From c787bb2ff9dcfced956760f7135ee05c6e88e8a6 Mon Sep 17 00:00:00 2001 From: Michael Nebel Date: Wed, 12 Apr 2023 11:47:42 +0200 Subject: [PATCH] C#: Re-factor the callablereturnarg tests. --- .../dataflow/callablereturnsarg/Common.qll | 42 ++++++++++--------- .../dataflow/callablereturnsarg/DataFlow.ql | 6 +-- .../callablereturnsarg/TaintTracking.ql | 18 ++------ 3 files changed, 29 insertions(+), 37 deletions(-) diff --git a/csharp/ql/test/library-tests/dataflow/callablereturnsarg/Common.qll b/csharp/ql/test/library-tests/dataflow/callablereturnsarg/Common.qll index 2ddbd6cf123..ae9b56cd038 100644 --- a/csharp/ql/test/library-tests/dataflow/callablereturnsarg/Common.qll +++ b/csharp/ql/test/library-tests/dataflow/callablereturnsarg/Common.qll 
@@ -10,34 +10,38 @@ private predicate outRefDef(DataFlow::ExprNode ne, int outRef) { ) } -class Configuration extends DataFlow::Configuration { - Configuration() { this = "Configuration" } +module Config implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source instanceof DataFlow::ParameterNode } - override predicate isSource(DataFlow::Node source) { source instanceof DataFlow::ParameterNode } - - override predicate isSink(DataFlow::Node sink) { + predicate isSink(DataFlow::Node sink) { any(Callable c).canReturn(sink.asExpr()) or outRefDef(sink, _) } - override predicate isBarrier(DataFlow::Node node) { + predicate isBarrier(DataFlow::Node node) { exists(AbstractValues::NullValue nv | node.(GuardedDataFlowNode).mustHaveValue(nv) | nv.isNull() ) } } -predicate flowOutFromParameter(DataFlow::Configuration c, Parameter p) { - exists(DataFlow::ExprNode ne, DataFlow::ParameterNode np | - p.getCallable().canReturn(ne.getExpr()) and - np.getParameter() = p and - c.hasFlow(np, ne) - ) +module FlowOut { + predicate flowOutFromParameter(Parameter p) { + exists(DataFlow::ExprNode ne, DataFlow::ParameterNode np | + p.getCallable().canReturn(ne.getExpr()) and + np.getParameter() = p and + Input::flow(np, ne) + ) + } + + predicate flowOutFromParameterOutOrRef(Parameter p, int outRef) { + exists(DataFlow::ExprNode ne, DataFlow::ParameterNode np | + outRefDef(ne, outRef) and + np.getParameter() = p and + Input::flow(np, ne) + ) + } } -predicate flowOutFromParameterOutOrRef(DataFlow::Configuration c, Parameter p, int outRef) { - exists(DataFlow::ExprNode ne, DataFlow::ParameterNode np | - outRefDef(ne, outRef) and - np.getParameter() = p and - c.hasFlow(np, ne) - ) -} +module Data = FlowOut>; + +module Taint = FlowOut>; diff --git a/csharp/ql/test/library-tests/dataflow/callablereturnsarg/DataFlow.ql b/csharp/ql/test/library-tests/dataflow/callablereturnsarg/DataFlow.ql index 7b60ecdf507..2ef74457d7e 100644 
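Review bot: `Config` in Common.qll has no QLDoc, and with the old `TaintTrackingConfiguration` gone nothing states that its null-value `isBarrier` is meant to hold for the taint variant too (the removed class forwarded it explicitly through `isSanitizer`). A one-line comment above the module would record that, for example `/** Parameter-to-return/out/ref flow; used for both Data and Taint, where isBarrier doubles as the taint barrier. */`. The module could also be declared `private module Config implements DataFlow::ConfigSig`, since DataFlow.ql and TaintTracking.ql only reference `Data::` and `Taint::`. As rendered on this page, `module FlowOut {` and the two aliases show no type arguments although the body calls `Input::flow`, so the parameter list was presumably lost in extraction rather than missing from the commit.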
--- a/csharp/ql/test/library-tests/dataflow/callablereturnsarg/DataFlow.ql +++ b/csharp/ql/test/library-tests/dataflow/callablereturnsarg/DataFlow.ql @@ -1,9 +1,9 @@ import csharp import Common -from Configuration c, Parameter p, int outRefArg +from Parameter p, int outRefArg where - flowOutFromParameter(c, p) and outRefArg = -1 + Data::flowOutFromParameter(p) and outRefArg = -1 or - flowOutFromParameterOutOrRef(c, p, outRefArg) + Data::flowOutFromParameterOutOrRef(p, outRefArg) select p.getCallable(), p.getPosition(), outRefArg diff --git a/csharp/ql/test/library-tests/dataflow/callablereturnsarg/TaintTracking.ql b/csharp/ql/test/library-tests/dataflow/callablereturnsarg/TaintTracking.ql index f1004b76160..6852b7c6bd0 100644 --- a/csharp/ql/test/library-tests/dataflow/callablereturnsarg/TaintTracking.ql +++ b/csharp/ql/test/library-tests/dataflow/callablereturnsarg/TaintTracking.ql @@ -1,21 +1,9 @@ import csharp import Common -class TaintTrackingConfiguration extends TaintTracking::Configuration { - Configuration c; - - TaintTrackingConfiguration() { this = "Taint " + c } - - override predicate isSource(DataFlow::Node source) { c.isSource(source) } - - override predicate isSink(DataFlow::Node sink) { c.isSink(sink) } - - override predicate isSanitizer(DataFlow::Node node) { c.isBarrier(node) } -} - -from TaintTrackingConfiguration c, Parameter p, int outRefArg +from Parameter p, int outRefArg where - flowOutFromParameter(c, p) and outRefArg = -1 + Taint::flowOutFromParameter(p) and outRefArg = -1 or - flowOutFromParameterOutOrRef(c, p, outRefArg) + Taint::flowOutFromParameterOutOrRef(p, outRefArg) select p.getCallable(), p.getPosition(), outRefArg
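Review bot: Both queries keep the bare `outRefArg = -1` on the `flowOutFromParameter` line with no explanation, and after this change DataFlow.ql and TaintTracking.ql differ only in the `Data::` / `Taint::` prefix. A comment on that line in each file would make the expected output readable, e.g. `// -1: the parameter flows to the return value, not to an out/ref definition`. The diffstat lists no `.expected` files, which suggests the results are intended to be unchanged. It is worth confirming that in the test run for the taint variant, whose hand-written configuration class is deleted here.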