From a0975e7e196691c313b268371dd9989d9474bee3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nora=20Dimitrijevi=C4=87?= <d10c@users.noreply.github.com>
Date: Thu, 16 Oct 2025 14:19:05 +0200
Subject: [PATCH] Constrain location overrides to actual sources/sinks

---
 .../Security/CWE/CWE-190/ArithmeticUncontrolled.ql   |  1 +
 cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql         |  1 +
 .../code/java/security/ArithmeticTaintedQuery.qll    | 12 ++++++------
 .../java/security/ArithmeticUncontrolledQuery.qll    | 12 ++++++------
 .../java/security/BrokenCryptoAlgorithmQuery.qll     |  8 +++++---
 .../semmle/code/java/security/CommandLineQuery.qll   |  8 +++++---
 .../code/java/security/ConditionalBypassQuery.qll    |  4 +---
 ...lidationOfArrayConstructionCodeSpecifiedQuery.qll |  7 ++++---
 .../ImproperValidationOfArrayConstructionQuery.qll   |  7 ++++---
 .../java/security/UnsafeDeserializationQuery.qll     |  2 +-
 .../ShellCommandInjectionFromEnvironmentQuery.qll    |  4 +---
 .../swift/security/CleartextStorageDatabaseQuery.qll |  6 +++++-
 .../security/CleartextStoragePreferencesQuery.qll    |  6 +++++-
 13 files changed, 45 insertions(+), 33 deletions(-)

diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
index 55158ccbf72..3126573ac5a 100644
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
@@ -124,6 +124,7 @@ module UncontrolledArithConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
 
   Location getASelectedSourceLocation(DataFlow::Node source) {
+    isSource(source) and
     result = [getExpr(source).getLocation(), source.getLocation()]
   }
 }
diff --git a/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql b/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
index f6db506f47c..682d8387433 100644
--- a/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
+++ b/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
@@ -91,6 +91,7 @@ module HttpStringToUrlOpenConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
 
   Location getASelectedSourceLocation(DataFlow::Node source) {
+    isSource(source) and
     result = [source.asIndirectExpr().getLocation(), source.getLocation()]
   }
 }
diff --git a/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll b/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll
index c3d4e7876d5..65e73f84149 100644
--- a/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll
@@ -19,9 +19,9 @@ module ArithmeticOverflowConfig implements DataFlow::ConfigSig {
   }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    exists(ArithExpr exp | result = exp.getLocation() | overflowSink(exp, sink.asExpr()))
+    exists(ArithExpr exp | result = [exp.getLocation(), sink.getLocation()] |
+      overflowSink(exp, sink.asExpr())
+    )
   }
 }
 
@@ -45,9 +45,9 @@ module ArithmeticUnderflowConfig implements DataFlow::ConfigSig {
   }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    exists(ArithExpr exp | result = exp.getLocation() | underflowSink(exp, sink.asExpr()))
+    exists(ArithExpr exp | result = [exp.getLocation(), sink.getLocation()] |
+      underflowSink(exp, sink.asExpr())
+    )
   }
 }
 
diff --git a/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll b/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll
index ac79aef3f37..3c1ceaddc2f 100644
--- a/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll
@@ -25,9 +25,9 @@ module ArithmeticUncontrolledOverflowConfig implements DataFlow::ConfigSig {
   }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    exists(ArithExpr exp | result = exp.getLocation() | overflowSink(exp, sink.asExpr()))
+    exists(ArithExpr exp | result = [exp.getLocation(), sink.getLocation()] |
+      overflowSink(exp, sink.asExpr())
+    )
   }
 }
 
@@ -48,9 +48,9 @@ module ArithmeticUncontrolledUnderflowConfig implements DataFlow::ConfigSig {
   }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    exists(ArithExpr exp | result = exp.getLocation() | underflowSink(exp, sink.asExpr()))
+    exists(ArithExpr exp | result = [exp.getLocation(), sink.getLocation()] |
+      underflowSink(exp, sink.asExpr())
+    )
   }
 }
 
