diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll index 8a62e2fe10d..5a6de5af0f4 100644 --- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll +++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll @@ -851,8 +851,6 @@ private class AccessPathFrontNilNode extends Node { localFlowBigStep(_, this, false, _) or additionalJumpStep(_, this, _) - or - simpleArgumentFlowsThrough(_, this, _, _) ) } @@ -914,10 +912,10 @@ private predicate flowCandFwd0(Node node, boolean fromArg, AccessPathFront apf, argumentValueFlowsThrough(mid, node, _) ) or - exists(Node mid, AccessPathFrontNil nil | + exists(Node mid, AccessPathFrontNil nil, DataFlowType t | flowCandFwd(mid, fromArg, nil, config) and - simpleArgumentFlowsThrough(mid, node, _, config) and - apf = node.(AccessPathFrontNilNode).getApf() + simpleArgumentFlowsThrough(mid, node, t, config) and + apf = TFrontNil(t) ) ) or @@ -1187,10 +1185,10 @@ private predicate flowFwd0( argumentValueFlowsThrough(mid, node, _) ) or - exists(Node mid, AccessPathNil nil | + exists(Node mid, AccessPathNil nil, DataFlowType t | flowFwd(mid, fromArg, _, nil, config) and - simpleArgumentFlowsThrough(mid, node, _, config) and - ap = node.(AccessPathNilNode).getAp() and + simpleArgumentFlowsThrough(mid, node, t, config) and + ap = TNil(t) and apf = ap.(AccessPathNil).getFront() ) ) @@ -1539,7 +1537,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, AccessPat or pathOutOfCallable(mid, node, cc) and ap = mid.getAp() or - pathThroughCallable(mid, node, cc) and ap = node.(AccessPathNilNode).getAp() + pathThroughCallable(mid, node, cc, ap) or valuePathThroughCallable(mid, node, cc) and ap = mid.getAp() } @@ -1670,14 +1668,14 @@ private predicate pathIntoCallable( /** Holds if data may flow from `p` to a return of kind `kind`. */ pragma[nomagic] private predicate paramFlowsThrough( - ParameterNode p, ReturnKind kind, CallContextCall cc, Configuration config + ParameterNode p, ReturnKind kind, CallContextCall cc, AccessPathNil apnil, Configuration config ) { exists(PathNodeMid mid, ReturnNode ret | mid.getNode() = ret and kind = ret.getKind() and cc = mid.getCallContext() and config = mid.getConfiguration() and - mid.getAp() instanceof AccessPathNil + apnil = mid.getAp() | cc = TSomeCall(p, true) or @@ -1689,11 +1687,11 @@ private predicate paramFlowsThrough( pragma[noinline] private predicate pathThroughCallable0( - DataFlowCall call, PathNodeMid mid, ReturnKind kind, CallContext cc + DataFlowCall call, PathNodeMid mid, ReturnKind kind, CallContext cc, AccessPathNil apnil ) { exists(ParameterNode p, CallContext innercc | pathIntoCallable(mid, p, cc, innercc, call) and - paramFlowsThrough(p, kind, innercc, unbind(mid.getConfiguration())) and + paramFlowsThrough(p, kind, innercc, apnil, unbind(mid.getConfiguration())) and not parameterValueFlowsThrough(p, kind, innercc) and mid.getAp() instanceof AccessPathNil ) @@ -1704,9 +1702,11 @@ private predicate pathThroughCallable0( * The context `cc` is restored to its value prior to entering the callable. */ pragma[noinline] -private predicate pathThroughCallable(PathNodeMid mid, OutNode out, CallContext cc) { +private predicate pathThroughCallable( + PathNodeMid mid, OutNode out, CallContext cc, AccessPathNil apnil +) { exists(DataFlowCall call, ReturnKind kind | - pathThroughCallable0(call, mid, kind, cc) and + pathThroughCallable0(call, mid, kind, cc, apnil) and out = getAnOutNode(call, kind) ) } diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll index 8a62e2fe10d..5a6de5af0f4 100644 --- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll +++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll @@ -851,8 +851,6 @@ private class AccessPathFrontNilNode extends Node { localFlowBigStep(_, this, false, _) or additionalJumpStep(_, this, _) - or - simpleArgumentFlowsThrough(_, this, _, _) ) } @@ -914,10 +912,10 @@ private predicate flowCandFwd0(Node node, boolean fromArg, AccessPathFront apf, argumentValueFlowsThrough(mid, node, _) ) or - exists(Node mid, AccessPathFrontNil nil | + exists(Node mid, AccessPathFrontNil nil, DataFlowType t | flowCandFwd(mid, fromArg, nil, config) and - simpleArgumentFlowsThrough(mid, node, _, config) and - apf = node.(AccessPathFrontNilNode).getApf() + simpleArgumentFlowsThrough(mid, node, t, config) and + apf = TFrontNil(t) ) ) or @@ -1187,10 +1185,10 @@ private predicate flowFwd0( argumentValueFlowsThrough(mid, node, _) ) or - exists(Node mid, AccessPathNil nil | + exists(Node mid, AccessPathNil nil, DataFlowType t | flowFwd(mid, fromArg, _, nil, config) and - simpleArgumentFlowsThrough(mid, node, _, config) and - ap = node.(AccessPathNilNode).getAp() and + simpleArgumentFlowsThrough(mid, node, t, config) and + ap = TNil(t) and apf = ap.(AccessPathNil).getFront() ) ) @@ -1539,7 +1537,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, AccessPat or pathOutOfCallable(mid, node, cc) and ap = mid.getAp() or - pathThroughCallable(mid, node, cc) and ap = node.(AccessPathNilNode).getAp() + pathThroughCallable(mid, node, cc, ap) or valuePathThroughCallable(mid, node, cc) and ap = mid.getAp() } @@ -1670,14 +1668,14 @@ private predicate pathIntoCallable( /** Holds if data may flow from `p` to a return of kind `kind`. */ pragma[nomagic] private predicate paramFlowsThrough( - ParameterNode p, ReturnKind kind, CallContextCall cc, Configuration config + ParameterNode p, ReturnKind kind, CallContextCall cc, AccessPathNil apnil, Configuration config ) { exists(PathNodeMid mid, ReturnNode ret | mid.getNode() = ret and kind = ret.getKind() and cc = mid.getCallContext() and config = mid.getConfiguration() and - mid.getAp() instanceof AccessPathNil + apnil = mid.getAp() | cc = TSomeCall(p, true) or @@ -1689,11 +1687,11 @@ private predicate paramFlowsThrough( pragma[noinline] private predicate pathThroughCallable0( - DataFlowCall call, PathNodeMid mid, ReturnKind kind, CallContext cc + DataFlowCall call, PathNodeMid mid, ReturnKind kind, CallContext cc, AccessPathNil apnil ) { exists(ParameterNode p, CallContext innercc | pathIntoCallable(mid, p, cc, innercc, call) and - paramFlowsThrough(p, kind, innercc, unbind(mid.getConfiguration())) and + paramFlowsThrough(p, kind, innercc, apnil, unbind(mid.getConfiguration())) and not parameterValueFlowsThrough(p, kind, innercc) and mid.getAp() instanceof AccessPathNil ) @@ -1704,9 +1702,11 @@ private predicate pathThroughCallable0( * The context `cc` is restored to its value prior to entering the callable. */ pragma[noinline] -private predicate pathThroughCallable(PathNodeMid mid, OutNode out, CallContext cc) { +private predicate pathThroughCallable( + PathNodeMid mid, OutNode out, CallContext cc, AccessPathNil apnil +) { exists(DataFlowCall call, ReturnKind kind | - pathThroughCallable0(call, mid, kind, cc) and + pathThroughCallable0(call, mid, kind, cc, apnil) and out = getAnOutNode(call, kind) ) } diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll index 8a62e2fe10d..5a6de5af0f4 100644 --- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll +++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll @@ -851,8 +851,6 @@ private class AccessPathFrontNilNode extends Node { localFlowBigStep(_, this, false, _) or additionalJumpStep(_, this, _) - or - simpleArgumentFlowsThrough(_, this, _, _) ) } @@ -914,10 +912,10 @@ private predicate flowCandFwd0(Node node, boolean fromArg, AccessPathFront apf, argumentValueFlowsThrough(mid, node, _) ) or - exists(Node mid, AccessPathFrontNil nil | + exists(Node mid, AccessPathFrontNil nil, DataFlowType t | flowCandFwd(mid, fromArg, nil, config) and - simpleArgumentFlowsThrough(mid, node, _, config) and - apf = node.