Improve naming; eliminate some harmless extra results

Adding `src != valueSource` should have no effect as the introduced edge would already exist, but could reduce workload downstream.
Chris Smowton
2021-03-16 08:57:14 +00:00
parent 516122aa74
commit 915a19fb9d


@@ -71,18 +71,19 @@ private predicate localAdditionalBasicTaintStep(DataFlow::Node src, DataFlow::No
* `a` is tainted after `f` completes, and vice versa.
*/
private predicate composedValueAndTaintModelStep(ArgumentNode src, DataFlow::Node sink) {
exists(Call call, ArgumentNode valueSource, DataFlow::PostUpdateNode valueSourcePun |
exists(Call call, ArgumentNode valueSource, DataFlow::PostUpdateNode valueSourcePost |
src.argumentOf(call, _) and
valueSource.argumentOf(call, _) and
valueSourcePun.getPreUpdateNode() = valueSource and
src != valueSource and
valueSourcePost.getPreUpdateNode() = valueSource and
DataFlow::localFlowStep(valueSource, DataFlow::exprNode(call)) and
(
// in-x -value-> out-y and in-z -taint-> out-y ==> in-z -taint-> in-x
localAdditionalBasicTaintStep(src, DataFlow::exprNode(call)) and
sink = valueSourcePun
sink = valueSourcePost
or
// in-x -value-> out-y and in-z -taint-> in-x ==> in-z -taint-> out-y
localAdditionalBasicTaintStep(src, valueSourcePun) and
localAdditionalBasicTaintStep(src, valueSourcePost) and
sink = DataFlow::exprNode(call)
)
)
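Review bot: The added conjunct `src != valueSource` in `composedValueAndTaintModelStep` has no comment, so the reason it is safe exists only in the commit message. In the second disjunct the excluded case is visibly redundant, because `DataFlow::localFlowStep(valueSource, DataFlow::exprNode(call))` already gives that step as value flow. In the first disjunct the excluded case is a step from an argument to its own post-update node, and whether that step is derived elsewhere depends on code outside this hunk. Since a dropped step in a taint-tracking library shows up as missed flows in security queries, I would add a comment above the conjunct such as `// src = valueSource is excluded: the step it would yield is expected to exist already` and confirm the existing taint-tracking test expectations are unchanged. The predicate's doc comment begins before the hunk and its closing brace falls after it, so the doc comment may also need to say that the two arguments are distinct.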