C#: Always use PathNode in a path-problem query.

csharp/ql/src/Security Features/CWE-022/TaintedPath.ql

@@ -18,5 +18,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
 from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
-select sink, source, sink,
-  "$@ flows to here and is used in a path.", source, "User-provided value"
+select sink.getNode(), source, sink,
+  "$@ flows to here and is used in a path.", source.getNode(), "User-provided value"

csharp/ql/src/Security Features/CWE-022/ZipSlip.ql

@@ -17,5 +17,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
 from TaintTrackingConfiguration zipTaintTracking, DataFlow::PathNode source, DataFlow::PathNode sink
 where zipTaintTracking.hasFlowPath(source, sink)
-select sink, source, sink,
-  "Unsanitized zip archive $@, which may contain '..', is used in a file system operation.", source, "item path"
+select sink.getNode(), source, sink,
+  "Unsanitized zip archive $@, which may contain '..', is used in a file system operation.", source.getNode(), "item path"

csharp/ql/src/Security Features/CWE-078/CommandInjection.ql

@@ -18,5 +18,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
 from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
-select sink, source, sink,
-  "$@ flows to here and is used in a command.", source, "User-provided value"
+select sink.getNode(), source, sink,
+  "$@ flows to here and is used in a command.", source.getNode(), "User-provided value"

csharp/ql/src/Security Features/CWE-078/StoredCommandInjection.ql

@@ -25,5 +25,5 @@ class StoredTaintTrackingConfiguration extends TaintTrackingConfiguration {
 
 from StoredTaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
-select sink, source, sink,
-  "$@ flows to here and is used in a command.", source, "Stored user-provided value"
+select sink.getNode(), source, sink,
+  "$@ flows to here and is used in a command.", source.getNode(), "Stored user-provided value"

csharp/ql/src/Security Features/CWE-079/StoredXSS.ql

@@ -21,11 +21,11 @@ class StoredTaintTrackingConfiguration extends TaintTrackingConfiguration {
   }
 }
 
-from StoredTaintTrackingConfiguration c, StoredFlowSource source, Sink sink, string explanation
-where c.hasFlow(source, sink)
+from StoredTaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink, string explanation
+where c.hasFlowPath(source, sink)
 and
-  if exists(sink.explanation())
-  then explanation = ": " + sink.explanation() + "."
+  if exists(sink.getNode().(Sink).explanation())
+  then explanation = ": " + sink.getNode().(Sink).explanation() + "."
   else explanation = "."
-select sink, source.getPathNode(c), sink.getPathNode(c),
-  "$@ flows to here and is written to HTML or JavaScript" + explanation, source, "Stored user-provided value"
+select sink.getNode(), source, sink,
+  "$@ flows to here and is written to HTML or JavaScript" + explanation, source.getNode(), "Stored user-provided value"

csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.ql

@@ -23,5 +23,5 @@ class StoredTaintTrackingConfiguration extends SqlInjection::TaintTrackingConfig
 
 from StoredTaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
-select sink, source, sink,
-  "$@ flows to here and is used in an SQL query.", source, "Stored user-provided value"
+select sink.getNode(), source, sink,
+  "$@ flows to here and is used in an SQL query.", source.getNode(), "Stored user-provided value"

csharp/ql/src/Security Features/CWE-089/SqlInjection.ql

@@ -14,7 +14,7 @@ import csharp
 import semmle.code.csharp.security.dataflow.SqlInjection::SqlInjection
 import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
-from TaintTrackingConfiguration c, RemoteFlowSource source, Sink sink
-where c.hasFlow(source, sink)
-select sink, source.getPathNode(c), sink.getPathNode(c),
-  "Query might include code from $@.", source, ("this " + source.getSourceType())
+from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
+where c.hasFlowPath(source, sink)
+select sink.getNode(), source, sink,
+  "Query might include code from $@.", source, ("this " + source.getNode().(RemoteFlowSource).getSourceType())

csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql

@@ -15,5 +15,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
 from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
-select sink, source, sink,
-  "$@ flows to here and is used in an LDAP query.", source, "User-provided value"
+select sink.getNode(), source, sink,
+  "$@ flows to here and is used in an LDAP query.", source.getNode(), "User-provided value"

csharp/ql/src/Security Features/CWE-090/StoredLDAPInjection.ql

@@ -22,5 +22,5 @@ class StoredTaintTrackingConfiguration extends TaintTrackingConfiguration {
 
 from StoredTaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
-select sink, source, sink,
-  "$@ flows to here and is used in an LDAP query.", source, "Stored user-provided value"
+select sink.getNode(), source, sink,
+  "$@ flows to here and is used in an LDAP query.", source.getNode(), "Stored user-provided value"