(AccessPathFrontNilNode).getApf() + simpleArgumentFlowsThrough(mid, node, t, config) and + apf = TFrontNil(t) ) ) or @@ -1187,10 +1185,10 @@ private predicate flowFwd0( argumentValueFlowsThrough(mid, node, _) ) or - exists(Node mid, AccessPathNil nil | + exists(Node mid, AccessPathNil nil, DataFlowType t | flowFwd(mid, fromArg, _, nil, config) and - simpleArgumentFlowsThrough(mid, node, _, config) and - ap = node.(AccessPathNilNode).getAp() and + simpleArgumentFlowsThrough(mid, node, t, config) and + ap = TNil(t) and apf = ap.(AccessPathNil).getFront() ) ) @@ -1539,7 +1537,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, AccessPat or pathOutOfCallable(mid, node, cc) and ap = mid.getAp() or - pathThroughCallable(mid, node, cc) and ap = node.(AccessPathNilNode).getAp() + pathThroughCallable(mid, node, cc, ap) or valuePathThroughCallable(mid, node, cc) and ap = mid.getAp() } @@ -1670,14 +1668,14 @@ private predicate pathIntoCallable( /** Holds if data may flow from `p` to a return of kind `kind`. */ pragma[nomagic] private predicate paramFlowsThrough( - ParameterNode p, ReturnKind kind, CallContextCall cc, Configuration config + ParameterNode p, ReturnKind kind, CallContextCall cc, AccessPathNil apnil, Configuration config ) { exists(PathNodeMid mid, ReturnNode ret | mid.getNode() = ret and kind = ret.getKind() and cc = mid.getCallContext() and config = mid.getConfiguration() and - mid.getAp() instanceof AccessPathNil + apnil = mid.getAp() | cc = TSomeCall(p, true) or @@ -1689,11 +1687,11 @@ private predicate paramFlowsThrough( pragma[noinline] private predicate pathThroughCallable0( - DataFlowCall call, PathNodeMid mid, ReturnKind kind, CallContext cc + DataFlowCall call, PathNodeMid mid, ReturnKind kind, CallContext cc, AccessPathNil apnil ) { exists(ParameterNode p, CallContext innercc | pathIntoCallable(mid, p, cc, innercc, call) and - paramFlowsThrough(p, kind, innercc, unbind(mid.getConfiguration())) and + paramFlowsThrough(p, kind, innercc, apnil, unbind(mid.getConfiguration())) and not parameterValueFlowsThrough(p, kind, innercc) and mid.getAp() instanceof AccessPathNil ) @@ -1704,9 +1702,11 @@ private predicate pathThroughCallable0( * The context `cc` is restored to its value prior to entering the callable. */ pragma[noinline] -private predicate pathThroughCallable(PathNodeMid mid, OutNode out, CallContext cc) { +private predicate pathThroughCallable( + PathNodeMid mid, OutNode out, CallContext cc, AccessPathNil apnil +) { exists(DataFlowCall call, ReturnKind kind | - pathThroughCallable0(call, mid, kind, cc) and + pathThroughCallable0(call, mid, kind, cc, apnil) and out = getAnOutNode(call, kind) ) } diff --git a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll index 8a62e2fe10d..5a6de5af0f4 100644 --- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll +++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll @@ -851,8 +851,6 @@ private class AccessPathFrontNilNode extends Node { localFlowBigStep(_, this, false, _) or additionalJumpStep(_, this, _) - or - simpleArgumentFlowsThrough(_, this, _, _) ) } @@ -914,10 +912,10 @@ private predicate flowCandFwd0(Node node, boolean fromArg, AccessPathFront apf, argumentValueFlowsThrough(mid, node, _) ) or - exists(Node mid, AccessPathFrontNil nil | + exists(Node mid, AccessPathFrontNil nil, DataFlowType t | flowCandFwd(mid, fromArg, nil, config) and - simpleArgumentFlowsThrough(mid, node, _, config) and - apf = node.(AccessPathFrontNilNode).getApf() + simpleArgumentFlowsThrough(mid, node, t, config) and + apf = TFrontNil(t) ) ) or @@ -1187,10 +1185,10 @@ private predicate flowFwd0( argumentValueFlowsThrough(mid, node, _) ) or - exists(Node mid, AccessPathNil nil | + exists(Node mid, AccessPathNil nil, DataFlowType t | flowFwd(mid, fromArg, _, nil, config) and - simpleArgumentFlowsThrough(mid, node, _, config) and - ap = node.(AccessPathNilNode).getAp() and + simpleArgumentFlowsThrough(mid, node, t, config) and + ap = TNil(t) and apf = ap.(AccessPathNil).getFront() ) ) @@ -1539,7 +1537,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, AccessPat or pathOutOfCallable(mid, node, cc) and ap = mid.getAp() or - pathThroughCallable(mid, node, cc) and ap = node.(AccessPathNilNode).getAp() + pathThroughCallable(mid, node, cc, ap) or valuePathThroughCallable(mid, node, cc) and ap = mid.getAp() } @@ -1670,14 +1668,14 @@ private predicate pathIntoCallable( /** Holds if data may flow from `p` to a return of kind `kind`. */ pragma[nomagic] private predicate paramFlowsThrough( - ParameterNode p, ReturnKind kind, CallContextCall cc, Configuration config + ParameterNode p, ReturnKind kind, CallContextCall cc, AccessPathNil apnil, Configuration config ) { exists(PathNodeMid mid, ReturnNode ret | mid.getNode() = ret and kind = ret.getKind() and cc = mid.getCallContext() and config = mid.getConfiguration() and - mid.getAp() instanceof AccessPathNil + apnil = mid.getAp() | cc = TSomeCall(p, true) or @@ -1689,11 +1687,11 @@ private predicate paramFlowsThrough( pragma[noinline] private predicate pathThroughCallable0( - DataFlowCall call, PathNodeMid mid, ReturnKind kind, CallContext cc + DataFlowCall call, PathNodeMid mid, ReturnKind kind, CallContext cc, AccessPathNil apnil ) { exists(ParameterNode p, CallContext innercc | pathIntoCallable(mid, p, cc, innercc, call) and - paramFlowsThrough(p, kind, innercc, unbind(mid.getConfiguration())) and + paramFlowsThrough(p, kind, innercc, apnil, unbind(mid.getConfiguration())) and not parameterValueFlowsThrough(p, kind, innercc) and mid.getAp() instanceof AccessPathNil ) @@ -1704,9 +1702,11 @@ private predicate pathThroughCallable0( * The context `cc` is restored to its value prior to entering the callable. */ pragma[noinline] -private predicate pathThroughCallable(PathNodeMid mid, OutNode out, CallContext cc) { +private predicate pathThroughCallable( + PathNodeMid mid, OutNode out, CallContext cc, AccessPathNil apnil +) { exists(DataFlowCall call, ReturnKind kind | - pathThroughCallable0(call, mid, kind, cc) and + pathThroughCallable0(call, mid, kind, cc, apnil) and out = getAnOutNode(call, kind) ) } diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll index 8a62e2fe10d..5a6de5af0f4 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll @@ -851,8 +851,6 @@ private class AccessPathFrontNilNode extends Node { localFlowBigStep(_, this, false, _) or additionalJumpStep(_, this, _) - or - simpleArgumentFlowsThrough(_, this, _, _) ) } @@ -914,10 +912,10 @@ private predicate flowCandFwd0(Node node, boolean fromArg, AccessPathFront apf, argumentValueFlowsThrough(mid, node, _) ) or - exists(Node mid, AccessPathFrontNil nil | + exists(Node mid, AccessPathFrontNil nil, DataFlowType t | flowCandFwd(mid, fromArg, nil, config) and - simpleArgumentFlowsThrough(mid, node, _, config) and - apf = node.