Dataflow: Add empty provenance column to PathGraph.

2026-04-22 15:25:18 +02:00 · 2024-02-08 11:10:46 +01:00
parent 4c0d535cc2
commit b7d4a6926f
7 changed files with 42 additions and 24 deletions
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll
@@ -507,13 +507,13 @@ module ProductFlow {
    private predicate pathSuccPlus(TNodePair n1, TNodePair n2) = fastTC(pathSucc/2)(n1, n2)

    private predicate localPathStep1(Flow1::PathNode pred, Flow1::PathNode succ) {
-      Flow1::PathGraph::edges(pred, succ) and
+      Flow1::PathGraph::edges(pred, succ, _, _) and
      pragma[only_bind_out](pred.getNode().getEnclosingCallable()) =
        pragma[only_bind_out](succ.getNode().getEnclosingCallable())
    }

    private predicate localPathStep2(Flow2::PathNode pred, Flow2::PathNode succ) {
-      Flow2::PathGraph::edges(pred, succ) and
+      Flow2::PathGraph::edges(pred, succ, _, _) and
      pragma[only_bind_out](pred.getNode().getEnclosingCallable()) =
        pragma[only_bind_out](succ.getNode().getEnclosingCallable())
    }
@@ -530,7 +530,7 @@ module ProductFlow {
      TJump()

    private predicate intoImpl1(Flow1::PathNode pred1, Flow1::PathNode succ1, DataFlowCall call) {
-      Flow1::PathGraph::edges(pred1, succ1) and
+      Flow1::PathGraph::edges(pred1, succ1, _, _) and
      pred1.getNode().(ArgumentNode).getCall() = call and
      succ1.getNode() instanceof ParameterNode
    }
@@ -543,7 +543,7 @@ module ProductFlow {
    }

    private predicate outImpl1(Flow1::PathNode pred1, Flow1::PathNode succ1, DataFlowCall call) {
-      Flow1::PathGraph::edges(pred1, succ1) and
+      Flow1::PathGraph::edges(pred1, succ1, _, _) and
      exists(ReturnKindExt returnKind |
        succ1.getNode() = returnKind.getAnOutNode(call) and
        pred1.getNode().(ReturnNodeExt).getKind() = returnKind
@@ -558,7 +558,7 @@ module ProductFlow {
    }

    private predicate intoImpl2(Flow2::PathNode pred2, Flow2::PathNode succ2, DataFlowCall call) {
-      Flow2::PathGraph::edges(pred2, succ2) and
+      Flow2::PathGraph::edges(pred2, succ2, _, _) and
      pred2.getNode().(ArgumentNode).getCall() = call and
      succ2.getNode() instanceof ParameterNode
    }
@@ -571,7 +571,7 @@ module ProductFlow {
    }

    private predicate outImpl2(Flow2::PathNode pred2, Flow2::PathNode succ2, DataFlowCall call) {
-      Flow2::PathGraph::edges(pred2, succ2) and
+      Flow2::PathGraph::edges(pred2, succ2, _, _) and
      exists(ReturnKindExt returnKind |
        succ2.getNode() = returnKind.getAnOutNode(call) and
        pred2.getNode().(ReturnNodeExt).getKind() = returnKind
@@ -590,7 +590,7 @@ module ProductFlow {
      Declaration predDecl, Declaration succDecl, Flow1::PathNode pred1, Flow1::PathNode succ1,
      TKind kind
    ) {
-      Flow1::PathGraph::edges(pred1, succ1) and
+      Flow1::PathGraph::edges(pred1, succ1, _, _) and
      predDecl != succDecl and
      pred1.getNode().getEnclosingCallable() = predDecl and
      succ1.getNode().getEnclosingCallable() = succDecl and
@@ -610,7 +610,7 @@ module ProductFlow {
      Declaration predDecl, Declaration succDecl, Flow2::PathNode pred2, Flow2::PathNode succ2,
      TKind kind
    ) {
-      Flow2::PathGraph::edges(pred2, succ2) and
+      Flow2::PathGraph::edges(pred2, succ2, _, _) and
      predDecl != succDecl and
      pred2.getNode().getEnclosingCallable() = predDecl and
      succ2.getNode().getEnclosingCallable() = succDecl and
--- a/csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSQuery.qll
+++ b/csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSQuery.qll
@@ -42,14 +42,18 @@ predicate xssFlow(XssNode source, XssNode sink, string message) {
 */
 module PathGraph {
  /** Holds if `(pred,succ)` is an edge in the graph of data flow path explanations. */
-  query predicate edges(XssNode pred, XssNode succ) {
-    exists(XssTracking::PathNode a, XssTracking::PathNode b | XssTracking::PathGraph::edges(a, b) |
+  query predicate edges(XssNode pred, XssNode succ, string key, string val) {
+    exists(XssTracking::PathNode a, XssTracking::PathNode b |
+      XssTracking::PathGraph::edges(a, b, key, val)
+    |
      pred.asDataFlowNode() = a and
      succ.asDataFlowNode() = b
    )
    or
    xssFlow(pred, succ, _) and
-    pred instanceof XssAspNode
+    pred instanceof XssAspNode and
+    key = "provenance" and
+    val = ""
  }

