Use flowFrom.

2025-12-16 16:53:25 +01:00 · 2025-12-03 14:04:18 +01:00
parent 4191b18410
commit dc6d3fe7ba
23 changed files with 26 additions and 34 deletions
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
@@ -263,7 +263,7 @@ module FromSensitiveFlow = TaintTracking::Global<FromSensitiveConfig>;
 * A taint flow configuration for flow from a sensitive expression to an encryption operation.
 */
 module ToEncryptionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { FromSensitiveFlow::flow(source, _) }
+  predicate isSource(DataFlow::Node source) { FromSensitiveFlow::flowFrom(source) }

  predicate isSink(DataFlow::Node sink) { isSinkEncrypt(sink, _) }

@@ -311,7 +311,7 @@ where
  FromSensitiveFlow::flowPath(source, sink) and
  isSinkSendRecv(sink.getNode(), networkSendRecv) and
  // no flow from sensitive -> evidence of encryption
-  not ToEncryptionFlow::flow(source.getNode(), _) and
+  not ToEncryptionFlow::flowFrom(source.getNode()) and
  not FromEncryptionFlow::flowTo(sink.getNode()) and
  // construct result
  if networkSendRecv instanceof NetworkSend
--- a/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
@@ -129,7 +129,7 @@ module PointerArithmeticToDerefFlow = DataFlow::Global<PointerArithmeticToDerefC

 predicate pointerArithOverflow(PointerArithmeticInstruction pai, int delta) {
  pointerArithOverflow0(pai, delta) and
-  PointerArithmeticToDerefFlow::flow(DataFlow::instructionNode(pai), _)
+  PointerArithmeticToDerefFlow::flowFrom(DataFlow::instructionNode(pai))
 }

 bindingset[v]
--- a/csharp/ql/lib/semmle/code/csharp/frameworks/Sql.qll
+++ b/csharp/ql/lib/semmle/code/csharp/frameworks/Sql.qll
@@ -52,7 +52,7 @@ class IDbCommandConstructionSqlExpr extends SqlExpr, ObjectCreation {
 class DapperCommandDefinitionMethodCallSqlExpr extends SqlExpr, ObjectCreation {
  DapperCommandDefinitionMethodCallSqlExpr() {
    this.getObjectType() instanceof Dapper::CommandDefinitionStruct and
-    DapperCommandDefinitionMethodCallSql::flow(DataFlow::exprNode(this), _)
+    DapperCommandDefinitionMethodCallSql::flowFromExpr(this)
  }

  override Expr getSql() { result = this.getArgumentForName("commandText") }
--- a/Features/CWE-614/CookieWithoutSecure.ql
+++ b/Features/CWE-614/CookieWithoutSecure.ql
@@ -46,10 +46,7 @@ predicate insecureCookieOptionsCreation(ObjectCreation oc) {
  // `Secure` property in `CookieOptions` passed to IResponseCookies.Append(...) wasn't set
  oc.getType() instanceof MicrosoftAspNetCoreHttpCookieOptions and
  secureFalseOrNotSet(oc) and
-  exists(DataFlow::Node creation |
-    CookieOptionsTracking::flow(creation, _) and
-    creation.asExpr() = oc
-  )
+  CookieOptionsTracking::flowFromExpr(oc)
 }

 predicate insecureCookieAppend(Expr sink) {
--- a/go/ql/lib/semmle/go/security/MissingJwtSignatureCheck.qll
+++ b/go/ql/lib/semmle/go/security/MissingJwtSignatureCheck.qll
@@ -15,7 +15,7 @@ module MissingJwtSignatureCheck {
  module Config implements DataFlow::ConfigSig {
    predicate isSource(DataFlow::Node source) {
      source instanceof Source and
-      not SafeParse::flow(source, _)
+      not SafeParse::flowFrom(source)
    }

    predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
--- a/go/ql/lib/semmle/go/security/UnsafeUnzipSymlink.qll
+++ b/go/ql/lib/semmle/go/security/UnsafeUnzipSymlink.qll
@@ -32,7 +32,7 @@ module UnsafeUnzipSymlink {
   * Holds if `node` is an archive header field read that flows to a `path/filepath.EvalSymlinks` call.
   */
  private predicate symlinksEvald(DataFlow::Node node) {
-    EvalSymlinksFlow::flow(getASimilarReadNode(node), _)
+    EvalSymlinksFlow::flowFrom(getASimilarReadNode(node))
  }

  private module Config implements DataFlow::ConfigSig {
--- a/go/ql/src/Security/CWE-020/MissingRegexpAnchor.ql
+++ b/go/ql/src/Security/CWE-020/MissingRegexpAnchor.ql
@@ -81,5 +81,5 @@ module Config implements DataFlow::ConfigSig {
 module Flow = DataFlow::Global<Config>;

 from DataFlow::Node source, string msg
-where Flow::flow(source, _) and Config::isSourceString(source, msg)
+where Flow::flowFrom(source) and Config::isSourceString(source, msg)
 select source, msg
--- a/go/ql/src/Security/CWE-352/ConstantOauth2State.ql
+++ b/go/ql/src/Security/CWE-352/ConstantOauth2State.ql
@@ -154,7 +154,7 @@ module FlowToPrintFlow = DataFlow::Global<FlowToPrintConfig>;

 /** Holds if the provided `CallNode`'s result flows to an argument of a printer call. */
 predicate resultFlowsToPrinter(DataFlow::CallNode authCodeUrlCall) {
-  FlowToPrintFlow::flow(authCodeUrlCall.getResult(), _)
+  FlowToPrintFlow::flowFrom(authCodeUrlCall.getResult())
 }

 /** Get a data-flow node that reads the value of `os.Stdin`. */
--- a/go/ql/src/experimental/CWE-285/PamAuthBypass.ql
+++ b/go/ql/src/experimental/CWE-285/PamAuthBypass.ql
@@ -70,5 +70,6 @@ module PamStartToAuthenticateFlow = TaintTracking::Global<PamStartToAuthenticate
 from DataFlow::Node source, DataFlow::Node sink
 where
  not isInTestFile(source.asExpr()) and
-  (PamStartToAuthenticateFlow::flow(source, sink) and not PamStartToAcctMgmtFlow::flow(source, _))
+  PamStartToAuthenticateFlow::flow(source, sink) and
+  not PamStartToAcctMgmtFlow::flowFrom(source)
 select source, "This Pam transaction may not be secure."
--- a/go/ql/src/experimental/CWE-321-V2/HardCodedKeys.ql
+++ b/go/ql/src/experimental/CWE-321-V2/HardCodedKeys.ql
@@ -24,7 +24,7 @@ module JwtParseWithConstantKeyConfig implements DataFlow::ConfigSig {
      or
      n = fd.(FuncDecl).getFunction().getARead()
    |
-      GolangJwtKeyFunc::flow(n, _) and
+      GolangJwtKeyFunc::flowFrom(n) and
      sink = rn and
      rn.getRoot() = fd and
      rn.getIndex() = 0
--- a/java/ql/lib/semmle/code/java/frameworks/google/GoogleHttpClientApi.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/google/GoogleHttpClientApi.qll
@@ -26,9 +26,7 @@ private module TypeLiteralToParseAsFlowConfig implements DataFlow::ConfigSig {

 private module TypeLiteralToParseAsFlow = DataFlow::Global<TypeLiteralToParseAsFlowConfig>;

-private TypeLiteral getSourceWithFlowToParseAs() {
-  TypeLiteralToParseAsFlow::flow(DataFlow::exprNode(result), _)
-}
+private TypeLiteral getSourceWithFlowToParseAs() { TypeLiteralToParseAsFlow::flowFromExpr(result) }