(AccessPathFrontNilNode).getApf() + simpleArgumentFlowsThrough(mid, node, t, config) and + apf = TFrontNil(t) ) ) or @@ -1187,10 +1185,10 @@ private predicate flowFwd0( argumentValueFlowsThrough(mid, node, _) ) or - exists(Node mid, AccessPathNil nil | + exists(Node mid, AccessPathNil nil, DataFlowType t | flowFwd(mid, fromArg, _, nil, config) and - simpleArgumentFlowsThrough(mid, node, _, config) and - ap = node.(AccessPathNilNode).getAp() and + simpleArgumentFlowsThrough(mid, node, t, config) and + ap = TNil(t) and apf = ap.(AccessPathNil).getFront() ) ) @@ -1539,7 +1537,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, AccessPat or pathOutOfCallable(mid, node, cc) and ap = mid.getAp() or - pathThroughCallable(mid, node, cc) and ap = node.(AccessPathNilNode).getAp() + pathThroughCallable(mid, node, cc, ap) or valuePathThroughCallable(mid, node, cc) and ap = mid.getAp() } @@ -1670,14 +1668,14 @@ private predicate pathIntoCallable( /** Holds if data may flow from `p` to a return of kind `kind`. */ pragma[nomagic] private predicate paramFlowsThrough( - ParameterNode p, ReturnKind kind, CallContextCall cc, Configuration config + ParameterNode p, ReturnKind kind, CallContextCall cc, AccessPathNil apnil, Configuration config ) { exists(PathNodeMid mid, ReturnNode ret | mid.getNode() = ret and kind = ret.getKind() and cc = mid.getCallContext() and config = mid.getConfiguration() and - mid.getAp() instanceof AccessPathNil + apnil = mid.getAp() | cc = TSomeCall(p, true) or @@ -1689,11 +1687,11 @@ private predicate paramFlowsThrough( pragma[noinline] private predicate pathThroughCallable0( - DataFlowCall call, PathNodeMid mid, ReturnKind kind, CallContext cc + DataFlowCall call, PathNodeMid mid, ReturnKind kind, CallContext cc, AccessPathNil apnil ) { exists(ParameterNode p, CallContext innercc | pathIntoCallable(mid, p, cc, innercc, call) and - paramFlowsThrough(p, kind, innercc, unbind(mid.getConfiguration())) and + paramFlowsThrough(p, kind, innercc, apnil, unbind(mid.getConfiguration())) and not parameterValueFlowsThrough(p, kind, innercc) and mid.getAp() instanceof AccessPathNil ) @@ -1704,9 +1702,11 @@ private predicate pathThroughCallable0( * The context `cc` is restored to its value prior to entering the callable. */ pragma[noinline] -private predicate pathThroughCallable(PathNodeMid mid, OutNode out, CallContext cc) { +private predicate pathThroughCallable( + PathNodeMid mid, OutNode out, CallContext cc, AccessPathNil apnil +) { exists(DataFlowCall call, ReturnKind kind | - pathThroughCallable0(call, mid, kind, cc) and + pathThroughCallable0(call, mid, kind, cc, apnil) and out = getAnOutNode(call, kind) ) } diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll index 8a62e2fe10d..5a6de5af0f4 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll @@ -851,8 +851,6 @@ private class AccessPathFrontNilNode extends Node { localFlowBigStep(_, this, false, _) or additionalJumpStep(_, this, _) - or - simpleArgumentFlowsThrough(_, this, _, _) ) } @@ -914,10 +912,10 @@ private predicate flowCandFwd0(Node node, boolean fromArg, AccessPathFront apf, argumentValueFlowsThrough(mid, node, _) ) or - exists(Node mid, AccessPathFrontNil nil | + exists(Node mid, AccessPathFrontNil nil, DataFlowType t | flowCandFwd(mid, fromArg, nil, config) and - simpleArgumentFlowsThrough(mid, node, _, config) and - apf = node.(AccessPathFrontNilNode).getApf() + simpleArgumentFlowsThrough(mid, node, t, config) and + apf = TFrontNil(t) ) ) or @@ -1187,10 +1185,10 @@ private predicate flowFwd0( argumentValueFlowsThrough(mid, node, _) ) or - exists(Node mid, AccessPathNil nil | + exists(Node mid, AccessPathNil nil, DataFlowType t | flowFwd(mid, fromArg, _, nil, config) and - simpleArgumentFlowsThrough(mid, node, _, config) and - ap = node.(AccessPathNilNode).getAp() and + simpleArgumentFlowsThrough(mid, node, t, config) and + ap = TNil(t) and apf = ap.(AccessPathNil).getFront() ) ) @@ -1539,7 +1537,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, AccessPat or pathOutOfCallable(mid, node, cc) and ap = mid.getAp() or - pathThroughCallable(mid, node, cc) and ap = node.(AccessPathNilNode).getAp() + pathThroughCallable(mid, node, cc, ap) or valuePathThroughCallable(mid, node, cc) and ap = mid.getAp() } @@ -1670,14 +1668,14 @@ private predicate pathIntoCallable( /** Holds if data may flow from `p` to a return of kind `kind`. */ pragma[nomagic] private predicate paramFlowsThrough( - ParameterNode p, ReturnKind kind, CallContextCall cc, Configuration config + ParameterNode p, ReturnKind kind, CallContextCall cc, AccessPathNil apnil, Configuration config ) { exists(PathNodeMid mid, ReturnNode ret | mid.getNode() = ret and kind = ret.getKind() and cc = mid.getCallContext() and config = mid.getConfiguration() and - mid.getAp() instanceof AccessPathNil + apnil = mid.getAp() | cc = TSomeCall(p, true) or @@ -1689,11 +1687,11 @@ private predicate paramFlowsThrough( pragma[noinline] private predicate pathThroughCallable0( - DataFlowCall call, PathNodeMid mid, ReturnKind kind, CallContext cc + DataFlowCall call, PathNodeMid mid, ReturnKind kind, CallContext cc, AccessPathNil apnil ) { exists(ParameterNode p, CallContext innercc | pathIntoCallable(mid, p, cc, innercc, call) and - paramFlowsThrough(p, kind, innercc, unbind(mid.getConfiguration())) and + paramFlowsThrough(p, kind, innercc, apnil, unbind(mid.getConfiguration())) and not parameterValueFlowsThrough(p, kind, innercc) and mid.getAp() instanceof AccessPathNil ) @@ -1704,9 +1702,11 @@ private predicate pathThroughCallable0( * The context `cc` is restored to its value prior to entering the callable. */ pragma[noinline] -private predicate pathThroughCallable(PathNodeMid mid, OutNode out, CallContext cc) { +private predicate pathThroughCallable( + PathNodeMid mid, OutNode out, CallContext cc, AccessPathNil apnil +) { exists(DataFlowCall call, ReturnKind kind | - pathThroughCallable0(call, mid, kind, cc) and + pathThroughCallable0(call, mid, kind, cc, apnil) and out = getAnOutNode(call, kind) ) } diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll index 8a62e2fe10d..5a6de5af0f4 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll @@ -851,8 +851,6 @@ private class AccessPathFrontNilNode extends Node { localFlowBigStep(_, this, false, _) or additionalJumpStep(_, this, _) - or - simpleArgumentFlowsThrough(_, this, _, _) ) } @@ -914,10 +912,10 @@ private predicate flowCandFwd0(Node node, boolean fromArg, AccessPathFront apf, argumentValueFlowsThrough(mid, node, _) ) or - exists(Node mid, AccessPathFrontNil nil | + exists(Node mid, AccessPathFrontNil nil, DataFlowType t | flowCandFwd(mid, fromArg, nil, config) and - simpleArgumentFlowsThrough(mid, node, _, config) and - apf = node.