mirror of
https://github.com/github/codeql.git
synced 2026-04-25 16:55:19 +02:00
Refactor dataflow library tests
This commit is contained in:
Ed Minnix
@@ -4,14 +4,12 @@
|
||||
|
||||
import java
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
import DataFlow::PathGraph
|
||||
import Flow::PathGraph
|
||||
|
||||
class Conf extends DataFlow::Configuration {
|
||||
Conf() { this = "CallSensitiveFlowConf" }
|
||||
module Config implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src.asExpr() instanceof ClassInstanceExpr }
|
||||
|
||||
override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof ClassInstanceExpr }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) {
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(MethodAccess ma |
|
||||
ma.getMethod().hasName("sink") and
|
||||
ma.getAnArgument() = sink.asExpr()
|
||||
@@ -19,6 +17,8 @@ class Conf extends DataFlow::Configuration {
|
||||
}
|
||||
}
|
||||
|
||||
from DataFlow::PathNode source, DataFlow::PathNode sink, Conf conf
|
||||
where conf.hasFlowPath(source, sink)
|
||||
module Flow = DataFlow::Global<Config>;
|
||||
|
||||
from Flow::PathNode source, Flow::PathNode sink
|
||||
where Flow::flowPath(source, sink)
|
||||
select source, source, sink, "$@", sink, sink.toString()
|
||||
|
||||
@@ -2,18 +2,16 @@ import java
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
import TestUtilities.InlineExpectationsTest
|
||||
|
||||
class Conf extends DataFlow::Configuration {
|
||||
Conf() { this = "qltest:callback-dispatch" }
|
||||
module Config implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node n) { n.asExpr().(MethodAccess).getMethod().hasName("source") }
|
||||
|
||||
override predicate isSource(DataFlow::Node n) {
|
||||
n.asExpr().(MethodAccess).getMethod().hasName("source")
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node n) {
|
||||
predicate isSink(DataFlow::Node n) {
|
||||
exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
|
||||
}
|
||||
}
|
||||
|
||||
module Flow = DataFlow::Global<Config>;
|
||||
|
||||
class HasFlowTest extends InlineExpectationsTest {
|
||||
HasFlowTest() { this = "HasFlowTest" }
|
||||
|
||||
@@ -21,7 +19,7 @@ class HasFlowTest extends InlineExpectationsTest {
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
tag = "flow" and
|
||||
exists(DataFlow::Node src, DataFlow::Node sink, Conf conf | conf.hasFlow(src, sink) |
|
||||
exists(DataFlow::Node src, DataFlow::Node sink | Flow::flow(src, sink) |
|
||||
sink.getLocation() = location and
|
||||
element = sink.toString() and
|
||||
value = src.asExpr().(MethodAccess).getAnArgument().toString()
|
||||
|
||||
@@ -1,10 +1,8 @@
|
||||
import java
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
|
||||
class Conf extends TaintTracking::Configuration {
|
||||
Conf() { this = "conf" }
|
||||
|
||||
override predicate isSource(DataFlow::Node src) {
|
||||
module Config implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) {
|
||||
(
|
||||
src.asExpr().(VarAccess).getVariable().hasName("tainted")
|
||||
or
|
||||
@@ -14,7 +12,7 @@ class Conf extends TaintTracking::Configuration {
|
||||
)
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) {
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(MethodAccess ma |
|
||||
sink.asExpr() = ma.getAnArgument() and
|
||||
ma.getMethod().hasName("sink")
|
||||
@@ -25,6 +23,8 @@ class Conf extends TaintTracking::Configuration {
|
||||
}
|
||||
}
|
||||
|
||||
from Conf c, DataFlow::Node src, DataFlow::Node sink
|
||||
where c.hasFlow(src, sink)
|
||||
module Flow = TaintTracking::Global<Config>;
|
||||
|
||||
from DataFlow::Node src, DataFlow::Node sink
|
||||
where Flow::flow(src, sink)
|
||||
select src, sink
|
||||
|
||||
@@ -8,16 +8,16 @@ class TestRemoteFlowSource extends RemoteFlowSource {
|
||||