 /** A field that is deserialized by `HttpResponse.parseAs`. */
 class HttpResponseParseAsDeserializableField extends DeserializableField {
--- a/java/ql/lib/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/jackson/JacksonSerializability.qll
@@ -110,7 +110,7 @@ private module TypeLiteralToJacksonDatabindFlow =
  DataFlow::Global<TypeLiteralToJacksonDatabindFlowConfig>;

 private TypeLiteral getSourceWithFlowToJacksonDatabind() {
-  TypeLiteralToJacksonDatabindFlow::flow(DataFlow::exprNode(result), _)
+  TypeLiteralToJacksonDatabindFlow::flowFromExpr(result)
 }

 /** A type whose values are explicitly deserialized in a call to a Jackson method. */
--- a/java/ql/lib/semmle/code/java/regex/RegexFlowConfigs.qll
+++ b/java/ql/lib/semmle/code/java/regex/RegexFlowConfigs.qll
@@ -164,7 +164,7 @@ private module RegexFlowConfig implements DataFlow::ConfigSig {
 private module RegexFlow = DataFlow::Global<RegexFlowConfig>;

 private predicate usedAsRegexImpl(StringLiteral regex, string mode, boolean match_full_string) {
-  RegexFlow::flow(DataFlow::exprNode(regex), _) and
+  RegexFlow::flowFromExpr(regex) and
  mode = "None" and // TODO: proper mode detection
  (if matchesFullString(regex) then match_full_string = true else match_full_string = false)
 }
--- a/java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/ImproperIntentVerificationQuery.qll
@@ -51,7 +51,7 @@ private module VerifiedIntentFlow = DataFlow::Global<VerifiedIntentConfig>;
 /** An `onReceive` method that doesn't verify the action of the intent it receives. */
 private class UnverifiedOnReceiveMethod extends OnReceiveMethod {
  UnverifiedOnReceiveMethod() {
-    not VerifiedIntentFlow::flow(DataFlow::parameterNode(this.getIntentParameter()), _) and
+    not VerifiedIntentFlow::flowFrom(DataFlow::parameterNode(this.getIntentParameter())) and
    // Empty methods do not need to be verified since they do not perform any actions.
    this.getBody().getNumStmt() > 0
  }
--- a/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.ql
+++ b/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.ql
@@ -118,7 +118,7 @@ where
  // implicit: no setAllowContentAccess(false)
  exists(WebViewSource source |
    source.asExpr() = e and
-    not WebViewDisallowContentAccessFlow::flow(source, _)
+    not WebViewDisallowContentAccessFlow::flowFrom(source)
  )
 select e,
  "Sensitive information may be exposed via a malicious link due to access to content:// links being allowed in this WebView."
--- a/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
@@ -85,7 +85,7 @@ private module JxBrowserFlow = DataFlow::Global<JxBrowserFlowConfig>;

 deprecated query predicate problems(DataFlow::Node src, string message) {
  JxBrowserFlowConfig::isSource(src) and
-  not JxBrowserFlow::flow(src, _) and
+  not JxBrowserFlow::flowFrom(src) and
  not isSafeJxBrowserVersion() and
  message = "This JxBrowser instance may not check HTTPS certificates."
 }
--- a/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql
@@ -50,7 +50,7 @@ private Expr getAccessControlAllowOriginHeaderName() {
 * A taint-tracking configuration for flow from a source node to CorsProbableCheckAccess methods.
 */
 module CorsSourceReachesCheckConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { CorsOriginFlow::flow(source, _) }
+  predicate isSource(DataFlow::Node source) { CorsOriginFlow::flowFrom(source) }