(AccessPathFrontNilNode).getApf() + simpleArgumentFlowsThrough(mid, node, t, config) and + apf = TFrontNil(t) ) ) or @@ -1187,10 +1185,10 @@ private predicate flowFwd0( argumentValueFlowsThrough(mid, node, _) ) or - exists(Node mid, AccessPathNil nil | + exists(Node mid, AccessPathNil nil, DataFlowType t | flowFwd(mid, fromArg, _, nil, config) and - simpleArgumentFlowsThrough(mid, node, _, config) and - ap = node.(AccessPathNilNode).getAp() and + simpleArgumentFlowsThrough(mid, node, t, config) and + ap = TNil(t) and apf = ap.(AccessPathNil).getFront() ) ) @@ -1539,7 +1537,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, AccessPat or pathOutOfCallable(mid, node, cc) and ap = mid.getAp() or - pathThroughCallable(mid, node, cc) and ap = node.(AccessPathNilNode).getAp() + pathThroughCallable(mid, node, cc, ap) or valuePathThroughCallable(mid, node, cc) and ap = mid.getAp() } @@ -1670,14 +1668,14 @@ private predicate pathIntoCallable( /** Holds if data may flow from `p` to a return of kind `kind`. */ pragma[nomagic] private predicate paramFlowsThrough( - ParameterNode p, ReturnKind kind, CallContextCall cc, Configuration config + ParameterNode p, ReturnKind kind, CallContextCall cc, AccessPathNil apnil, Configuration config ) { exists(PathNodeMid mid, ReturnNode ret | mid.getNode() = ret and kind = ret.getKind() and cc = mid.getCallContext() and config = mid.getConfiguration() and - mid.getAp() instanceof AccessPathNil + apnil = mid.getAp() | cc = TSomeCall(p, true) or @@ -1689,11 +1687,11 @@ private predicate paramFlowsThrough( pragma[noinline] private predicate pathThroughCallable0( - DataFlowCall call, PathNodeMid mid, ReturnKind kind, CallContext cc + DataFlowCall call, PathNodeMid mid, ReturnKind kind, CallContext cc, AccessPathNil apnil ) { exists(ParameterNode p, CallContext innercc | pathIntoCallable(mid, p, cc, innercc, call) and - paramFlowsThrough(p, kind, innercc, unbind(mid.getConfiguration())) and + paramFlowsThrough(p, kind, innercc, apnil, unbind(mid.getConfiguration())) and not parameterValueFlowsThrough(p, kind, innercc) and mid.getAp() instanceof AccessPathNil ) @@ -1704,9 +1702,11 @@ private predicate pathThroughCallable0( * The context `cc` is restored to its value prior to entering the callable. */ pragma[noinline] -private predicate pathThroughCallable(PathNodeMid mid, OutNode out, CallContext cc) { +private predicate pathThroughCallable( + PathNodeMid mid, OutNode out, CallContext cc, AccessPathNil apnil +) { exists(DataFlowCall call, ReturnKind kind | - pathThroughCallable0(call, mid, kind, cc) and + pathThroughCallable0(call, mid, kind, cc, apnil) and out = getAnOutNode(call, kind) ) } diff --git a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll index 8a62e2fe10d..5a6de5af0f4 100644 --- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll +++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll @@ -851,8 +851,6 @@ private class AccessPathFrontNilNode extends Node { localFlowBigStep(_, this, false, _) or additionalJumpStep(_, this, _) - or - simpleArgumentFlowsThrough(_, this, _, _) ) } @@ -914,10 +912,10 @@ private predicate flowCandFwd0(Node node, boolean fromArg, AccessPathFront apf, argumentValueFlowsThrough(mid, node, _) ) or - exists(Node mid, AccessPathFrontNil nil | + exists(Node mid, AccessPathFrontNil nil, DataFlowType t | flowCandFwd(mid, fromArg, nil, config) and - simpleArgumentFlowsThrough(mid, node, _, config) and - apf = node.(AccessPathFrontNilNode).getApf() + simpleArgumentFlowsThrough(mid, node, t, config) and + apf = TFrontNil(t) ) ) or @@ -1187,10 +1185,10 @@ private predicate flowFwd0( argumentValueFlowsThrough(mid, node, _) ) or - exists(Node mid, AccessPathNil nil | + exists(Node mid, AccessPathNil nil, DataFlowType t | flowFwd(mid, fromArg, _, nil, config) and - simpleArgumentFlowsThrough(mid, node, _, config) and - ap = node.(AccessPathNilNode).getAp() and + simpleArgumentFlowsThrough(mid, node, t, config) and + ap = TNil(t) and apf = ap.(AccessPathNil).getFront() ) ) @@ -1539,7 +1537,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, AccessPat or pathOutOfCallable(mid, node, cc) and ap = mid.getAp() or - pathThroughCallable(mid, node, cc) and ap = node.(AccessPathNilNode).getAp() + pathThroughCallable(mid, node, cc, ap) or valuePathThroughCallable(mid, node, cc) and ap = mid.getAp() } @@ -1670,14 +1668,14 @@ private predicate pathIntoCallable( /** Holds if data may flow from `p` to a return of kind `kind`. */ pragma[nomagic] private predicate paramFlowsThrough( - ParameterNode p, ReturnKind kind, CallContextCall cc, Configuration config + ParameterNode p, ReturnKind kind, CallContextCall cc, AccessPathNil apnil, Configuration config ) { exists(PathNodeMid mid, ReturnNode ret | mid.getNode() = ret and kind = ret.getKind() and cc = mid.getCallContext() and config = mid.getConfiguration() and - mid.getAp() instanceof AccessPathNil + apnil = mid.getAp() | cc = TSomeCall(p, true) or @@ -1689,11 +1687,11 @@ private predicate paramFlowsThrough( pragma[noinline] private predicate pathThroughCallable0( - DataFlowCall call, PathNodeMid mid, ReturnKind kind, CallContext cc + DataFlowCall call, PathNodeMid mid, ReturnKind kind, CallContext cc, AccessPathNil apnil ) { exists(ParameterNode p, CallContext innercc | pathIntoCallable(mid, p, cc, innercc, call) and - paramFlowsThrough(p, kind, innercc, unbind(mid.getConfiguration())) and + paramFlowsThrough(p, kind, innercc, apnil, unbind(mid.getConfiguration())) and not parameterValueFlowsThrough(p, kind, innercc) and mid.getAp() instanceof AccessPathNil ) @@ -1704,9 +1702,11 @@ private predicate pathThroughCallable0( * The context `cc` is restored to its value prior to entering the callable. */ pragma[noinline] -private