Java/C++/C#: Add support for BarrierGuards.

2026-02-28 21:03:50 +01:00 · 2019-08-09 11:12:00 +02:00
parent 5e910a4808
commit 4550175b16
24 changed files with 221 additions and 0 deletions
--- a/java/ql/src/semmle/code/java/dataflow/TaintTracking.qll
+++ b/java/ql/src/semmle/code/java/dataflow/TaintTracking.qll
@@ -80,6 +80,11 @@ module TaintTracking {

    final override predicate isBarrierOut(DataFlow::Node node) { isSanitizerOut(node) }

+    /** Holds if data flow through nodes guarded by `guard` is prohibited. */
+    predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
+
+    final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) { isSanitizerGuard(guard) }
+
    /**
     * Holds if the additional taint propagation step from `node1` to `node2`
     * must be taken into account in the analysis.
@@ -162,6 +167,11 @@ module TaintTracking {

    final override predicate isBarrierOut(DataFlow::Node node) { isSanitizerOut(node) }

+    /** Holds if data flow through nodes guarded by `guard` is prohibited. */
+    predicate isSanitizerGuard(DataFlow::BarrierGuard guard) { none() }
+
+    final override predicate isBarrierGuard(DataFlow::BarrierGuard guard) { isSanitizerGuard(guard) }
+
    /**
     * Holds if the additional taint propagation step from `node1` to `node2`
     * must be taken into account in the analysis.
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
@@ -75,6 +75,9 @@ abstract class Configuration extends string {
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

+  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
+  predicate isBarrierGuard(BarrierGuard guard) { none() }
+
  /**
   * Holds if the additional flow step from `node1` to `node2` must be taken
   * into account in the analysis.
@@ -136,6 +139,11 @@ private predicate fullBarrier(Node node, Configuration config) {
  or
  config.isBarrierOut(node) and
  not config.isSink(node)
+  or
+  exists(BarrierGuard g |
+    config.isBarrierGuard(g) and
+    node = g.getAGuardedNode()
+  )
 }

 private class AdditionalFlowStepSource extends Node {
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
@@ -75,6 +75,9 @@ abstract class Configuration extends string {
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

+  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
+  predicate isBarrierGuard(BarrierGuard guard) { none() }
+
  /**
   * Holds if the additional flow step from `node1` to `node2` must be taken
   * into account in the analysis.
@@ -136,6 +139,11 @@ private predicate fullBarrier(Node node, Configuration config) {
  or
  config.isBarrierOut(node) and
  not config.isSink(node)
+  or
+  exists(BarrierGuard g |
+    config.isBarrierGuard(g) and
+    node = g.getAGuardedNode()
+  )
 }

 private class AdditionalFlowStepSource extends Node {
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
@@ -75,6 +75,9 @@ abstract class Configuration extends string {
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

+  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
+  predicate isBarrierGuard(BarrierGuard guard) { none() }
+
  /**
   * Holds if the additional flow step from `node1` to `node2` must be taken
   * into account in the analysis.
@@ -136,6 +139,11 @@ private predicate fullBarrier(Node node, Configuration config) {
  or
  config.isBarrierOut(node) and
  not config.isSink(node)
+  or
+  exists(BarrierGuard g |
+    config.isBarrierGuard(g) and
+    node = g.getAGuardedNode()
+  )
 }

 private class AdditionalFlowStepSource extends Node {
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
@@ -75,6 +75,9 @@ abstract class Configuration extends string {
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

+  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
+  predicate isBarrierGuard(BarrierGuard guard) { none() }
+
  /**
   * Holds if the additional flow step from `node1` to `node2` must be taken
   * into account in the analysis.
@@ -136,6 +139,11 @@ private predicate fullBarrier(Node node, Configuration config) {
  or
  config.isBarrierOut(node) and
  not config.isSink(node)
+  or
+  exists(BarrierGuard g |
+    config.isBarrierGuard(g) and
+    node = g.getAGuardedNode()
+  )
 }

 private class AdditionalFlowStepSource extends Node {
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
@@ -75,6 +75,9 @@ abstract class Configuration extends string {
  /** Holds if data flow out of `node` is prohibited. */
  predicate isBarrierOut(Node node) { none() }

+  /** Holds if data flow through nodes guarded by `guard` is prohibited. */
+  predicate isBarrierGuard(BarrierGuard guard) { none() }
+
  /**
   * Holds if the additional flow step from `node1` to `node2` must be taken
   * into account in the analysis.
@@ -136,6 +139,11 @@ private predicate fullBarrier(Node node, Configuration config) {
  or
  config.isBarrierOut(node) and
  not config.isSink(node)
+  or
+  exists(BarrierGuard g |
+    config.isBarrierGuard(g) and
+    node = g.getAGuardedNode()
+  )
 }

 private class AdditionalFlowStepSource extends Node {
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowUtil.qll
@@ -6,6 +6,7 @@ private import java
 private import DataFlowPrivate
 private import semmle.code.java.dataflow.SSA
 private import semmle.code.java.dataflow.TypeFlow
+private import semmle.code.java.controlflow.Guards
 import semmle.code.java.dataflow.InstanceAccess

 cached
@@ -416,3 +417,19 @@ Node getInstanceArgument(Call call) {
  explicitInstanceArgument(call, result.asExpr()) or
  implicitInstanceArgument(call, result.(ImplicitInstanceAccess).getInstanceAccess())
 }
+
+/** A guard that validates some expression. */
+class BarrierGuard extends Guard {
+  /** Holds if this guard validates `e` upon evaluating to `branch`. */
+  abstract predicate checks(Expr e, boolean branch);
+
+  /** Gets a node guarded by this. */
+  final Node getAGuardedNode() {
+    exists(SsaVariable v, boolean branch, RValue use |
+      this.checks(v.getAUse(), branch) and
+      use = v.getAUse() and
+      this.controls(use.getBasicBlock(), branch) and
+      result.asExpr() = use
+    )
+  }
+}