Do not compress local flow steps

Use `neverSkipPathGrap` to `any()` so no local flow steps get pruned and thrown away in order to compress the presented dataflow path.
2025-12-28 14:46:33 +01:00 · 2024-02-05 10:44:37 +01:00
parent 45d959d13f
commit 355ccf42ee
3 changed files with 12 additions and 22 deletions
--- a/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll
+++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll
@@ -6,6 +6,9 @@
 private import codeql.dataflow.DataFlow

 module ActionsDataFlow implements InputSig {
-  import DataFlowPrivate
+  import DataFlowPrivate as Private
  import DataFlowPublic
+  import Private
+
+  predicate neverSkipInPathGraph = Private::neverSkipInPathGraph/1;
 }
--- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
+++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
@@ -207,27 +207,6 @@ predicate stepOutputDefToUse(Node nodeFrom, Node nodeTo) {
  )
 }

-predicate test1(UsesExpr u, string f, JobStmt j) {
-  u.getLocation().getFile().getBaseName() = "inter1.yml" and
-  f = u.getId() and
-  j = u.getJob()
-}
-
-predicate test2(StepOutputAccessExpr r, string f, JobStmt j) {
-  r.getLocation().getFile().getBaseName() = "inter1.yml" and
-  f = r.getStepId() and
-  j = r.getJob()
-}
-
-predicate test3(UsesExpr u, StepOutputAccessExpr r, Node n) {
-  r.getLocation().getFile().getBaseName() = "inter1.yml" and
-  u.getLocation().getFile().getBaseName() = "inter1.yml" and
-  u.getId() = r.getStepId() and
-  u.getJob() = r.getJob() and
-  // el SOAE has no mapping DF NODE
-  n.asExpr() = r
-}
-
 predicate jobOutputDefToUse(Node nodeFrom, Node nodeTo) {
  // nodeTo is a JobOutputAccessExpr and nodeFrom is the Job output expression
  exists(Expression astFrom, JobOutputAccessExpr astTo |
@@ -310,3 +289,10 @@ predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) { no

 /** Extra data-flow steps needed for lambda flow analysis. */
 predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) { none() }
+
+/**
+ * Since our model is so simple, we dont want to compress the local flow steps.
+ * This compression is normally done to not show SSA steps, casts, etc.
+ */
+predicate neverSkipInPathGraph(Node node) { any() }
+
--- a/ql/src/Security/CWE-094/ExpressionInjection.ql
+++ b/ql/src/Security/CWE-094/ExpressionInjection.ql
@@ -24,6 +24,7 @@ private module MyConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink }
+  //predicate neverSkip(DataFlow::Node node) { any() }
 }

 module MyFlow = TaintTracking::Global<MyConfig>;