predicate pathThroughCallable(PathNodeMid mid, OutNode out, CallContext cc) { +private predicate pathThroughCallable( + PathNodeMid mid, OutNode out, CallContext cc, AccessPathNil apnil +) { exists(DataFlowCall call, ReturnKind kind | - pathThroughCallable0(call, mid, kind, cc) and + pathThroughCallable0(call, mid, kind, cc, apnil) and out = getAnOutNode(call, kind) ) } diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll index 8a62e2fe10d..5a6de5af0f4 100644 --- a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll +++ b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll @@ -851,8 +851,6 @@ private class AccessPathFrontNilNode extends Node { localFlowBigStep(_, this, false, _) or additionalJumpStep(_, this, _) - or - simpleArgumentFlowsThrough(_, this, _, _) ) } @@ -914,10 +912,10 @@ private predicate flowCandFwd0(Node node, boolean fromArg, AccessPathFront apf, argumentValueFlowsThrough(mid, node, _) ) or - exists(Node mid, AccessPathFrontNil nil | + exists(Node mid, AccessPathFrontNil nil, DataFlowType t | flowCandFwd(mid, fromArg, nil, config) and - simpleArgumentFlowsThrough(mid, node, _, config) and - apf = node.(AccessPathFrontNilNode).getApf() + simpleArgumentFlowsThrough(mid, node, t, config) and + apf = TFrontNil(t) ) ) or @@ -1187,10 +1185,10 @@ private predicate flowFwd0( argumentValueFlowsThrough(mid, node, _) ) or - exists(Node mid, AccessPathNil nil | + exists(Node mid, AccessPathNil nil, DataFlowType t | flowFwd(mid, fromArg, _, nil, config) and - simpleArgumentFlowsThrough(mid, node, _, config) and - ap = node.(AccessPathNilNode).getAp() and + simpleArgumentFlowsThrough(mid, node, t, config) and + ap = TNil(t) and apf = ap.(AccessPathNil).getFront() ) ) @@ -1539,7 +1537,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, AccessPat or pathOutOfCallable(mid, node, cc) and ap = mid.getAp() or - pathThroughCallable(mid, node, cc) and ap = node.(AccessPathNilNode).getAp() + pathThroughCallable(mid, node, cc, ap) or valuePathThroughCallable(mid, node, cc) and ap = mid.getAp() } @@ -1670,14 +1668,14 @@ private predicate pathIntoCallable( /** Holds if data may flow from `p` to a return of kind `kind`. */ pragma[nomagic] private predicate paramFlowsThrough( - ParameterNode p, ReturnKind kind, CallContextCall cc, Configuration config + ParameterNode p, ReturnKind kind, CallContextCall cc, AccessPathNil apnil, Configuration config ) { exists(PathNodeMid mid, ReturnNode ret | mid.getNode() = ret and kind = ret.getKind() and cc = mid.getCallContext() and config = mid.getConfiguration() and - mid.getAp() instanceof AccessPathNil + apnil = mid.getAp() | cc = TSomeCall(p, true) or @@ -1689,11 +1687,11 @@ private predicate paramFlowsThrough( pragma[noinline] private predicate pathThroughCallable0( - DataFlowCall call, PathNodeMid mid, ReturnKind kind, CallContext cc + DataFlowCall call, PathNodeMid mid, ReturnKind kind, CallContext cc, AccessPathNil apnil ) { exists(ParameterNode p, CallContext innercc | pathIntoCallable(mid, p, cc, innercc, call) and - paramFlowsThrough(p, kind, innercc, unbind(mid.getConfiguration())) and + paramFlowsThrough(p, kind, innercc, apnil, unbind(mid.getConfiguration())) and not parameterValueFlowsThrough(p, kind, innercc) and mid.getAp() instanceof AccessPathNil ) @@ -1704,9 +1702,11 @@ private predicate pathThroughCallable0( * The context `cc` is restored to its value prior to entering the callable. */ pragma[noinline] -private predicate pathThroughCallable(PathNodeMid mid, OutNode out, CallContext cc) { +private predicate pathThroughCallable( + PathNodeMid mid, OutNode out, CallContext cc, AccessPathNil apnil +) { exists(DataFlowCall call, ReturnKind kind | - pathThroughCallable0(call, mid, kind, cc) and + pathThroughCallable0(call, mid, kind, cc, apnil) and out = getAnOutNode(call, kind) ) } diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll index 8a62e2fe10d..5a6de5af0f4 100644 --- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll +++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll @@ -851,8 +851,6 @@ private class AccessPathFrontNilNode extends Node { localFlowBigStep(_, this, false, _) or additionalJumpStep(_, this, _) - or - simpleArgumentFlowsThrough(_, this, _, _) ) } @@ -914,10 +912,10 @@ private predicate flowCandFwd0(Node node, boolean fromArg, AccessPathFront apf, argumentValueFlowsThrough(mid, node, _) ) or - exists(Node mid, AccessPathFrontNil nil | + exists(Node mid, AccessPathFrontNil nil, DataFlowType t | flowCandFwd(mid, fromArg, nil, config) and - simpleArgumentFlowsThrough(mid, node, _, config) and - apf = node.(AccessPathFrontNilNode).getApf() + simpleArgumentFlowsThrough(mid, node, t, config) and + apf = TFrontNil(t) ) ) or @@ -1187,10 +1185,10 @@ private predicate flowFwd0( argumentValueFlowsThrough(mid, node, _) ) or - exists(Node mid, AccessPathNil nil | + exists(Node mid, AccessPathNil nil, DataFlowType t | flowFwd(mid, fromArg, _, nil, config) and - simpleArgumentFlowsThrough(mid, node, _, config) and - ap = node.(AccessPathNilNode).getAp() and + simpleArgumentFlowsThrough(mid, node, t, config) and + ap = TNil(t) and apf = ap.(AccessPathNil).getFront() ) ) @@ -1539,7 +1537,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, AccessPat or pathOutOfCallable(mid, node, cc) and ap = mid.getAp() or - pathThroughCallable(mid, node, cc) and ap = node.(AccessPathNilNode).getAp() + pathThroughCallable(mid, node, cc, ap) or valuePathThroughCallable(mid, node, cc) and ap = mid.getAp() } @@ -1670,14 +1668,14 @@ private predicate pathIntoCallable( /** Holds if data may flow from `p` to a return of kind `kind`. */ pragma[nomagic] private predicate paramFlowsThrough( - ParameterNode p, ReturnKind kind, CallContextCall cc, Configuration config + ParameterNode p, ReturnKind kind, CallContextCall cc, AccessPathNil apnil, Configuration config ) { exists(PathNodeMid mid, ReturnNode ret | mid.getNode() = ret and kind = ret.getKind() and cc = mid.getCallContext() and config = mid.getConfiguration() and - mid.getAp() instanceof AccessPathNil + apnil = mid.getAp() | cc = TSomeCall(p, true) or @@ -1689,11 +1687,11 @@ private predicate paramFlowsThrough( pragma[noinline] private predicate pathThroughCallable0( - DataFlowCall call, PathNodeMid mid, ReturnKind kind, CallContext cc + DataFlowCall call, PathNodeMid mid, ReturnKind kind, CallContext cc, AccessPathNil apnil ) { exists(ParameterNode p, CallContext innercc | pathIntoCallable(mid, p, cc, innercc, call) and - paramFlowsThrough(p, kind, innercc, unbind(mid.getConfiguration())) and + paramFlowsThrough(p, kind, innercc, apnil, unbind(mid.getConfiguration())) and not parameterValueFlowsThrough(p, kind, innercc) and mid.getAp() instanceof AccessPathNil ) @@ -1704,9 +1702,11 @@ private