override string getSourceType() { result = "test" }
|
||||
}
|
||||
|
||||
class TaintFlowConf extends TaintTracking::Configuration {
|
||||
TaintFlowConf() { this = "qltest:dataflow:entrypoint-types-taint" }
|
||||
module TaintFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node n) { n instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSource(DataFlow::Node n) { n instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node n) {
|
||||
predicate isSink(DataFlow::Node n) {
|
||||
exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
|
||||
}
|
||||
}
|
||||
|
||||
module TaintFlow = TaintTracking::Global<TaintFlowConfig>;
|
||||
|
||||
class HasFlowTest extends InlineExpectationsTest {
|
||||
HasFlowTest() { this = "HasFlowTest" }
|
||||
|
||||
@@ -25,7 +25,7 @@ class HasFlowTest extends InlineExpectationsTest {
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
tag = "hasTaintFlow" and
|
||||
exists(DataFlow::Node sink, TaintFlowConf conf | conf.hasFlowTo(sink) |
|
||||
exists(DataFlow::Node sink | TaintFlow::flowTo(sink) |
|
||||
sink.getLocation() = location and
|
||||
element = sink.toString() and
|
||||
value = ""
|
||||
|
||||
@@ -1,12 +1,10 @@
|
||||
import java
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
|
||||
class Conf extends DataFlow::Configuration {
|
||||
Conf() { this = "FieldFlowConf" }
|
||||
module Config implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) { src.asExpr() instanceof ClassInstanceExpr }
|
||||
|
||||
override predicate isSource(DataFlow::Node src) { src.asExpr() instanceof ClassInstanceExpr }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) {
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(MethodAccess ma |
|
||||
ma.getMethod().hasName("sink") and
|
||||
ma.getAnArgument() = sink.asExpr()
|
||||
@@ -14,6 +12,8 @@ class Conf extends DataFlow::Configuration {
|
||||
}
|
||||
}
|
||||
|
||||
from DataFlow::Node src, DataFlow::Node sink, Conf conf
|
||||
where conf.hasFlow(src, sink)
|
||||
module Flow = DataFlow::Global<Config>;
|
||||
|
||||
from DataFlow::Node src, DataFlow::Node sink
|
||||
where Flow::flow(src, sink)
|
||||
select src, sink
|
||||
|
||||
@@ -1,16 +1,14 @@
|
||||
import java
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
|
||||
class Conf extends TaintTracking::Configuration {
|
||||
Conf() { this = "qltest lambda" }
|
||||
|
||||
override predicate isSource(DataFlow::Node src) {
|
||||
module Config implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) {
|
||||
src.asExpr().(VarAccess).getVariable().hasName("args")
|
||||
or
|
||||
src.asExpr().(MethodAccess).getMethod().hasName("source")
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) {
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
sink.asExpr().(Argument).getCall() =
|
||||
any(MethodAccess ma |
|
||||
ma.getMethod().hasName("exec") and
|
||||
@@ -19,6 +17,8 @@ class Conf extends TaintTracking::Configuration {
|
||||
}
|
||||
}
|
||||
|
||||
from DataFlow::Node src, DataFlow::Node sink, Conf c
|
||||
where c.hasFlow(src, sink)
|
||||
module Flow = TaintTracking::Global<Config>;
|
||||
|
||||
from DataFlow::Node src, DataFlow::Node sink
|
||||
where Flow::flow(src, sink)
|
||||
select src, sink
|
||||
|
||||
@@ -1,14 +1,12 @@
|
||||
import java
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
|
||||
class Conf extends DataFlow::Configuration {
|
||||
Conf() { this = "conf" }
|
||||
|
||||
override predicate isSource(DataFlow::Node src) {
|
||||
module Config implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node src) {
|
||||
src.asExpr().(MethodAccess).getMethod().hasName("source")
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) {
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(MethodAccess ma |
|
||||
sink.asExpr() = ma.getAnArgument() and
|
||||
