Java: Rearrange and refactor language specific content into standalone predicates.

2026-05-02 04:05:14 +02:00 · 2022-03-03 16:08:52 +01:00
parent 6259ecfc12
commit ba233ed7a1
1 changed files with 16 additions and 8 deletions
--- a/java/ql/src/utils/model-generator/CaptureSummaryModels.ql
+++ b/java/ql/src/utils/model-generator/CaptureSummaryModels.ql
@@ -12,11 +12,14 @@ import semmle.code.java.dataflow.internal.DataFlowPrivate
 import semmle.code.java.dataflow.InstanceAccess
 import ModelGeneratorUtils

-string captureFlow(TargetApi api) {
-  result = captureQualifierFlow(api) or
-  result = captureThroughFlow(api)
+predicate isOwnInstanceAccess(ReturnStmt rtn) { rtn.getResult().(ThisAccess).isOwnInstanceAccess() }
+
+predicate isOwnInstanceAccessNode(ReturnNode node) {
+  node.asExpr().(ThisAccess).isOwnInstanceAccess()
 }

+string qualifierString() { result = "Argument[-1]" }
+
 /**
 * Capture fluent APIs that return `this`.
 * Example of a fluent API:
@@ -29,12 +32,12 @@ string captureFlow(TargetApi api) {
 * }
 * ```
 */
-string captureQualifierFlow(TargetApi api) {
+private string captureQualifierFlow(TargetApi api) {
  exists(ReturnStmt rtn |
    rtn.getEnclosingCallable() = api and
-    rtn.getResult().(ThisAccess).isOwnInstanceAccess()
+    isOwnInstanceAccess(rtn)
  ) and
-  result = asValueModel(api, "Argument[-1]", "ReturnValue")
+  result = asValueModel(api, qualifierString(), "ReturnValue")
 }

 class TaintRead extends DataFlow::FlowState {
@@ -56,7 +59,7 @@ class ThroughFlowConfig extends TaintTracking::Configuration {

  override predicate isSink(DataFlow::Node sink, DataFlow::FlowState state) {
    sink instanceof ReturnNodeExt and
-    not sink.(ReturnNode).asExpr().(ThisAccess).isOwnInstanceAccess() and
+    not isOwnInstanceAccessNode(sink) and
    not exists(captureQualifierFlow(sink.asExpr().getEnclosingCallable())) and
    (state instanceof TaintRead or state instanceof TaintStore)
  }
@@ -145,7 +148,7 @@ class ThroughFlowConfig extends TaintTracking::Configuration {
 * Captured Model:
 * `p;Foo;true;addToList;;Argument[0];Argument[1];taint`
 */
-string captureThroughFlow(TargetApi api) {
+private string captureThroughFlow(TargetApi api) {
  exists(
    ThroughFlowConfig config, DataFlow::ParameterNode p, ReturnNodeExt returnNodeExt, string input,
    string output
@@ -159,6 +162,11 @@ string captureThroughFlow(TargetApi api) {
  )
 }

+private string captureFlow(TargetApi api) {
+  result = captureQualifierFlow(api) or
+  result = captureThroughFlow(api)
+}
+
 from TargetApi api, string flow
 where flow = captureFlow(api)
 select flow order by flow