Shared: Put the content of CaptureSummaryFlowQuery into the shared library code.

csharp/ql/src/utils/modelgenerator/CaptureNeutralModels.ql

@@ -6,9 +6,7 @@
  * @tags modelgenerator
  */
 
-import semmle.code.csharp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 import internal.CaptureModels
-import internal.CaptureSummaryFlowQuery
 
 from DataFlowSummaryTargetApi api, string noflow
 where noflow = captureNoFlow(api)

csharp/ql/src/utils/modelgenerator/CaptureSummaryModels.ql

@@ -6,9 +6,7 @@
  * @tags modelgenerator
  */
 
-import semmle.code.csharp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 import internal.CaptureModels
-import internal.CaptureSummaryFlowQuery
 
 from DataFlowSummaryTargetApi api, string flow
 where flow = captureFlow(api)

csharp/ql/src/utils/modelgenerator/internal/CaptureSummaryFlowQuery.qll

@@ -1,93 +0,0 @@
-private import CaptureModels
-
-/**
- * Capture fluent APIs that return `this`.
- * Example of a fluent API:
- * ```csharp
- * public class BasicFlow {
- *   public BasicFlow ReturnThis(object input)
- *   {
- *     // some side effect
- *     return this;
- *   }
- * ```
- * Captured Model:
- * ```Summaries;BasicFlow;false;ReturnThis;(System.Object);Argument[this];ReturnValue;value;df-generated```
- * Capture APIs that transfer taint from an input parameter to an output return
- * value or parameter.
- * Allows a sequence of read steps followed by a sequence of store steps.
- *
- * Examples:
- *
- * ```csharp
- * public class BasicFlow {
- *   private string tainted;
- *
- *   public String ReturnField()
- *   {
- *     return tainted;
- *   }
- *
- *   public void AssignFieldToArray(object[] target)
- *   {
- *     target[0] = tainted;
- *   }
- * }
- * ```
- * Captured Models:
- * ```
- * Summaries;BasicFlow;false;ReturnField;();Argument[this];ReturnValue;taint;df-generated |
- * Summaries;BasicFlow;false;AssignFieldToArray;(System.Object[]);Argument[this];Argument[0].Element;taint;df-generated
- * ```
- *
- * ```csharp
- * public class BasicFlow {
- *   private string tainted;
- *
- *   public void SetField(string s)
- *   {
- *     tainted = s;
- *   }
- * }
- * ```
- * Captured Model:
- * ```Summaries;BasicFlow;false;SetField;(System.String);Argument[0];Argument[this];taint;df-generated```
- *
- * ```csharp
- * public class BasicFlow {
- *   public void ReturnSubstring(string s)
- *   {
- *     return s.Substring(0, 1);
- *   }
- * }
- * ```
- * Captured Model:
- * ```Summaries;BasicFlow;false;ReturnSubstring;(System.String);Argument[0];ReturnValue;taint;df-generated```
- *
- * ```csharp
- * public class BasicFlow {
- *    public void AssignToArray(int data, int[] target)
- *    {
- *        target[0] = data;
- *    }
- * }
- * ```
- * Captured Model:
- * ```Summaries;BasicFlow;false;AssignToArray;(System.Int32,System.Int32[]);Argument[0];Argument[1].Element;taint;df-generated```
- */
-string captureFlow(DataFlowSummaryTargetApi api) {
-  result = captureQualifierFlow(api) or
-  result = captureThroughFlow(api)
-}
-
-/**
- * Gets the neutral summary model for `api`, if any.
- * A neutral summary model is generated, if we are not generating
- * a summary model that applies to `api` and if it relevant to generate
- * a model for `api`.
- */
-string captureNoFlow(DataFlowSummaryTargetApi api) {
-  not exists(DataFlowSummaryTargetApi api0 | exists(captureFlow(api0)) and api0.lift() = api.lift()) and
-  api.isRelevant() and
-  result = ModelPrinting::asNeutralSummaryModel(api)
-}

csharp/ql/test/utils/modelgenerator/dataflow/CaptureNeutralModels.ql

@@ -1,5 +1,5 @@
 import csharp
-import utils.modelgenerator.internal.CaptureSummaryFlowQuery
+import utils.modelgenerator.internal.CaptureModels
 import TestUtilities.InlineMadTest
 
 module InlineMadTestConfig implements InlineMadTestConfigSig {

csharp/ql/test/utils/modelgenerator/dataflow/CaptureSummaryModels.ql

@@ -1,5 +1,5 @@
 import csharp
-import utils.modelgenerator.internal.CaptureSummaryFlowQuery
+import utils.modelgenerator.internal.CaptureModels
 import TestUtilities.InlineMadTest
 
 module InlineMadTestConfig implements InlineMadTestConfigSig {

java/ql/src/utils/modelgenerator/CaptureNeutralModels.ql

@@ -7,7 +7,6 @@
  */
 
 import internal.CaptureModels
-import internal.CaptureSummaryFlowQuery
 
 from DataFlowSummaryTargetApi api, string noflow
 where noflow = captureNoFlow(api)

java/ql/src/utils/modelgenerator/CaptureSummaryModels.ql

@@ -7,7 +7,6 @@
  */
 
 import internal.CaptureModels
-import internal.CaptureSummaryFlowQuery
 
 from DataFlowSummaryTargetApi api, string flow
 where flow = captureFlow(api)

