Supress paths that extend beyond the first sink

For this particular query it's hardly ever interesting to complain about a bad cipher suite being configured, then read from the list and re-added elsewhere. In such a case the longer path will be detected when the shorter one is fixed in any case.
2026-01-29 22:32:58 +01:00 · 2020-07-09 15:07:28 +01:00
parent 08ec017e4c
commit a6ab92bbca
1 changed files with 9 additions and 0 deletions
--- a/ql/src/experimental/CWE-327/InsecureTLS.ql
+++ b/ql/src/experimental/CWE-327/InsecureTLS.ql
@@ -119,6 +119,15 @@ class TlsInsecureCipherSuitesFlowConfig extends TaintTracking::Configuration {
      sink = fld.getAWrite().getRhs()
    )
  }
+
+  /**
+   * Declare sinks as out-sanitizers in order to avoid producing superfluous paths where a cipher
+   * is written to CipherSuites, then the list is further extended with either safe or tainted
+   * suites.
+   */
+  override predicate isSanitizerOut(DataFlow::Node node) {
+    super.isSanitizerOut(node) or isSink(node)
+  }
 }

 /**