hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-23 04:06:37 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #11188 from aschackmull/java/mad-gen-sinks-precision

Browse Source 
Java: Improve sink model generation precision by excluding variable capture.
This commit is contained in:
Anders Schack-Mulligen
2022-11-10 10:49:56 +01:00
committed by GitHub
parent 24ba51d11e 151f12ef5e
commit a8ed6bad34
4 changed files with 15 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
csharp/ql/src/utils/model-generator/internal/CaptureModels.qll
View File

@@ -272,6 +272,8 @@ private class PropagateToSinkConfiguration extends TaintTracking::Configuration
override predicate isSink(DataFlow::Node sink) { ExternalFlow::sinkNode(sink, _) } override predicate isSink(DataFlow::Node sink) { ExternalFlow::sinkNode(sink, _) }
override predicate isSanitizer(DataFlow::Node node) { sinkModelSanitizer(node) }
override DataFlow::FlowFeature getAFeature() { override DataFlow::FlowFeature getAFeature() {
result instanceof DataFlow::FeatureHasSourceCallContext result instanceof DataFlow::FeatureHasSourceCallContext
} }

2
csharp/ql/src/utils/model-generator/internal/CaptureModelsSpecific.qll
View File

@@ -175,6 +175,8 @@ private predicate isRelevantMemberAccess(DataFlow::Node node) {
) )
} }
predicate sinkModelSanitizer(DataFlow::Node node) { none() }
/** /**
* Holds if `source` is an api entrypoint relevant for creating sink models. * Holds if `source` is an api entrypoint relevant for creating sink models.
*/ */

2
java/ql/src/utils/model-generator/internal/CaptureModels.qll
View File

@@ -272,6 +272,8 @@ private class PropagateToSinkConfiguration extends TaintTracking::Configuration
override predicate isSink(DataFlow::Node sink) { ExternalFlow::sinkNode(sink, _) } override predicate isSink(DataFlow::Node sink) { ExternalFlow::sinkNode(sink, _) }
override predicate isSanitizer(DataFlow::Node node) { sinkModelSanitizer(node) }
override DataFlow::FlowFeature getAFeature() { override DataFlow::FlowFeature getAFeature() {
result instanceof DataFlow::FeatureHasSourceCallContext result instanceof DataFlow::FeatureHasSourceCallContext
} }

9
java/ql/src/utils/model-generator/internal/CaptureModelsSpecific.qll
View File

@@ -7,6 +7,7 @@ private import semmle.code.java.dataflow.internal.DataFlowNodes
private import semmle.code.java.dataflow.internal.DataFlowPrivate private import semmle.code.java.dataflow.internal.DataFlowPrivate
private import semmle.code.java.dataflow.internal.ContainerFlow as ContainerFlow private import semmle.code.java.dataflow.internal.ContainerFlow as ContainerFlow
private import semmle.code.java.dataflow.DataFlow as Df private import semmle.code.java.dataflow.DataFlow as Df
private import semmle.code.java.dataflow.SSA as Ssa
private import semmle.code.java.dataflow.TaintTracking as Tt private import semmle.code.java.dataflow.TaintTracking as Tt
import semmle.code.java.dataflow.ExternalFlow as ExternalFlow import semmle.code.java.dataflow.ExternalFlow as ExternalFlow
import semmle.code.java.dataflow.internal.DataFlowImplCommon as DataFlowImplCommon import semmle.code.java.dataflow.internal.DataFlowImplCommon as DataFlowImplCommon
@@ -224,6 +225,14 @@ predicate isOwnInstanceAccessNode(ReturnNode node) {
node.asExpr().(J::ThisAccess).isOwnInstanceAccess() node.asExpr().(J::ThisAccess).isOwnInstanceAccess()
} }
predicate sinkModelSanitizer(DataFlow::Node node) {
// exclude variable capture jump steps
exists(Ssa::SsaImplicitInit closure |
closure.captures(_) and
node.asExpr() = closure.getAFirstUse()
)
}
/** /**
* Holds if `source` is an api entrypoint relevant for creating sink models. * Holds if `source` is an api entrypoint relevant for creating sink models.
*/ */