  /** Holds if `n` is a node in the graph of data flow path explanations. */
--- a/Features/backdoor/PotentialTimeBomb.ql
+++ b/Features/backdoor/PotentialTimeBomb.ql
@@ -13,14 +13,18 @@
 import csharp
 import Flow::PathGraph

-query predicate edges(Flow::PathNode a, Flow::PathNode b) {
-  Flow::PathGraph::edges(a, b)
+query predicate edges(Flow::PathNode a, Flow::PathNode b, string key, string val) {
+  Flow::PathGraph::edges(a, b, key, val)
  or
  FlowsFromGetLastWriteTimeConfigToTimeSpanArithmeticCallableConfig::isSink(a.getNode()) and
-  FlowsFromTimeSpanArithmeticToTimeComparisonCallableConfig::isSource(b.getNode())
+  FlowsFromTimeSpanArithmeticToTimeComparisonCallableConfig::isSource(b.getNode()) and
+  key = "provenance" and
+  val = ""
  or
  FlowsFromTimeSpanArithmeticToTimeComparisonCallableConfig::isSink(a.getNode()) and
-  FlowsFromTimeComparisonCallableToSelectionStatementConditionConfig::isSource(b.getNode())
+  FlowsFromTimeComparisonCallableToSelectionStatementConditionConfig::isSource(b.getNode()) and
+  key = "provenance" and
+  val = ""
 }

 /**
--- a/csharp/ql/test/library-tests/cil/dataflow/DataFlow.ql
+++ b/csharp/ql/test/library-tests/cil/dataflow/DataFlow.ql
@@ -13,8 +13,8 @@ private predicate relevantPathNode(Flow::PathNode n) {
  )
 }

-query predicate edges(Flow::PathNode a, Flow::PathNode b) {
-  Flow::PathGraph::edges(a, b) and
+query predicate edges(Flow::PathNode a, Flow::PathNode b, string key, string val) {
+  Flow::PathGraph::edges(a, b, key, val) and
  relevantPathNode(a) and
  relevantPathNode(b)
 }
--- a/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql
+++ b/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql
@@ -25,7 +25,11 @@ import semmle.code.java.security.TempDirLocalInformationDisclosureQuery
 * resulting in a zero-length paths.
 */
 module InsecureMethodPathGraph implements DataFlow::PathGraphSig<MethodCallInsecureFileCreation> {
-  predicate edges(MethodCallInsecureFileCreation n1, MethodCallInsecureFileCreation n2) { none() }
+  predicate edges(
+    MethodCallInsecureFileCreation n1, MethodCallInsecureFileCreation n2, string key, string value
+  ) {
+    none()
+  }

  predicate nodes(MethodCallInsecureFileCreation n, string key, string val) {
    key = "semmle.label" and val = n.toString()
--- a/shared/dataflow/codeql/dataflow/DataFlow.qll
+++ b/shared/dataflow/codeql/dataflow/DataFlow.qll
@@ -584,7 +584,7 @@ module DataFlowMake<InputSig Lang> {

  signature module PathGraphSig<PathNodeSig PathNode> {
    /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-    predicate edges(PathNode a, PathNode b);
+    predicate edges(PathNode a, PathNode b, string key, string val);

    /** Holds if `n` is a node in the graph of data flow path explanations. */
    predicate nodes(PathNode n, string key, string val);
@@ -648,9 +648,9 @@ module DataFlowMake<InputSig Lang> {
     */
    module PathGraph implements PathGraphSig<PathNode> {
      /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-      query predicate edges(PathNode a, PathNode b) {
-        Graph1::edges(a.asPathNode1(), b.asPathNode1()) or
-        Graph2::edges(a.asPathNode2(), b.asPathNode2())
+      query predicate edges(PathNode a, PathNode b, string key, string val) {
+        Graph1::edges(a.asPathNode1(), b.asPathNode1(), key, val) or
+        Graph2::edges(a.asPathNode2(), b.asPathNode2(), key, val)
      }

      /** Holds if `n` is a node in the graph of data flow path explanations. */
@@ -719,7 +719,9 @@ module DataFlowMake<InputSig Lang> {
     */
    module PathGraph implements PathGraphSig<PathNode> {
      /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-      query predicate edges(PathNode a, PathNode b) { Merged::PathGraph::edges(a, b) }
+      query predicate edges(PathNode a, PathNode b, string key, string val) {
+        Merged::PathGraph::edges(a, b, key, val)
+      }

      /** Holds if `n` is a node in the graph of data flow path explanations. */
      query predicate nodes(PathNode n, string key, string val) {
--- a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll
+++ b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll
@@ -3724,7 +3724,11 @@ module MakeImpl<InputSig Lang> {
     */
    module PathGraph implements PathGraphSig<PathNode> {
      /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-      query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b }
+      query predicate edges(PathNode a, PathNode b, string key, string val) {
+        a.getASuccessor() = b and
+        key = "provenance" and
+        val = ""
+      }

      /** Holds if `n` is a node in the graph of data flow path explanations. */
      query predicate nodes(PathNode n, string key, string val) {