Merge pull request #20961 from aschackmull/dataflow/flowfrom

Dataflow: Add flowFrom predicates to mirror flowTo.
2025-12-16 08:43:11 +01:00 · 2025-12-04 10:09:29 +01:00
parent e74031bee4 78e1879c9e
commit 607ad1f886
42 changed files with 77 additions and 53 deletions
--- a/java/ql/lib/semmle/code/java/frameworks/google/GoogleHttpClientApi.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/google/GoogleHttpClientApi.qll
@@ -26,9 +26,7 @@ private module TypeLiteralToParseAsFlowConfig implements DataFlow::ConfigSig {

 private module TypeLiteralToParseAsFlow = DataFlow::Global<TypeLiteralToParseAsFlowConfig>;

-private TypeLiteral getSourceWithFlowToParseAs() {
-  TypeLiteralToParseAsFlow::flow(DataFlow::exprNode(result), _)
-}
+private TypeLiteral getSourceWithFlowToParseAs() { TypeLiteralToParseAsFlow::flowFromExpr(result) }

 /** A field that is deserialized by `HttpResponse.parseAs`. */
 class HttpResponseParseAsDeserializableField extends DeserializableField {
--- a/java/ql/lib/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
@@ -110,7 +110,7 @@ private module TypeLiteralToJacksonDatabindFlow =
  DataFlow::Global<TypeLiteralToJacksonDatabindFlowConfig>;

 private TypeLiteral getSourceWithFlowToJacksonDatabind() {
-  TypeLiteralToJacksonDatabindFlow::flow(DataFlow::exprNode(result), _)
+  TypeLiteralToJacksonDatabindFlow::flowFromExpr(result)
 }

 /** A type whose values are explicitly deserialized in a call to a Jackson method. */
--- a/java/ql/lib/semmle/code/java/regex/RegexFlowConfigs.qll
+++ b/java/ql/lib/semmle/code/java/regex/RegexFlowConfigs.qll
@@ -164,7 +164,7 @@ private module RegexFlowConfig implements DataFlow::ConfigSig {
 private module RegexFlow = DataFlow::Global<RegexFlowConfig>;

 private predicate usedAsRegexImpl(StringLiteral regex, string mode, boolean match_full_string) {
-  RegexFlow::flow(DataFlow::exprNode(regex), _) and
+  RegexFlow::flowFromExpr(regex) and
  mode = "None" and // TODO: proper mode detection
  (if matchesFullString(regex) then match_full_string = true else match_full_string = false)
 }
--- a/java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll
@@ -51,7 +51,7 @@ private module VerifiedIntentFlow = DataFlow::Global<VerifiedIntentConfig>;
 /** An `onReceive` method that doesn't verify the action of the intent it receives. */
 private class UnverifiedOnReceiveMethod extends OnReceiveMethod {
  UnverifiedOnReceiveMethod() {
-    not VerifiedIntentFlow::flow(DataFlow::parameterNode(this.getIntentParameter()), _) and
+    not VerifiedIntentFlow::flowFrom(DataFlow::parameterNode(this.getIntentParameter())) and
    // Empty methods do not need to be verified since they do not perform any actions.
    this.getBody().getNumStmt() > 0
  }
--- a/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.ql
+++ b/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.ql
@@ -118,7 +118,7 @@ where
  // implicit: no setAllowContentAccess(false)
  exists(WebViewSource source |
    source.asExpr() = e and
-    not WebViewDisallowContentAccessFlow::flow(source, _)
+    not WebViewDisallowContentAccessFlow::flowFrom(source)
  )
 select e,
  "Sensitive information may be exposed via a malicious link due to access to content:// links being allowed in this WebView."
--- a/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
@@ -85,7 +85,7 @@ private module JxBrowserFlow = DataFlow::Global<JxBrowserFlowConfig>;

