Merge pull request #13851 from MathiasVP/sink-without-states

DataFlow: Support stateless `isSink` in `StateConfigSig`s
2025-12-22 19:56:32 +01:00 · 2023-08-04 18:01:42 +02:00
parent 97c688849d e066e87890
commit abe3a816ce
43 changed files with 126 additions and 14 deletions
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll
@@ -276,6 +276,8 @@ private module Config implements FullStateConfigSig {
    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
  }

+  predicate isSink(Node sink) { none() }
+
  predicate isSink(Node sink, FlowState state) {
    getConfig(state).isSink(sink, getState(state))
    or
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
@@ -276,6 +276,8 @@ private module Config implements FullStateConfigSig {
    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
  }

+  predicate isSink(Node sink) { none() }
+
  predicate isSink(Node sink, FlowState state) {
    getConfig(state).isSink(sink, getState(state))
    or
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
@@ -276,6 +276,8 @@ private module Config implements FullStateConfigSig {
    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
  }

+  predicate isSink(Node sink) { none() }
+
  predicate isSink(Node sink, FlowState state) {
    getConfig(state).isSink(sink, getState(state))
    or
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
@@ -276,6 +276,8 @@ private module Config implements FullStateConfigSig {
    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
  }

+  predicate isSink(Node sink) { none() }
+
  predicate isSink(Node sink, FlowState state) {
    getConfig(state).isSink(sink, getState(state))
    or
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
@@ -276,6 +276,8 @@ private module Config implements FullStateConfigSig {
    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
  }

+  predicate isSink(Node sink) { none() }
+
  predicate isSink(Node sink, FlowState state) {
    getConfig(state).isSink(sink, getState(state))
    or
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTracking.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTracking.qll
@@ -24,6 +24,7 @@ private module AddTaintDefaults<DataFlowInternal::FullStateConfigSig Config> imp
    Config::allowImplicitRead(node, c)
    or
    (
+      Config::isSink(node) or
      Config::isSink(node, _) or
      Config::isAdditionalFlowStep(node, _) or
      Config::isAdditionalFlowStep(node, _, _, _)
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll
@@ -276,6 +276,8 @@ private module Config implements FullStateConfigSig {
    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
  }

+  predicate isSink(Node sink) { none() }
+
  predicate isSink(Node sink, FlowState state) {
    getConfig(state).isSink(sink, getState(state))
    or
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
@@ -276,6 +276,8 @@ private module Config implements FullStateConfigSig {
    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
  }

+  predicate isSink(Node sink) { none() }
+
  predicate isSink(Node sink, FlowState state) {
    getConfig(state).isSink(sink, getState(state))
    or
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
@@ -276,6 +276,8 @@ private module Config implements FullStateConfigSig {
    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
  }

+  predicate isSink(Node sink) { none() }
+
  predicate isSink(Node sink, FlowState state) {
    getConfig(state).isSink(sink, getState(state))
    or
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
@@ -276,6 +276,8 @@ private module Config implements FullStateConfigSig {
    getConfig(state).isSource(source) and getState(state) instanceof FlowStateEmpty
  }

+  predicate isSink(Node sink) { none() }
+
  predicate isSink(Node sink, FlowState state) {
    getConfig(state).isSink(sink, getState(state))
    or
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTracking.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTracking.qll
@@ -24,6 +24,7 @@ private module AddTaintDefaults<DataFlowInternal::FullStateConfigSig Config> imp
    Config::allowImplicitRead(node, c)
    or
    (
+      Config::isSink(node) or
      Config::isSink(node, _) or
      Config::isAdditionalFlowStep(node, _) or
      Config::isAdditionalFlowStep(node, _, _, _)