From ef0c6d01eb72e728033e661641471a5b72b7c73e Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen
Date: Thu, 22 Aug 2019 16:38:59 +0200
Subject: [PATCH 1/2] Java: Add a global extension point for taint steps.
---
 .../java/dataflow/internal/TaintTrackingUtil.qll | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
index 19764af049c..1aa4c589ee2 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -40,12 +40,26 @@ predicate localAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {
 )
 }

+/**
+ * A `DataFlow::Node` that is the origin of a taint step.
+ *
+ * Extend this class to add additional taint steps that should apply to all
+ * taint configurations.
+ */
+abstract class AdditionalTaintStepNode extends DataFlow::Node {
+ /**
+ * Gets a `DataFlow::Node` that this node can step to in one taint step.
+ */
+ abstract DataFlow::Node step();
+}
+
 /**
 * Holds if the additional step from `src` to `sink` should be included in all
 * global taint flow configurations.
 */
 predicate defaultAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {
- localAdditionalTaintStep(src, sink)
+ localAdditionalTaintStep(src, sink) or
+ src.(AdditionalTaintStepNode).step() = sink
 }

 /**
From ae98d4fd8e200bb6c93f31ec9cf107eb7ea96bb5 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen
Date: Thu, 29 Aug 2019 11:05:45 +0200
Subject: [PATCH 2/2] Java: Change extension point to use a unit type.
---
 .../dataflow/internal/TaintTrackingUtil.qll | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
index 1aa4c589ee2..41e7911115f 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -40,17 +40,24 @@ predicate localAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {
 )
 }

+private newtype TUnit = TMkUnit()
+
+class Unit extends TUnit {
+ string toString() { result = "unit" }
+}
+
 /**
- * A `DataFlow::Node` that is the origin of a taint step.
+ * A unit class for adding additional taint steps.
 *
 * Extend this class to add additional taint steps that should apply to all
 * taint configurations.
 */
-abstract class AdditionalTaintStepNode extends DataFlow::Node {
+class AdditionalTaintStep extends Unit {
 /**
- * Gets a `DataFlow::Node` that this node can step to in one taint step.
+ * Holds if the step from `node1` to `node2` should be considered a taint
+ * step for all configurations.
 */
- abstract DataFlow::Node step();
+ abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
 }

 /**
@@ -59,7 +66,7 @@ abstract class AdditionalTaintStepNode extends DataFlow::Node {
 */
 predicate defaultAdditionalTaintStep(DataFlow::Node src, DataFlow::Node sink) {
 localAdditionalTaintStep(src, sink) or
- src.(AdditionalTaintStepNode).step() = sink
+ any(AdditionalTaintStep a).step(src, sink)
 }

 /**
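Review bot: The new `Unit` class at the top of the first hunk is public but has no QLDoc, and the QLDoc on `AdditionalTaintStep` does not say how far an extension reaches. A subclass's `step` is picked up by every taint configuration evaluated with that subclass in scope, so one over-broad step can add spurious flow to unrelated security queries. I would document `Unit` with `/** The trivial type with a single element. */` and add to the `AdditionalTaintStep` comment a sentence such as `Only add steps that are valid for every configuration; configuration-specific steps belong in that configuration's isAdditionalTaintStep.`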
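Review bot: In the second hunk the extension point is consulted only from `defaultAdditionalTaintStep`, while `localAdditionalTaintStep` (visible only in the hunk header) is left as it was. Steps contributed through `AdditionalTaintStep` therefore presumably reach global configurations but not local taint tracking, and a library modeller could assume both are covered. The QLDoc above the predicate starts outside the hunk; I would extend it with a line such as `* Includes steps contributed via AdditionalTaintStep; these are not part of local taint steps.`, or include the extension steps in the local relation if that is the intent.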