 deprecated query predicate problems(DataFlow::Node src, string message) {
  JxBrowserFlowConfig::isSource(src) and
-  not JxBrowserFlow::flow(src, _) and
+  not JxBrowserFlow::flowFrom(src) and
  not isSafeJxBrowserVersion() and
  message = "This JxBrowser instance may not check HTTPS certificates."
 }
--- a/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql
@@ -50,7 +50,7 @@ private Expr getAccessControlAllowOriginHeaderName() {
 * A taint-tracking configuration for flow from a source node to CorsProbableCheckAccess methods.
 */
 module CorsSourceReachesCheckConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { CorsOriginFlow::flow(source, _) }
+  predicate isSource(DataFlow::Node source) { CorsOriginFlow::flowFrom(source) }

  predicate isSink(DataFlow::Node sink) {
    sink.asExpr() = any(CorsProbableCheckAccess check).getAnArgument()
@@ -86,7 +86,7 @@ deprecated query predicate problems(
  string message1, DataFlow::Node sourceNode, string message2
 ) {
  CorsOriginFlow::flowPath(source, sink) and
-  not CorsSourceReachesCheckFlow::flow(sourceNode, _) and
+  not CorsSourceReachesCheckFlow::flowFrom(sourceNode) and
  sinkNode = sink.getNode() and
  message1 = "CORS header is being set using user controlled value $@." and
  sourceNode = source.getNode() and
--- a/java/ql/src/experimental/Security/CWE/CWE-347/Auth0NoVerifier.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-347/Auth0NoVerifier.ql
@@ -17,7 +17,7 @@ deprecated import JwtAuth0 as JwtAuth0
 deprecated module JwtDecodeConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
    source instanceof RemoteFlowSource and
-    not FlowToJwtVerify::flow(source, _)
+    not FlowToJwtVerify::flowFrom(source)
  }

  predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(JwtAuth0::GetPayload a) }
--- a/java/ql/test-kotlin1/library-tests/parameter-defaults/flowTest.ql
+++ b/java/ql/test-kotlin1/library-tests/parameter-defaults/flowTest.ql
@@ -25,9 +25,7 @@ module Config implements DataFlow::ConfigSig {

 module Flow = DataFlow::Global<Config>;

-predicate isSunk(StringLiteral sl) {
-  exists(DataFlow::Node source | Flow::flow(source, _) and sl = source.asExpr())
-}
+predicate isSunk(StringLiteral sl) { Flow::flowFromExpr(sl) }

 query predicate shouldBeSunkButIsnt(ShouldBeSunk src) { not isSunk(src) }

--- a/java/ql/test-kotlin2/library-tests/parameter-defaults/flowTest.ql
+++ b/java/ql/test-kotlin2/library-tests/parameter-defaults/flowTest.ql
@@ -25,9 +25,7 @@ module Config implements DataFlow::ConfigSig {

 module Flow = DataFlow::Global<Config>;

-predicate isSunk(StringLiteral sl) {
-  exists(DataFlow::Node source | Flow::flow(source, _) and sl = source.asExpr())
-}
+predicate isSunk(StringLiteral sl) { Flow::flowFromExpr(sl) }

 query predicate shouldBeSunkButIsnt(ShouldBeSunk src) { not isSunk(src) }

--- a/java/ql/test/library-tests/frameworks/android/taint-database/flowSteps.ql
+++ b/java/ql/test/library-tests/frameworks/android/taint-database/flowSteps.ql
@@ -20,7 +20,7 @@ module FlowStepTest implements TestSig {
  predicate hasActualResult(Location l, string element, string tag, string value) {
    tag = "taintReachesReturn" and
    value = "" and
-    exists(DataFlow::Node source | Flow::flow(source, _) |
+    exists(DataFlow::Node source | Flow::flowFrom(source) |
      l = source.getLocation() and
      element = source.toString()
    )
--- a/java/ql/test/library-tests/frameworks/android/taint-database/sinks.ql
+++ b/java/ql/test/library-tests/frameworks/android/taint-database/sinks.ql
@@ -20,7 +20,7 @@ module SinkTest implements TestSig {
  predicate hasActualResult(Location l, string element, string tag, string value) {
    tag = "taintReachesSink" and
    value = "" and
-    exists(DataFlow::Node source | Flow::flow(source, _) |
+    exists(DataFlow::Node source | Flow::flowFrom(source) |
      l = source.getLocation() and
      element = source.toString()
    )