predicate pathThroughCallable0( * The context `cc` is restored to its value prior to entering the callable. */ pragma[noinline] -private predicate pathThroughCallable(PathNodeMid mid, OutNode out, CallContext cc) { +private predicate pathThroughCallable( + PathNodeMid mid, OutNode out, CallContext cc, AccessPathNil apnil +) { exists(DataFlowCall call, ReturnKind kind | - pathThroughCallable0(call, mid, kind, cc) and + pathThroughCallable0(call, mid, kind, cc, apnil) and out = getAnOutNode(call, kind) ) } diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll index 8a62e2fe10d..5a6de5af0f4 100644 --- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll +++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll @@ -851,8 +851,6 @@ private class AccessPathFrontNilNode extends Node { localFlowBigStep(_, this, false, _) or additionalJumpStep(_, this, _) - or - simpleArgumentFlowsThrough(_, this, _, _) ) } @@ -914,10 +912,10 @@ private predicate flowCandFwd0(Node node, boolean fromArg, AccessPathFront apf, argumentValueFlowsThrough(mid, node, _) ) or - exists(Node mid, AccessPathFrontNil nil | + exists(Node mid, AccessPathFrontNil nil, DataFlowType t | flowCandFwd(mid, fromArg, nil, config) and - simpleArgumentFlowsThrough(mid, node, _, config) and - apf = node.(AccessPathFrontNilNode).getApf() + simpleArgumentFlowsThrough(mid, node, t, config) and + apf = TFrontNil(t) ) ) or @@ -1187,10 +1185,10 @@ private predicate flowFwd0( argumentValueFlowsThrough(mid, node, _) ) or - exists(Node mid, AccessPathNil nil | + exists(Node mid, AccessPathNil nil, DataFlowType t | flowFwd(mid, fromArg, _, nil, config) and - simpleArgumentFlowsThrough(mid, node, _, config) and - ap = node.(AccessPathNilNode).getAp() and + simpleArgumentFlowsThrough(mid, node, t, config) and + ap = TNil(t) and apf = ap.(AccessPathNil).getFront() ) ) @@ -1539,7 +1537,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, AccessPat or pathOutOfCallable(mid, node, cc) and ap = mid.getAp() or - pathThroughCallable(mid, node, cc) and ap = node.(AccessPathNilNode).getAp() + pathThroughCallable(mid, node, cc, ap) or valuePathThroughCallable(mid, node, cc) and ap = mid.getAp() } @@ -1670,14 +1668,14 @@ private predicate pathIntoCallable( /** Holds if data may flow from `p` to a return of kind `kind`. */ pragma[nomagic] private predicate paramFlowsThrough( - ParameterNode p, ReturnKind kind, CallContextCall cc, Configuration config + ParameterNode p, ReturnKind kind, CallContextCall cc, AccessPathNil apnil, Configuration config ) { exists(PathNodeMid mid, ReturnNode ret | mid.getNode() = ret and kind = ret.getKind() and cc = mid.getCallContext() and config = mid.getConfiguration() and - mid.getAp() instanceof AccessPathNil + apnil = mid.getAp() | cc = TSomeCall(p, true) or @@ -1689,11 +1687,11 @@ private predicate paramFlowsThrough( pragma[noinline] private predicate pathThroughCallable0( - DataFlowCall call, PathNodeMid mid, ReturnKind kind, CallContext cc + DataFlowCall call, PathNodeMid mid, ReturnKind kind, CallContext cc, AccessPathNil apnil ) { exists(ParameterNode p, CallContext innercc | pathIntoCallable(mid, p, cc, innercc, call) and - paramFlowsThrough(p, kind, innercc, unbind(mid.getConfiguration())) and + paramFlowsThrough(p, kind, innercc, apnil, unbind(mid.getConfiguration())) and not parameterValueFlowsThrough(p, kind, innercc) and mid.getAp() instanceof AccessPathNil ) @@ -1704,9 +1702,11 @@ private predicate pathThroughCallable0( * The context `cc` is restored to its value prior to entering the callable. */ pragma[noinline] -private predicate pathThroughCallable(PathNodeMid mid, OutNode out, CallContext cc) { +private predicate pathThroughCallable( + PathNodeMid mid, OutNode out, CallContext cc, AccessPathNil apnil +) { exists(DataFlowCall call, ReturnKind kind | - pathThroughCallable0(call, mid, kind, cc) and + pathThroughCallable0(call, mid, kind, cc, apnil) and out = getAnOutNode(call, kind) ) } diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll index 8a62e2fe10d..5a6de5af0f4 100644 --- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll +++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll @@ -851,8 +851,6 @@ private class AccessPathFrontNilNode extends Node { localFlowBigStep(_, this, false, _) or additionalJumpStep(_, this, _) - or - simpleArgumentFlowsThrough(_, this, _, _) ) } @@ -914,10 +912,10 @@ private predicate flowCandFwd0(Node node, boolean fromArg, AccessPathFront apf, argumentValueFlowsThrough(mid, node, _) ) or - exists(Node mid, AccessPathFrontNil nil | + exists(Node mid, AccessPathFrontNil nil, DataFlowType t | flowCandFwd(mid, fromArg, nil, config) and - simpleArgumentFlowsThrough(mid, node, _, config) and - apf = node.(AccessPathFrontNilNode).getApf() + simpleArgumentFlowsThrough(mid, node, t, config) and + apf = TFrontNil(t) ) ) or @@ -1187,10 +1185,10 @@ private predicate flowFwd0( argumentValueFlowsThrough(mid, node, _) ) or - exists(Node mid, AccessPathNil nil | + exists(Node mid, AccessPathNil nil, DataFlowType t | flowFwd(mid, fromArg, _, nil, config) and - simpleArgumentFlowsThrough(mid, node, _, config) and - ap = node.(AccessPathNilNode).getAp() and + simpleArgumentFlowsThrough(mid, node, t, config) and + ap = TNil(t) and apf = ap.(AccessPathNil).getFront() ) ) @@ -1539,7 +1537,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, AccessPat or pathOutOfCallable(mid, node, cc) and ap = mid.getAp() or - pathThroughCallable(mid, node, cc) and ap = node.(AccessPathNilNode).getAp() + pathThroughCallable(mid, node, cc, ap) or valuePathThroughCallable(mid, node, cc) and ap = mid.getAp() } @@ -1670,14 +1668,14 @@ private predicate pathIntoCallable( /** Holds if data may flow from `p` to a return of kind `kind`. */ pragma[nomagic] private predicate paramFlowsThrough( - ParameterNode p, ReturnKind kind, CallContextCall cc, Configuration config + ParameterNode p, ReturnKind kind, CallContextCall cc, AccessPathNil apnil, Configuration config ) { exists(PathNodeMid mid, ReturnNode ret | mid.getNode() = ret and kind = ret.getKind() and cc = mid.getCallContext() and config = mid.getConfiguration() and - mid.getAp() instanceof AccessPathNil + apnil = mid.getAp() | cc = TSomeCall(p, true) or @@ -1689,11 +1687,11 @@ private predicate paramFlowsThrough( pragma[noinline] private predicate pathThroughCallable0( - DataFlowCall call, PathNodeMid mid, ReturnKind kind, CallContext cc + DataFlowCall call, PathNodeMid mid, ReturnKind kind, CallContext cc, AccessPathNil apnil ) { exists(ParameterNode p, CallContext innercc | pathIntoCallable(mid, p, cc, innercc, call) and - paramFlowsThrough(p, kind, innercc, unbind(mid.getConfiguration())) and + paramFlowsThrough(p, kind, innercc, apnil, unbind(mid.getConfiguration())) and