java/ql/src/utils/modelgenerator/internal/CaptureSummaryFlowQuery.qll

@@ -1,84 +0,0 @@
-private import CaptureModels
-
-/**
- * Capture fluent APIs that return `this`.
- * Example of a fluent API:
- * ```java
- * public class Foo {
- *   public Foo someAPI() {
- *    // some side-effect
- *    return this;
- *  }
- * }
- * ```
- *
- * Capture APIs that transfer taint from an input parameter to an output return
- * value or parameter.
- * Allows a sequence of read steps followed by a sequence of store steps.
- *
- * Examples:
- *
- * ```java
- * public class Foo {
- *   private String tainted;
- *
- *   public String returnsTainted() {
- *     return tainted;
- *   }
- *
- *   public void putsTaintIntoParameter(List<String> foo) {
- *     foo.add(tainted);
- *   }
- * }
- * ```
- * Captured Models:
- * ```
- * p;Foo;true;returnsTainted;;Argument[this];ReturnValue;taint;df-generated
- * p;Foo;true;putsTaintIntoParameter;(List);Argument[this];Argument[0];taint;df-generated
- * ```
- *
- * ```java
- * public class Foo {
- *  private String tainted;
- *  public void doSomething(String input) {
- *    tainted = input;
- *  }
- * ```
- * Captured Model:
- * ```p;Foo;true;doSomething;(String);Argument[0];Argument[this];taint;df-generated```
- *
- * ```java
- * public class Foo {
- *   public String returnData(String tainted) {
- *     return tainted.substring(0,10)
- *   }
- * }
- * ```
- * Captured Model:
- * ```p;Foo;true;returnData;;Argument[0];ReturnValue;taint;df-generated```
- *
- * ```java
- * public class Foo {
- *   public void addToList(String tainted, List<String> foo) {
- *     foo.add(tainted);
- *   }
- * }
- * ```
- * Captured Model:
- * ```p;Foo;true;addToList;;Argument[0];Argument[1];taint;df-generated```
- */
-string captureFlow(DataFlowSummaryTargetApi api) {
-  result = captureQualifierFlow(api) or
-  result = captureThroughFlow(api)
-}
-
-/**
- * Gets the neutral summary model for `api`, if any.
- * A neutral summary model is generated, if we are not generating
- * a summary model that applies to `api`.
- */
-string captureNoFlow(DataFlowSummaryTargetApi api) {
-  not exists(DataFlowSummaryTargetApi api0 | exists(captureFlow(api0)) and api0.lift() = api.lift()) and
-  api.isRelevant() and
-  result = ModelPrinting::asNeutralSummaryModel(api)
-}

java/ql/test/utils/modelgenerator/dataflow/CaptureNeutralModels.ql

@@ -1,5 +1,5 @@
 import java
-import utils.modelgenerator.internal.CaptureSummaryFlowQuery
+import utils.modelgenerator.internal.CaptureModels
 import TestUtilities.InlineMadTest
 
 module InlineMadTestConfig implements InlineMadTestConfigSig {

java/ql/test/utils/modelgenerator/dataflow/CaptureSummaryModels.ql

@@ -1,5 +1,5 @@
 import java
-import utils.modelgenerator.internal.CaptureSummaryFlowQuery
+import utils.modelgenerator.internal.CaptureModels
 import TestUtilities.InlineMadTest
 
 module InlineMadTestConfig implements InlineMadTestConfigSig {

shared/mad/codeql/mad/modelgenerator/internal/ModelGeneratorImpl.qll

@@ -376,7 +376,7 @@ module MakeModelGenerator<
   /**
    * Gets the summary model of `api`, if it follows the `fluent` programming pattern (returns `this`).
    */
-  string captureQualifierFlow(DataFlowSummaryTargetApi api) {
+  private string captureQualifierFlow(DataFlowSummaryTargetApi api) {
     exists(ReturnNodeExt ret |
       api = returnNodeEnclosingCallable(ret) and
       isOwnInstanceAccessNode(ret)
@@ -498,13 +498,35 @@ module MakeModelGenerator<
   /**
    * Gets the summary model(s) of `api`, if there is flow from parameters to return value or parameter.
    */
-  string captureThroughFlow(DataFlowSummaryTargetApi api) {
+  private string captureThroughFlow(DataFlowSummaryTargetApi api) {
     exists(DataFlow::ParameterNode p, ReturnNodeExt returnNodeExt |
       PropagateFlow::flow(p, returnNodeExt) and
       result = captureThroughFlow0(api, p, returnNodeExt)
     )
   }
 
+  /**
+   * Gets the summary model(s) of `api`, if there is flow from parameters to the
+   * return value or parameter or if `api` is a fluent API.
+   */
+  string captureFlow(DataFlowSummaryTargetApi api) {
+    result = captureQualifierFlow(api) or
+    result = captureThroughFlow(api)
+  }
+
+  /**
+   * Gets the neutral summary model for `api`, if any.
+   * A neutral summary model is generated, if we are not generating
+   * a summary model that applies to `api`.
+   */
+  string captureNoFlow(DataFlowSummaryTargetApi api) {
+    not exists(DataFlowSummaryTargetApi api0 |
+      exists(captureFlow(api0)) and api0.lift() = api.lift()
+    ) and
+    api.isRelevant() and
+    result = ModelPrinting::asNeutralSummaryModel(api)
+  }
+
   /**
    * Provides classes and predicates related to capturing summary models
    * based on content data flow.