ma.getMethod().hasName("sink")
|
||||
@@ -16,6 +14,8 @@ class Conf extends DataFlow::Configuration {
|
||||
}
|
||||
}
|
||||
|
||||
from Conf c, DataFlow::Node src, DataFlow::Node sink
|
||||
where c.hasFlow(src, sink)
|
||||
module Flow = DataFlow::Global<Config>;
|
||||
|
||||
from DataFlow::Node src, DataFlow::Node sink
|
||||
where Flow::flow(src, sink)
|
||||
select src, sink
|
||||
|
||||
@@ -1,14 +1,14 @@
|
||||
import java
|
||||
import semmle.code.java.dataflow.DataFlow
|
||||
|
||||
class Conf extends DataFlow::Configuration {
|
||||
Conf() { this = "qqconf" }
|
||||
module Config implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node n) { n.asExpr() instanceof NullLiteral }
|
||||
|
||||
override predicate isSource(DataFlow::Node n) { n.asExpr() instanceof NullLiteral }
|
||||
|
||||
override predicate isSink(DataFlow::Node n) { any() }
|
||||
predicate isSink(DataFlow::Node n) { any() }
|
||||
}
|
||||
|
||||
from Conf conf, DataFlow::Node src, DataFlow::Node sink
|
||||
where conf.hasFlow(src, sink)
|
||||
module Flow = DataFlow::Global<Config>;
|
||||
|
||||
from DataFlow::Node src, DataFlow::Node sink
|
||||
where Flow::flow(src, sink)
|
||||
select src, sink
|
||||
|
||||
@@ -2,14 +2,14 @@ import semmle.code.java.dataflow.DataFlow
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
import semmle.code.java.dataflow.FlowSources
|
||||
|
||||
class Conf extends TaintTracking::Configuration {
|
||||
Conf() { this = "qltest:dataflow:ioutils" }
|
||||
module Config implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof UserInput }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof UserInput }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) { any() }
|
||||
predicate isSink(DataFlow::Node sink) { any() }
|
||||
}
|
||||
|
||||
from UserInput u, DataFlow::Node e, Conf config
|
||||
where config.hasFlow(u, e) and e.getEnclosingCallable().hasName("ioutils")
|
||||
module Flow = TaintTracking::Global<Config>;
|
||||
|
||||
from UserInput u, DataFlow::Node e
|
||||
where Flow::flow(u, e) and e.getEnclosingCallable().hasName("ioutils")
|
||||
select e
|
||||
|
||||
@@ -1,18 +1,14 @@
|
||||
import java
|
||||
import semmle.code.java.dataflow.TaintTracking
|
||||
|
||||
class Conf extends TaintTracking::Configuration {
|
||||
Conf() { this = "qqconf" }
|
||||
module Config implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node n) { n.asExpr().(MethodAccess).getMethod().hasName("taint") }
|
||||
|
||||
override predicate isSource(DataFlow::Node n) {
|
||||
n.asExpr().(MethodAccess).getMethod().hasName("taint")
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node n) {
|
||||
n.asExpr().(Argument).getCall().getCallee().hasName("sink")
|
||||
}
|
||||
predicate isSink(DataFlow::Node n) { n.asExpr().(Argument).getCall().getCallee().hasName("sink") }
|
||||
}
|
||||
|
||||
from DataFlow::Node src, DataFlow::Node sink, Conf conf
|
||||
where conf.hasFlow(src, sink)
|
||||
module Flow = TaintTracking::Global<Config>;
|
||||
|
||||
from DataFlow::Node src, DataFlow::Node sink
|
||||
where Flow::flow(src, sink)
|
||||
select src, sink
|
||||
|
||||
@@ -10,22 +10,22 @@ predicate isTestSink(DataFlow::Node n) {
|
||||
exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
|
||||
}
|
||||
|
||||
class LocalValueConf extends DataFlow::Configuration {
|
||||
LocalValueConf() { this = "LocalValueConf" }
|
||||
module LocalValueConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node n) { n instanceof LocalSource }
|
||||
|
||||
override predicate isSource(DataFlow::Node n) { n instanceof LocalSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node n) { isTestSink(n) }
|
||||
predicate isSink(DataFlow::Node n) { isTestSink(n) }
|
||||
}
|
||||
|
||||
class LocalTaintConf extends TaintTracking::Configuration {
|
||||