not parameterValueFlowsThrough(p, kind, innercc) and mid.getAp() instanceof AccessPathNil ) @@ -1704,9 +1702,11 @@ private predicate pathThroughCallable0( * The context `cc` is restored to its value prior to entering the callable. */ pragma[noinline] -private predicate pathThroughCallable(PathNodeMid mid, OutNode out, CallContext cc) { +private predicate pathThroughCallable( + PathNodeMid mid, OutNode out, CallContext cc, AccessPathNil apnil +) { exists(DataFlowCall call, ReturnKind kind | - pathThroughCallable0(call, mid, kind, cc) and + pathThroughCallable0(call, mid, kind, cc, apnil) and out = getAnOutNode(call, kind) ) } diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll index 8a62e2fe10d..5a6de5af0f4 100644 --- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll +++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll @@ -851,8 +851,6 @@ private class AccessPathFrontNilNode extends Node { localFlowBigStep(_, this, false, _) or additionalJumpStep(_, this, _) - or - simpleArgumentFlowsThrough(_, this, _, _) ) } @@ -914,10 +912,10 @@ private predicate flowCandFwd0(Node node, boolean fromArg, AccessPathFront apf, argumentValueFlowsThrough(mid, node, _) ) or - exists(Node mid, AccessPathFrontNil nil | + exists(Node mid, AccessPathFrontNil nil, DataFlowType t | flowCandFwd(mid, fromArg, nil, config) and - simpleArgumentFlowsThrough(mid, node, _, config) and - apf = node.(AccessPathFrontNilNode).getApf() + simpleArgumentFlowsThrough(mid, node, t, config) and + apf = TFrontNil(t) ) ) or @@ -1187,10 +1185,10 @@ private predicate flowFwd0( argumentValueFlowsThrough(mid, node, _) ) or - exists(Node mid, AccessPathNil nil | + exists(Node mid, AccessPathNil nil, DataFlowType t | flowFwd(mid, fromArg, _, nil, config) and - simpleArgumentFlowsThrough(mid, node, _, config) and - ap = node.(AccessPathNilNode).getAp() and + simpleArgumentFlowsThrough(mid, node, t, config) and + ap = TNil(t) and apf = ap.(AccessPathNil).getFront() ) ) @@ -1539,7 +1537,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, AccessPat or pathOutOfCallable(mid, node, cc) and ap = mid.getAp() or - pathThroughCallable(mid, node, cc) and ap = node.(AccessPathNilNode).getAp() + pathThroughCallable(mid, node, cc, ap) or valuePathThroughCallable(mid, node, cc) and ap = mid.getAp() } @@ -1670,14 +1668,14 @@ private predicate pathIntoCallable( /** Holds if data may flow from `p` to a return of kind `kind`. */ pragma[nomagic] private predicate paramFlowsThrough( - ParameterNode p, ReturnKind kind, CallContextCall cc, Configuration config + ParameterNode p, ReturnKind kind, CallContextCall cc, AccessPathNil apnil, Configuration config ) { exists(PathNodeMid mid, ReturnNode ret | mid.getNode() = ret and kind = ret.getKind() and cc = mid.getCallContext() and config = mid.getConfiguration() and - mid.getAp() instanceof AccessPathNil + apnil = mid.getAp() | cc = TSomeCall(p, true) or @@ -1689,11 +1687,11 @@ private predicate paramFlowsThrough( pragma[noinline] private predicate pathThroughCallable0( - DataFlowCall call, PathNodeMid mid, ReturnKind kind, CallContext cc + DataFlowCall call, PathNodeMid mid, ReturnKind kind, CallContext cc, AccessPathNil apnil ) { exists(ParameterNode p, CallContext innercc | pathIntoCallable(mid, p, cc, innercc, call) and - paramFlowsThrough(p, kind, innercc, unbind(mid.getConfiguration())) and + paramFlowsThrough(p, kind, innercc, apnil, unbind(mid.getConfiguration())) and not parameterValueFlowsThrough(p, kind, innercc) and mid.getAp() instanceof AccessPathNil ) @@ -1704,9 +1702,11 @@ private predicate pathThroughCallable0( * The context `cc` is restored to its value prior to entering the callable. */ pragma[noinline] -private predicate pathThroughCallable(PathNodeMid mid, OutNode out, CallContext cc) { +private predicate pathThroughCallable( + PathNodeMid mid, OutNode out, CallContext cc, AccessPathNil apnil +) { exists(DataFlowCall call, ReturnKind kind | - pathThroughCallable0(call, mid, kind, cc) and + pathThroughCallable0(call, mid, kind, cc, apnil) and out = getAnOutNode(call, kind) ) } diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll index 8a62e2fe10d..5a6de5af0f4 100644 --- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll +++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll @@ -851,8 +851,6 @@ private class AccessPathFrontNilNode extends Node { localFlowBigStep(_, this, false, _) or additionalJumpStep(_, this, _) - or - simpleArgumentFlowsThrough(_, this, _, _) ) } @@ -914,10 +912,10 @@ private predicate flowCandFwd0(Node node, boolean fromArg, AccessPathFront apf, argumentValueFlowsThrough(mid, node, _) ) or - exists(Node mid, AccessPathFrontNil nil | + exists(Node mid, AccessPathFrontNil nil, DataFlowType t | flowCandFwd(mid, fromArg, nil, config) and - simpleArgumentFlowsThrough(mid, node, _, config) and - apf = node.(AccessPathFrontNilNode).getApf() + simpleArgumentFlowsThrough(mid, node, t, config) and + apf = TFrontNil(t) ) ) or @@ -1187,10 +1185,10 @@ private predicate flowFwd0( argumentValueFlowsThrough(mid, node, _) ) or - exists(Node mid, AccessPathNil nil | + exists(Node mid, AccessPathNil nil, DataFlowType t | flowFwd(mid, fromArg, _, nil, config) and - simpleArgumentFlowsThrough(mid, node, _, config) and - ap = node.(AccessPathNilNode).getAp() and + simpleArgumentFlowsThrough(mid, node, t, config) and + ap = TNil(t) and apf = ap.(AccessPathNil).getFront() ) ) @@ -1539,7 +1537,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, AccessPat or pathOutOfCallable(mid, node, cc) and ap = mid.getAp() or - pathThroughCallable(mid, node, cc) and ap = node.(AccessPathNilNode).getAp() + pathThroughCallable(mid, node, cc, ap) or valuePathThroughCallable(mid, node, cc) and ap = mid.getAp() } @@ -1670,14 +1668,14 @@ private predicate pathIntoCallable( /** Holds if data may flow from `p` to a return of kind `kind`. */ pragma[nomagic] private predicate paramFlowsThrough( - ParameterNode p, ReturnKind kind, CallContextCall cc, Configuration config + ParameterNode p, ReturnKind kind, CallContextCall cc, AccessPathNil apnil, Configuration config ) { exists(PathNodeMid mid, ReturnNode ret | mid.getNode() = ret and kind = ret.getKind() and cc = mid.getCallContext() and config = mid.getConfiguration() and - mid.getAp() instanceof AccessPathNil + apnil = mid.getAp() | cc = TSomeCall(p, true) or @@ -1689,11 +1687,11 @@ private predicate paramFlowsThrough( pragma[noinline] private predicate pathThroughCallable0( - DataFlowCall call, PathNodeMid mid, ReturnKind kind, CallContext cc + DataFlowCall call, PathNodeMid mid, ReturnKind kind, CallContext cc, AccessPathNil apnil ) { exists(ParameterNode p, CallContext innercc | pathIntoCallable(mid, p, cc, innercc, call) and - paramFlowsThrough(p, kind, innercc, unbind(mid.getConfiguration())) and + paramFlowsThrough(p, kind, innercc, apnil, unbind(mid.getConfiguration())) and not parameterValueFlowsThrough(p, kind, innercc) and mid.getAp() instanceof AccessPathNil ) @@ -1704,9 +1702,11 @@ private predicate pathThroughCallable0( * The context `cc` is restored to its value prior to entering the callable. */ pragma[noinline] -private predicate pathThroughCallable(PathNodeMid mid, OutNode out, CallContext cc) { +private predicate pathThroughCallable( + PathNodeMid mid, OutNode out, CallContext cc, AccessPathNil apnil +) { exists(DataFlowCall call, ReturnKind kind | - pathThroughCallable0(call, mid, kind, cc) and + pathThroughCallable0(call, mid, kind, cc, apnil) and out = getAnOutNode(call, kind) ) } diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplDepr.