Adapt query not to depend on TaintTracking::FunctionModel

2025-12-17 01:03:14 +01:00 · 2023-03-23 14:46:11 +00:00
parent c8407ba323
commit a673610e18
1 changed files with 4 additions and 1 deletions
--- a/go/ql/src/Security/CWE-352/ConstantOauth2State.ql
+++ b/go/ql/src/Security/CWE-352/ConstantOauth2State.ql
@@ -106,7 +106,10 @@ class PrivateUrlFlowsToAuthCodeUrlCall extends DataFlow::Configuration {
    TaintTracking::referenceStep(pred, succ)
    or
    // Propagate across Sprintf and similar calls
-    any(Fmt::AppenderOrSprinter s).taintStep(pred, succ)
+    exists(DataFlow::CallNode cn |
+      cn.getACalleeIncludingExternals().asFunction() instanceof Fmt::AppenderOrSprinter |
+      pred = cn.getAnArgument() and succ = cn.getResult()
+    )
  }

  predicate isSinkCall(DataFlow::Node sink, DataFlow::CallNode call) {