hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #17246 from michaelnebel/modelgendebug

Browse Source 
C#/Java: Add some model generator summary debugging queries.
This commit is contained in:
Michael Nebel
2024-08-26 16:13:03 +02:00
committed by GitHub
parent 4e3440aad0 34d83a6b0d
commit e81fdc951a
8 changed files with 138 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
csharp/ql/src/utils/modelgenerator/debug/CaptureSummaryModelsPartialPath.ql Normal file
View File

@@ -0,0 +1,27 @@
/**
* @name Capture Summary Models Partial Path
* @description Capture Summary Models Partial Path
* @kind path-problem
* @precision low
* @id csharp/utils/modelgenerator/summary-models-partial-path
* @severity info
* @tags modelgenerator
*/
import csharp
import utils.modelgenerator.internal.CaptureModels
import PartialFlow::PartialPathGraph
int explorationLimit() { result = 3 }
module PartialFlow = PropagateFlow::FlowExplorationFwd<explorationLimit/0>;
from
PartialFlow::PartialPathNode source, PartialFlow::PartialPathNode sink,
DataFlowSummaryTargetApi api, DataFlow::ParameterNode p
where
PartialFlow::partialFlow(source, sink, _) and
p = source.getNode() and
p.asParameter() = api.getAParameter()
select sink.getNode(), source, sink, "There is flow from a $@ to $@.", source.getNode(),
"parameter", sink.getNode(), "intermediate value"

24
csharp/ql/src/utils/modelgenerator/debug/CaptureSummaryModelsPath.ql Normal file
View File

@@ -0,0 +1,24 @@
/**
* @name Capture Summary Models Path
* @description Capture Summary Models Path
* @kind path-problem
* @precision low
* @id csharp/utils/modelgenerator/summary-models-path
* @severity warning
* @tags modelgenerator
*/
import csharp
import utils.modelgenerator.internal.CaptureModels
import PropagateFlow::PathGraph
from
PropagateFlow::PathNode source, PropagateFlow::PathNode sink, DataFlowSummaryTargetApi api,
DataFlow::Node p, DataFlow::Node returnNodeExt
where
PropagateFlow::flowPath(source, sink) and
p = source.getNode() and
returnNodeExt = sink.getNode() and
exists(captureThroughFlow0(api, p, returnNodeExt))
select sink.getNode(), source, sink, "There is flow from $@ to the $@.", source.getNode(),
"parameter", sink.getNode(), "return value"

1
csharp/ql/src/utils/modelgenerator/debug/README.md Normal file
View File

@@ -0,0 +1 @@
The queries in this directory are purely used for model generator debugging purposes in VS Code.

23
csharp/ql/src/utils/modelgenerator/internal/CaptureModels.qll
View File

@@ -194,14 +194,13 @@ module PropagateFlowConfig implements DataFlow::StateConfigSig {
}
}
private module PropagateFlow = TaintTracking::GlobalWithState<PropagateFlowConfig>;
module PropagateFlow = TaintTracking::GlobalWithState<PropagateFlowConfig>;
/**
* Gets the summary model(s) of `api`, if there is flow from parameters to return value or parameter.
*/
string captureThroughFlow(DataFlowSummaryTargetApi api) {
exists(DataFlow::ParameterNode p, ReturnNodeExt returnNodeExt, string input, string output |
PropagateFlow::flow(p, returnNodeExt) and
string captureThroughFlow0(
DataFlowSummaryTargetApi api, DataFlow::ParameterNode p, ReturnNodeExt returnNodeExt
) {
exists(string input, string output |
p.getEnclosingCallable() = api and
returnNodeExt.(DataFlow::Node).getEnclosingCallable() = api and
input = parameterNodeAsInput(p) and
output = returnNodeExt.getOutput() and
@@ -210,6 +209,16 @@ string captureThroughFlow(DataFlowSummaryTargetApi api) {
)
}
/**
* Gets the summary model(s) of `api`, if there is flow from parameters to return value or parameter.
*/
string captureThroughFlow(DataFlowSummaryTargetApi api) {
exists(DataFlow::ParameterNode p, ReturnNodeExt returnNodeExt |
PropagateFlow::flow(p, returnNodeExt) and
result = captureThroughFlow0(api, p, returnNodeExt)
)
}
/**
* A dataflow configuration used for finding new sources.
* The sources are the already known existing sources and the sinks are the API return nodes.