csharp/ql/src/Security Features/CWE-094/CodeInjection.ql

@@ -17,5 +17,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
 from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
-select sink, source, sink,
-  "$@ flows to here and is compiled as code.", source, "User-provided value"
+select sink.getNode(), source, sink,
+  "$@ flows to here and is compiled as code.", source.getNode(), "User-provided value"

csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql

@@ -15,5 +15,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
 from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
-select sink, source, sink,
-  "$@ flows to here and is used in a resource descriptor.", source, "User-provided value"
+select sink.getNode(), source, sink,
+  "$@ flows to here and is used in a resource descriptor.", source.getNode(), "User-provided value"

csharp/ql/src/Security Features/CWE-112/MissingXMLValidation.ql

@@ -13,7 +13,7 @@ import csharp
 import semmle.code.csharp.security.dataflow.MissingXMLValidation::MissingXMLValidation
 import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
-from TaintTrackingConfiguration c, Source source, Sink sink
-where c.hasFlow(source, sink)
-select sink, source.getPathNode(c), sink.getPathNode(c),
-  "$@ flows to here and is processed as XML without validation because " + sink.getReason(), source, "User-provided value"
+from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
+where c.hasFlowPath(source, sink)
+select sink.getNode(), source, sink,
+  "$@ flows to here and is processed as XML without validation because " + sink.getNode().(Sink).getReason(), source.getNode(), "User-provided value"

csharp/ql/src/Security Features/CWE-117/LogForging.ql

@@ -15,5 +15,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
 from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
-select sink, source, sink,
-  "$@ flows to log entry.", source, "User-provided value"
+select sink.getNode(), source, sink,
+  "$@ flows to log entry.", source.getNode(), "User-provided value"

csharp/ql/src/Security Features/CWE-201/ExposureInTransmittedData.ql

@@ -52,5 +52,5 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
 
 from TaintTrackingConfiguration configuration, DataFlow::PathNode source, DataFlow::PathNode sink
 where configuration.hasFlowPath(source, sink)
-select sink, source, sink,
-  "Sensitive information from $@ flows to here, and is transmitted to the user.", source, source.toString()
+select sink.getNode(), source, sink,
+  "Sensitive information from $@ flows to here, and is transmitted to the user.", source.getNode(), source.toString()

csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql

@@ -59,5 +59,5 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
 
 from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
-select sink, source, sink,
-  "Exception information from $@ flows to here, and is exposed to the user.", source, source.toString()
+select sink.getNode(), source, sink,
+  "Exception information from $@ flows to here, and is exposed to the user.", source.getNode(), source.toString()

csharp/ql/src/Security Features/CWE-312/CleartextStorage.ql

@@ -17,5 +17,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
 from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
-select sink, source, sink,
-  "Sensitive data returned by $@ is stored here.", source, source.toString()
+select sink.getNode(), source, sink,
+  "Sensitive data returned by $@ is stored here.", source.getNode(), source.toString()

csharp/ql/src/Security Features/CWE-359/ExposureOfPrivateInformation.ql

@@ -15,5 +15,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
 from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
-select sink, source, sink,
-  "Private data returned by $@ is written to an external location.", source, source.toString()
+select sink.getNode(), source, sink,
+  "Private data returned by $@ is written to an external location.", source.getNode(), source.toString()

csharp/ql/src/Security Features/CWE-601/UrlRedirect.ql

@@ -15,5 +15,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
 from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
-select sink, source, sink,
-  "Untrusted URL redirection due to $@.", source, "user-provided value"
+select sink.getNode(), source, sink,
+  "Untrusted URL redirection due to $@.", source.getNode(), "user-provided value"

csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql

@@ -14,7 +14,7 @@ import csharp
 import semmle.code.csharp.security.dataflow.XMLEntityInjection::XMLEntityInjection
 import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
-from TaintTrackingConfiguration c, Source source, Sink sink
-where c.hasFlow(source, sink)
-select sink, source.getPathNode(c), sink.getPathNode(c),
-  "$@ flows to here and is loaded insecurely as XML (" + sink.getReason() +").", source, "User-provided value"
+from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
+where c.hasFlowPath(source, sink)
+select sink.getNode(), source, sink,
+  "$@ flows to here and is loaded insecurely as XML (" + sink.getNode().(Sink).getReason() +").", source.getNode(), "User-provided value"

csharp/ql/src/Security Features/CWE-643/StoredXPathInjection.ql

@@ -23,5 +23,5 @@ class StoredTaintTrackingConfiguration extends XPathInjection::TaintTrackingConf
 
 from StoredTaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
-select sink, source, sink,
-  "$@ flows to here and is used in an XPath expression.", source, "Stored user-provided value"
+select sink.getNode(), source, sink,
+  "$@ flows to here and is used in an XPath expression.", source.getNode(), "Stored user-provided value"

