C#/Java: Exclude summaries using callbacks in fields, properties and synthetic fields.

2025-12-16 16:53:25 +01:00 · 2024-10-29 09:26:01 +01:00
parent 5c389355d0
commit 55cfbccd43
4 changed files with 36 additions and 0 deletions
--- a/csharp/ql/src/utils/modelgenerator/internal/CaptureModels.qll
+++ b/csharp/ql/src/utils/modelgenerator/internal/CaptureModels.qll
@@ -318,6 +318,10 @@ module ModelGeneratorInput implements ModelGeneratorInputSig<Location, CsharpDat
    c.isField(_) or c.isSyntheticField(_) or c.isProperty(_)
  }

+  predicate isCallback(DataFlow::ContentSet c) {
+    c.isDelegateCallArgument(_) or c.isDelegateCallReturn()
+  }
+
  string getSyntheticName(DataFlow::ContentSet c) {
    exists(CS::Field f |
      not f.isEffectivelyPublic() and
--- a/csharp/ql/test/utils/modelgenerator/dataflow/Summaries.cs
+++ b/csharp/ql/test/utils/modelgenerator/dataflow/Summaries.cs
@@ -62,6 +62,15 @@ public class BasicFlow
    {
        return tainted;
    }
+
+    public Func<object, object> MyFunction;
+    // summary=Models;BasicFlow;false;MapMyFunction;(System.Object);;Argument[0];Argument[this];taint;df-generated
+    // summary=Models;BasicFlow;false;MapMyFunction;(System.Object);;Argument[this];ReturnValue;taint;df-generated
+    // No content based flow as MaD doesn't support callback logic in fields and properties.
+    public object MapMyFunction(object o)
+    {
+        return MyFunction(o);
+    }
 }

 public class CollectionFlow
--- a/java/ql/src/utils/modelgenerator/internal/CaptureModels.qll
+++ b/java/ql/src/utils/modelgenerator/internal/CaptureModels.qll
@@ -254,6 +254,8 @@ module ModelGeneratorInput implements ModelGeneratorInputSig<Location, JavaDataF
    c instanceof DataFlowUtil::SyntheticFieldContent
  }

+  predicate isCallback(DataFlow::ContentSet c) { none() }
+
  string getSyntheticName(DataFlow::ContentSet c) {
    exists(Field f |
      not f.isPublic() and
--- a/shared/mad/codeql/mad/modelgenerator/internal/ModelGeneratorImpl.qll
+++ b/shared/mad/codeql/mad/modelgenerator/internal/ModelGeneratorImpl.qll
@@ -206,6 +206,11 @@ signature module ModelGeneratorInputSig<LocationSig Location, InputSig<Location>
   */
  predicate isField(Lang::ContentSet c);

+  /**
+   * Holds if the content set `c` is callback like.
+   */
+  predicate isCallback(Lang::ContentSet c);
+
  /**
   * Gets the MaD synthetic name string representation for the content set `c`, if any.
   */
@@ -618,6 +623,20 @@ module MakeModelGenerator<
      isField(ap.getAtIndex(_))
    }

+    /**
+     * Holds if this access path `ap` mentions a callback.
+     */
+    private predicate mentionsCallback(PropagateContentFlow::AccessPath ap) {
+      isCallback(ap.getAtIndex(_))
+    }
+
+    /**
+     * Models as Data currently doesn't support callback logic in fields.
+     */
+    private predicate validateAccessPath(PropagateContentFlow::AccessPath ap) {
+      not (mentionsField(ap) and mentionsCallback(ap))
+    }
+
    private predicate apiFlow(
      DataFlowSummaryTargetApi api, DataFlow::ParameterNode p,
      PropagateContentFlow::AccessPath reads, ReturnNodeExt returnNodeExt,
@@ -859,6 +878,8 @@ module MakeModelGenerator<
        input = parameterNodeAsContentInput(p) + printReadAccessPath(reads) and
        output = getContentOutput(returnNodeExt) + printStoreAccessPath(stores) and
        input != output and
+        validateAccessPath(reads) and
+        validateAccessPath(stores) and
        (
          if mentionsField(reads) or mentionsField(stores)
          then lift = false and api.isRelevant()