hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #9214 from hvitved/dataflow/lambda-fp-flow

Browse Source 
Data flow: Do not discard call context when computing reverse lambda flow through jumps
This commit is contained in:
Anders Schack-Mulligen
2022-05-23 10:02:51 +02:00
committed by GitHub
parent 5119de8d22 f83deb6571
commit f2218944f6
8 changed files with 27 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
View File

@@ -216,10 +216,9 @@ private module LambdaFlow {
or or
// jump step // jump step
exists(Node mid, DataFlowType t0 | exists(Node mid, DataFlowType t0 |
revLambdaFlow(lambdaCall, kind, mid, t0, _, _, _) and revLambdaFlow(lambdaCall, kind, mid, t0, _, _, lastCall) and
toReturn = false and toReturn = false and
toJump = true and toJump = true
lastCall = TDataFlowCallNone()
| |
jumpStepCached(node, mid) and jumpStepCached(node, mid) and
t = t0 t = t0

5
cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
View File

@@ -216,10 +216,9 @@ private module LambdaFlow {
or or
// jump step // jump step
exists(Node mid, DataFlowType t0 | exists(Node mid, DataFlowType t0 |
revLambdaFlow(lambdaCall, kind, mid, t0, _, _, _) and revLambdaFlow(lambdaCall, kind, mid, t0, _, _, lastCall) and
toReturn = false and toReturn = false and
toJump = true and toJump = true
lastCall = TDataFlowCallNone()
| |
jumpStepCached(node, mid) and jumpStepCached(node, mid) and
t = t0 t = t0

5
csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
View File

@@ -216,10 +216,9 @@ private module LambdaFlow {
or or
// jump step // jump step
exists(Node mid, DataFlowType t0 | exists(Node mid, DataFlowType t0 |
revLambdaFlow(lambdaCall, kind, mid, t0, _, _, _) and revLambdaFlow(lambdaCall, kind, mid, t0, _, _, lastCall) and
toReturn = false and toReturn = false and
toJump = true and toJump = true
lastCall = TDataFlowCallNone()
| |
jumpStepCached(node, mid) and jumpStepCached(node, mid) and
t = t0 t = t0

5
java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll
View File

@@ -216,10 +216,9 @@ private module LambdaFlow {
or or
// jump step // jump step
exists(Node mid, DataFlowType t0 | exists(Node mid, DataFlowType t0 |
revLambdaFlow(lambdaCall, kind, mid, t0, _, _, _) and revLambdaFlow(lambdaCall, kind, mid, t0, _, _, lastCall) and
toReturn = false and toReturn = false and
toJump = true and toJump = true
lastCall = TDataFlowCallNone()
| |
jumpStepCached(node, mid) and jumpStepCached(node, mid) and
t = t0 t = t0

5
python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll
View File

@@ -216,10 +216,9 @@ private module LambdaFlow {
or or
// jump step // jump step
exists(Node mid, DataFlowType t0 | exists(Node mid, DataFlowType t0 |
revLambdaFlow(lambdaCall, kind, mid, t0, _, _, _) and revLambdaFlow(lambdaCall, kind, mid, t0, _, _, lastCall) and
toReturn = false and toReturn = false and
toJump = true and toJump = true
lastCall = TDataFlowCallNone()
| |
jumpStepCached(node, mid) and jumpStepCached(node, mid) and
t = t0 t = t0

5
ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplCommon.qll
View File

@@ -216,10 +216,9 @@ private module LambdaFlow {
or or
// jump step // jump step
exists(Node mid, DataFlowType t0 | exists(Node mid, DataFlowType t0 |
revLambdaFlow(lambdaCall, kind, mid, t0, _, _, _) and revLambdaFlow(lambdaCall, kind, mid, t0, _, _, lastCall) and
toReturn = false and toReturn = false and
toJump = true and toJump = true
lastCall = TDataFlowCallNone()
| |
jumpStepCached(node, mid) and jumpStepCached(node, mid) and
t = t0 t = t0

10
ruby/ql/test/library-tests/dataflow/call-sensitivity/call-sensitivity.expected
View File

