Constrain location overrides to actual sources/sinks

cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql

@@ -124,6 +124,7 @@ module UncontrolledArithConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
 
   Location getASelectedSourceLocation(DataFlow::Node source) {
+    isSource(source) and
     result = [getExpr(source).getLocation(), source.getLocation()]
   }
 }

cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql

@@ -91,6 +91,7 @@ module HttpStringToUrlOpenConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
 
   Location getASelectedSourceLocation(DataFlow::Node source) {
+    isSource(source) and
     result = [source.asIndirectExpr().getLocation(), source.getLocation()]
   }
 }

java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll

@@ -19,9 +19,9 @@ module ArithmeticOverflowConfig implements DataFlow::ConfigSig {
   }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    exists(ArithExpr exp | result = exp.getLocation() | overflowSink(exp, sink.asExpr()))
+    exists(ArithExpr exp | result = [exp.getLocation(), sink.getLocation()] |
+      overflowSink(exp, sink.asExpr())
+    )
   }
 }
 
@@ -45,9 +45,9 @@ module ArithmeticUnderflowConfig implements DataFlow::ConfigSig {
   }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    exists(ArithExpr exp | result = exp.getLocation() | underflowSink(exp, sink.asExpr()))
+    exists(ArithExpr exp | result = [exp.getLocation(), sink.getLocation()] |
+      underflowSink(exp, sink.asExpr())
+    )
   }
 }
 

java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll

@@ -25,9 +25,9 @@ module ArithmeticUncontrolledOverflowConfig implements DataFlow::ConfigSig {
   }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    exists(ArithExpr exp | result = exp.getLocation() | overflowSink(exp, sink.asExpr()))
+    exists(ArithExpr exp | result = [exp.getLocation(), sink.getLocation()] |
+      overflowSink(exp, sink.asExpr())
+    )
   }
 }
 
@@ -48,9 +48,9 @@ module ArithmeticUncontrolledUnderflowConfig implements DataFlow::ConfigSig {
   }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    exists(ArithExpr exp | result = exp.getLocation() | underflowSink(exp, sink.asExpr()))
+    exists(ArithExpr exp | result = [exp.getLocation(), sink.getLocation()] |
+      underflowSink(exp, sink.asExpr())
+    )
   }
 }
 

java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll

@@ -36,9 +36,11 @@ module InsecureCryptoConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    exists(CryptoAlgoSpec c | sink.asExpr() = c.getAlgoSpec() | result = c.getLocation())
+    exists(CryptoAlgoSpec c | sink.asExpr() = c.getAlgoSpec() |
+      result = c.getLocation()
+      or
+      result = sink.getLocation()
+    )
   }
 }
 

java/ql/lib/semmle/code/java/security/CommandLineQuery.qll

@@ -66,9 +66,11 @@ module InputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
   // ExecTainted.ql queries use the argument as the primary location;
   // ExecUnescaped.ql does not (used to prevent overlapping results).
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    exists(Expr argument | argumentToExec(argument, sink) | result = argument.getLocation())
+    exists(Expr argument | argumentToExec(argument, sink) |
+      result = argument.getLocation()
+      or
+      result = sink.getLocation()
+    )
   }
 }
 

java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll

@@ -51,9 +51,7 @@ module ConditionalBypassFlowConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    exists(MethodCall m, Expr e | result = [m, e].getLocation() |
+    exists(MethodCall m, Expr e | result = [[m, e].getLocation(), sink.getLocation()] |
       conditionControlsMethod(m, e) and
       sink.asExpr() = e
     )

java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll

@@ -21,10 +21,11 @@ module BoundedFlowSourceConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
     exists(ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess |
-      result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation() and
+      result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation()
+      or
+      result = sink.getLocation()
+    |
       arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), arrayCreation)
     )
   }

java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll

@@ -18,10 +18,11 @@ module ImproperValidationOfArrayConstructionConfig implements DataFlow::ConfigSi
   predicate observeDiffInformedIncrementalMode() { any() }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
     exists(ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess |
-      result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation() and
+      result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation()
+      or
+      result = sink.getLocation()
+    |
       arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), arrayCreation)
     )
   }

java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll

@@ -313,7 +313,7 @@ private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
+    result = sink.(UnsafeDeserializationSink).getLocation()
     or
     result = sink.(UnsafeDeserializationSink).getMethodCall().getLocation()
   }

javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll

@@ -31,11 +31,9 @@ module ShellCommandInjectionFromEnvironmentConfig implements DataFlow::ConfigSig
   predicate observeDiffInformedIncrementalMode() { any() }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
     exists(DataFlow::Node node |
       isSinkWithHighlight(sink, node) and
-      result = node.getLocation()
+      result = [node.getLocation(), sink.getLocation()]
     )
   }
 }

swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll

@@ -54,7 +54,11 @@ module CleartextStorageDatabaseConfig implements DataFlow::ConfigSig {
   Location getASelectedSinkLocation(DataFlow::Node sink) {
     result = sink.(CleartextStorageDatabaseSink).getLocation()
     or
-    result = sink.(DataFlow::PostUpdateNode).getPreUpdateNode().getLocation()
+    result =
+      sink.(CleartextStorageDatabaseSink)
+          .(DataFlow::PostUpdateNode)
+          .getPreUpdateNode()
+          .getLocation()
   }
 }
 

swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll

@@ -36,7 +36,11 @@ module CleartextStoragePreferencesConfig implements DataFlow::ConfigSig {
   Location getASelectedSinkLocation(DataFlow::Node sink) {
     result = sink.(CleartextStoragePreferencesSink).getLocation()
     or
-    result = sink.(DataFlow::PostUpdateNode).getPreUpdateNode().getLocation()
+    result =
+      sink.(CleartextStoragePreferencesSink)
+          .(DataFlow::PostUpdateNode)
+          .getPreUpdateNode()
+          .getLocation()
   }
 }