csharp/ql/src/Security Features/CWE-643/XPathInjection.ql

@@ -15,5 +15,5 @@ import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
 from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
 where c.hasFlowPath(source, sink)
-select sink, source, sink,
-  "$@ flows to here and is used in an XPath expression.", source, "User-provided value"
+select sink.getNode(), source, sink,
+  "$@ flows to here and is used in an XPath expression.", source.getNode(), "User-provided value"

csharp/ql/src/Security Features/CWE-730/ReDoS.ql

@@ -15,9 +15,9 @@ import semmle.code.csharp.security.dataflow.ReDoS::ReDoS
 import semmle.code.csharp.frameworks.system.text.RegularExpressions
 import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
-from TaintTrackingConfiguration c, Source source, DataFlow::Node sink
-where c.hasFlow(source, sink)
+from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
+where c.hasFlowPath(source, sink)
   // No global timeout set
   and not exists(RegexGlobalTimeout r)
-select sink, source.getPathNode(c), sink.getPathNode(c),
-  "$@ flows to regular expression operation with dangerous regex.", source, "User-provided value"
+select sink.getNode().(Sink), source, sink,
+  "$@ flows to regular expression operation with dangerous regex.", source.getNode(), "User-provided value"

csharp/ql/src/Security Features/CWE-730/RegexInjection.ql

@@ -16,9 +16,9 @@ import semmle.code.csharp.security.dataflow.RegexInjection::RegexInjection
 import semmle.code.csharp.frameworks.system.text.RegularExpressions
 import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
-from TaintTrackingConfiguration c, Source source, Sink sink
-where c.hasFlow(source, sink)
+from TaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
+where c.hasFlowPath(source, sink)
   // No global timeout set
   and not exists(RegexGlobalTimeout r)
-select sink, source.getPathNode(c), sink.getPathNode(c),
-  "$@ flows to the construction of a regular expression.", source, "User-provided value"
+select sink.getNode(), source, sink,
+  "$@ flows to the construction of a regular expression.", source.getNode(), "User-provided value"

csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql

@@ -48,8 +48,8 @@ class ConnectionStringTaintTrackingConfiguration extends TaintTracking::Configur
   }
 }
 
-from ConnectionStringTaintTrackingConfiguration c, DataFlow::Node source, DataFlow::Node sink
-where c.hasFlow(source, sink)
-select source, source.getPathNode(c), sink.getPathNode(c),
+from ConnectionStringTaintTrackingConfiguration c, DataFlow::PathNode source, DataFlow::PathNode sink
+where c.hasFlowPath(source, sink)
+select source.getNode(), source, sink,
   "'ConnectionString' property includes hard-coded credentials set in $@.",
-  any(Call call | call.getAnArgument() = sink.asExpr()) as call, call.toString()
+  any(Call call | call.getAnArgument() = sink.getNode().asExpr()) as call, call.toString()

csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql

@@ -14,15 +14,18 @@ import csharp
 import semmle.code.csharp.security.dataflow.HardcodedCredentials::HardcodedCredentials
 import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
-from TaintTrackingConfiguration c, Source source, Sink sink, string value
+from TaintTrackingConfiguration c, Source source, Sink sink, DataFlow::PathNode sourcePath, DataFlow::PathNode sinkPath,
+  string value
 where
+  source = sourcePath.getNode() and
+  sink = sinkPath.getNode() and
   c.hasFlow(source, sink) and
   // Print the source value if it's available
   if exists(source.asExpr().getValue()) then
     value = "The hard-coded value \"" + source.asExpr().getValue() + "\""
   else
     value = "This hard-coded value"
-select source, source.getPathNode(c), sink.getPathNode(c),
+select source, sourcePath, sinkPath,
   value + " flows to " + sink.getSinkDescription() + ".",
   sink, sink.getSinkName(), sink.getSupplementaryElement(),
   sink.getSupplementaryElement().toString()

csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql

@@ -15,8 +15,8 @@ import csharp
 import semmle.code.csharp.security.dataflow.ConditionalBypass::UserControlledBypassOfSensitiveMethod
 import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
-from Configuration config, Source source, Sink sink
-where config.hasFlow(source, sink)
-select sink.getSensitiveMethodCall(), source.getPathNode(config), sink.getPathNode(config),
+from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
+where config.hasFlowPath(source, sink)
+select sink.getNode().(Sink).getSensitiveMethodCall(), source, sink,
   "Sensitive method may not be executed depending on $@, which flows from $@.",
   sink, "this condition", source, "user input"

csharp/ql/src/Security Features/InsecureRandomness.ql

@@ -3,7 +3,7 @@
  * @description Using a cryptographically weak pseudo-random number generator to generate a
  *              security sensitive value may allow an attacker to predict what sensitive value will
  *              be generated.
- * @kind problem
+ * @kind path-problem
  * @problem.severity warning
  * @precision high
  * @id cs/insecure-randomness
@@ -12,6 +12,7 @@
  */
 import csharp
 import semmle.code.csharp.frameworks.Test
+import semmle.code.csharp.dataflow.DataFlow::DataFlow::PathGraph
 
 module Random {
   import semmle.code.csharp.dataflow.flowsources.Remote
@@ -103,6 +104,7 @@ module Random {
   }
 }
 
