C++: Simplify dataflow taint test query

The complexity seems a left-over from before these tests were turned into inline expectation tests, where the aim seems to have been to have exactly one sink node for each `sink` call. Multiple sink nodes for the same `sink` call are not made visible in the inline expecation tests, and I am not conviced this was very useful before, so remove the complexity.
2026-05-05 05:35:13 +02:00 · 2022-11-10 10:38:22 +01:00
parent 2bef82babc
commit 4d7aeced3f
1 changed files with 1 additions and 10 deletions
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.ql
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.ql
@@ -95,16 +95,7 @@ module IRTest {
    override predicate isSink(DataFlow::Node sink) {
      exists(FunctionCall call |
        call.getTarget().getName() = "sink" and
-        sink.asConvertedExpr() = call.getAnArgument()
-        or
-        call.getTarget().getName() = "sink" and
-        sink.asExpr() = call.getAnArgument() and
-        sink.asConvertedExpr() instanceof ReferenceDereferenceExpr
-      )
-      or
-      exists(ReadSideEffectInstruction read |
-        read.getSideEffectOperand() = sink.asOperand() and
-        read.getPrimaryInstruction().(CallInstruction).getStaticCallTarget().hasName("sink")
+        sink.asExpr() = call.getAnArgument()
      )
    }