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplDepr.qll index 8a62e2fe10d..5a6de5af0f4 100644 --- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplDepr.qll +++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplDepr.qll @@ -851,8 +851,6 @@ private class AccessPathFrontNilNode extends Node { localFlowBigStep(_, this, false, _) or additionalJumpStep(_, this, _) - or - simpleArgumentFlowsThrough(_, this, _, _) ) } @@ -914,10 +912,10 @@ private predicate flowCandFwd0(Node node, boolean fromArg, AccessPathFront apf, argumentValueFlowsThrough(mid, node, _) ) or - exists(Node mid, AccessPathFrontNil nil | + exists(Node mid, AccessPathFrontNil nil, DataFlowType t | flowCandFwd(mid, fromArg, nil, config) and - simpleArgumentFlowsThrough(mid, node, _, config) and - apf = node.(AccessPathFrontNilNode).getApf() + simpleArgumentFlowsThrough(mid, node, t, config) and + apf = TFrontNil(t) ) ) or @@ -1187,10 +1185,10 @@ private predicate flowFwd0( argumentValueFlowsThrough(mid, node, _) ) or - exists(Node mid, AccessPathNil nil | + exists(Node mid, AccessPathNil nil, DataFlowType t | flowFwd(mid, fromArg, _, nil, config) and - simpleArgumentFlowsThrough(mid, node, _, config) and - ap = node.(AccessPathNilNode).getAp() and + simpleArgumentFlowsThrough(mid, node, t, config) and + ap = TNil(t) and apf = ap.(AccessPathNil).getFront() ) ) @@ -1539,7 +1537,7 @@ private predicate pathStep(PathNodeMid mid, Node node, CallContext cc, AccessPat or pathOutOfCallable(mid, node, cc) and ap = mid.getAp() or - pathThroughCallable(mid, node, cc) and ap = node.(AccessPathNilNode).getAp() + pathThroughCallable(mid, node, cc, ap) or valuePathThroughCallable(mid, node, cc) and ap = mid.getAp() } @@ -1670,14 +1668,14 @@ private predicate pathIntoCallable( /** Holds if data may flow from `p` to a return of kind `kind`. */ pragma[nomagic] private predicate paramFlowsThrough( - ParameterNode p, ReturnKind kind, CallContextCall cc, Configuration config + ParameterNode p, ReturnKind kind, CallContextCall cc, AccessPathNil apnil, Configuration config ) { exists(PathNodeMid mid, ReturnNode ret | mid.getNode() = ret and kind = ret.getKind() and cc = mid.getCallContext() and config = mid.getConfiguration() and - mid.getAp() instanceof AccessPathNil + apnil = mid.getAp() | cc = TSomeCall(p, true) or @@ -1689,11 +1687,11 @@ private predicate paramFlowsThrough( pragma[noinline] private predicate pathThroughCallable0( - DataFlowCall call, PathNodeMid mid, ReturnKind kind, CallContext cc + DataFlowCall call, PathNodeMid mid, ReturnKind kind, CallContext cc, AccessPathNil apnil ) { exists(ParameterNode p, CallContext innercc | pathIntoCallable(mid, p, cc, innercc, call) and - paramFlowsThrough(p, kind, innercc, unbind(mid.getConfiguration())) and + paramFlowsThrough(p, kind, innercc, apnil, unbind(mid.getConfiguration())) and not parameterValueFlowsThrough(p, kind, innercc) and mid.getAp() instanceof AccessPathNil ) @@ -1704,9 +1702,11 @@ private predicate pathThroughCallable0( * The context `cc` is restored to its value prior to entering the callable. */ pragma[noinline] -private predicate pathThroughCallable(PathNodeMid mid, OutNode out, CallContext cc) { +private predicate pathThroughCallable( + PathNodeMid mid, OutNode out, CallContext cc, AccessPathNil apnil +) { exists(DataFlowCall call, ReturnKind kind | - pathThroughCallable0(call, mid, kind, cc) and + pathThroughCallable0(call, mid, kind, cc, apnil) and out = getAnOutNode(call, kind) ) } diff --git a/java/ql/test/library-tests/dataflow/taintreturn/Test.java b/java/ql/test/library-tests/dataflow/taintreturn/Test.java new file mode 100644 index 00000000000..2b3fa1a771c --- /dev/null +++ b/java/ql/test/library-tests/dataflow/taintreturn/Test.java @@ -0,0 +1,22 @@ +public class Test { + static class A { + B step() { return null; } + } + static class B extends C { } + static class C { } + + A src() { return new A(); } + + void sink(Object o) { } + + void flow() { + A a = src(); + C c = m1(a); + sink(c); + } + + C m1(A a) { + return a.step(); + } +} + diff --git a/java/ql/test/library-tests/dataflow/taintreturn/taintreturn.expected b/java/ql/test/library-tests/dataflow/taintreturn/taintreturn.expected new file mode 100644 index 00000000000..d782ab52217 --- /dev/null +++ b/java/ql/test/library-tests/dataflow/taintreturn/taintreturn.expected @@ -0,0 +1 @@ +| 1 | 1 | diff --git a/java/ql/test/library-tests/dataflow/taintreturn/taintreturn.ql b/java/ql/test/library-tests/dataflow/taintreturn/taintreturn.ql new file mode 100644 index 00000000000..4d264ac6f28 --- /dev/null +++ b/java/ql/test/library-tests/dataflow/taintreturn/taintreturn.ql @@ -0,0 +1,44 @@ +import java +import semmle.code.java.dataflow.TaintTracking +import DataFlow + +predicate step(Expr e1, Expr e2) { + exists(MethodAccess ma | + ma.getMethod().hasName("step") and + ma = e2 and + ma.getQualifier() = e1 + ) +} + +predicate isSink0(Expr sink) { + exists(MethodAccess ma | + ma.getMethod().hasName("sink") and + ma.getAnArgument() = sink + ) +} + +class Conf1 extends Configuration { + Conf1() { this = "testconf1" } + + override predicate isSource(Node n) { n.asExpr().(MethodAccess).getMethod().hasName("src") } + + override predicate isSink(Node n) { any() } + + override predicate isAdditionalFlowStep(Node n1, Node n2) { step(n1.asExpr(), n2.asExpr()) } +} + +class Conf2 extends Configuration { + Conf2() { this = "testconf2" } + + override predicate isSource(Node n) { n.asExpr().(MethodAccess).getMethod().hasName("src") } + + override predicate isSink(Node n) { isSink0(n.asExpr()) } + + override predicate isAdditionalFlowStep(Node n1, Node n2) { step(n1.asExpr(), n2.asExpr()) } +} + +from int i1, int i2 +where + i1 = count(Node src, Node sink, Conf1 c | c.hasFlow(src, sink) and isSink0(sink.asExpr())) and + i2 = count(Node src, Node sink, Conf2 c | c.hasFlow(src, sink)) +select i1, i2