-from Random::TaintTrackingConfiguration randomTracking, Random::Source source, Random::Sink sink
-where randomTracking.hasFlow(source, sink)
-select sink, "Cryptographically insecure random number is generated at $@ and used here in a security context.", source, source.toString()
+from Random::TaintTrackingConfiguration randomTracking, DataFlow::PathNode source, DataFlow::PathNode sink
+where randomTracking.hasFlowPath(source, sink)
+select sink.getNode(), source, sink,
+  "Cryptographically insecure random number is generated at $@ and used here in a security context.", source.getNode(), source.toString()

csharp/ql/src/semmle/code/csharp/dataflow/DataFlow.qll

@@ -35,12 +35,6 @@ module DataFlow {
 
     /** Gets the location of this node. */
     Location getLocation() { none() }
-
-    /** Gets the path node for this node. */
-    PathNode getPathNode(Configuration config) {
-      result.getNode() = this and
-      result.getConfiguration() = config
-    }
   }
 
   /**

csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.expected

@@ -1,3 +1,13 @@
-| InsecureRandomness.cs:12:27:12:50 | call to method InsecureRandomString | Cryptographically insecure random number is generated at $@ and used here in a security context. | InsecureRandomness.cs:28:29:28:43 | call to method Next | call to method Next |
-| InsecureRandomness.cs:13:20:13:56 | call to method InsecureRandomStringFromSelection | Cryptographically insecure random number is generated at $@ and used here in a security context. | InsecureRandomness.cs:60:31:60:39 | call to method Next | call to method Next |
-| InsecureRandomness.cs:14:20:14:54 | call to method InsecureRandomStringFromIndexer | Cryptographically insecure random number is generated at $@ and used here in a security context. | InsecureRandomness.cs:72:31:72:39 | call to method Next | call to method Next |
+edges
+| InsecureRandomness.cs:28:29:28:43 | call to method Next | InsecureRandomness.cs:29:27:29:61 | call to method GetString |
+| InsecureRandomness.cs:28:29:28:43 | call to method Next | InsecureRandomness.cs:31:16:31:32 | call to method ToString |
+| InsecureRandomness.cs:29:27:29:61 | call to method GetString | InsecureRandomness.cs:31:16:31:32 | call to method ToString |
+| InsecureRandomness.cs:31:16:31:32 | call to method ToString | InsecureRandomness.cs:12:27:12:50 | call to method InsecureRandomString |
+| InsecureRandomness.cs:60:31:60:39 | call to method Next | InsecureRandomness.cs:62:16:62:32 | call to method ToString |
+| InsecureRandomness.cs:62:16:62:32 | call to method ToString | InsecureRandomness.cs:13:20:13:56 | call to method InsecureRandomStringFromSelection |
+| InsecureRandomness.cs:72:31:72:39 | call to method Next | InsecureRandomness.cs:74:16:74:21 | access to local variable result |
+| InsecureRandomness.cs:74:16:74:21 | access to local variable result | InsecureRandomness.cs:14:20:14:54 | call to method InsecureRandomStringFromIndexer |
+#select
+| InsecureRandomness.cs:12:27:12:50 | call to method InsecureRandomString | InsecureRandomness.cs:28:29:28:43 | call to method Next | InsecureRandomness.cs:12:27:12:50 | call to method InsecureRandomString | Cryptographically insecure random number is generated at $@ and used here in a security context. | InsecureRandomness.cs:28:29:28:43 | call to method Next | call to method Next |
+| InsecureRandomness.cs:13:20:13:56 | call to method InsecureRandomStringFromSelection | InsecureRandomness.cs:60:31:60:39 | call to method Next | InsecureRandomness.cs:13:20:13:56 | call to method InsecureRandomStringFromSelection | Cryptographically insecure random number is generated at $@ and used here in a security context. | InsecureRandomness.cs:60:31:60:39 | call to method Next | call to method Next |
+| InsecureRandomness.cs:14:20:14:54 | call to method InsecureRandomStringFromIndexer | InsecureRandomness.cs:72:31:72:39 | call to method Next | InsecureRandomness.cs:14:20:14:54 | call to method InsecureRandomStringFromIndexer | Cryptographically insecure random number is generated at $@ and used here in a security context. | InsecureRandomness.cs:72:31:72:39 | call to method Next | call to method Next |