Refactor: Create writesFieldOnSsaWithFields

2025-12-16 16:53:25 +01:00 · 2025-09-18 14:35:43 +01:00
parent cf6cfe2a1e
commit 748c53a791
6 changed files with 19 additions and 27 deletions
--- a/go/ql/lib/semmle/go/controlflow/ControlFlowGraph.qll
+++ b/go/ql/lib/semmle/go/controlflow/ControlFlowGraph.qll
@@ -152,6 +152,15 @@ module ControlFlow {
      )
    }

+    /**
+     * Holds if this node sets the value of field `f` on `v` to `rhs`.
+     */
+    predicate writesFieldOnSsaWithFields(SsaWithFields v, Field f, DataFlow::Node rhs) {
+      exists(IR::Instruction insn | this.writesFieldInsn(insn, f, rhs.asInstruction()) |
+        v.getAUse().asInstruction() = insn
+      )
+    }
+
    private predicate writesFieldInsn(IR::Instruction base, Field f, IR::Instruction rhs) {
      exists(IR::FieldTarget trg | trg = super.getLhs() |
        (
--- a/go/ql/lib/semmle/go/security/OpenUrlRedirectCustomizations.qll
+++ b/go/ql/lib/semmle/go/security/OpenUrlRedirectCustomizations.qll
@@ -90,10 +90,9 @@ module OpenUrlRedirect {
   */
  class PathAssignmentBarrier extends Barrier, Read {
    PathAssignmentBarrier() {
-      exists(Write w, DataFlow::Node base, SsaWithFields var |
+      exists(Write w, SsaWithFields var |
        hasHostnameSanitizingSubstring(w.getRhs()) and
-        w.writesField(base, any(Field f | f.getName() = "Path"), _) and
-        [base, base.(DataFlow::PostUpdateNode).getPreUpdateNode()] = var.getAUse() and
+        w.writesFieldOnSsaWithFields(var, any(Field f | f.getName() = "Path"), _) and
        useIsDominated(var, w, this)
      )
    }
--- a/go/ql/lib/semmle/go/security/RequestForgery.qll
+++ b/go/ql/lib/semmle/go/security/RequestForgery.qll
@@ -27,11 +27,8 @@ module RequestForgery {

    predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
      // propagate to a URL when its host is assigned to
-      exists(Write w, DataFlow::Node base, Field f, SsaWithFields v |
-        f.hasQualifiedName("net/url", "URL", "Host")
-      |
-        w.writesField(base, f, pred) and
-        [base, base.(DataFlow::PostUpdateNode).getPreUpdateNode()] = v.getAUse() and
+      exists(Write w, Field f, SsaWithFields v | f.hasQualifiedName("net/url", "URL", "Host") |
+        w.writesFieldOnSsaWithFields(v, f, pred) and
        succ = v.getAUse()
      )
    }
--- a/go/ql/lib/semmle/go/security/SafeUrlFlow.qll
+++ b/go/ql/lib/semmle/go/security/SafeUrlFlow.qll
@@ -23,11 +23,8 @@ module SafeUrlFlow {

    predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
      // propagate to a URL when its host is assigned to
-      exists(Write w, DataFlow::Node base, Field f, SsaWithFields v |
-        f.hasQualifiedName("net/url", "URL", "Host")
-      |
-        w.writesField(base, f, node1) and
-        [base, base.(DataFlow::PostUpdateNode).getPreUpdateNode()] = v.getAUse() and
+      exists(Write w, Field f, SsaWithFields v | f.hasQualifiedName("net/url", "URL", "Host") |
+        w.writesFieldOnSsaWithFields(v, f, node1) and
        node2 = v.getAUse()
      )
    }
--- a/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql
+++ b/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql
@@ -98,15 +98,8 @@ predicate hostCheckReachesSink(Flow::PathNode sink) {
        Flow::flowPath(source, otherSink) and
        Config::writeIsSink(sink.getNode(), sinkWrite) and
        Config::writeIsSink(otherSink.getNode(), otherSinkWrite) and
-        exists(DataFlow::Node base1 |
-          sinkWrite.writesField(base1, _, sink.getNode()) and
-          [base1, base1.(DataFlow::PostUpdateNode).getPreUpdateNode()] = sinkAccessPath.getAUse()
-        ) and
-        exists(DataFlow::Node base2 |
-          otherSinkWrite.writesField(base2, _, otherSink.getNode()) and
-          [base2, base2.(DataFlow::PostUpdateNode).getPreUpdateNode()] =
-            otherSinkAccessPath.getAUse()
-        ) and
+        sinkWrite.writesFieldOnSsaWithFields(sinkAccessPath, _, sink.getNode()) and
+        otherSinkWrite.writesFieldOnSsaWithFields(otherSinkAccessPath, _, otherSink.getNode()) and
        otherSinkAccessPath = sinkAccessPath.similar()
      )
    )
--- a/go/ql/src/experimental/CWE-918/SSRF.qll
+++ b/go/ql/src/experimental/CWE-918/SSRF.qll
@@ -22,11 +22,8 @@ module ServerSideRequestForgery {

    predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
      // propagate to a URL when its host is assigned to
-      exists(Write w, DataFlow::Node base, Field f, SsaWithFields v |
-        f.hasQualifiedName("net/url", "URL", "Host")
-      |
-        w.writesField(base, f, node1) and
-        [base, base.(DataFlow::PostUpdateNode).getPreUpdateNode()] = v.getAUse() and
+      exists(Write w, Field f, SsaWithFields v | f.hasQualifiedName("net/url", "URL", "Host") |
+        w.writesFieldOnSsaWithFields(v, f, node1) and
        node2 = v.getAUse()
      )
    }