@@ -5,12 +5,16 @@ edges
| call_sensitivity.rb:15:20:15:20 | x : | call_sensitivity.rb:15:28:15:28 | x | | call_sensitivity.rb:15:20:15:20 | x : | call_sensitivity.rb:15:28:15:28 | x |
| call_sensitivity.rb:17:27:17:27 | x : | call_sensitivity.rb:18:17:18:17 | x : | | call_sensitivity.rb:17:27:17:27 | x : | call_sensitivity.rb:18:17:18:17 | x : |
| call_sensitivity.rb:17:27:17:27 | x : | call_sensitivity.rb:18:17:18:17 | x : | | call_sensitivity.rb:17:27:17:27 | x : | call_sensitivity.rb:18:17:18:17 | x : |
| call_sensitivity.rb:17:27:17:27 | x : | call_sensitivity.rb:18:17:18:17 | x : |
| call_sensitivity.rb:18:17:18:17 | x : | call_sensitivity.rb:27:17:27:17 | x : | | call_sensitivity.rb:18:17:18:17 | x : | call_sensitivity.rb:27:17:27:17 | x : |
| call_sensitivity.rb:18:17:18:17 | x : | call_sensitivity.rb:36:23:36:23 | x : | | call_sensitivity.rb:18:17:18:17 | x : | call_sensitivity.rb:36:23:36:23 | x : |
| call_sensitivity.rb:18:17:18:17 | x : | call_sensitivity.rb:39:24:39:24 | x : |
| call_sensitivity.rb:27:17:27:17 | x : | call_sensitivity.rb:27:27:27:27 | x | | call_sensitivity.rb:27:17:27:17 | x : | call_sensitivity.rb:27:27:27:27 | x |
| call_sensitivity.rb:28:25:28:31 | "taint" : | call_sensitivity.rb:17:27:17:27 | x : | | call_sensitivity.rb:28:25:28:31 | "taint" : | call_sensitivity.rb:17:27:17:27 | x : |
| call_sensitivity.rb:36:23:36:23 | x : | call_sensitivity.rb:36:31:36:31 | x | | call_sensitivity.rb:36:23:36:23 | x : | call_sensitivity.rb:36:31:36:31 | x |
| call_sensitivity.rb:37:25:37:31 | "taint" : | call_sensitivity.rb:17:27:17:27 | x : | | call_sensitivity.rb:37:25:37:31 | "taint" : | call_sensitivity.rb:17:27:17:27 | x : |
| call_sensitivity.rb:39:24:39:24 | x : | call_sensitivity.rb:39:32:39:32 | x |
| call_sensitivity.rb:40:26:40:32 | "taint" : | call_sensitivity.rb:17:27:17:27 | x : |
nodes nodes
| call_sensitivity.rb:5:6:5:12 | "taint" | semmle.label | "taint" | | call_sensitivity.rb:5:6:5:12 | "taint" | semmle.label | "taint" |
| call_sensitivity.rb:7:13:7:13 | x : | semmle.label | x : | | call_sensitivity.rb:7:13:7:13 | x : | semmle.label | x : |
@@ -20,6 +24,8 @@ nodes
| call_sensitivity.rb:15:28:15:28 | x | semmle.label | x | | call_sensitivity.rb:15:28:15:28 | x | semmle.label | x |
| call_sensitivity.rb:17:27:17:27 | x : | semmle.label | x : | | call_sensitivity.rb:17:27:17:27 | x : | semmle.label | x : |
| call_sensitivity.rb:17:27:17:27 | x : | semmle.label | x : | | call_sensitivity.rb:17:27:17:27 | x : | semmle.label | x : |
| call_sensitivity.rb:17:27:17:27 | x : | semmle.label | x : |
| call_sensitivity.rb:18:17:18:17 | x : | semmle.label | x : |
| call_sensitivity.rb:18:17:18:17 | x : | semmle.label | x : | | call_sensitivity.rb:18:17:18:17 | x : | semmle.label | x : |
| call_sensitivity.rb:18:17:18:17 | x : | semmle.label | x : | | call_sensitivity.rb:18:17:18:17 | x : | semmle.label | x : |