  predicate isSink(DataFlow::Node sink) {
    sink.asExpr() = any(CorsProbableCheckAccess check).getAnArgument()
@@ -86,7 +86,7 @@ deprecated query predicate problems(
  string message1, DataFlow::Node sourceNode, string message2
 ) {
  CorsOriginFlow::flowPath(source, sink) and
-  not CorsSourceReachesCheckFlow::flow(sourceNode, _) and
+  not CorsSourceReachesCheckFlow::flowFrom(sourceNode) and
  sinkNode = sink.getNode() and
  message1 = "CORS header is being set using user controlled value $@." and
  sourceNode = source.getNode() and
--- a/java/ql/src/experimental/Security/CWE/CWE-347/Auth0NoVerifier.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-347/Auth0NoVerifier.ql
@@ -17,7 +17,7 @@ deprecated import JwtAuth0 as JwtAuth0
 deprecated module JwtDecodeConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
    source instanceof RemoteFlowSource and
-    not FlowToJwtVerify::flow(source, _)
+    not FlowToJwtVerify::flowFrom(source)
  }

  predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(JwtAuth0::GetPayload a) }
--- a/java/ql/test-kotlin1/library-tests/parameter-defaults/flowTest.ql
+++ b/java/ql/test-kotlin1/library-tests/parameter-defaults/flowTest.ql
@@ -25,9 +25,7 @@ module Config implements DataFlow::ConfigSig {

 module Flow = DataFlow::Global<Config>;

-predicate isSunk(StringLiteral sl) {
-  exists(DataFlow::Node source | Flow::flow(source, _) and sl = source.asExpr())
-}
+predicate isSunk(StringLiteral sl) { Flow::flowFromExpr(sl) }

 query predicate shouldBeSunkButIsnt(ShouldBeSunk src) { not isSunk(src) }

--- a/java/ql/test-kotlin2/library-tests/parameter-defaults/flowTest.ql
+++ b/java/ql/test-kotlin2/library-tests/parameter-defaults/flowTest.ql
@@ -25,9 +25,7 @@ module Config implements DataFlow::ConfigSig {

 module Flow = DataFlow::Global<Config>;

-predicate isSunk(StringLiteral sl) {
-  exists(DataFlow::Node source | Flow::flow(source, _) and sl = source.asExpr())
-}
+predicate isSunk(StringLiteral sl) { Flow::flowFromExpr(sl) }

 query predicate shouldBeSunkButIsnt(ShouldBeSunk src) { not isSunk(src) }

--- a/java/ql/test/library-tests/frameworks/android/taint-database/flowSteps.ql
+++ b/java/ql/test/library-tests/frameworks/android/taint-database/flowSteps.ql
@@ -20,7 +20,7 @@ module FlowStepTest implements TestSig {
  predicate hasActualResult(Location l, string element, string tag, string value) {
    tag = "taintReachesReturn" and
    value = "" and
-    exists(DataFlow::Node source | Flow::flow(source, _) |
+    exists(DataFlow::Node source | Flow::flowFrom(source) |
      l = source.getLocation() and
      element = source.toString()
    )
--- a/java/ql/test/library-tests/frameworks/android/taint-database/sinks.ql
+++ b/java/ql/test/library-tests/frameworks/android/taint-database/sinks.ql
@@ -20,7 +20,7 @@ module SinkTest implements TestSig {
  predicate hasActualResult(Location l, string element, string tag, string value) {
    tag = "taintReachesSink" and
    value = "" and
-    exists(DataFlow::Node source | Flow::flow(source, _) |
+    exists(DataFlow::Node source | Flow::flowFrom(source) |
      l = source.getLocation() and
      element = source.toString()
    )
--- a/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql
+++ b/javascript/ql/src/experimental/Security/CWE-347/decodeJwtWithoutVerification.ql
@@ -36,6 +36,6 @@ import UnverifiedDecodeFlow::PathGraph
 from UnverifiedDecodeFlow::PathNode source, UnverifiedDecodeFlow::PathNode sink
 where
  UnverifiedDecodeFlow::flowPath(source, sink) and
-  not VerifiedDecodeFlow::flow(source.getNode(), _)
+  not VerifiedDecodeFlow::flowFrom(source.getNode())
 select source.getNode(), source, sink, "Decoding JWT $@.", sink.getNode(),
  "without signature verification"