LocalTaintConf() { this = "LocalTaintConf" }
|
||||
module LocalValueFlow = DataFlow::Global<LocalValueConfig>;
|
||||
|
||||
override predicate isSource(DataFlow::Node n) { n instanceof LocalSource }
|
||||
module LocalTaintConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node n) { n instanceof LocalSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node n) { isTestSink(n) }
|
||||
predicate isSink(DataFlow::Node n) { isTestSink(n) }
|
||||
}
|
||||
|
||||
module LocalTaintFlow = TaintTracking::Global<LocalTaintConfig>;
|
||||
|
||||
class LocalFlowTest extends InlineExpectationsTest {
|
||||
LocalFlowTest() { this = "LocalFlowTest" }
|
||||
|
||||
@@ -33,7 +33,7 @@ class LocalFlowTest extends InlineExpectationsTest {
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
tag = "hasLocalValueFlow" and
|
||||
exists(DataFlow::Node sink | any(LocalValueConf c).hasFlowTo(sink) |
|
||||
exists(DataFlow::Node sink | LocalValueFlow::flowTo(sink) |
|
||||
sink.getLocation() = location and
|
||||
element = sink.toString() and
|
||||
value = ""
|
||||
@@ -41,7 +41,7 @@ class LocalFlowTest extends InlineExpectationsTest {
|
||||
or
|
||||
tag = "hasLocalTaintFlow" and
|
||||
exists(DataFlow::Node src, DataFlow::Node sink |
|
||||
any(LocalTaintConf c).hasFlow(src, sink) and not any(LocalValueConf c).hasFlow(src, sink)
|
||||
LocalTaintFlow::flow(src, sink) and not LocalValueFlow::flow(src, sink)
|
||||
|
|
||||
sink.getLocation() = location and
|
||||
element = sink.toString() and
|
||||
|
||||
@@ -6,22 +6,22 @@ predicate isTestSink(DataFlow::Node n) {
|
||||
exists(MethodAccess ma | ma.getMethod().hasName("sink") | n.asExpr() = ma.getAnArgument())
|
||||
}
|
||||
|
||||
class RemoteValueConf extends DataFlow::Configuration {
|
||||
RemoteValueConf() { this = "RemoteValueConf" }
|
||||
module RemoteValueConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node n) { n instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSource(DataFlow::Node n) { n instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node n) { isTestSink(n) }
|
||||
predicate isSink(DataFlow::Node n) { isTestSink(n) }
|
||||
}
|
||||
|
||||
class RemoteTaintConf extends TaintTracking::Configuration {
|
||||
RemoteTaintConf() { this = "RemoteTaintConf" }
|
||||
module RemoteValueFlow = DataFlow::Global<RemoteValueConfig>;
|
||||
|
||||
override predicate isSource(DataFlow::Node n) { n instanceof RemoteFlowSource }
|
||||
module RemoteTaintConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node n) { n instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node n) { isTestSink(n) }
|
||||
predicate isSink(DataFlow::Node n) { isTestSink(n) }
|
||||
}
|
||||
|
||||
module RemoteTaintFlow = TaintTracking::Global<RemoteTaintConfig>;
|
||||
|
||||
class RemoteFlowTest extends InlineExpectationsTest {
|
||||
RemoteFlowTest() { this = "RemoteFlowTest" }
|
||||
|
||||
@@ -29,7 +29,7 @@ class RemoteFlowTest extends InlineExpectationsTest {
|
||||
|
||||
override predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
tag = "hasRemoteValueFlow" and
|
||||
exists(DataFlow::Node sink | any(RemoteValueConf c).hasFlowTo(sink) |
|
||||
exists(DataFlow::Node sink | RemoteValueFlow::flowTo(sink) |
|
||||
sink.getLocation() = location and
|
||||
element = sink.toString() and
|
||||
value = ""
|
||||
@@ -37,7 +37,7 @@ class RemoteFlowTest extends InlineExpectationsTest {
|
||||
or
|
||||
tag = "hasRemoteTaintFlow" and
|
||||
exists(DataFlow::Node src, DataFlow::Node sink |
|
||||
any(RemoteTaintConf c).hasFlow(src, sink) and not any(RemoteValueConf c).hasFlow(src, sink)
|
||||
RemoteTaintFlow::flow(src, sink) and not RemoteValueFlow::flow(src, sink)
|
||||
|
|
||||
sink.getLocation() = location and
|
||||
element = sink.toString() and
|
||||
|
||||
Reference in New Issue
Block a user