From 7a39f077d9531d48e121659e2cade47488896d50 Mon Sep 17 00:00:00 2001 From: Tom Hvitved Date: Mon, 11 Mar 2024 11:58:20 +0100 Subject: [PATCH 1/4] Data flow: Add `ConfigSig::accessPathLimit` --- .../dataflow/internal/ContentDataFlow.qll | 2 ++ .../modelgenerator/internal/CaptureModels.qll | 6 +++--- .../modelgenerator/internal/CaptureModels.qll | 6 +++--- .../ruby/dataflow/internal/DataFlowImpl1.qll | 2 ++ shared/dataflow/codeql/dataflow/DataFlow.qll | 10 ++++++++++ .../codeql/dataflow/internal/DataFlowImpl.qll | 19 ++++++++++++++++--- 6 files changed, 36 insertions(+), 9 deletions(-) diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ContentDataFlow.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ContentDataFlow.qll index e9cd7373975..76936549051 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ContentDataFlow.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ContentDataFlow.qll @@ -109,6 +109,8 @@ module Global { DataFlow::FlowFeature getAFeature() { result = ContentConfig::getAFeature() } + predicate accessPathLimit = ContentConfig::accessPathLimit/0; + // needed to record reads/stores inside summarized callables predicate includeHiddenNodes() { any() } } diff --git a/csharp/ql/src/utils/modelgenerator/internal/CaptureModels.qll b/csharp/ql/src/utils/modelgenerator/internal/CaptureModels.qll index 9c19e5b9cbb..0a22178d108 100644 --- a/csharp/ql/src/utils/modelgenerator/internal/CaptureModels.qll +++ b/csharp/ql/src/utils/modelgenerator/internal/CaptureModels.qll 
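Review bot: The new `predicate accessPathLimit = ContentConfig::accessPathLimit/0;` in `Global` carries no comment, while the neighbouring `includeHiddenNodes` explains why it is there, and this alias is the one that ties a content-config limit to the underlying data-flow configuration. A one-line why-comment above it would help, e.g. `// bound the underlying data-flow access paths by the content config's limit (presumably so model generation never explores deeper paths than it can capture)`, with the parenthetical confirmed against ContentDataFlow's own ConfigSig, which is not visible here. The enclosing `Global` module starts and ends outside the hunk.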
@@ -72,11 +72,11 @@ string captureQualifierFlow(TargetApiSpecific api) { result = ModelPrinting::asValueModel(api, qualifierString(), "ReturnValue") } -private int accessPathLimit() { result = 2 } +private int accessPathLimit0() { result = 2 } private newtype TTaintState = - TTaintRead(int n) { n in [0 .. accessPathLimit()] } or - TTaintStore(int n) { n in [1 .. accessPathLimit()] } + TTaintRead(int n) { n in [0 .. accessPathLimit0()] } or + TTaintStore(int n) { n in [1 .. accessPathLimit0()] } abstract private class TaintState extends TTaintState { abstract string toString(); diff --git a/java/ql/src/utils/modelgenerator/internal/CaptureModels.qll b/java/ql/src/utils/modelgenerator/internal/CaptureModels.qll index 9c19e5b9cbb..0a22178d108 100644 --- a/java/ql/src/utils/modelgenerator/internal/CaptureModels.qll +++ b/java/ql/src/utils/modelgenerator/internal/CaptureModels.qll @@ -72,11 +72,11 @@ string captureQualifierFlow(TargetApiSpecific api) { result = ModelPrinting::asValueModel(api, qualifierString(), "ReturnValue") } -private int accessPathLimit() { result = 2 } +private int accessPathLimit0() { result = 2 } private newtype TTaintState = - TTaintRead(int n) { n in [0 .. accessPathLimit()] } or - TTaintStore(int n) { n in [1 .. accessPathLimit()] } + TTaintRead(int n) { n in [0 .. accessPathLimit0()] } or + TTaintStore(int n) { n in [1 .. accessPathLimit0()] } abstract private class TaintState extends TTaintState { abstract string toString(); diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl1.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl1.qll index 2bbc565daa6..9b92f961e6f 100644 --- a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl1.qll +++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl1.qll 
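Review bot: The rename to `accessPathLimit0` avoids the clash with the new `ConfigSig::accessPathLimit` but leaves a bare numeric suffix with no explanation, and the same edit is duplicated byte-for-byte in the Java copy of CaptureModels.qll. Since `TTaintRead` is bounded by `[0 .. accessPathLimit0()]` and `TTaintStore` by `[1 .. accessPathLimit0()]`, this is the depth of captured reads/stores rather than a flow bound, which is worth saying where the predicate is declared: `/** Maximum number of reads/stores tracked per taint state; distinct from the data-flow accessPathLimit. */`, or a descriptive name such as `captureAccessPathLimit`. The surrounding newtype and `TaintState` class continue outside the hunk.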
@@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig { int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) } + int accessPathLimit() { result = 5 } + FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate sourceGrouping(Node source, string sourceGroup) { diff --git a/shared/dataflow/codeql/dataflow/DataFlow.qll b/shared/dataflow/codeql/dataflow/DataFlow.qll index 6a18c166613..6b14d3d2e06 100644 --- a/shared/dataflow/codeql/dataflow/DataFlow.qll +++ b/shared/dataflow/codeql/dataflow/DataFlow.qll @@ -376,6 +376,9 @@ module Configs { */ default int fieldFlowBranchLimit() { result = 2 } + /** Gets the access path limit. */ + default int accessPathLimit() { result = Lang::accessPathLimit() } + /** * Gets a data flow configuration feature to add restrictions to the set of * valid flow paths. @@ -495,6 +498,9 @@ module Configs { */ default int fieldFlowBranchLimit() { result = 2 } + /** Gets the access path limit. */ + default int accessPathLimit() { result = Lang::accessPathLimit() } + /** * Gets a data flow configuration feature to add restrictions to the set of * valid flow paths. @@ -583,6 +589,8 @@ module DataFlowMake { private module C implements FullStateConfigSig { import DefaultState import Config + + predicate accessPathLimit = Config::accessPathLimit/0; } import Impl @@ -599,6 +607,8 @@ module DataFlowMake { module GlobalWithState implements GlobalFlowSig { private module C implements FullStateConfigSig { import Config + + predicate accessPathLimit = Config::accessPathLimit/0; } import Impl diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll index d555b281710..2b43cbdd474 100644 --- a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll +++ b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll 
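Review bot: `int accessPathLimit() { result = 5 }` in the deprecated `Config` module hard-codes the bound, whereas the `ConfigSig` default added in the same patch delegates to `Lang::accessPathLimit()`; if the language-level limit ever differs from 5, the legacy `Configuration` API and the module API would bound access paths differently. If the legacy module can reach the language-level predicate, `int accessPathLimit() { result = Lang::accessPathLimit() }` (under whatever name this file imports it) keeps the two in step; otherwise a comment noting that 5 mirrors the historical default would at least document the choice. The same index hashes recur across the copies in the "Sync files" commit, so the fix belongs in whichever file the others are generated from. The deprecated `Config` module continues outside the hunk.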
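Review bot: `/** Gets the access path limit. */` on the new `default int accessPathLimit()` (in both the `ConfigSig` and `StateConfigSig` hunks of DataFlow.qll) says nothing about what is bounded or what a configuration trades off by changing it. The implementation uses the value as the maximum length of tracked access paths (the `TConsCons`/`TCons1` ranges in DataFlowImpl.qll end at `Config::accessPathLimit()`), so a three-line doc comment stating that it is the maximum number of nested `Content` steps a tracked access path may have, that lowering it trades recall for analysis cost, and that it defaults to the language-specific `Lang::accessPathLimit()` would give configuration authors what they need. Whether a value above the language default is honoured everywhere is not visible here; it is worth stating in the doc once confirmed.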
@@ -93,6 +93,9 @@ module MakeImpl { */ int fieldFlowBranchLimit(); + /** Gets the access path limit. */ + int accessPathLimit(); + /** * Gets a data flow configuration feature to add restrictions to the set of * valid flow paths. @@ -1328,6 +1331,13 @@ module MakeImpl { fwdFlow1(_, _, _, _, _, _, t0, t, ap, _) and t0 != t } + bindingset[c, t, tail] + additional Ap apCons(Content c, Typ t, Ap tail) { + result = Param::apCons(c, t, tail) and + Config::accessPathLimit() > 0 and + if tail instanceof ApNil then any() else Config::accessPathLimit() > 1 + } + pragma[nomagic] private predicate fwdFlow0( NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, TypOption argT, @@ -3026,11 +3036,11 @@ module MakeImpl { } or TConsCons(Content c1, DataFlowType t, Content c2, int len) { Stage4::consCand(c1, t, TFrontHead(c2)) and - len in [2 .. accessPathLimit()] and + len in [2 .. Config::accessPathLimit()] and not expensiveLen2unfolding(c1) } or TCons1(Content c, int len) { - len in [1 .. accessPathLimit()] and + len in [1 .. Config::accessPathLimit()] and expensiveLen2unfolding(c) } @@ -3189,7 +3199,10 @@ module MakeImpl { Typ getTyp(DataFlowType t) { result = t } bindingset[c, t, tail] - Ap apCons(Content c, Typ t, Ap tail) { result.isCons(c, t, tail) } + Ap apCons(Content c, Typ t, Ap tail) { + result.isCons(c, t, tail) and + Config::accessPathLimit() > tail.len() + } class ApHeadContent = Content; From da66281fef261b93c2ca667d5c4a66effc53cbaf Mon Sep 17 00:00:00 2001 
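Review bot: The new signature member `int accessPathLimit();` in `FullStateConfigSig` carries only `/** Gets the access path limit. */`, and this patch switches the unqualified `accessPathLimit()` to `Config::accessPathLimit()` only in `TConsCons`/`TCons1` and the Stage 5 `apCons`; any other bound in this file or the shared common library that still calls the unqualified predicate would silently cap a configuration that raises the limit above the language default, so the remaining call sites are worth grepping (the partial-flow access path newtype, at least, is not touched in this hunk). Suggest documenting the invariant the implementation relies on: `/** Gets the maximum length of access paths tracked for this configuration; longer paths are not followed, so every length bound in the implementation must use this value. */`. Note that the generic `apCons` guard `if tail instanceof ApNil then any() else Config::accessPathLimit() > 1` can only reject a store onto a non-empty tail when the limit is exactly 1, because the generic `Ap` has no length, which is why the exact check has to live in the per-stage `apCons` as the Stage 5 change does. The `MakeImpl` module continues outside the hunk.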
From: Tom Hvitved Date: Mon, 11 Mar 2024 11:59:15 +0100 Subject: [PATCH 2/4] Sync files --- cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll | 2 ++ cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll | 2 ++ cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll | 2 ++ cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll | 2 ++ .../lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll | 2 ++ .../lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll | 2 ++ .../lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll | 2 ++ .../lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll | 2 ++ .../lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll | 2 ++ .../lib/semmle/code/csharp/dataflow/internal/DataFlowImpl1.qll | 2 ++ .../lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll | 2 ++ .../lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll | 2 ++ .../lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll | 2 ++ .../lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll | 2 ++ go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl1.qll | 2 ++ go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl2.qll | 2 ++ .../ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl1.qll | 2 ++ .../ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll | 2 ++ .../ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll | 2 ++ .../ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll | 2 ++ .../ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll | 2 ++ .../ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll | 2 ++ .../lib/semmle/python/dataflow/new/internal/DataFlowImpl1.qll | 2 ++ .../lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll | 2 ++ .../lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll | 2 ++ .../lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll | 2 ++ ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll | 2 ++ 
swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl1.qll | 2 ++ 28 files changed, 56 insertions(+) diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll index 2bbc565daa6..9b92f961e6f 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll @@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig { int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) } + int accessPathLimit() { result = 5 } + FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate sourceGrouping(Node source, string sourceGroup) { diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll index 2bbc565daa6..9b92f961e6f 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll @@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig { int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) } + int accessPathLimit() { result = 5 } + FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate sourceGrouping(Node source, string sourceGroup) { diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll index 2bbc565daa6..9b92f961e6f 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll 
@@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig { int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) } + int accessPathLimit() { result = 5 } + FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate sourceGrouping(Node source, string sourceGroup) { diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll index 2bbc565daa6..9b92f961e6f 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll @@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig { int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) } + int accessPathLimit() { result = 5 } + FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate sourceGrouping(Node source, string sourceGroup) { diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll index 2bbc565daa6..9b92f961e6f 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll @@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig { int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) } + int accessPathLimit() { result = 5 } + FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate sourceGrouping(Node source, string sourceGroup) { diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll index 2bbc565daa6..9b92f961e6f 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll 
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll @@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig { int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) } + int accessPathLimit() { result = 5 } + FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate sourceGrouping(Node source, string sourceGroup) { diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll index 2bbc565daa6..9b92f961e6f 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll @@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig { int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) } + int accessPathLimit() { result = 5 } + FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate sourceGrouping(Node source, string sourceGroup) { diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll index 2bbc565daa6..9b92f961e6f 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll @@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig { int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) } + int accessPathLimit() { result = 5 } + FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate sourceGrouping(Node source, string sourceGroup) { diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll index 2bbc565daa6..9b92f961e6f 100644 
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll @@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig { int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) } + int accessPathLimit() { result = 5 } + FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate sourceGrouping(Node source, string sourceGroup) { diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl1.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl1.qll index 2bbc565daa6..9b92f961e6f 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl1.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl1.qll @@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig { int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) } + int accessPathLimit() { result = 5 } + FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate sourceGrouping(Node source, string sourceGroup) { diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll index 2bbc565daa6..9b92f961e6f 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll @@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig { int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) } + int accessPathLimit() { result = 5 } + FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate sourceGrouping(Node source, string sourceGroup) { 
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll index 2bbc565daa6..9b92f961e6f 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll @@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig { int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) } + int accessPathLimit() { result = 5 } + FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate sourceGrouping(Node source, string sourceGroup) { diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll index 2bbc565daa6..9b92f961e6f 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll @@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig { int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) } + int accessPathLimit() { result = 5 } + FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate sourceGrouping(Node source, string sourceGroup) { diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll index 2bbc565daa6..9b92f961e6f 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll 
@@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig { int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) } + int accessPathLimit() { result = 5 } + FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate sourceGrouping(Node source, string sourceGroup) { diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl1.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl1.qll index 2bbc565daa6..9b92f961e6f 100644 --- a/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl1.qll +++ b/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl1.qll @@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig { int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) } + int accessPathLimit() { result = 5 } + FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate sourceGrouping(Node source, string sourceGroup) { diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl2.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl2.qll index 2bbc565daa6..9b92f961e6f 100644 --- a/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl2.qll +++ b/go/ql/lib/semmle/go/dataflow/internal/DataFlowImpl2.qll @@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig { int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) } + int accessPathLimit() { result = 5 } + FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate sourceGrouping(Node source, string sourceGroup) { diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl1.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl1.qll index 2bbc565daa6..9b92f961e6f 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl1.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl1.qll 
@@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig { int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) } + int accessPathLimit() { result = 5 } + FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate sourceGrouping(Node source, string sourceGroup) { diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll index 2bbc565daa6..9b92f961e6f 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll @@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig { int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) } + int accessPathLimit() { result = 5 } + FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate sourceGrouping(Node source, string sourceGroup) { diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll index 2bbc565daa6..9b92f961e6f 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll @@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig { int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) } + int accessPathLimit() { result = 5 } + FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate sourceGrouping(Node source, string sourceGroup) { diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll index 2bbc565daa6..9b92f961e6f 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll 
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll @@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig { int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) } + int accessPathLimit() { result = 5 } + FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate sourceGrouping(Node source, string sourceGroup) { diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll index 2bbc565daa6..9b92f961e6f 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll @@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig { int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) } + int accessPathLimit() { result = 5 } + FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate sourceGrouping(Node source, string sourceGroup) { diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll index 2bbc565daa6..9b92f961e6f 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll @@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig { int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) } + int accessPathLimit() { result = 5 } + FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate sourceGrouping(Node source, string sourceGroup) { diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl1.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl1.qll index 2bbc565daa6..9b92f961e6f 100644 
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl1.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl1.qll @@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig { int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) } + int accessPathLimit() { result = 5 } + FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate sourceGrouping(Node source, string sourceGroup) { diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll index 2bbc565daa6..9b92f961e6f 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll @@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig { int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) } + int accessPathLimit() { result = 5 } + FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate sourceGrouping(Node source, string sourceGroup) { diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll index 2bbc565daa6..9b92f961e6f 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll @@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig { int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) } + int accessPathLimit() { result = 5 } + FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate sourceGrouping(Node source, string sourceGroup) { 
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll index 2bbc565daa6..9b92f961e6f 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll @@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig { int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) } + int accessPathLimit() { result = 5 } + FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate sourceGrouping(Node source, string sourceGroup) { diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll index 2bbc565daa6..9b92f961e6f 100644 --- a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll +++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll @@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig { int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) } + int accessPathLimit() { result = 5 } + FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate sourceGrouping(Node source, string sourceGroup) { diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl1.qll b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl1.qll index 2bbc565daa6..9b92f961e6f 100644 --- a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl1.qll +++ b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImpl1.qll 
@@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig { int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) } + int accessPathLimit() { result = 5 } + FlowFeature getAFeature() { result = any(Configuration config).getAFeature() } predicate sourceGrouping(Node source, string sourceGroup) { From 0e0b73a5e67c3f07530e40715358a471cfcc5ba5 Mon Sep 17 00:00:00 2001 From: Tom Hvitved Date: Tue, 12 Mar 2024 11:22:04 +0100 Subject: [PATCH 3/4] Address review comment --- shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll index 2b43cbdd474..6fbeb35bded 100644 --- a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll +++ b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll @@ -1334,8 +1334,10 @@ module MakeImpl { bindingset[c, t, tail] additional Ap apCons(Content c, Typ t, Ap tail) { result = Param::apCons(c, t, tail) and - Config::accessPathLimit() > 0 and - if tail instanceof ApNil then any() else Config::accessPathLimit() > 1 + exists(int limit | + limit = Config::accessPathLimit() and + if tail instanceof ApNil then limit > 0 else limit > 1 + ) } pragma[nomagic] From d7790faeceeee0f9f43f1f2cc837ece38afcc592 Mon Sep 17 00:00:00 2001 From: Tom Hvitved Date: Tue, 12 Mar 2024 11:51:32 +0100 Subject: [PATCH 4/4] Address review comments --- .../codeql/dataflow/internal/DataFlowImpl.qll | 25 +++++++------------ 1 file changed, 9 insertions(+), 16 deletions(-) diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll index 6fbeb35bded..e075af108d1 100644 --- a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll +++ b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll 
@@ -480,7 +480,9 @@ module MakeImpl { /** * Holds if field flow should be used for the given configuration. */ - private predicate useFieldFlow() { Config::fieldFlowBranchLimit() >= 1 } + private predicate useFieldFlow() { + Config::fieldFlowBranchLimit() >= 1 and Config::accessPathLimit() > 0 + } private predicate hasSourceCallCtx() { exists(FlowFeature feature | feature = Config::getAFeature() | @@ -1331,15 +1333,6 @@ module MakeImpl { fwdFlow1(_, _, _, _, _, _, t0, t, ap, _) and t0 != t } - bindingset[c, t, tail] - additional Ap apCons(Content c, Typ t, Ap tail) { - result = Param::apCons(c, t, tail) and - exists(int limit | - limit = Config::accessPathLimit() and - if tail instanceof ApNil then limit > 0 else limit > 1 - ) - } - pragma[nomagic] private predicate fwdFlow0( NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, TypOption argT, @@ -2534,7 +2527,10 @@ module MakeImpl { bindingset[c, t, tail] Ap apCons(Content c, Typ t, Ap tail) { - result = true and exists(c) and exists(t) and exists(tail) + result = true and + exists(c) and + exists(t) and + if tail = true then Config::accessPathLimit() > 1 else any() } class ApHeadContent = Unit; @@ -3201,10 +3197,7 @@ module MakeImpl { Typ getTyp(DataFlowType t) { result = t } bindingset[c, t, tail] - Ap apCons(Content c, Typ t, Ap tail) { - result.isCons(c, t, tail) and - Config::accessPathLimit() > tail.len() - } + Ap apCons(Content c, Typ t, Ap tail) { result.isCons(c, t, tail) } class ApHeadContent = Content; @@ -4641,7 +4634,7 @@ module MakeImpl { private newtype TPartialAccessPath = TPartialNil() or - TPartialCons(Content c, int len) { len in [1 .. accessPathLimit()] } + TPartialCons(Content c, int len) { len in [1 .. Config::accessPathLimit()] } /** * Conceptually a list of `Content`s, but only the first
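Review bot: `useFieldFlow()` now gates on both `fieldFlowBranchLimit() >= 1` and `accessPathLimit() > 0`, but its doc comment still reads only "Holds if field flow should be used for the given configuration" and does not say that a zero access path limit disables field flow entirely. Suggest `/** Holds if field flow should be used for the given configuration, i.e. the branch limit allows at least one branch and the access path limit allows at least one content step. */`. The surrounding `MakeImpl` module continues outside the hunk.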
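Review bot: The Stage 2 `apCons` now rejects a cons only when `tail = true` and `Config::accessPathLimit() > 1` fails, and nothing in the hunk says why a limit of 2 or more accepts every non-empty tail; a why-comment would stop the next reader from concluding the bound was lost. Suggest, above the `if`: `// Ap is a boolean here (empty / non-empty), so only a limit of 1 can be enforced exactly; longer paths are bounded in Stage 5 by the TConsCons/TCons1 length ranges` — that Stage 5 relies on those ranges is consistent with its `apCons` being reverted to `result.isCons(c, t, tail)` in this same patch, but confirm the ranges cover every access path constructor. With `tail = false` the cons is accepted for any limit including 0, which is presumably fine only because stores are not considered unless `useFieldFlow()` holds; worth confirming. The enclosing stage parameter module continues outside the hunk.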