| call_sensitivity.rb:27:17:27:17 | x : | semmle.label | x : | | call_sensitivity.rb:27:17:27:17 | x : | semmle.label | x : |
@@ -28,9 +34,13 @@ nodes
| call_sensitivity.rb:36:23:36:23 | x : | semmle.label | x : | | call_sensitivity.rb:36:23:36:23 | x : | semmle.label | x : |
| call_sensitivity.rb:36:31:36:31 | x | semmle.label | x | | call_sensitivity.rb:36:31:36:31 | x | semmle.label | x |
| call_sensitivity.rb:37:25:37:31 | "taint" : | semmle.label | "taint" : | | call_sensitivity.rb:37:25:37:31 | "taint" : | semmle.label | "taint" : |
| call_sensitivity.rb:39:24:39:24 | x : | semmle.label | x : |
| call_sensitivity.rb:39:32:39:32 | x | semmle.label | x |
| call_sensitivity.rb:40:26:40:32 | "taint" : | semmle.label | "taint" : |
subpaths subpaths
#select #select
| call_sensitivity.rb:5:6:5:12 | "taint" | call_sensitivity.rb:5:6:5:12 | "taint" | call_sensitivity.rb:5:6:5:12 | "taint" | $@ | call_sensitivity.rb:5:6:5:12 | "taint" | "taint" | | call_sensitivity.rb:5:6:5:12 | "taint" | call_sensitivity.rb:5:6:5:12 | "taint" | call_sensitivity.rb:5:6:5:12 | "taint" | $@ | call_sensitivity.rb:5:6:5:12 | "taint" | "taint" |
| call_sensitivity.rb:15:28:15:28 | x | call_sensitivity.rb:15:9:15:15 | "taint" : | call_sensitivity.rb:15:28:15:28 | x | $@ | call_sensitivity.rb:15:9:15:15 | "taint" : | "taint" : | | call_sensitivity.rb:15:28:15:28 | x | call_sensitivity.rb:15:9:15:15 | "taint" : | call_sensitivity.rb:15:28:15:28 | x | $@ | call_sensitivity.rb:15:9:15:15 | "taint" : | "taint" : |
| call_sensitivity.rb:27:27:27:27 | x | call_sensitivity.rb:28:25:28:31 | "taint" : | call_sensitivity.rb:27:27:27:27 | x | $@ | call_sensitivity.rb:28:25:28:31 | "taint" : | "taint" : | | call_sensitivity.rb:27:27:27:27 | x | call_sensitivity.rb:28:25:28:31 | "taint" : | call_sensitivity.rb:27:27:27:27 | x | $@ | call_sensitivity.rb:28:25:28:31 | "taint" : | "taint" : |
| call_sensitivity.rb:36:31:36:31 | x | call_sensitivity.rb:37:25:37:31 | "taint" : | call_sensitivity.rb:36:31:36:31 | x | $@ | call_sensitivity.rb:37:25:37:31 | "taint" : | "taint" : | | call_sensitivity.rb:36:31:36:31 | x | call_sensitivity.rb:37:25:37:31 | "taint" : | call_sensitivity.rb:36:31:36:31 | x | $@ | call_sensitivity.rb:37:25:37:31 | "taint" : | "taint" : |
| call_sensitivity.rb:39:32:39:32 | x | call_sensitivity.rb:40:26:40:32 | "taint" : | call_sensitivity.rb:39:32:39:32 | x | $@ | call_sensitivity.rb:40:26:40:32 | "taint" : | "taint" : |

5
ruby/ql/test/library-tests/dataflow/call-sensitivity/call_sensitivity.rb
View File

@@ -36,3 +36,8 @@ apply_lambda(my_lambda, "taint") # no flow
my_lambda = lambda { |x| sink x } my_lambda = lambda { |x| sink x }
apply_lambda(my_lambda, "taint") # flow apply_lambda(my_lambda, "taint") # flow
MY_LAMBDA1 = lambda { |x| sink x }
apply_lambda(MY_LAMBDA1, "taint") # flow
MY_LAMBDA2 = lambda { |x| puts x }
apply_lambda(MY_LAMBDA2, "taint") # no flow