hasFlowTo(sink) | sink.getLocation() = location and element = sink.toString() and value = "" diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/springjdbc.ql b/java/ql/test/query-tests/security/CWE-089/semmle/examples/springjdbc.ql index 565271c769c..62e9895fbe9 100644 --- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/springjdbc.ql +++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/springjdbc.ql 
@@ -30,9 +30,7 @@ class HasFlowTest extends InlineExpectationsTest { override predicate hasActualResult(Location location, string element, string tag, string value) { tag = "sqlInjection" and - exists(DataFlow::Node src, DataFlow::Node sink, QueryInjectionFlowConfig conf | - conf.hasFlow(src, sink) - | + exists(DataFlow::Node sink, QueryInjectionFlowConfig conf | conf.hasFlowTo(sink) | sink.getLocation() = location and element = sink.toString() and value = "" diff --git a/java/ql/test/query-tests/security/CWE-094/GroovyInjectionTest.ql b/java/ql/test/query-tests/security/CWE-094/GroovyInjectionTest.ql index 77bdc72a509..4abcbf497a1 100644 --- a/java/ql/test/query-tests/security/CWE-094/GroovyInjectionTest.ql +++ b/java/ql/test/query-tests/security/CWE-094/GroovyInjectionTest.ql @@ -11,9 +11,7 @@ class HasGroovyInjectionTest extends InlineExpectationsTest { override predicate hasActualResult(Location location, string element, string tag, string value) { tag = "hasGroovyInjection" and - exists(DataFlow::Node src, DataFlow::Node sink, GroovyInjectionConfig conf | - conf.hasFlow(src, sink) - | + exists(DataFlow::Node sink, GroovyInjectionConfig conf | conf.hasFlowTo(sink) | sink.getLocation() = location and element = sink.toString() and value = "" diff --git a/java/ql/test/query-tests/security/CWE-094/JexlInjectionTest.ql b/java/ql/test/query-tests/security/CWE-094/JexlInjectionTest.ql index b9cb3fc03df..fa69c303211 100644 --- a/java/ql/test/query-tests/security/CWE-094/JexlInjectionTest.ql +++ b/java/ql/test/query-tests/security/CWE-094/JexlInjectionTest.ql 
@@ -9,9 +9,7 @@ class JexlInjectionTest extends InlineExpectationsTest { override predicate hasActualResult(Location location, string element, string tag, string value) { tag = "hasJexlInjection" and - exists(DataFlow::Node src, DataFlow::Node sink, JexlInjectionConfig conf | - conf.hasFlow(src, sink) - | + exists(DataFlow::Node sink, JexlInjectionConfig conf | conf.hasFlowTo(sink) | sink.getLocation() = location and element = sink.toString() and value = "" diff --git a/java/ql/test/query-tests/security/CWE-094/MvelInjectionTest.ql b/java/ql/test/query-tests/security/CWE-094/MvelInjectionTest.ql index 71146acfcf9..1a228f99e89 100644 --- a/java/ql/test/query-tests/security/CWE-094/MvelInjectionTest.ql +++ b/java/ql/test/query-tests/security/CWE-094/MvelInjectionTest.ql @@ -11,9 +11,7 @@ class HasMvelInjectionTest extends InlineExpectationsTest { override predicate hasActualResult(Location location, string element, string tag, string value) { tag = "hasMvelInjection" and - exists(DataFlow::Node src, DataFlow::Node sink, MvelInjectionFlowConfig conf | - conf.hasFlow(src, sink) - | + exists(DataFlow::Node sink, MvelInjectionFlowConfig conf | conf.hasFlowTo(sink) | sink.getLocation() = location and element = sink.toString() and value = "" diff --git a/java/ql/test/query-tests/security/CWE-094/SpelInjectionTest.ql b/java/ql/test/query-tests/security/CWE-094/SpelInjectionTest.ql index 1da99aa3de8..cf89a1673ba 100644 --- a/java/ql/test/query-tests/security/CWE-094/SpelInjectionTest.ql +++ b/java/ql/test/query-tests/security/CWE-094/SpelInjectionTest.ql 
@@ -11,9 +11,7 @@ class HasSpelInjectionTest extends InlineExpectationsTest { override predicate hasActualResult(Location location, string element, string tag, string value) { tag = "hasSpelInjection" and - exists(DataFlow::Node src, DataFlow::Node sink, SpelInjectionConfig conf | - conf.hasFlow(src, sink) - | + exists(DataFlow::Node sink, SpelInjectionConfig conf | conf.hasFlowTo(sink) | sink.getLocation() = location and element = sink.toString() and value = "" diff --git a/java/ql/test/query-tests/security/CWE-094/TemplateInjectionTest.ql b/java/ql/test/query-tests/security/CWE-094/TemplateInjectionTest.ql index b8bb1080f3f..b509cb46b03 100644 --- a/java/ql/test/query-tests/security/CWE-094/TemplateInjectionTest.ql +++ b/java/ql/test/query-tests/security/CWE-094/TemplateInjectionTest.ql @@ -9,9 +9,7 @@ class TemplateInjectionTest extends InlineExpectationsTest { override predicate hasActualResult(Location location, string element, string tag, string value) { tag = "hasTemplateInjection" and - exists(DataFlow::Node src, DataFlow::Node sink, TemplateInjectionFlowConfig conf | - conf.hasFlow(src, sink) - | + exists(DataFlow::Node sink, TemplateInjectionFlowConfig conf | conf.hasFlowTo(sink) | sink.getLocation() = location and element = sink.toString() and value = "" diff --git a/java/ql/test/query-tests/security/CWE-1204/StaticInitializationVectorTest.ql b/java/ql/test/query-tests/security/CWE-1204/StaticInitializationVectorTest.ql index f737847fb5e..653a3cefa7a 100644 --- a/java/ql/test/query-tests/security/CWE-1204/StaticInitializationVectorTest.ql +++ b/java/ql/test/query-tests/security/CWE-1204/StaticInitializationVectorTest.ql 
@@ -9,9 +9,7 @@ class StaticInitializationVectorTest extends InlineExpectationsTest { override predicate hasActualResult(Location location, string element, string tag, string value) { tag = "staticInitializationVector" and - exists(DataFlow::Node src, DataFlow::Node sink, StaticInitializationVectorConfig conf | - conf.hasFlow(src, sink) - | + exists(DataFlow::Node sink, StaticInitializationVectorConfig conf | conf.hasFlowTo(sink) | sink.getLocation() = location and element = sink.toString() and value = "" diff --git a/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.ql b/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.ql index 59b8a39ed0d..12f667a67f3 100644 --- a/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.ql +++ b/java/ql/test/query-tests/security/CWE-326/InsufficientKeySizeTest.ql @@ -9,9 +9,7 @@ class InsufficientKeySizeTest extends InlineExpectationsTest { override predicate hasActualResult(Location location, string element, string tag, string value) { tag = "hasInsufficientKeySize" and - exists(DataFlow::PathNode source, DataFlow::PathNode sink | - exists(KeySizeConfiguration cfg | cfg.hasFlowPath(source, sink)) - | + exists(DataFlow::PathNode sink | exists(KeySizeConfiguration cfg | cfg.hasFlowPath(_, sink)) | sink.getNode().getLocation() = location and element = sink.getNode().toString() and value = "" diff --git a/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.ql b/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.ql index 557fc28bf01..b4f4c1c445e 100644 --- a/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.ql +++ b/java/ql/test/query-tests/security/CWE-347/MissingJWTSignatureCheckTest.ql 
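Review bot: In InsufficientKeySizeTest.ql the new line keeps a nested quantifier, `exists(DataFlow::PathNode sink | exists(KeySizeConfiguration cfg | cfg.hasFlowPath(_, sink)) |`, which the other tests touched by this patch do not use. Declaring both variables in one `exists` would match RegexInjectionTest.ql: `exists(DataFlow::PathNode sink, KeySizeConfiguration cfg | cfg.hasFlowPath(_, sink) |`. The body of the `exists` continues past the end of the hunk.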
@@ -9,9 +9,7 @@ class HasMissingJwtSignatureCheckTest extends InlineExpectationsTest { override predicate hasActualResult(Location location, string element, string tag, string value) { tag = "hasMissingJwtSignatureCheck" and - exists(DataFlow::Node source, DataFlow::Node sink, MissingJwtSignatureCheckConf conf | - conf.hasFlow(source, sink) - | + exists(DataFlow::Node sink, MissingJwtSignatureCheckConf conf | conf.hasFlowTo(sink) | sink.getLocation() = location and element = sink.toString() and value = "" diff --git a/java/ql/test/query-tests/security/CWE-522/InsecureBasicAuthTest.ql b/java/ql/test/query-tests/security/CWE-522/InsecureBasicAuthTest.ql index 53064d42bd5..b593c5476ef 100644 --- a/java/ql/test/query-tests/security/CWE-522/InsecureBasicAuthTest.ql +++ b/java/ql/test/query-tests/security/CWE-522/InsecureBasicAuthTest.ql @@ -9,9 +9,7 @@ class HasInsecureBasicAuthTest extends InlineExpectationsTest { override predicate hasActualResult(Location location, string element, string tag, string value) { tag = "hasInsecureBasicAuth" and - exists(DataFlow::Node src, DataFlow::Node sink, BasicAuthFlowConfig conf | - conf.hasFlow(src, sink) - | + exists(DataFlow::Node sink, BasicAuthFlowConfig conf | conf.hasFlowTo(sink) | sink.getLocation() = location and element = sink.toString() and value = "" diff --git a/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.ql b/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.ql index f675651c40f..c52221999d1 100644 --- a/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.ql +++ b/java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.ql 
@@ -19,7 +19,7 @@ class HasXPathInjectionTest extends InlineExpectationsTest { override predicate hasActualResult(Location location, string element, string tag, string value) { tag = "hasXPathInjection" and - exists(DataFlow::Node src, DataFlow::Node sink, Conf conf | conf.hasFlow(src, sink) | + exists(DataFlow::Node sink, Conf conf | conf.hasFlowTo(sink) | sink.getLocation() = location and element = sink.toString() and value = "" diff --git a/java/ql/test/query-tests/security/CWE-730/PolynomialReDoS.ql b/java/ql/test/query-tests/security/CWE-730/PolynomialReDoS.ql index c8c1566a7a4..742781d2d58 100644 --- a/java/ql/test/query-tests/security/CWE-730/PolynomialReDoS.ql +++ b/java/ql/test/query-tests/security/CWE-730/PolynomialReDoS.ql @@ -8,11 +8,8 @@ class HasPolyRedos extends InlineExpectationsTest { override predicate hasActualResult(Location location, string element, string tag, string value) { tag = "hasPolyRedos" and - exists( - DataFlow::PathNode source, DataFlow::PathNode sink, - SuperlinearBackTracking::PolynomialBackTrackingTerm regexp - | - hasPolynomialReDoSResult(source, sink, regexp) and + exists(DataFlow::PathNode sink | + hasPolynomialReDoSResult(_, sink, _) and location = sink.getNode().getLocation() and element = sink.getNode().toString() and value = "" diff --git a/java/ql/test/query-tests/security/CWE-730/ReDoS.ql b/java/ql/test/query-tests/security/CWE-730/ReDoS.ql index 7226541bcb2..f7d5d7175b3 100644 --- a/java/ql/test/query-tests/security/CWE-730/ReDoS.ql +++ b/java/ql/test/query-tests/security/CWE-730/ReDoS.ql 
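Review bot: `hasPolynomialReDoSResult(_, sink, _)` in PolynomialReDoS.ql leaves no trace of what the two ignored columns are; the removed declaration showed them to be the source path node and the `PolynomialBackTrackingTerm`. A short comment keeps the call readable, e.g. `// source and regexp term are not needed for the expectation`. The same applies to `ExponentialBackTracking::hasReDoSResult(t, _, _, _)` in ReDoS.ql, where the dropped arguments were the pump string, the state and the prefix message.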
@@ -11,8 +11,8 @@ class HasExpRedos extends InlineExpectationsTest { override predicate hasActualResult(Location location, string element, string tag, string value) { tag = "hasExpRedos" and - exists(TreeView::RegExpTerm t, string pump, ExponentialBackTracking::State s, string prefixMsg | - ExponentialBackTracking::hasReDoSResult(t, pump, s, prefixMsg) and + exists(TreeView::RegExpTerm t | + ExponentialBackTracking::hasReDoSResult(t, _, _, _) and not t.getRegex().getAMode() = "VERBOSE" and value = "" and location = t.getLocation() and diff --git a/java/ql/test/query-tests/security/CWE-730/RegexInjectionTest.ql b/java/ql/test/query-tests/security/CWE-730/RegexInjectionTest.ql index 368b5170bfc..63b4f19b3a1 100644 --- a/java/ql/test/query-tests/security/CWE-730/RegexInjectionTest.ql +++ b/java/ql/test/query-tests/security/CWE-730/RegexInjectionTest.ql @@ -9,9 +9,7 @@ class RegexInjectionTest extends InlineExpectationsTest { override predicate hasActualResult(Location location, string element, string tag, string value) { tag = "hasRegexInjection" and - exists(DataFlow::PathNode source, DataFlow::PathNode sink, RegexInjectionConfiguration c | - c.hasFlowPath(source, sink) - | + exists(DataFlow::PathNode sink, RegexInjectionConfiguration c | c.hasFlowPath(_, sink) | location = sink.getNode().getLocation() and element = sink.getNode().toString() and value = "" diff --git a/java/ql/test/query-tests/security/CWE-749/UnsafeAndroidAccessTest.ql b/java/ql/test/query-tests/security/CWE-749/UnsafeAndroidAccessTest.ql index 14f72c5e88c..7305d6aeb6f 100644 --- a/java/ql/test/query-tests/security/CWE-749/UnsafeAndroidAccessTest.ql +++ b/java/ql/test/query-tests/security/CWE-749/UnsafeAndroidAccessTest.ql 
@@ -9,9 +9,7 @@ class UnsafeAndroidAccessTest extends InlineExpectationsTest { override predicate hasActualResult(Location location, string element, string tag, string value) { tag = "hasUnsafeAndroidAccess" and - exists(DataFlow::Node src, DataFlow::Node sink, FetchUntrustedResourceConfiguration conf | - conf.hasFlow(src, sink) - | + exists(DataFlow::Node sink, FetchUntrustedResourceConfiguration conf | conf.hasFlowTo(sink) | sink.getLocation() = location and element = sink.toString() and value = "" diff --git a/java/ql/test/query-tests/security/CWE-807/semmle/tests/ConditionalBypassTest.ql b/java/ql/test/query-tests/security/CWE-807/semmle/tests/ConditionalBypassTest.ql index 8fc8fe9b9af..ef676d4a8f0 100644 --- a/java/ql/test/query-tests/security/CWE-807/semmle/tests/ConditionalBypassTest.ql +++ b/java/ql/test/query-tests/security/CWE-807/semmle/tests/ConditionalBypassTest.ql @@ -9,9 +9,7 @@ class ConditionalBypassTest extends InlineExpectationsTest { override predicate hasActualResult(Location location, string element, string tag, string value) { tag = "hasConditionalBypassTest" and - exists(DataFlow::Node src, DataFlow::Node sink, ConditionalBypassFlowConfig conf | - conf.hasFlow(src, sink) - | + exists(DataFlow::Node sink, ConditionalBypassFlowConfig conf | conf.hasFlowTo(sink) | sink.getLocation() = location and element = sink.toString() and value = "" diff --git a/java/ql/test/query-tests/security/CWE-917/OgnlInjectionTest.ql b/java/ql/test/query-tests/security/CWE-917/OgnlInjectionTest.ql index dc1fc57a0a6..efbf1508fe4 100644 --- a/java/ql/test/query-tests/security/CWE-917/OgnlInjectionTest.ql +++ b/java/ql/test/query-tests/security/CWE-917/OgnlInjectionTest.ql 
@@ -9,9 +9,7 @@ class OgnlInjectionTest extends InlineExpectationsTest { override predicate hasActualResult(Location location, string element, string tag, string value) { tag = "hasOgnlInjection" and - exists(DataFlow::Node src, DataFlow::Node sink, OgnlInjectionFlowConfig conf | - conf.hasFlow(src, sink) - | + exists(DataFlow::Node sink, OgnlInjectionFlowConfig conf | conf.hasFlowTo(sink) | sink.getLocation() = location and element = sink.toString() and value = "" diff --git a/java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntentsTest.ql b/java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntentsTest.ql index 69e631f5a2a..871dcd2cef2 100644 --- a/java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntentsTest.ql +++ b/java/ql/test/query-tests/security/CWE-927/ImplicitPendingIntentsTest.ql @@ -9,9 +9,7 @@ class ImplicitPendingIntentsTest extends InlineExpectationsTest { override predicate hasActualResult(Location location, string element, string tag, string value) { tag = "hasImplicitPendingIntent" and - exists(DataFlow::Node src, DataFlow::Node sink | - any(ImplicitPendingIntentStartConf c).hasFlow(src, sink) - | + exists(DataFlow::Node sink | any(ImplicitPendingIntentStartConf c).hasFlowTo(sink) | sink.getLocation() = location and element = sink.toString() and value = "" diff --git a/java/ql/test/query-tests/security/CWE-940/AndroidIntentRedirectionTest.ql b/java/ql/test/query-tests/security/CWE-940/AndroidIntentRedirectionTest.ql index 9e883b26498..62605ed505d 100644 --- a/java/ql/test/query-tests/security/CWE-940/AndroidIntentRedirectionTest.ql +++ b/java/ql/test/query-tests/security/CWE-940/AndroidIntentRedirectionTest.ql 
@@ -9,9 +9,7 @@ class HasAndroidIntentRedirectionTest extends InlineExpectationsTest { override predicate hasActualResult(Location location, string element, string tag, string value) { tag = "hasAndroidIntentRedirection" and - exists(DataFlow::Node src, DataFlow::Node sink, IntentRedirectionConfiguration conf | - conf.hasFlow(src, sink) - | + exists(DataFlow::Node sink, IntentRedirectionConfiguration conf | conf.hasFlowTo(sink) | sink.getLocation() = location and element = sink.toString() and value = "" diff --git a/java/ql/test/utils/model-generator/typebasedflow/CaptureTypeBasedSummaryModels.ql b/java/ql/test/utils/model-generator/typebasedflow/CaptureTypeBasedSummaryModels.ql index d1f5c9c520e..fe77abaa6df 100644 --- a/java/ql/test/utils/model-generator/typebasedflow/CaptureTypeBasedSummaryModels.ql +++ b/java/ql/test/utils/model-generator/typebasedflow/CaptureTypeBasedSummaryModels.ql @@ -7,7 +7,7 @@ private string expects() { ) } -private string flows() { exists(TypeBasedFlowTargetApi api | result = captureFlow(api)) } +private string flows() { result = captureFlow(_) } query predicate unexpectedSummary(string msg) { exists(string flow |