Merge pull request #17663 from aschackmull/dataflow/speculative-flow

Dataflow: Add support for speculative taint flow.
2025-12-17 01:03:14 +01:00 · 2024-10-31 08:12:43 +01:00
parent 7e8a09aea1 570b042645
commit b556590ef8
47 changed files with 656 additions and 121 deletions
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl1.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl1.qll
@@ -261,13 +261,17 @@ deprecated private module Config implements FullStateConfigSig {
    model = ""
  }

-  predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
+  predicate isAdditionalFlowStep(
+    Node node1, FlowState state1, Node node2, FlowState state2, string model
+  ) {
    getConfig(state1).isAdditionalFlowStep(node1, getState(state1), node2, getState(state2)) and
-    getConfig(state2) = getConfig(state1)
+    getConfig(state2) = getConfig(state1) and
+    model = ""
    or
    not singleConfiguration() and
    getConfig(state1).isAdditionalFlowStep(node1, node2) and
-    state2 = state1
+    state2 = state1 and
+    model = ""
  }

  predicate allowImplicitRead(Node node, ContentSet c) {
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
@@ -261,13 +261,17 @@ deprecated private module Config implements FullStateConfigSig {
    model = ""
  }

-  predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
+  predicate isAdditionalFlowStep(
+    Node node1, FlowState state1, Node node2, FlowState state2, string model
+  ) {
    getConfig(state1).isAdditionalFlowStep(node1, getState(state1), node2, getState(state2)) and
-    getConfig(state2) = getConfig(state1)
+    getConfig(state2) = getConfig(state1) and
+    model = ""
    or
    not singleConfiguration() and
    getConfig(state1).isAdditionalFlowStep(node1, node2) and
-    state2 = state1
+    state2 = state1 and
+    model = ""
  }

  predicate allowImplicitRead(Node node, ContentSet c) {
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
@@ -261,13 +261,17 @@ deprecated private module Config implements FullStateConfigSig {
    model = ""
  }

-  predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
+  predicate isAdditionalFlowStep(
+    Node node1, FlowState state1, Node node2, FlowState state2, string model
+  ) {
    getConfig(state1).isAdditionalFlowStep(node1, getState(state1), node2, getState(state2)) and
-    getConfig(state2) = getConfig(state1)
+    getConfig(state2) = getConfig(state1) and
+    model = ""
    or
    not singleConfiguration() and
    getConfig(state1).isAdditionalFlowStep(node1, node2) and
-    state2 = state1
+    state2 = state1 and
+    model = ""
  }

  predicate allowImplicitRead(Node node, ContentSet c) {
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
@@ -261,13 +261,17 @@ deprecated private module Config implements FullStateConfigSig {
    model = ""
  }

-  predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
+  predicate isAdditionalFlowStep(
+    Node node1, FlowState state1, Node node2, FlowState state2, string model
+  ) {
    getConfig(state1).isAdditionalFlowStep(node1, getState(state1), node2, getState(state2)) and
-    getConfig(state2) = getConfig(state1)
+    getConfig(state2) = getConfig(state1) and
+    model = ""
    or
    not singleConfiguration() and
    getConfig(state1).isAdditionalFlowStep(node1, node2) and
-    state2 = state1
+    state2 = state1 and
+    model = ""
  }

  predicate allowImplicitRead(Node node, ContentSet c) {
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
@@ -261,13 +261,17 @@ deprecated private module Config implements FullStateConfigSig {
    model = ""
  }

-  predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
+  predicate isAdditionalFlowStep(
+    Node node1, FlowState state1, Node node2, FlowState state2, string model
+  ) {
    getConfig(state1).isAdditionalFlowStep(node1, getState(state1), node2, getState(state2)) and
-    getConfig(state2) = getConfig(state1)
+    getConfig(state2) = getConfig(state1) and
+    model = ""
    or
    not singleConfiguration() and
    getConfig(state1).isAdditionalFlowStep(node1, node2) and
-    state2 = state1
+    state2 = state1 and
+    model = ""
  }

  predicate allowImplicitRead(Node node, ContentSet c) {
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll
@@ -261,13 +261,17 @@ deprecated private module Config implements FullStateConfigSig {
    model = ""
  }

-  predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
+  predicate isAdditionalFlowStep(
+    Node node1, FlowState state1, Node node2, FlowState state2, string model
+  ) {
    getConfig(state1).isAdditionalFlowStep(node1, getState(state1), node2, getState(state2)) and
-    getConfig(state2) = getConfig(state1)
+    getConfig(state2) = getConfig(state1) and
+    model = ""
    or
    not singleConfiguration() and
    getConfig(state1).isAdditionalFlowStep(node1, node2) and
-    state2 = state1
+    state2 = state1 and
+    model = ""
  }

  predicate allowImplicitRead(Node node, ContentSet c) {
--- a/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -658,3 +658,53 @@ private predicate entrypointFieldStep(DataFlow::Node src, DataFlow::Node sink) {
  ) and
  src.getType().(RefType).getSourceDeclaration() = entrypointType()
 }
+
+import SpeculativeTaintFlow
+
+private module SpeculativeTaintFlow {
+  private import semmle.code.java.dataflow.ExternalFlow as ExternalFlow
+  private import semmle.code.java.dataflow.internal.DataFlowNodes
+  private import semmle.code.java.dataflow.internal.FlowSummaryImpl as Impl
+  private import semmle.code.java.dispatch.VirtualDispatch
+  private import semmle.code.java.security.Sanitizers
+
+  private predicate hasTarget(Call call) {
+    exists(Impl::Public::SummarizedCallable sc | sc.getACall() = call)
+    or
+    exists(Impl::Public::NeutralSummaryCallable nc | nc.getACall() = call)
+    or
+    call.getCallee().getSourceDeclaration() instanceof ExternalFlow::SinkCallable
+    or
+    exists(FlowSummaryImpl::Public::NeutralSinkCallable sc | sc.getACall() = call)
+    or
+    exists(viableCallable(call))
+    or
+    call.getQualifier().getType() instanceof Array
+    or
+    call.getCallee().getSourceDeclaration() instanceof CloneMethod
+    or
+    call.getCallee()
+        .getSourceDeclaration()
+        .getDeclaringType()
+        .getPackage()
+        .hasName("java.util.function")
+  }
+
+  /**
+   * Holds if the additional step from `src` to `sink` should be considered in
+   * speculative taint flow exploration.
+   */
+  predicate speculativeTaintStep(DataFlow::Node src, DataFlow::Node sink) {
+    exists(DataFlowCall call, Call srcCall, int argpos |
+      not hasTarget(srcCall) and
+      call.asCall() = srcCall and
+      src.(ArgumentNode).argumentOf(call, argpos) and
+      not src instanceof SimpleTypeSanitizer
+    |
+      argpos != -1 and
+      sink.(DataFlow::PostUpdateNode).getPreUpdateNode() = Public::getInstanceArgument(srcCall)
+      or
+      sink.(OutNode).getCall() = call
+    )
+  }
+}