Fix finding more sources

2025-12-24 04:36:35 +01:00 · 2021-09-30 12:08:29 +02:00
parent 38579ef25b
commit c616eb1473
4 changed files with 10 additions and 5 deletions
--- a/java/ql/src/utils/model-generator/CaptureSinkModels.ql
+++ b/java/ql/src/utils/model-generator/CaptureSinkModels.ql
@@ -16,7 +16,7 @@ class PropagateToSinkConfiguration extends TaintTracking::Configuration {

  override predicate isSource(DataFlow::Node source) {
    exists(MethodAccess ma |
-      ma = source.asExpr() and
+      ma.getAChildExpr() = source.asExpr() and
      ma.getAnEnclosingStmt().getEnclosingCallable().isPublic() and
      ma.getAnEnclosingStmt().getEnclosingCallable().fromSource()
    )
@@ -25,7 +25,11 @@ class PropagateToSinkConfiguration extends TaintTracking::Configuration {
  override predicate isSink(DataFlow::Node sink) { sinkNode(sink, _) }
 }

-string asInputArgument(Expr source) { result = "Argument[" + source.(Argument).getPosition() + "]" }
+string asInputArgument(Expr source) {
+  result = "Argument[" + source.(Argument).getPosition() + "]"
+  or
+  result = source.(VarAccess).getVariable().toString()
+}

 string captureSink(Callable api) {
  exists(DataFlow::Node src, DataFlow::Node sink, PropagateToSinkConfiguration config, string kind |
--- a/java/ql/src/utils/model-generator/CaptureSourceModels.ql
+++ b/java/ql/src/utils/model-generator/CaptureSourceModels.ql
@@ -33,7 +33,7 @@ predicate specificSourceNode(DataFlow::Node node, string output, string kind) {
  exists(InterpretNode n | Private::External::isSourceNode(n, output, kind) and n.asNode() = node)
 }

-string captureSink(Callable api) {
+string captureSource(Callable api) {
  exists(
    DataFlow::Node src, DataFlow::Node sink, FromSourceConfiguration config, string kind,
    string output
@@ -47,6 +47,6 @@ string captureSink(Callable api) {

 from Callable api, string sink
 where
-  sink = captureSink(api) and
+  sink = captureSource(api) and
  not isInTestFile(api)
 select sink order by sink