diff --git a/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll b/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll
index 9bcf9dc2eaf..60f1e179397 100644
--- a/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll
@@ -36,9 +36,11 @@ module InsecureCryptoConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    exists(CryptoAlgoSpec c | sink.asExpr() = c.getAlgoSpec() | result = c.getLocation())
+    exists(CryptoAlgoSpec c | sink.asExpr() = c.getAlgoSpec() |
+      result = c.getLocation()
+      or
+      result = sink.getLocation()
+    )
   }
 }
 
diff --git a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
index 82d24eb718e..b6b9d02e289 100644
--- a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
@@ -66,9 +66,11 @@ module InputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
   // ExecTainted.ql queries use the argument as the primary location;
   // ExecUnescaped.ql does not (used to prevent overlapping results).
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    exists(Expr argument | argumentToExec(argument, sink) | result = argument.getLocation())
+    exists(Expr argument | argumentToExec(argument, sink) |
+      result = argument.getLocation()
+      or
+      result = sink.getLocation()
+    )
   }
 }
 
diff --git a/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll b/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll
index 087ca674cda..babf129f19e 100644
--- a/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll
@@ -51,9 +51,7 @@ module ConditionalBypassFlowConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    exists(MethodCall m, Expr e | result = [m, e].getLocation() |
+    exists(MethodCall m, Expr e | result = [[m, e].getLocation(), sink.getLocation()] |
       conditionControlsMethod(m, e) and
       sink.asExpr() = e
     )
diff --git a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll
index 487d9e3924e..97a6d159bc9 100644
--- a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll
@@ -21,10 +21,11 @@ module BoundedFlowSourceConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
     exists(ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess |
-      result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation() and
+      result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation()
+      or
+      result = sink.getLocation()
+    |
       arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), arrayCreation)
     )
   }
diff --git a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll
index d37a8d882b3..74b8af7e588 100644
--- a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll
@@ -18,10 +18,11 @@ module ImproperValidationOfArrayConstructionConfig implements DataFlow::ConfigSi
   predicate observeDiffInformedIncrementalMode() { any() }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
     exists(ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess |
-      result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation() and
+      result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation()
+      or
+      result = sink.getLocation()
+    |
       arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), arrayCreation)
     )
   }
diff --git a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll
index e0a66626be4..dc771a46606 100644
--- a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll
@@ -313,7 +313,7 @@ private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
+    result = sink.(UnsafeDeserializationSink).getLocation()
     or
     result = sink.(UnsafeDeserializationSink).getMethodCall().getLocation()
   }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll
index 34cee84aaae..e1dcdd339d9 100644
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll
@@ -31,11 +31,9 @@ module ShellCommandInjectionFromEnvironmentConfig implements DataFlow::ConfigSig
   predicate observeDiffInformedIncrementalMode() { any() }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
     exists(DataFlow::Node node |
       isSinkWithHighlight(sink, node) and
-      result = node.getLocation()
+      result = [node.getLocation(), sink.getLocation()]
     )
   }
 }
diff --git a/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll b/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll
index 21bcb89efe4..50a421a05dc 100644
--- a/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll
+++ b/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll
@@ -54,7 +54,11 @@ module CleartextStorageDatabaseConfig implements DataFlow::ConfigSig {
   Location getASelectedSinkLocation(DataFlow::Node sink) {
     result = sink.(CleartextStorageDatabaseSink).getLocation()
     or
-    result = sink.(DataFlow::PostUpdateNode).getPreUpdateNode().getLocation()
+    result =
+      sink.(CleartextStorageDatabaseSink)
+          .(DataFlow::PostUpdateNode)
+          .getPreUpdateNode()
+          .getLocation()
   }
 }
 
diff --git a/swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll b/swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll
index a0d3414f249..578fe0b36e0 100644
--- a/swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll
+++ b/swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll
@@ -36,7 +36,11 @@ module CleartextStoragePreferencesConfig implements DataFlow::ConfigSig {
   Location getASelectedSinkLocation(DataFlow::Node sink) {
     result = sink.(CleartextStoragePreferencesSink).getLocation()
     or
-    result = sink.(DataFlow::PostUpdateNode).getPreUpdateNode().getLocation()
+    result =
+      sink.(CleartextStoragePreferencesSink)
+          .(DataFlow::PostUpdateNode)
+          .getPreUpdateNode()
+          .getLocation()
   }
 }