From 9e5645fa9df3a5eb6049356f7944321cc249f45d Mon Sep 17 00:00:00 2001 From: Sauyon Lee Date: Wed, 13 May 2020 03:56:55 -0700 Subject: [PATCH] Add similar predicate to SsaWithFields --- ql/src/Security/CWE-601/BadRedirectCheck.ql | 13 ++----------- ql/src/semmle/go/dataflow/SSA.qll | 9 +++++++++ 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/ql/src/Security/CWE-601/BadRedirectCheck.ql b/ql/src/Security/CWE-601/BadRedirectCheck.ql index 968b1ab2c13..168326cb30e 100644 --- a/ql/src/Security/CWE-601/BadRedirectCheck.ql +++ b/ql/src/Security/CWE-601/BadRedirectCheck.ql @@ -141,15 +141,6 @@ predicate isBadRedirectCheckOrWrapper(DataFlow::Node check, SsaWithFields v) { ) } -/** - * Gets an SSA-with-fields variable that is similar to `v` in the sense that it has the same - * root variable and the same sequence of field accesses. - */ -SsaWithFields similar(SsaWithFields v) { - result.getBaseVariable().getSourceVariable() = v.getBaseVariable().getSourceVariable() and - result.getQualifiedName() = v.getQualifiedName() -} - /** * Holds if `check` checks that `v` has a leading slash, but not whether it has another slash or a * backslash in its second position. @@ -161,8 +152,8 @@ predicate isBadRedirectCheck(DataFlow::Node check, SsaWithFields v) { // (we allow those checks to be on variables that are most likely equivalent to `v` // to rule out false positives due to minor variations in data flow) not ( - isCheckedForSecondSlash(similar(v)) and - isCheckedForSecondBackslash(similar(v)) + isCheckedForSecondSlash(v.similar()) and + isCheckedForSecondBackslash(v.similar()) ) } diff --git a/ql/src/semmle/go/dataflow/SSA.qll b/ql/src/semmle/go/dataflow/SSA.qll index 15859eb1e60..4f31c197ef2 100644 --- a/ql/src/semmle/go/dataflow/SSA.qll +++ b/ql/src/semmle/go/dataflow/SSA.qll @@ -352,6 +352,15 @@ class SsaWithFields extends TSsaWithFields { exists(SsaWithFields base, Field f | this = TStep(base, f) | result = base + "." + f.getName()) } + /** + * Gets an SSA-with-fields variable that is similar to this SSA-with-fields variable in the + * sense that it has the same root variable and the same sequence of field accesses. + */ + SsaWithFields similar() { + result.getBaseVariable().getSourceVariable() = this.getBaseVariable().getSourceVariable() and + result.getQualifiedName() = this.getQualifiedName() + } + /** * Gets the qualified name of the source variable or variable and fields that this represents. *