28
java/ql/src/utils/modelgenerator/debug/CaptureSummaryModelsPartialPath.ql Normal file
View File

@@ -0,0 +1,28 @@
/**
* @name Capture Summary Models Partial Path
* @description Capture Summary Models Partial Path
* @kind path-problem
* @precision low
* @id java/utils/modelgenerator/summary-models-partial-path
* @severity info
* @tags modelgenerator
*/
import java
import semmle.code.java.dataflow.DataFlow
import utils.modelgenerator.internal.CaptureModels
import PartialFlow::PartialPathGraph
int explorationLimit() { result = 3 }
module PartialFlow = PropagateFlow::FlowExplorationFwd<explorationLimit/0>;
from
PartialFlow::PartialPathNode source, PartialFlow::PartialPathNode sink,
DataFlowSummaryTargetApi api, DataFlow::ParameterNode p
where
PartialFlow::partialFlow(source, sink, _) and
p = source.getNode() and
p.asParameter() = api.getAParameter()
select sink.getNode(), source, sink, "There is flow from a $@ to $@.", source.getNode(),
"parameter", sink.getNode(), "intermediate value"

25
java/ql/src/utils/modelgenerator/debug/CaptureSummaryModelsPath.ql Normal file
View File

@@ -0,0 +1,25 @@
/**
* @name Capture Summary Models Path
* @description Capture Summary Models Path
* @kind path-problem
* @precision low
* @id java/utils/modelgenerator/summary-models-path
* @severity warning
* @tags modelgenerator
*/
import java
import semmle.code.java.dataflow.DataFlow
import utils.modelgenerator.internal.CaptureModels
import PropagateFlow::PathGraph
from
PropagateFlow::PathNode source, PropagateFlow::PathNode sink, DataFlowSummaryTargetApi api,
DataFlow::Node p, DataFlow::Node returnNodeExt
where
PropagateFlow::flowPath(source, sink) and
p = source.getNode() and
returnNodeExt = sink.getNode() and
exists(captureThroughFlow0(api, p, returnNodeExt))
select sink.getNode(), source, sink, "There is flow from $@ to the $@.", source.getNode(),
"parameter", sink.getNode(), "return value"

1
java/ql/src/utils/modelgenerator/debug/README.md Normal file
View File

@@ -0,0 +1 @@
The queries in this directory are purely used for model generator debugging purposes in VS Code.

23
java/ql/src/utils/modelgenerator/internal/CaptureModels.qll
View File

@@ -194,14 +194,13 @@ module PropagateFlowConfig implements DataFlow::StateConfigSig {
}
}
private module PropagateFlow = TaintTracking::GlobalWithState<PropagateFlowConfig>;
module PropagateFlow = TaintTracking::GlobalWithState<PropagateFlowConfig>;
/**
* Gets the summary model(s) of `api`, if there is flow from parameters to return value or parameter.
*/
string captureThroughFlow(DataFlowSummaryTargetApi api) {
exists(DataFlow::ParameterNode p, ReturnNodeExt returnNodeExt, string input, string output |
PropagateFlow::flow(p, returnNodeExt) and
string captureThroughFlow0(
DataFlowSummaryTargetApi api, DataFlow::ParameterNode p, ReturnNodeExt returnNodeExt
) {
exists(string input, string output |
p.getEnclosingCallable() = api and
returnNodeExt.(DataFlow::Node).getEnclosingCallable() = api and
input = parameterNodeAsInput(p) and
output = returnNodeExt.getOutput() and
@@ -210,6 +209,16 @@ string captureThroughFlow(DataFlowSummaryTargetApi api) {
)
}
/**
* Gets the summary model(s) of `api`, if there is flow from parameters to return value or parameter.
*/
string captureThroughFlow(DataFlowSummaryTargetApi api) {
exists(DataFlow::ParameterNode p, ReturnNodeExt returnNodeExt |
PropagateFlow::flow(p, returnNodeExt) and
result = captureThroughFlow0(api, p, returnNodeExt)
)
}
/**
* A dataflow configuration used for finding new sources.
* The sources are the already known existing sources and the sinks are the API return nodes.