From f7cf327e7157bcb62b231baa09b325772fb09192 Mon Sep 17 00:00:00 2001 
From: Anders Schack-Mulligen Date: Thu, 13 Jan 2022 13:28:43 +0100 Subject: [PATCH] Dataflow: Sync --- .../cpp/dataflow/internal/DataFlowImpl.qll | 46 ++++++++----------- .../cpp/dataflow/internal/DataFlowImpl2.qll | 46 ++++++++----------- .../cpp/dataflow/internal/DataFlowImpl3.qll | 46 ++++++++----------- .../cpp/dataflow/internal/DataFlowImpl4.qll | 46 ++++++++----------- .../dataflow/internal/DataFlowImplLocal.qll | 46 ++++++++----------- .../tainttracking1/TaintTrackingImpl.qll | 4 +- .../tainttracking2/TaintTrackingImpl.qll | 4 +- .../cpp/ir/dataflow/internal/DataFlowImpl.qll | 46 ++++++++----------- .../ir/dataflow/internal/DataFlowImpl2.qll | 46 ++++++++----------- .../ir/dataflow/internal/DataFlowImpl3.qll | 46 ++++++++----------- .../ir/dataflow/internal/DataFlowImpl4.qll | 46 ++++++++----------- .../tainttracking1/TaintTrackingImpl.qll | 4 +- .../tainttracking2/TaintTrackingImpl.qll | 4 +- .../tainttracking3/TaintTrackingImpl.qll | 4 +- .../csharp/dataflow/internal/DataFlowImpl.qll | 46 ++++++++----------- .../dataflow/internal/DataFlowImpl2.qll | 46 ++++++++----------- .../dataflow/internal/DataFlowImpl3.qll | 46 ++++++++----------- .../dataflow/internal/DataFlowImpl4.qll | 46 ++++++++----------- .../dataflow/internal/DataFlowImpl5.qll | 46 ++++++++----------- .../tainttracking1/TaintTrackingImpl.qll | 4 +- .../tainttracking2/TaintTrackingImpl.qll | 4 +- .../tainttracking3/TaintTrackingImpl.qll | 4 +- .../tainttracking4/TaintTrackingImpl.qll | 4 +- .../tainttracking5/TaintTrackingImpl.qll | 4 +- .../java/dataflow/internal/DataFlowImpl2.qll | 46 ++++++++----------- .../java/dataflow/internal/DataFlowImpl3.qll | 46 ++++++++----------- .../java/dataflow/internal/DataFlowImpl4.qll | 46 ++++++++----------- .../java/dataflow/internal/DataFlowImpl5.qll | 46 ++++++++----------- .../java/dataflow/internal/DataFlowImpl6.qll | 46 ++++++++----------- .../DataFlowImplForSerializability.qll | 46 ++++++++----------- .../tainttracking2/TaintTrackingImpl.qll | 4 +- 
.../dataflow/new/internal/DataFlowImpl.qll | 46 ++++++++----------- .../dataflow/new/internal/DataFlowImpl2.qll | 46 ++++++++----------- .../dataflow/new/internal/DataFlowImpl3.qll | 46 ++++++++----------- .../dataflow/new/internal/DataFlowImpl4.qll | 46 ++++++++----------- .../tainttracking1/TaintTrackingImpl.qll | 4 +- .../tainttracking2/TaintTrackingImpl.qll | 4 +- .../tainttracking3/TaintTrackingImpl.qll | 4 +- .../tainttracking4/TaintTrackingImpl.qll | 4 +- .../ruby/dataflow/internal/DataFlowImpl.qll | 46 ++++++++----------- .../ruby/dataflow/internal/DataFlowImpl2.qll | 46 ++++++++----------- .../tainttracking1/TaintTrackingImpl.qll | 4 +- 42 files changed, 552 insertions(+), 708 deletions(-) diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll index 3e4b3d84724..a265b4cbd27 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll @@ -54,7 +54,7 @@ abstract class Configuration extends string { /** * Holds if `source` is a relevant data flow source. */ - abstract predicate isSource(Node source); + predicate isSource(Node source) { none() } /** * Holds if `source` is a relevant data flow source with the given initial @@ -65,7 +65,7 @@ abstract class Configuration extends string { /** * Holds if `sink` is a relevant data flow sink. */ - abstract predicate isSink(Node sink); + predicate isSink(Node sink) { none() } /** * Holds if `sink` is a relevant data flow sink accepting `state`. 
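Review bot: With `isSource(Node source)` and `isSink(Node sink)` now defaulting to `none()` instead of being abstract (hunks at -54 and -65), a configuration that overrides neither these nor the stateful `isSource(n, _)` / `isSink(n, _)` variants still compiles and simply reports no flow, which for a security query is a silent false negative. The qldoc should say so, for example `Either this predicate or the variant taking a FlowState must be overridden; otherwise the configuration has no sources.`, and likewise for sinks. The same change is repeated in the other synced DataFlowImpl copies and, as `override predicate ... { none() }`, in the TaintTrackingImpl.qll files, so the wording would need to go into each of them. The Configuration class body continues outside these hunks, so any existing guard against an empty configuration is not visible here.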
@@ -308,16 +308,18 @@ private class RetNodeEx extends NodeEx { private predicate inBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierIn(n) and - (config.isSource(n) or config.isSource(n, _)) + config.isBarrierIn(n) + | + config.isSource(n) or config.isSource(n, _) ) } private predicate outBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierOut(n) and - (config.isSink(n) or config.isSink(n, _)) + config.isBarrierOut(n) + | + config.isSink(n) or config.isSink(n, _) ) } @@ -1586,9 +1588,11 @@ private module Stage2 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -2349,9 +2353,11 @@ private module Stage3 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config 
@@ -3175,9 +3181,11 @@ private module Stage4 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -3990,14 +3998,10 @@ private predicate pathIntoArg( PathNodeMid mid, ParameterPosition ppos, FlowState state, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa, Configuration config ) { - exists(ArgNode arg, ArgumentPosition apos | - arg = mid.getNodeEx().asNode() and - state = mid.getState() and - cc = mid.getCallContext() and - arg.argumentOf(call, apos) and - ap = mid.getAp() and + exists(ArgNodeEx arg, ArgumentPosition apos | + pathNode(mid, arg, state, cc, _, ap, config, _) and + arg.asNode().(ArgNode).argumentOf(call, apos) and apa = ap.getApprox() and - config = mid.getConfiguration() and parameterMatch(ppos, apos) ) } @@ -4063,13 +4067,8 @@ private predicate paramFlowsThrough( AccessPathApprox apa, Configuration config ) { exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos | - mid.getNodeEx() = ret and + pathNode(mid, ret, state, cc, sc, ap, config, _) and kind = ret.getKind() and - state = mid.getState() and - cc = mid.getCallContext() and - sc = mid.getSummaryCtx() and - config = mid.getConfiguration() and - ap = mid.getAp() and apa = ap.getApprox() and pos = sc.getParameterPos() and // we don't expect a parameter to return stored in itself, unless explicitly allowed 
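Review bot: The `pathNode(...)` calls that replace the per-field `mid.getX()` equalities in `pathIntoArg` (hunk at -3990) and `paramFlowsThrough` (hunk at -4063) depend on a predicate defined outside the visible hunks, so the equivalence of the rewrite cannot be checked from this diff. If `pathNode` constrains anything beyond the getters it replaces (its last column is passed as `_` here), these predicates would hold for fewer tuples and flow paths could be dropped without any error, so it is worth confirming against the library's existing tests that results are unchanged. A short comment at the call sites would help the next reader, e.g. `// pathNode relates mid to its node, state, cc, sc, ap and config in one call`. The same rewrite appears in `Subpaths` (hunk at -4150) and in every synced copy.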
@@ -4150,13 +4149,8 @@ private module Subpaths { ) { exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode | subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and - ret.getNodeEx() = retnode and - kind = retnode.getKind() and - innercc = ret.getCallContext() and - sc = ret.getSummaryCtx() and - ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and - sout = ret.getState() and - apout = ret.getAp() + pathNode(ret, retnode, sout, innercc, sc, apout, unbindConf(getPathNodeConf(arg)), _) and + kind = retnode.getKind() ) } diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll index 3e4b3d84724..a265b4cbd27 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll @@ -54,7 +54,7 @@ abstract class Configuration extends string { /** * Holds if `source` is a relevant data flow source. */ - abstract predicate isSource(Node source); + predicate isSource(Node source) { none() } /** * Holds if `source` is a relevant data flow source with the given initial @@ -65,7 +65,7 @@ abstract class Configuration extends string { /** * Holds if `sink` is a relevant data flow sink. */ - abstract predicate isSink(Node sink); + predicate isSink(Node sink) { none() } /** * Holds if `sink` is a relevant data flow sink accepting `state`. 
@@ -308,16 +308,18 @@ private class RetNodeEx extends NodeEx { private predicate inBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierIn(n) and - (config.isSource(n) or config.isSource(n, _)) + config.isBarrierIn(n) + | + config.isSource(n) or config.isSource(n, _) ) } private predicate outBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierOut(n) and - (config.isSink(n) or config.isSink(n, _)) + config.isBarrierOut(n) + | + config.isSink(n) or config.isSink(n, _) ) } @@ -1586,9 +1588,11 @@ private module Stage2 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -2349,9 +2353,11 @@ private module Stage3 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config 
@@ -3175,9 +3181,11 @@ private module Stage4 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -3990,14 +3998,10 @@ private predicate pathIntoArg( PathNodeMid mid, ParameterPosition ppos, FlowState state, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa, Configuration config ) { - exists(ArgNode arg, ArgumentPosition apos | - arg = mid.getNodeEx().asNode() and - state = mid.getState() and - cc = mid.getCallContext() and - arg.argumentOf(call, apos) and - ap = mid.getAp() and + exists(ArgNodeEx arg, ArgumentPosition apos | + pathNode(mid, arg, state, cc, _, ap, config, _) and + arg.asNode().(ArgNode).argumentOf(call, apos) and apa = ap.getApprox() and - config = mid.getConfiguration() and parameterMatch(ppos, apos) ) } @@ -4063,13 +4067,8 @@ private predicate paramFlowsThrough( AccessPathApprox apa, Configuration config ) { exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos | - mid.getNodeEx() = ret and + pathNode(mid, ret, state, cc, sc, ap, config, _) and kind = ret.getKind() and - state = mid.getState() and - cc = mid.getCallContext() and - sc = mid.getSummaryCtx() and - config = mid.getConfiguration() and - ap = mid.getAp() and apa = ap.getApprox() and pos = sc.getParameterPos() and // we don't expect a parameter to return stored in itself, unless explicitly allowed 
@@ -4150,13 +4149,8 @@ private module Subpaths { ) { exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode | subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and - ret.getNodeEx() = retnode and - kind = retnode.getKind() and - innercc = ret.getCallContext() and - sc = ret.getSummaryCtx() and - ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and - sout = ret.getState() and - apout = ret.getAp() + pathNode(ret, retnode, sout, innercc, sc, apout, unbindConf(getPathNodeConf(arg)), _) and + kind = retnode.getKind() ) } diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll index 3e4b3d84724..a265b4cbd27 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll @@ -54,7 +54,7 @@ abstract class Configuration extends string { /** * Holds if `source` is a relevant data flow source. */ - abstract predicate isSource(Node source); + predicate isSource(Node source) { none() } /** * Holds if `source` is a relevant data flow source with the given initial @@ -65,7 +65,7 @@ abstract class Configuration extends string { /** * Holds if `sink` is a relevant data flow sink. */ - abstract predicate isSink(Node sink); + predicate isSink(Node sink) { none() } /** * Holds if `sink` is a relevant data flow sink accepting `state`. 
@@ -308,16 +308,18 @@ private class RetNodeEx extends NodeEx { private predicate inBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierIn(n) and - (config.isSource(n) or config.isSource(n, _)) + config.isBarrierIn(n) + | + config.isSource(n) or config.isSource(n, _) ) } private predicate outBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierOut(n) and - (config.isSink(n) or config.isSink(n, _)) + config.isBarrierOut(n) + | + config.isSink(n) or config.isSink(n, _) ) } @@ -1586,9 +1588,11 @@ private module Stage2 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -2349,9 +2353,11 @@ private module Stage3 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config 
@@ -3175,9 +3181,11 @@ private module Stage4 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -3990,14 +3998,10 @@ private predicate pathIntoArg( PathNodeMid mid, ParameterPosition ppos, FlowState state, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa, Configuration config ) { - exists(ArgNode arg, ArgumentPosition apos | - arg = mid.getNodeEx().asNode() and - state = mid.getState() and - cc = mid.getCallContext() and - arg.argumentOf(call, apos) and - ap = mid.getAp() and + exists(ArgNodeEx arg, ArgumentPosition apos | + pathNode(mid, arg, state, cc, _, ap, config, _) and + arg.asNode().(ArgNode).argumentOf(call, apos) and apa = ap.getApprox() and - config = mid.getConfiguration() and parameterMatch(ppos, apos) ) } @@ -4063,13 +4067,8 @@ private predicate paramFlowsThrough( AccessPathApprox apa, Configuration config ) { exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos | - mid.getNodeEx() = ret and + pathNode(mid, ret, state, cc, sc, ap, config, _) and kind = ret.getKind() and - state = mid.getState() and - cc = mid.getCallContext() and - sc = mid.getSummaryCtx() and - config = mid.getConfiguration() and - ap = mid.getAp() and apa = ap.getApprox() and pos = sc.getParameterPos() and // we don't expect a parameter to return stored in itself, unless explicitly allowed 
@@ -4150,13 +4149,8 @@ private module Subpaths { ) { exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode | subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and - ret.getNodeEx() = retnode and - kind = retnode.getKind() and - innercc = ret.getCallContext() and - sc = ret.getSummaryCtx() and - ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and - sout = ret.getState() and - apout = ret.getAp() + pathNode(ret, retnode, sout, innercc, sc, apout, unbindConf(getPathNodeConf(arg)), _) and + kind = retnode.getKind() ) } diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll index 3e4b3d84724..a265b4cbd27 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll @@ -54,7 +54,7 @@ abstract class Configuration extends string { /** * Holds if `source` is a relevant data flow source. */ - abstract predicate isSource(Node source); + predicate isSource(Node source) { none() } /** * Holds if `source` is a relevant data flow source with the given initial @@ -65,7 +65,7 @@ abstract class Configuration extends string { /** * Holds if `sink` is a relevant data flow sink. */ - abstract predicate isSink(Node sink); + predicate isSink(Node sink) { none() } /** * Holds if `sink` is a relevant data flow sink accepting `state`. 
@@ -308,16 +308,18 @@ private class RetNodeEx extends NodeEx { private predicate inBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierIn(n) and - (config.isSource(n) or config.isSource(n, _)) + config.isBarrierIn(n) + | + config.isSource(n) or config.isSource(n, _) ) } private predicate outBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierOut(n) and - (config.isSink(n) or config.isSink(n, _)) + config.isBarrierOut(n) + | + config.isSink(n) or config.isSink(n, _) ) } @@ -1586,9 +1588,11 @@ private module Stage2 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -2349,9 +2353,11 @@ private module Stage3 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config 
@@ -3175,9 +3181,11 @@ private module Stage4 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -3990,14 +3998,10 @@ private predicate pathIntoArg( PathNodeMid mid, ParameterPosition ppos, FlowState state, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa, Configuration config ) { - exists(ArgNode arg, ArgumentPosition apos | - arg = mid.getNodeEx().asNode() and - state = mid.getState() and - cc = mid.getCallContext() and - arg.argumentOf(call, apos) and - ap = mid.getAp() and + exists(ArgNodeEx arg, ArgumentPosition apos | + pathNode(mid, arg, state, cc, _, ap, config, _) and + arg.asNode().(ArgNode).argumentOf(call, apos) and apa = ap.getApprox() and - config = mid.getConfiguration() and parameterMatch(ppos, apos) ) } @@ -4063,13 +4067,8 @@ private predicate paramFlowsThrough( AccessPathApprox apa, Configuration config ) { exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos | - mid.getNodeEx() = ret and + pathNode(mid, ret, state, cc, sc, ap, config, _) and kind = ret.getKind() and - state = mid.getState() and - cc = mid.getCallContext() and - sc = mid.getSummaryCtx() and - config = mid.getConfiguration() and - ap = mid.getAp() and apa = ap.getApprox() and pos = sc.getParameterPos() and // we don't expect a parameter to return stored in itself, unless explicitly allowed 
@@ -4150,13 +4149,8 @@ private module Subpaths { ) { exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode | subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and - ret.getNodeEx() = retnode and - kind = retnode.getKind() and - innercc = ret.getCallContext() and - sc = ret.getSummaryCtx() and - ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and - sout = ret.getState() and - apout = ret.getAp() + pathNode(ret, retnode, sout, innercc, sc, apout, unbindConf(getPathNodeConf(arg)), _) and + kind = retnode.getKind() ) } diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll index 3e4b3d84724..a265b4cbd27 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll @@ -54,7 +54,7 @@ abstract class Configuration extends string { /** * Holds if `source` is a relevant data flow source. */ - abstract predicate isSource(Node source); + predicate isSource(Node source) { none() } /** * Holds if `source` is a relevant data flow source with the given initial @@ -65,7 +65,7 @@ abstract class Configuration extends string { /** * Holds if `sink` is a relevant data flow sink. */ - abstract predicate isSink(Node sink); + predicate isSink(Node sink) { none() } /** * Holds if `sink` is a relevant data flow sink accepting `state`. 
@@ -308,16 +308,18 @@ private class RetNodeEx extends NodeEx { private predicate inBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierIn(n) and - (config.isSource(n) or config.isSource(n, _)) + config.isBarrierIn(n) + | + config.isSource(n) or config.isSource(n, _) ) } private predicate outBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierOut(n) and - (config.isSink(n) or config.isSink(n, _)) + config.isBarrierOut(n) + | + config.isSink(n) or config.isSink(n, _) ) } @@ -1586,9 +1588,11 @@ private module Stage2 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -2349,9 +2353,11 @@ private module Stage3 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config 
@@ -3175,9 +3181,11 @@ private module Stage4 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -3990,14 +3998,10 @@ private predicate pathIntoArg( PathNodeMid mid, ParameterPosition ppos, FlowState state, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa, Configuration config ) { - exists(ArgNode arg, ArgumentPosition apos | - arg = mid.getNodeEx().asNode() and - state = mid.getState() and - cc = mid.getCallContext() and - arg.argumentOf(call, apos) and - ap = mid.getAp() and + exists(ArgNodeEx arg, ArgumentPosition apos | + pathNode(mid, arg, state, cc, _, ap, config, _) and + arg.asNode().(ArgNode).argumentOf(call, apos) and apa = ap.getApprox() and - config = mid.getConfiguration() and parameterMatch(ppos, apos) ) } @@ -4063,13 +4067,8 @@ private predicate paramFlowsThrough( AccessPathApprox apa, Configuration config ) { exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos | - mid.getNodeEx() = ret and + pathNode(mid, ret, state, cc, sc, ap, config, _) and kind = ret.getKind() and - state = mid.getState() and - cc = mid.getCallContext() and - sc = mid.getSummaryCtx() and - config = mid.getConfiguration() and - ap = mid.getAp() and apa = ap.getApprox() and pos = sc.getParameterPos() and // we don't expect a parameter to return stored in itself, unless explicitly allowed 
@@ -4150,13 +4149,8 @@ private module Subpaths { ) { exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode | subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and - ret.getNodeEx() = retnode and - kind = retnode.getKind() and - innercc = ret.getCallContext() and - sc = ret.getSummaryCtx() and - ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and - sout = ret.getState() and - apout = ret.getAp() + pathNode(ret, retnode, sout, innercc, sc, apout, unbindConf(getPathNodeConf(arg)), _) and + kind = retnode.getKind() ) } diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll index acb029c23d9..257c4c2fe59 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll @@ -61,7 +61,7 @@ abstract class Configuration extends DataFlow::Configuration { * The smaller this predicate is, the faster `hasFlow()` will converge. */ // overridden to provide taint-tracking specific qldoc - abstract override predicate isSource(DataFlow::Node source); + override predicate isSource(DataFlow::Node source) { none() } /** * Holds if `sink` is a relevant taint sink. @@ -69,7 +69,7 @@ abstract class Configuration extends DataFlow::Configuration { * The smaller this predicate is, the faster `hasFlow()` will converge. */ // overridden to provide taint-tracking specific qldoc - abstract override predicate isSink(DataFlow::Node sink); + override predicate isSink(DataFlow::Node sink) { none() } /** Holds if the node `node` is a taint sanitizer. */ predicate isSanitizer(DataFlow::Node node) { none() } 
diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll index acb029c23d9..257c4c2fe59 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll @@ -61,7 +61,7 @@ abstract class Configuration extends DataFlow::Configuration { * The smaller this predicate is, the faster `hasFlow()` will converge. */ // overridden to provide taint-tracking specific qldoc - abstract override predicate isSource(DataFlow::Node source); + override predicate isSource(DataFlow::Node source) { none() } /** * Holds if `sink` is a relevant taint sink. @@ -69,7 +69,7 @@ abstract class Configuration extends DataFlow::Configuration { * The smaller this predicate is, the faster `hasFlow()` will converge. */ // overridden to provide taint-tracking specific qldoc - abstract override predicate isSink(DataFlow::Node sink); + override predicate isSink(DataFlow::Node sink) { none() } /** Holds if the node `node` is a taint sanitizer. */ predicate isSanitizer(DataFlow::Node node) { none() } diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll index 3e4b3d84724..a265b4cbd27 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll @@ -54,7 +54,7 @@ abstract class Configuration extends string { /** * Holds if `source` is a relevant data flow source. */ - abstract predicate isSource(Node source); + predicate isSource(Node source) { none() } /** * Holds if `source` is a relevant data flow source with the given initial 
@@ -65,7 +65,7 @@ abstract class Configuration extends string { /** * Holds if `sink` is a relevant data flow sink. */ - abstract predicate isSink(Node sink); + predicate isSink(Node sink) { none() } /** * Holds if `sink` is a relevant data flow sink accepting `state`. @@ -308,16 +308,18 @@ private class RetNodeEx extends NodeEx { private predicate inBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierIn(n) and - (config.isSource(n) or config.isSource(n, _)) + config.isBarrierIn(n) + | + config.isSource(n) or config.isSource(n, _) ) } private predicate outBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierOut(n) and - (config.isSink(n) or config.isSink(n, _)) + config.isBarrierOut(n) + | + config.isSink(n) or config.isSink(n, _) ) } @@ -1586,9 +1588,11 @@ private module Stage2 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -2349,9 +2353,11 @@ private module Stage3 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config 
@@ -3175,9 +3181,11 @@ private module Stage4 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -3990,14 +3998,10 @@ private predicate pathIntoArg( PathNodeMid mid, ParameterPosition ppos, FlowState state, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa, Configuration config ) { - exists(ArgNode arg, ArgumentPosition apos | - arg = mid.getNodeEx().asNode() and - state = mid.getState() and - cc = mid.getCallContext() and - arg.argumentOf(call, apos) and - ap = mid.getAp() and + exists(ArgNodeEx arg, ArgumentPosition apos | + pathNode(mid, arg, state, cc, _, ap, config, _) and + arg.asNode().(ArgNode).argumentOf(call, apos) and apa = ap.getApprox() and - config = mid.getConfiguration() and parameterMatch(ppos, apos) ) } @@ -4063,13 +4067,8 @@ private predicate paramFlowsThrough( AccessPathApprox apa, Configuration config ) { exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos | - mid.getNodeEx() = ret and + pathNode(mid, ret, state, cc, sc, ap, config, _) and kind = ret.getKind() and - state = mid.getState() and - cc = mid.getCallContext() and - sc = mid.getSummaryCtx() and - config = mid.getConfiguration() and - ap = mid.getAp() and apa = ap.getApprox() and pos = sc.getParameterPos() and // we don't expect a parameter to return stored in itself, unless explicitly allowed 
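Review bot: In `pathIntoArg` (`@@ -3990,14`) the call `pathNode(mid, arg, state, cc, _, ap, config, _)` is not obviously equivalent to the getter conjuncts it replaces: `pathNode` is defined outside this diff, and its fifth and eighth columns are bound to `_`, so if either can be empty for some `mid`, those path nodes silently drop out of the relation. Lost path nodes mean lost flow, so please confirm that `pathNode` holds for every `PathNodeMid` and record it next to the call, e.g. `// pathNode binds exactly the PathNodeMid getters; its last column always has a value`. The inline cast in `arg.asNode().(ArgNode).argumentOf(call, apos)` also looks redundant if `ArgNodeEx` already guarantees an `ArgNode`, though that class is not visible here. The same applies to the `pathNode` calls in `paramFlowsThrough` (`@@ -4063,13`, whose body continues past the hunk) and in `Subpaths` (`@@ -4150,13`), and to the synced copies.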
@@ -4150,13 +4149,8 @@ private module Subpaths { ) { exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode | subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and - ret.getNodeEx() = retnode and - kind = retnode.getKind() and - innercc = ret.getCallContext() and - sc = ret.getSummaryCtx() and - ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and - sout = ret.getState() and - apout = ret.getAp() + pathNode(ret, retnode, sout, innercc, sc, apout, unbindConf(getPathNodeConf(arg)), _) and + kind = retnode.getKind() ) } diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll index 3e4b3d84724..a265b4cbd27 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll @@ -54,7 +54,7 @@ abstract class Configuration extends string { /** * Holds if `source` is a relevant data flow source. */ - abstract predicate isSource(Node source); + predicate isSource(Node source) { none() } /** * Holds if `source` is a relevant data flow source with the given initial @@ -65,7 +65,7 @@ abstract class Configuration extends string { /** * Holds if `sink` is a relevant data flow sink. */ - abstract predicate isSink(Node sink); + predicate isSink(Node sink) { none() } /** * Holds if `sink` is a relevant data flow sink accepting `state`. 
@@ -308,16 +308,18 @@ private class RetNodeEx extends NodeEx { private predicate inBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierIn(n) and - (config.isSource(n) or config.isSource(n, _)) + config.isBarrierIn(n) + | + config.isSource(n) or config.isSource(n, _) ) } private predicate outBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierOut(n) and - (config.isSink(n) or config.isSink(n, _)) + config.isBarrierOut(n) + | + config.isSink(n) or config.isSink(n, _) ) } @@ -1586,9 +1588,11 @@ private module Stage2 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -2349,9 +2353,11 @@ private module Stage3 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config 
@@ -3175,9 +3181,11 @@ private module Stage4 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -3990,14 +3998,10 @@ private predicate pathIntoArg( PathNodeMid mid, ParameterPosition ppos, FlowState state, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa, Configuration config ) { - exists(ArgNode arg, ArgumentPosition apos | - arg = mid.getNodeEx().asNode() and - state = mid.getState() and - cc = mid.getCallContext() and - arg.argumentOf(call, apos) and - ap = mid.getAp() and + exists(ArgNodeEx arg, ArgumentPosition apos | + pathNode(mid, arg, state, cc, _, ap, config, _) and + arg.asNode().(ArgNode).argumentOf(call, apos) and apa = ap.getApprox() and - config = mid.getConfiguration() and parameterMatch(ppos, apos) ) } @@ -4063,13 +4067,8 @@ private predicate paramFlowsThrough( AccessPathApprox apa, Configuration config ) { exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos | - mid.getNodeEx() = ret and + pathNode(mid, ret, state, cc, sc, ap, config, _) and kind = ret.getKind() and - state = mid.getState() and - cc = mid.getCallContext() and - sc = mid.getSummaryCtx() and - config = mid.getConfiguration() and - ap = mid.getAp() and apa = ap.getApprox() and pos = sc.getParameterPos() and // we don't expect a parameter to return stored in itself, unless explicitly allowed 
@@ -4150,13 +4149,8 @@ private module Subpaths { ) { exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode | subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and - ret.getNodeEx() = retnode and - kind = retnode.getKind() and - innercc = ret.getCallContext() and - sc = ret.getSummaryCtx() and - ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and - sout = ret.getState() and - apout = ret.getAp() + pathNode(ret, retnode, sout, innercc, sc, apout, unbindConf(getPathNodeConf(arg)), _) and + kind = retnode.getKind() ) } diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll index 3e4b3d84724..a265b4cbd27 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll @@ -54,7 +54,7 @@ abstract class Configuration extends string { /** * Holds if `source` is a relevant data flow source. */ - abstract predicate isSource(Node source); + predicate isSource(Node source) { none() } /** * Holds if `source` is a relevant data flow source with the given initial @@ -65,7 +65,7 @@ abstract class Configuration extends string { /** * Holds if `sink` is a relevant data flow sink. */ - abstract predicate isSink(Node sink); + predicate isSink(Node sink) { none() } /** * Holds if `sink` is a relevant data flow sink accepting `state`. 
@@ -308,16 +308,18 @@ private class RetNodeEx extends NodeEx { private predicate inBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierIn(n) and - (config.isSource(n) or config.isSource(n, _)) + config.isBarrierIn(n) + | + config.isSource(n) or config.isSource(n, _) ) } private predicate outBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierOut(n) and - (config.isSink(n) or config.isSink(n, _)) + config.isBarrierOut(n) + | + config.isSink(n) or config.isSink(n, _) ) } @@ -1586,9 +1588,11 @@ private module Stage2 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -2349,9 +2353,11 @@ private module Stage3 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config 
@@ -3175,9 +3181,11 @@ private module Stage4 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -3990,14 +3998,10 @@ private predicate pathIntoArg( PathNodeMid mid, ParameterPosition ppos, FlowState state, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa, Configuration config ) { - exists(ArgNode arg, ArgumentPosition apos | - arg = mid.getNodeEx().asNode() and - state = mid.getState() and - cc = mid.getCallContext() and - arg.argumentOf(call, apos) and - ap = mid.getAp() and + exists(ArgNodeEx arg, ArgumentPosition apos | + pathNode(mid, arg, state, cc, _, ap, config, _) and + arg.asNode().(ArgNode).argumentOf(call, apos) and apa = ap.getApprox() and - config = mid.getConfiguration() and parameterMatch(ppos, apos) ) } @@ -4063,13 +4067,8 @@ private predicate paramFlowsThrough( AccessPathApprox apa, Configuration config ) { exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos | - mid.getNodeEx() = ret and + pathNode(mid, ret, state, cc, sc, ap, config, _) and kind = ret.getKind() and - state = mid.getState() and - cc = mid.getCallContext() and - sc = mid.getSummaryCtx() and - config = mid.getConfiguration() and - ap = mid.getAp() and apa = ap.getApprox() and pos = sc.getParameterPos() and // we don't expect a parameter to return stored in itself, unless explicitly allowed 
@@ -4150,13 +4149,8 @@ private module Subpaths { ) { exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode | subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and - ret.getNodeEx() = retnode and - kind = retnode.getKind() and - innercc = ret.getCallContext() and - sc = ret.getSummaryCtx() and - ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and - sout = ret.getState() and - apout = ret.getAp() + pathNode(ret, retnode, sout, innercc, sc, apout, unbindConf(getPathNodeConf(arg)), _) and + kind = retnode.getKind() ) } diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll index 3e4b3d84724..a265b4cbd27 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll @@ -54,7 +54,7 @@ abstract class Configuration extends string { /** * Holds if `source` is a relevant data flow source. */ - abstract predicate isSource(Node source); + predicate isSource(Node source) { none() } /** * Holds if `source` is a relevant data flow source with the given initial @@ -65,7 +65,7 @@ abstract class Configuration extends string { /** * Holds if `sink` is a relevant data flow sink. */ - abstract predicate isSink(Node sink); + predicate isSink(Node sink) { none() } /** * Holds if `sink` is a relevant data flow sink accepting `state`. 
@@ -308,16 +308,18 @@ private class RetNodeEx extends NodeEx { private predicate inBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierIn(n) and - (config.isSource(n) or config.isSource(n, _)) + config.isBarrierIn(n) + | + config.isSource(n) or config.isSource(n, _) ) } private predicate outBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierOut(n) and - (config.isSink(n) or config.isSink(n, _)) + config.isBarrierOut(n) + | + config.isSink(n) or config.isSink(n, _) ) } @@ -1586,9 +1588,11 @@ private module Stage2 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -2349,9 +2353,11 @@ private module Stage3 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config 
@@ -3175,9 +3181,11 @@ private module Stage4 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -3990,14 +3998,10 @@ private predicate pathIntoArg( PathNodeMid mid, ParameterPosition ppos, FlowState state, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa, Configuration config ) { - exists(ArgNode arg, ArgumentPosition apos | - arg = mid.getNodeEx().asNode() and - state = mid.getState() and - cc = mid.getCallContext() and - arg.argumentOf(call, apos) and - ap = mid.getAp() and + exists(ArgNodeEx arg, ArgumentPosition apos | + pathNode(mid, arg, state, cc, _, ap, config, _) and + arg.asNode().(ArgNode).argumentOf(call, apos) and apa = ap.getApprox() and - config = mid.getConfiguration() and parameterMatch(ppos, apos) ) } @@ -4063,13 +4067,8 @@ private predicate paramFlowsThrough( AccessPathApprox apa, Configuration config ) { exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos | - mid.getNodeEx() = ret and + pathNode(mid, ret, state, cc, sc, ap, config, _) and kind = ret.getKind() and - state = mid.getState() and - cc = mid.getCallContext() and - sc = mid.getSummaryCtx() and - config = mid.getConfiguration() and - ap = mid.getAp() and apa = ap.getApprox() and pos = sc.getParameterPos() and // we don't expect a parameter to return stored in itself, unless explicitly allowed 
@@ -4150,13 +4149,8 @@ private module Subpaths { ) { exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode | subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and - ret.getNodeEx() = retnode and - kind = retnode.getKind() and - innercc = ret.getCallContext() and - sc = ret.getSummaryCtx() and - ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and - sout = ret.getState() and - apout = ret.getAp() + pathNode(ret, retnode, sout, innercc, sc, apout, unbindConf(getPathNodeConf(arg)), _) and + kind = retnode.getKind() ) } diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll index acb029c23d9..257c4c2fe59 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking1/TaintTrackingImpl.qll @@ -61,7 +61,7 @@ abstract class Configuration extends DataFlow::Configuration { * The smaller this predicate is, the faster `hasFlow()` will converge. */ // overridden to provide taint-tracking specific qldoc - abstract override predicate isSource(DataFlow::Node source); + override predicate isSource(DataFlow::Node source) { none() } /** * Holds if `sink` is a relevant taint sink. @@ -69,7 +69,7 @@ abstract class Configuration extends DataFlow::Configuration { * The smaller this predicate is, the faster `hasFlow()` will converge. */ // overridden to provide taint-tracking specific qldoc - abstract override predicate isSink(DataFlow::Node sink); + override predicate isSink(DataFlow::Node sink) { none() } /** Holds if the node `node` is a taint sanitizer. */ predicate isSanitizer(DataFlow::Node node) { none() } 
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll index acb029c23d9..257c4c2fe59 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking2/TaintTrackingImpl.qll @@ -61,7 +61,7 @@ abstract class Configuration extends DataFlow::Configuration { * The smaller this predicate is, the faster `hasFlow()` will converge. */ // overridden to provide taint-tracking specific qldoc - abstract override predicate isSource(DataFlow::Node source); + override predicate isSource(DataFlow::Node source) { none() } /** * Holds if `sink` is a relevant taint sink. @@ -69,7 +69,7 @@ abstract class Configuration extends DataFlow::Configuration { * The smaller this predicate is, the faster `hasFlow()` will converge. */ // overridden to provide taint-tracking specific qldoc - abstract override predicate isSink(DataFlow::Node sink); + override predicate isSink(DataFlow::Node sink) { none() } /** Holds if the node `node` is a taint sanitizer. */ predicate isSanitizer(DataFlow::Node node) { none() } diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll index acb029c23d9..257c4c2fe59 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/tainttracking3/TaintTrackingImpl.qll 
@@ -61,7 +61,7 @@ abstract class Configuration extends DataFlow::Configuration { * The smaller this predicate is, the faster `hasFlow()` will converge. */ // overridden to provide taint-tracking specific qldoc - abstract override predicate isSource(DataFlow::Node source); + override predicate isSource(DataFlow::Node source) { none() } /** * Holds if `sink` is a relevant taint sink. @@ -69,7 +69,7 @@ abstract class Configuration extends DataFlow::Configuration { * The smaller this predicate is, the faster `hasFlow()` will converge. */ // overridden to provide taint-tracking specific qldoc - abstract override predicate isSink(DataFlow::Node sink); + override predicate isSink(DataFlow::Node sink) { none() } /** Holds if the node `node` is a taint sanitizer. */ predicate isSanitizer(DataFlow::Node node) { none() } diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll index 3e4b3d84724..a265b4cbd27 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll @@ -54,7 +54,7 @@ abstract class Configuration extends string { /** * Holds if `source` is a relevant data flow source. */ - abstract predicate isSource(Node source); + predicate isSource(Node source) { none() } /** * Holds if `source` is a relevant data flow source with the given initial @@ -65,7 +65,7 @@ abstract class Configuration extends string { /** * Holds if `sink` is a relevant data flow sink. */ - abstract predicate isSink(Node sink); + predicate isSink(Node sink) { none() } /** * Holds if `sink` is a relevant data flow sink accepting `state`. 
@@ -308,16 +308,18 @@ private class RetNodeEx extends NodeEx { private predicate inBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierIn(n) and - (config.isSource(n) or config.isSource(n, _)) + config.isBarrierIn(n) + | + config.isSource(n) or config.isSource(n, _) ) } private predicate outBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierOut(n) and - (config.isSink(n) or config.isSink(n, _)) + config.isBarrierOut(n) + | + config.isSink(n) or config.isSink(n, _) ) } @@ -1586,9 +1588,11 @@ private module Stage2 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -2349,9 +2353,11 @@ private module Stage3 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config 
@@ -3175,9 +3181,11 @@ private module Stage4 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -3990,14 +3998,10 @@ private predicate pathIntoArg( PathNodeMid mid, ParameterPosition ppos, FlowState state, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa, Configuration config ) { - exists(ArgNode arg, ArgumentPosition apos | - arg = mid.getNodeEx().asNode() and - state = mid.getState() and - cc = mid.getCallContext() and - arg.argumentOf(call, apos) and - ap = mid.getAp() and + exists(ArgNodeEx arg, ArgumentPosition apos | + pathNode(mid, arg, state, cc, _, ap, config, _) and + arg.asNode().(ArgNode).argumentOf(call, apos) and apa = ap.getApprox() and - config = mid.getConfiguration() and parameterMatch(ppos, apos) ) } @@ -4063,13 +4067,8 @@ private predicate paramFlowsThrough( AccessPathApprox apa, Configuration config ) { exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos | - mid.getNodeEx() = ret and + pathNode(mid, ret, state, cc, sc, ap, config, _) and kind = ret.getKind() and - state = mid.getState() and - cc = mid.getCallContext() and - sc = mid.getSummaryCtx() and - config = mid.getConfiguration() and - ap = mid.getAp() and apa = ap.getApprox() and pos = sc.getParameterPos() and // we don't expect a parameter to return stored in itself, unless explicitly allowed 
@@ -4150,13 +4149,8 @@ private module Subpaths { ) { exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode | subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and - ret.getNodeEx() = retnode and - kind = retnode.getKind() and - innercc = ret.getCallContext() and - sc = ret.getSummaryCtx() and - ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and - sout = ret.getState() and - apout = ret.getAp() + pathNode(ret, retnode, sout, innercc, sc, apout, unbindConf(getPathNodeConf(arg)), _) and + kind = retnode.getKind() ) } diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll index 3e4b3d84724..a265b4cbd27 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll @@ -54,7 +54,7 @@ abstract class Configuration extends string { /** * Holds if `source` is a relevant data flow source. */ - abstract predicate isSource(Node source); + predicate isSource(Node source) { none() } /** * Holds if `source` is a relevant data flow source with the given initial @@ -65,7 +65,7 @@ abstract class Configuration extends string { /** * Holds if `sink` is a relevant data flow sink. */ - abstract predicate isSink(Node sink); + predicate isSink(Node sink) { none() } /** * Holds if `sink` is a relevant data flow sink accepting `state`. 
@@ -308,16 +308,18 @@ private class RetNodeEx extends NodeEx { private predicate inBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierIn(n) and - (config.isSource(n) or config.isSource(n, _)) + config.isBarrierIn(n) + | + config.isSource(n) or config.isSource(n, _) ) } private predicate outBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierOut(n) and - (config.isSink(n) or config.isSink(n, _)) + config.isBarrierOut(n) + | + config.isSink(n) or config.isSink(n, _) ) } @@ -1586,9 +1588,11 @@ private module Stage2 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -2349,9 +2353,11 @@ private module Stage3 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config 
@@ -3175,9 +3181,11 @@ private module Stage4 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -3990,14 +3998,10 @@ private predicate pathIntoArg( PathNodeMid mid, ParameterPosition ppos, FlowState state, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa, Configuration config ) { - exists(ArgNode arg, ArgumentPosition apos | - arg = mid.getNodeEx().asNode() and - state = mid.getState() and - cc = mid.getCallContext() and - arg.argumentOf(call, apos) and - ap = mid.getAp() and + exists(ArgNodeEx arg, ArgumentPosition apos | + pathNode(mid, arg, state, cc, _, ap, config, _) and + arg.asNode().(ArgNode).argumentOf(call, apos) and apa = ap.getApprox() and - config = mid.getConfiguration() and parameterMatch(ppos, apos) ) } @@ -4063,13 +4067,8 @@ private predicate paramFlowsThrough( AccessPathApprox apa, Configuration config ) { exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos | - mid.getNodeEx() = ret and + pathNode(mid, ret, state, cc, sc, ap, config, _) and kind = ret.getKind() and - state = mid.getState() and - cc = mid.getCallContext() and - sc = mid.getSummaryCtx() and - config = mid.getConfiguration() and - ap = mid.getAp() and apa = ap.getApprox() and pos = sc.getParameterPos() and // we don't expect a parameter to return stored in itself, unless explicitly allowed 
@@ -4150,13 +4149,8 @@ private module Subpaths { ) { exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode | subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and - ret.getNodeEx() = retnode and - kind = retnode.getKind() and - innercc = ret.getCallContext() and - sc = ret.getSummaryCtx() and - ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and - sout = ret.getState() and - apout = ret.getAp() + pathNode(ret, retnode, sout, innercc, sc, apout, unbindConf(getPathNodeConf(arg)), _) and + kind = retnode.getKind() ) } diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll index 3e4b3d84724..a265b4cbd27 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll @@ -54,7 +54,7 @@ abstract class Configuration extends string { /** * Holds if `source` is a relevant data flow source. */ - abstract predicate isSource(Node source); + predicate isSource(Node source) { none() } /** * Holds if `source` is a relevant data flow source with the given initial @@ -65,7 +65,7 @@ abstract class Configuration extends string { /** * Holds if `sink` is a relevant data flow sink. */ - abstract predicate isSink(Node sink); + predicate isSink(Node sink) { none() } /** * Holds if `sink` is a relevant data flow sink accepting `state`. 
@@ -308,16 +308,18 @@ private class RetNodeEx extends NodeEx { private predicate inBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierIn(n) and - (config.isSource(n) or config.isSource(n, _)) + config.isBarrierIn(n) + | + config.isSource(n) or config.isSource(n, _) ) } private predicate outBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierOut(n) and - (config.isSink(n) or config.isSink(n, _)) + config.isBarrierOut(n) + | + config.isSink(n) or config.isSink(n, _) ) } @@ -1586,9 +1588,11 @@ private module Stage2 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -2349,9 +2353,11 @@ private module Stage3 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config 
@@ -3175,9 +3181,11 @@ private module Stage4 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -3990,14 +3998,10 @@ private predicate pathIntoArg( PathNodeMid mid, ParameterPosition ppos, FlowState state, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa, Configuration config ) { - exists(ArgNode arg, ArgumentPosition apos | - arg = mid.getNodeEx().asNode() and - state = mid.getState() and - cc = mid.getCallContext() and - arg.argumentOf(call, apos) and - ap = mid.getAp() and + exists(ArgNodeEx arg, ArgumentPosition apos | + pathNode(mid, arg, state, cc, _, ap, config, _) and + arg.asNode().(ArgNode).argumentOf(call, apos) and apa = ap.getApprox() and - config = mid.getConfiguration() and parameterMatch(ppos, apos) ) } @@ -4063,13 +4067,8 @@ private predicate paramFlowsThrough( AccessPathApprox apa, Configuration config ) { exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos | - mid.getNodeEx() = ret and + pathNode(mid, ret, state, cc, sc, ap, config, _) and kind = ret.getKind() and - state = mid.getState() and - cc = mid.getCallContext() and - sc = mid.getSummaryCtx() and - config = mid.getConfiguration() and - ap = mid.getAp() and apa = ap.getApprox() and pos = sc.getParameterPos() and // we don't expect a parameter to return stored in itself, unless explicitly allowed 
@@ -4150,13 +4149,8 @@ private module Subpaths { ) { exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode | subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and - ret.getNodeEx() = retnode and - kind = retnode.getKind() and - innercc = ret.getCallContext() and - sc = ret.getSummaryCtx() and - ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and - sout = ret.getState() and - apout = ret.getAp() + pathNode(ret, retnode, sout, innercc, sc, apout, unbindConf(getPathNodeConf(arg)), _) and + kind = retnode.getKind() ) } diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll index 3e4b3d84724..a265b4cbd27 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll @@ -54,7 +54,7 @@ abstract class Configuration extends string { /** * Holds if `source` is a relevant data flow source. */ - abstract predicate isSource(Node source); + predicate isSource(Node source) { none() } /** * Holds if `source` is a relevant data flow source with the given initial @@ -65,7 +65,7 @@ abstract class Configuration extends string { /** * Holds if `sink` is a relevant data flow sink. */ - abstract predicate isSink(Node sink); + predicate isSink(Node sink) { none() } /** * Holds if `sink` is a relevant data flow sink accepting `state`. 
@@ -308,16 +308,18 @@ private class RetNodeEx extends NodeEx { private predicate inBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierIn(n) and - (config.isSource(n) or config.isSource(n, _)) + config.isBarrierIn(n) + | + config.isSource(n) or config.isSource(n, _) ) } private predicate outBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierOut(n) and - (config.isSink(n) or config.isSink(n, _)) + config.isBarrierOut(n) + | + config.isSink(n) or config.isSink(n, _) ) } @@ -1586,9 +1588,11 @@ private module Stage2 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -2349,9 +2353,11 @@ private module Stage3 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config 
@@ -3175,9 +3181,11 @@ private module Stage4 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -3990,14 +3998,10 @@ private predicate pathIntoArg( PathNodeMid mid, ParameterPosition ppos, FlowState state, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa, Configuration config ) { - exists(ArgNode arg, ArgumentPosition apos | - arg = mid.getNodeEx().asNode() and - state = mid.getState() and - cc = mid.getCallContext() and - arg.argumentOf(call, apos) and - ap = mid.getAp() and + exists(ArgNodeEx arg, ArgumentPosition apos | + pathNode(mid, arg, state, cc, _, ap, config, _) and + arg.asNode().(ArgNode).argumentOf(call, apos) and apa = ap.getApprox() and - config = mid.getConfiguration() and parameterMatch(ppos, apos) ) } @@ -4063,13 +4067,8 @@ private predicate paramFlowsThrough( AccessPathApprox apa, Configuration config ) { exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos | - mid.getNodeEx() = ret and + pathNode(mid, ret, state, cc, sc, ap, config, _) and kind = ret.getKind() and - state = mid.getState() and - cc = mid.getCallContext() and - sc = mid.getSummaryCtx() and - config = mid.getConfiguration() and - ap = mid.getAp() and apa = ap.getApprox() and pos = sc.getParameterPos() and // we don't expect a parameter to return stored in itself, unless explicitly allowed 
@@ -4150,13 +4149,8 @@ private module Subpaths { ) { exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode | subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and - ret.getNodeEx() = retnode and - kind = retnode.getKind() and - innercc = ret.getCallContext() and - sc = ret.getSummaryCtx() and - ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and - sout = ret.getState() and - apout = ret.getAp() + pathNode(ret, retnode, sout, innercc, sc, apout, unbindConf(getPathNodeConf(arg)), _) and + kind = retnode.getKind() ) } diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll index 3e4b3d84724..a265b4cbd27 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll @@ -54,7 +54,7 @@ abstract class Configuration extends string { /** * Holds if `source` is a relevant data flow source. */ - abstract predicate isSource(Node source); + predicate isSource(Node source) { none() } /** * Holds if `source` is a relevant data flow source with the given initial @@ -65,7 +65,7 @@ abstract class Configuration extends string { /** * Holds if `sink` is a relevant data flow sink. */ - abstract predicate isSink(Node sink); + predicate isSink(Node sink) { none() } /** * Holds if `sink` is a relevant data flow sink accepting `state`. 
@@ -308,16 +308,18 @@ private class RetNodeEx extends NodeEx { private predicate inBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierIn(n) and - (config.isSource(n) or config.isSource(n, _)) + config.isBarrierIn(n) + | + config.isSource(n) or config.isSource(n, _) ) } private predicate outBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierOut(n) and - (config.isSink(n) or config.isSink(n, _)) + config.isBarrierOut(n) + | + config.isSink(n) or config.isSink(n, _) ) } @@ -1586,9 +1588,11 @@ private module Stage2 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -2349,9 +2353,11 @@ private module Stage3 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config 
@@ -3175,9 +3181,11 @@ private module Stage4 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -3990,14 +3998,10 @@ private predicate pathIntoArg( PathNodeMid mid, ParameterPosition ppos, FlowState state, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa, Configuration config ) { - exists(ArgNode arg, ArgumentPosition apos | - arg = mid.getNodeEx().asNode() and - state = mid.getState() and - cc = mid.getCallContext() and - arg.argumentOf(call, apos) and - ap = mid.getAp() and + exists(ArgNodeEx arg, ArgumentPosition apos | + pathNode(mid, arg, state, cc, _, ap, config, _) and + arg.asNode().(ArgNode).argumentOf(call, apos) and apa = ap.getApprox() and - config = mid.getConfiguration() and parameterMatch(ppos, apos) ) } @@ -4063,13 +4067,8 @@ private predicate paramFlowsThrough( AccessPathApprox apa, Configuration config ) { exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos | - mid.getNodeEx() = ret and + pathNode(mid, ret, state, cc, sc, ap, config, _) and kind = ret.getKind() and - state = mid.getState() and - cc = mid.getCallContext() and - sc = mid.getSummaryCtx() and - config = mid.getConfiguration() and - ap = mid.getAp() and apa = ap.getApprox() and pos = sc.getParameterPos() and // we don't expect a parameter to return stored in itself, unless explicitly allowed 
@@ -4150,13 +4149,8 @@ private module Subpaths { ) { exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode | subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and - ret.getNodeEx() = retnode and - kind = retnode.getKind() and - innercc = ret.getCallContext() and - sc = ret.getSummaryCtx() and - ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and - sout = ret.getState() and - apout = ret.getAp() + pathNode(ret, retnode, sout, innercc, sc, apout, unbindConf(getPathNodeConf(arg)), _) and + kind = retnode.getKind() ) } diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll index acb029c23d9..257c4c2fe59 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking1/TaintTrackingImpl.qll @@ -61,7 +61,7 @@ abstract class Configuration extends DataFlow::Configuration { * The smaller this predicate is, the faster `hasFlow()` will converge. */ // overridden to provide taint-tracking specific qldoc - abstract override predicate isSource(DataFlow::Node source); + override predicate isSource(DataFlow::Node source) { none() } /** * Holds if `sink` is a relevant taint sink. @@ -69,7 +69,7 @@ abstract class Configuration extends DataFlow::Configuration { * The smaller this predicate is, the faster `hasFlow()` will converge. */ // overridden to provide taint-tracking specific qldoc - abstract override predicate isSink(DataFlow::Node sink); + override predicate isSink(DataFlow::Node sink) { none() } /** Holds if the node `node` is a taint sanitizer. */ predicate isSanitizer(DataFlow::Node node) { none() } 
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll index acb029c23d9..257c4c2fe59 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking2/TaintTrackingImpl.qll @@ -61,7 +61,7 @@ abstract class Configuration extends DataFlow::Configuration { * The smaller this predicate is, the faster `hasFlow()` will converge. */ // overridden to provide taint-tracking specific qldoc - abstract override predicate isSource(DataFlow::Node source); + override predicate isSource(DataFlow::Node source) { none() } /** * Holds if `sink` is a relevant taint sink. @@ -69,7 +69,7 @@ abstract class Configuration extends DataFlow::Configuration { * The smaller this predicate is, the faster `hasFlow()` will converge. */ // overridden to provide taint-tracking specific qldoc - abstract override predicate isSink(DataFlow::Node sink); + override predicate isSink(DataFlow::Node sink) { none() } /** Holds if the node `node` is a taint sanitizer. */ predicate isSanitizer(DataFlow::Node node) { none() } diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll index acb029c23d9..257c4c2fe59 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking3/TaintTrackingImpl.qll 
@@ -61,7 +61,7 @@ abstract class Configuration extends DataFlow::Configuration { * The smaller this predicate is, the faster `hasFlow()` will converge. */ // overridden to provide taint-tracking specific qldoc - abstract override predicate isSource(DataFlow::Node source); + override predicate isSource(DataFlow::Node source) { none() } /** * Holds if `sink` is a relevant taint sink. @@ -69,7 +69,7 @@ abstract class Configuration extends DataFlow::Configuration { * The smaller this predicate is, the faster `hasFlow()` will converge. */ // overridden to provide taint-tracking specific qldoc - abstract override predicate isSink(DataFlow::Node sink); + override predicate isSink(DataFlow::Node sink) { none() } /** Holds if the node `node` is a taint sanitizer. */ predicate isSanitizer(DataFlow::Node node) { none() } diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingImpl.qll index acb029c23d9..257c4c2fe59 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingImpl.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking4/TaintTrackingImpl.qll @@ -61,7 +61,7 @@ abstract class Configuration extends DataFlow::Configuration { * The smaller this predicate is, the faster `hasFlow()` will converge. */ // overridden to provide taint-tracking specific qldoc - abstract override predicate isSource(DataFlow::Node source); + override predicate isSource(DataFlow::Node source) { none() } /** * Holds if `sink` is a relevant taint sink. 
@@ -69,7 +69,7 @@ abstract class Configuration extends DataFlow::Configuration { * The smaller this predicate is, the faster `hasFlow()` will converge. */ // overridden to provide taint-tracking specific qldoc - abstract override predicate isSink(DataFlow::Node sink); + override predicate isSink(DataFlow::Node sink) { none() } /** Holds if the node `node` is a taint sanitizer. */ predicate isSanitizer(DataFlow::Node node) { none() } diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll index acb029c23d9..257c4c2fe59 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/tainttracking5/TaintTrackingImpl.qll @@ -61,7 +61,7 @@ abstract class Configuration extends DataFlow::Configuration { * The smaller this predicate is, the faster `hasFlow()` will converge. */ // overridden to provide taint-tracking specific qldoc - abstract override predicate isSource(DataFlow::Node source); + override predicate isSource(DataFlow::Node source) { none() } /** * Holds if `sink` is a relevant taint sink. @@ -69,7 +69,7 @@ abstract class Configuration extends DataFlow::Configuration { * The smaller this predicate is, the faster `hasFlow()` will converge. */ // overridden to provide taint-tracking specific qldoc - abstract override predicate isSink(DataFlow::Node sink); + override predicate isSink(DataFlow::Node sink) { none() } /** Holds if the node `node` is a taint sanitizer. */ predicate isSanitizer(DataFlow::Node node) { none() } diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll index 3e4b3d84724..a265b4cbd27 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll 
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll @@ -54,7 +54,7 @@ abstract class Configuration extends string { /** * Holds if `source` is a relevant data flow source. */ - abstract predicate isSource(Node source); + predicate isSource(Node source) { none() } /** * Holds if `source` is a relevant data flow source with the given initial @@ -65,7 +65,7 @@ abstract class Configuration extends string { /** * Holds if `sink` is a relevant data flow sink. */ - abstract predicate isSink(Node sink); + predicate isSink(Node sink) { none() } /** * Holds if `sink` is a relevant data flow sink accepting `state`. @@ -308,16 +308,18 @@ private class RetNodeEx extends NodeEx { private predicate inBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierIn(n) and - (config.isSource(n) or config.isSource(n, _)) + config.isBarrierIn(n) + | + config.isSource(n) or config.isSource(n, _) ) } private predicate outBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierOut(n) and - (config.isSink(n) or config.isSink(n, _)) + config.isBarrierOut(n) + | + config.isSink(n) or config.isSink(n, _) ) } @@ -1586,9 +1588,11 @@ private module Stage2 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config 
@@ -2349,9 +2353,11 @@ private module Stage3 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -3175,9 +3181,11 @@ private module Stage4 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -3990,14 +3998,10 @@ private predicate pathIntoArg( PathNodeMid mid, ParameterPosition ppos, FlowState state, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa, Configuration config ) { - exists(ArgNode arg, ArgumentPosition apos | - arg = mid.getNodeEx().asNode() and - state = mid.getState() and - cc = mid.getCallContext() and - arg.argumentOf(call, apos) and - ap = mid.getAp() and + exists(ArgNodeEx arg, ArgumentPosition apos | + pathNode(mid, arg, state, cc, _, ap, config, _) and + arg.asNode().(ArgNode).argumentOf(call, apos) and apa = ap.getApprox() and - config = mid.getConfiguration() and parameterMatch(ppos, apos) ) } 
@@ -4063,13 +4067,8 @@ private predicate paramFlowsThrough( AccessPathApprox apa, Configuration config ) { exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos | - mid.getNodeEx() = ret and + pathNode(mid, ret, state, cc, sc, ap, config, _) and kind = ret.getKind() and - state = mid.getState() and - cc = mid.getCallContext() and - sc = mid.getSummaryCtx() and - config = mid.getConfiguration() and - ap = mid.getAp() and apa = ap.getApprox() and pos = sc.getParameterPos() and // we don't expect a parameter to return stored in itself, unless explicitly allowed @@ -4150,13 +4149,8 @@ private module Subpaths { ) { exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode | subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and - ret.getNodeEx() = retnode and - kind = retnode.getKind() and - innercc = ret.getCallContext() and - sc = ret.getSummaryCtx() and - ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and - sout = ret.getState() and - apout = ret.getAp() + pathNode(ret, retnode, sout, innercc, sc, apout, unbindConf(getPathNodeConf(arg)), _) and + kind = retnode.getKind() ) } diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll index 3e4b3d84724..a265b4cbd27 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl3.qll @@ -54,7 +54,7 @@ abstract class Configuration extends string { /** * Holds if `source` is a relevant data flow source. */ - abstract predicate isSource(Node source); + predicate isSource(Node source) { none() } /** * Holds if `source` is a relevant data flow source with the given initial 
@@ -65,7 +65,7 @@ abstract class Configuration extends string { /** * Holds if `sink` is a relevant data flow sink. */ - abstract predicate isSink(Node sink); + predicate isSink(Node sink) { none() } /** * Holds if `sink` is a relevant data flow sink accepting `state`. @@ -308,16 +308,18 @@ private class RetNodeEx extends NodeEx { private predicate inBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierIn(n) and - (config.isSource(n) or config.isSource(n, _)) + config.isBarrierIn(n) + | + config.isSource(n) or config.isSource(n, _) ) } private predicate outBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierOut(n) and - (config.isSink(n) or config.isSink(n, _)) + config.isBarrierOut(n) + | + config.isSink(n) or config.isSink(n, _) ) } @@ -1586,9 +1588,11 @@ private module Stage2 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -2349,9 +2353,11 @@ private module Stage3 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config 
@@ -3175,9 +3181,11 @@ private module Stage4 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -3990,14 +3998,10 @@ private predicate pathIntoArg( PathNodeMid mid, ParameterPosition ppos, FlowState state, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa, Configuration config ) { - exists(ArgNode arg, ArgumentPosition apos | - arg = mid.getNodeEx().asNode() and - state = mid.getState() and - cc = mid.getCallContext() and - arg.argumentOf(call, apos) and - ap = mid.getAp() and + exists(ArgNodeEx arg, ArgumentPosition apos | + pathNode(mid, arg, state, cc, _, ap, config, _) and + arg.asNode().(ArgNode).argumentOf(call, apos) and apa = ap.getApprox() and - config = mid.getConfiguration() and parameterMatch(ppos, apos) ) } @@ -4063,13 +4067,8 @@ private predicate paramFlowsThrough( AccessPathApprox apa, Configuration config ) { exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos | - mid.getNodeEx() = ret and + pathNode(mid, ret, state, cc, sc, ap, config, _) and kind = ret.getKind() and - state = mid.getState() and - cc = mid.getCallContext() and - sc = mid.getSummaryCtx() and - config = mid.getConfiguration() and - ap = mid.getAp() and apa = ap.getApprox() and pos = sc.getParameterPos() and // we don't expect a parameter to return stored in itself, unless explicitly allowed 
@@ -4150,13 +4149,8 @@ private module Subpaths { ) { exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode | subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and - ret.getNodeEx() = retnode and - kind = retnode.getKind() and - innercc = ret.getCallContext() and - sc = ret.getSummaryCtx() and - ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and - sout = ret.getState() and - apout = ret.getAp() + pathNode(ret, retnode, sout, innercc, sc, apout, unbindConf(getPathNodeConf(arg)), _) and + kind = retnode.getKind() ) } diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll index 3e4b3d84724..a265b4cbd27 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl4.qll @@ -54,7 +54,7 @@ abstract class Configuration extends string { /** * Holds if `source` is a relevant data flow source. */ - abstract predicate isSource(Node source); + predicate isSource(Node source) { none() } /** * Holds if `source` is a relevant data flow source with the given initial @@ -65,7 +65,7 @@ abstract class Configuration extends string { /** * Holds if `sink` is a relevant data flow sink. */ - abstract predicate isSink(Node sink); + predicate isSink(Node sink) { none() } /** * Holds if `sink` is a relevant data flow sink accepting `state`. 
@@ -308,16 +308,18 @@ private class RetNodeEx extends NodeEx { private predicate inBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierIn(n) and - (config.isSource(n) or config.isSource(n, _)) + config.isBarrierIn(n) + | + config.isSource(n) or config.isSource(n, _) ) } private predicate outBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierOut(n) and - (config.isSink(n) or config.isSink(n, _)) + config.isBarrierOut(n) + | + config.isSink(n) or config.isSink(n, _) ) } @@ -1586,9 +1588,11 @@ private module Stage2 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -2349,9 +2353,11 @@ private module Stage3 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config 
@@ -3175,9 +3181,11 @@ private module Stage4 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -3990,14 +3998,10 @@ private predicate pathIntoArg( PathNodeMid mid, ParameterPosition ppos, FlowState state, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa, Configuration config ) { - exists(ArgNode arg, ArgumentPosition apos | - arg = mid.getNodeEx().asNode() and - state = mid.getState() and - cc = mid.getCallContext() and - arg.argumentOf(call, apos) and - ap = mid.getAp() and + exists(ArgNodeEx arg, ArgumentPosition apos | + pathNode(mid, arg, state, cc, _, ap, config, _) and + arg.asNode().(ArgNode).argumentOf(call, apos) and apa = ap.getApprox() and - config = mid.getConfiguration() and parameterMatch(ppos, apos) ) } @@ -4063,13 +4067,8 @@ private predicate paramFlowsThrough( AccessPathApprox apa, Configuration config ) { exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos | - mid.getNodeEx() = ret and + pathNode(mid, ret, state, cc, sc, ap, config, _) and kind = ret.getKind() and - state = mid.getState() and - cc = mid.getCallContext() and - sc = mid.getSummaryCtx() and - config = mid.getConfiguration() and - ap = mid.getAp() and apa = ap.getApprox() and pos = sc.getParameterPos() and // we don't expect a parameter to return stored in itself, unless explicitly allowed 
@@ -4150,13 +4149,8 @@ private module Subpaths { ) { exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode | subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and - ret.getNodeEx() = retnode and - kind = retnode.getKind() and - innercc = ret.getCallContext() and - sc = ret.getSummaryCtx() and - ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and - sout = ret.getState() and - apout = ret.getAp() + pathNode(ret, retnode, sout, innercc, sc, apout, unbindConf(getPathNodeConf(arg)), _) and + kind = retnode.getKind() ) } diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll index 3e4b3d84724..a265b4cbd27 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl5.qll @@ -54,7 +54,7 @@ abstract class Configuration extends string { /** * Holds if `source` is a relevant data flow source. */ - abstract predicate isSource(Node source); + predicate isSource(Node source) { none() } /** * Holds if `source` is a relevant data flow source with the given initial @@ -65,7 +65,7 @@ abstract class Configuration extends string { /** * Holds if `sink` is a relevant data flow sink. */ - abstract predicate isSink(Node sink); + predicate isSink(Node sink) { none() } /** * Holds if `sink` is a relevant data flow sink accepting `state`. 
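Review bot: With `isSource(Node)` no longer abstract and defaulting to `none()` (hunk `@@ -54,7 +54,7 @@`), a `Configuration` subclass that overrides neither it nor the `FlowState` variant now compiles and silently reports no flow, where a missing override used to be a compile error. The same holds for `isSink` in the next hunk and for the identical hunks in the other synced copies further down, including `tainttracking2/TaintTrackingImpl.qll`. In a security query an empty result reads as "nothing found", so the QLDoc should state the requirement. For example, add `* At least one of the two isSource predicates should be overridden; otherwise the configuration has no sources and finds no flow.` to the comment above `isSource`, with the matching sentence for `isSink`. The `Configuration` class continues outside the hunk, so the default of the two-argument variants is not visible here.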
@@ -308,16 +308,18 @@ private class RetNodeEx extends NodeEx { private predicate inBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierIn(n) and - (config.isSource(n) or config.isSource(n, _)) + config.isBarrierIn(n) + | + config.isSource(n) or config.isSource(n, _) ) } private predicate outBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierOut(n) and - (config.isSink(n) or config.isSink(n, _)) + config.isBarrierOut(n) + | + config.isSink(n) or config.isSink(n, _) ) } @@ -1586,9 +1588,11 @@ private module Stage2 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -2349,9 +2353,11 @@ private module Stage3 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config 
@@ -3175,9 +3181,11 @@ private module Stage4 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -3990,14 +3998,10 @@ private predicate pathIntoArg( PathNodeMid mid, ParameterPosition ppos, FlowState state, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa, Configuration config ) { - exists(ArgNode arg, ArgumentPosition apos | - arg = mid.getNodeEx().asNode() and - state = mid.getState() and - cc = mid.getCallContext() and - arg.argumentOf(call, apos) and - ap = mid.getAp() and + exists(ArgNodeEx arg, ArgumentPosition apos | + pathNode(mid, arg, state, cc, _, ap, config, _) and + arg.asNode().(ArgNode).argumentOf(call, apos) and apa = ap.getApprox() and - config = mid.getConfiguration() and parameterMatch(ppos, apos) ) } @@ -4063,13 +4067,8 @@ private predicate paramFlowsThrough( AccessPathApprox apa, Configuration config ) { exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos | - mid.getNodeEx() = ret and + pathNode(mid, ret, state, cc, sc, ap, config, _) and kind = ret.getKind() and - state = mid.getState() and - cc = mid.getCallContext() and - sc = mid.getSummaryCtx() and - config = mid.getConfiguration() and - ap = mid.getAp() and apa = ap.getApprox() and pos = sc.getParameterPos() and // we don't expect a parameter to return stored in itself, unless explicitly allowed 
@@ -4150,13 +4149,8 @@ private module Subpaths { ) { exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode | subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and - ret.getNodeEx() = retnode and - kind = retnode.getKind() and - innercc = ret.getCallContext() and - sc = ret.getSummaryCtx() and - ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and - sout = ret.getState() and - apout = ret.getAp() + pathNode(ret, retnode, sout, innercc, sc, apout, unbindConf(getPathNodeConf(arg)), _) and + kind = retnode.getKind() ) } diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll index 3e4b3d84724..a265b4cbd27 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl6.qll @@ -54,7 +54,7 @@ abstract class Configuration extends string { /** * Holds if `source` is a relevant data flow source. */ - abstract predicate isSource(Node source); + predicate isSource(Node source) { none() } /** * Holds if `source` is a relevant data flow source with the given initial @@ -65,7 +65,7 @@ abstract class Configuration extends string { /** * Holds if `sink` is a relevant data flow sink. */ - abstract predicate isSink(Node sink); + predicate isSink(Node sink) { none() } /** * Holds if `sink` is a relevant data flow sink accepting `state`. 
@@ -308,16 +308,18 @@ private class RetNodeEx extends NodeEx { private predicate inBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierIn(n) and - (config.isSource(n) or config.isSource(n, _)) + config.isBarrierIn(n) + | + config.isSource(n) or config.isSource(n, _) ) } private predicate outBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierOut(n) and - (config.isSink(n) or config.isSink(n, _)) + config.isBarrierOut(n) + | + config.isSink(n) or config.isSink(n, _) ) } @@ -1586,9 +1588,11 @@ private module Stage2 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -2349,9 +2353,11 @@ private module Stage3 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config 
@@ -3175,9 +3181,11 @@ private module Stage4 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -3990,14 +3998,10 @@ private predicate pathIntoArg( PathNodeMid mid, ParameterPosition ppos, FlowState state, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa, Configuration config ) { - exists(ArgNode arg, ArgumentPosition apos | - arg = mid.getNodeEx().asNode() and - state = mid.getState() and - cc = mid.getCallContext() and - arg.argumentOf(call, apos) and - ap = mid.getAp() and + exists(ArgNodeEx arg, ArgumentPosition apos | + pathNode(mid, arg, state, cc, _, ap, config, _) and + arg.asNode().(ArgNode).argumentOf(call, apos) and apa = ap.getApprox() and - config = mid.getConfiguration() and parameterMatch(ppos, apos) ) } @@ -4063,13 +4067,8 @@ private predicate paramFlowsThrough( AccessPathApprox apa, Configuration config ) { exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos | - mid.getNodeEx() = ret and + pathNode(mid, ret, state, cc, sc, ap, config, _) and kind = ret.getKind() and - state = mid.getState() and - cc = mid.getCallContext() and - sc = mid.getSummaryCtx() and - config = mid.getConfiguration() and - ap = mid.getAp() and apa = ap.getApprox() and pos = sc.getParameterPos() and // we don't expect a parameter to return stored in itself, unless explicitly allowed 
@@ -4150,13 +4149,8 @@ private module Subpaths { ) { exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode | subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and - ret.getNodeEx() = retnode and - kind = retnode.getKind() and - innercc = ret.getCallContext() and - sc = ret.getSummaryCtx() and - ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and - sout = ret.getState() and - apout = ret.getAp() + pathNode(ret, retnode, sout, innercc, sc, apout, unbindConf(getPathNodeConf(arg)), _) and + kind = retnode.getKind() ) } diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll index 3e4b3d84724..a265b4cbd27 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplForSerializability.qll @@ -54,7 +54,7 @@ abstract class Configuration extends string { /** * Holds if `source` is a relevant data flow source. */ - abstract predicate isSource(Node source); + predicate isSource(Node source) { none() } /** * Holds if `source` is a relevant data flow source with the given initial @@ -65,7 +65,7 @@ abstract class Configuration extends string { /** * Holds if `sink` is a relevant data flow sink. */ - abstract predicate isSink(Node sink); + predicate isSink(Node sink) { none() } /** * Holds if `sink` is a relevant data flow sink accepting `state`. 
@@ -308,16 +308,18 @@ private class RetNodeEx extends NodeEx { private predicate inBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierIn(n) and - (config.isSource(n) or config.isSource(n, _)) + config.isBarrierIn(n) + | + config.isSource(n) or config.isSource(n, _) ) } private predicate outBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierOut(n) and - (config.isSink(n) or config.isSink(n, _)) + config.isBarrierOut(n) + | + config.isSink(n) or config.isSink(n, _) ) } @@ -1586,9 +1588,11 @@ private module Stage2 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -2349,9 +2353,11 @@ private module Stage3 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config 
@@ -3175,9 +3181,11 @@ private module Stage4 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -3990,14 +3998,10 @@ private predicate pathIntoArg( PathNodeMid mid, ParameterPosition ppos, FlowState state, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa, Configuration config ) { - exists(ArgNode arg, ArgumentPosition apos | - arg = mid.getNodeEx().asNode() and - state = mid.getState() and - cc = mid.getCallContext() and - arg.argumentOf(call, apos) and - ap = mid.getAp() and + exists(ArgNodeEx arg, ArgumentPosition apos | + pathNode(mid, arg, state, cc, _, ap, config, _) and + arg.asNode().(ArgNode).argumentOf(call, apos) and apa = ap.getApprox() and - config = mid.getConfiguration() and parameterMatch(ppos, apos) ) } @@ -4063,13 +4067,8 @@ private predicate paramFlowsThrough( AccessPathApprox apa, Configuration config ) { exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos | - mid.getNodeEx() = ret and + pathNode(mid, ret, state, cc, sc, ap, config, _) and kind = ret.getKind() and - state = mid.getState() and - cc = mid.getCallContext() and - sc = mid.getSummaryCtx() and - config = mid.getConfiguration() and - ap = mid.getAp() and apa = ap.getApprox() and pos = sc.getParameterPos() and // we don't expect a parameter to return stored in itself, unless explicitly allowed 
@@ -4150,13 +4149,8 @@ private module Subpaths { ) { exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode | subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and - ret.getNodeEx() = retnode and - kind = retnode.getKind() and - innercc = ret.getCallContext() and - sc = ret.getSummaryCtx() and - ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and - sout = ret.getState() and - apout = ret.getAp() + pathNode(ret, retnode, sout, innercc, sc, apout, unbindConf(getPathNodeConf(arg)), _) and + kind = retnode.getKind() ) } diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll b/java/ql/lib/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll index acb029c23d9..257c4c2fe59 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll @@ -61,7 +61,7 @@ abstract class Configuration extends DataFlow::Configuration { * The smaller this predicate is, the faster `hasFlow()` will converge. */ // overridden to provide taint-tracking specific qldoc - abstract override predicate isSource(DataFlow::Node source); + override predicate isSource(DataFlow::Node source) { none() } /** * Holds if `sink` is a relevant taint sink. @@ -69,7 +69,7 @@ abstract class Configuration extends DataFlow::Configuration { * The smaller this predicate is, the faster `hasFlow()` will converge. */ // overridden to provide taint-tracking specific qldoc - abstract override predicate isSink(DataFlow::Node sink); + override predicate isSink(DataFlow::Node sink) { none() } /** Holds if the node `node` is a taint sanitizer. */ predicate isSanitizer(DataFlow::Node node) { none() } diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll index 3e4b3d84724..a265b4cbd27 100644 
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl.qll @@ -54,7 +54,7 @@ abstract class Configuration extends string { /** * Holds if `source` is a relevant data flow source. */ - abstract predicate isSource(Node source); + predicate isSource(Node source) { none() } /** * Holds if `source` is a relevant data flow source with the given initial @@ -65,7 +65,7 @@ abstract class Configuration extends string { /** * Holds if `sink` is a relevant data flow sink. */ - abstract predicate isSink(Node sink); + predicate isSink(Node sink) { none() } /** * Holds if `sink` is a relevant data flow sink accepting `state`. @@ -308,16 +308,18 @@ private class RetNodeEx extends NodeEx { private predicate inBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierIn(n) and - (config.isSource(n) or config.isSource(n, _)) + config.isBarrierIn(n) + | + config.isSource(n) or config.isSource(n, _) ) } private predicate outBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierOut(n) and - (config.isSink(n) or config.isSink(n, _)) + config.isBarrierOut(n) + | + config.isSink(n) or config.isSink(n, _) ) } @@ -1586,9 +1588,11 @@ private module Stage2 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config 
@@ -2349,9 +2353,11 @@ private module Stage3 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -3175,9 +3181,11 @@ private module Stage4 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -3990,14 +3998,10 @@ private predicate pathIntoArg( PathNodeMid mid, ParameterPosition ppos, FlowState state, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa, Configuration config ) { - exists(ArgNode arg, ArgumentPosition apos | - arg = mid.getNodeEx().asNode() and - state = mid.getState() and - cc = mid.getCallContext() and - arg.argumentOf(call, apos) and - ap = mid.getAp() and + exists(ArgNodeEx arg, ArgumentPosition apos | + pathNode(mid, arg, state, cc, _, ap, config, _) and + arg.asNode().(ArgNode).argumentOf(call, apos) and apa = ap.getApprox() and - config = mid.getConfiguration() and parameterMatch(ppos, apos) ) } 
@@ -4063,13 +4067,8 @@ private predicate paramFlowsThrough( AccessPathApprox apa, Configuration config ) { exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos | - mid.getNodeEx() = ret and + pathNode(mid, ret, state, cc, sc, ap, config, _) and kind = ret.getKind() and - state = mid.getState() and - cc = mid.getCallContext() and - sc = mid.getSummaryCtx() and - config = mid.getConfiguration() and - ap = mid.getAp() and apa = ap.getApprox() and pos = sc.getParameterPos() and // we don't expect a parameter to return stored in itself, unless explicitly allowed @@ -4150,13 +4149,8 @@ private module Subpaths { ) { exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode | subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and - ret.getNodeEx() = retnode and - kind = retnode.getKind() and - innercc = ret.getCallContext() and - sc = ret.getSummaryCtx() and - ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and - sout = ret.getState() and - apout = ret.getAp() + pathNode(ret, retnode, sout, innercc, sc, apout, unbindConf(getPathNodeConf(arg)), _) and + kind = retnode.getKind() ) } diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll index 3e4b3d84724..a265b4cbd27 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl2.qll @@ -54,7 +54,7 @@ abstract class Configuration extends string { /** * Holds if `source` is a relevant data flow source. */ - abstract predicate isSource(Node source); + predicate isSource(Node source) { none() } /** * Holds if `source` is a relevant data flow source with the given initial 
@@ -65,7 +65,7 @@ abstract class Configuration extends string { /** * Holds if `sink` is a relevant data flow sink. */ - abstract predicate isSink(Node sink); + predicate isSink(Node sink) { none() } /** * Holds if `sink` is a relevant data flow sink accepting `state`. @@ -308,16 +308,18 @@ private class RetNodeEx extends NodeEx { private predicate inBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierIn(n) and - (config.isSource(n) or config.isSource(n, _)) + config.isBarrierIn(n) + | + config.isSource(n) or config.isSource(n, _) ) } private predicate outBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierOut(n) and - (config.isSink(n) or config.isSink(n, _)) + config.isBarrierOut(n) + | + config.isSink(n) or config.isSink(n, _) ) } @@ -1586,9 +1588,11 @@ private module Stage2 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -2349,9 +2353,11 @@ private module Stage3 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config 
@@ -3175,9 +3181,11 @@ private module Stage4 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -3990,14 +3998,10 @@ private predicate pathIntoArg( PathNodeMid mid, ParameterPosition ppos, FlowState state, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa, Configuration config ) { - exists(ArgNode arg, ArgumentPosition apos | - arg = mid.getNodeEx().asNode() and - state = mid.getState() and - cc = mid.getCallContext() and - arg.argumentOf(call, apos) and - ap = mid.getAp() and + exists(ArgNodeEx arg, ArgumentPosition apos | + pathNode(mid, arg, state, cc, _, ap, config, _) and + arg.asNode().(ArgNode).argumentOf(call, apos) and apa = ap.getApprox() and - config = mid.getConfiguration() and parameterMatch(ppos, apos) ) } @@ -4063,13 +4067,8 @@ private predicate paramFlowsThrough( AccessPathApprox apa, Configuration config ) { exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos | - mid.getNodeEx() = ret and + pathNode(mid, ret, state, cc, sc, ap, config, _) and kind = ret.getKind() and - state = mid.getState() and - cc = mid.getCallContext() and - sc = mid.getSummaryCtx() and - config = mid.getConfiguration() and - ap = mid.getAp() and apa = ap.getApprox() and pos = sc.getParameterPos() and // we don't expect a parameter to return stored in itself, unless explicitly allowed 
@@ -4150,13 +4149,8 @@ private module Subpaths { ) { exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode | subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and - ret.getNodeEx() = retnode and - kind = retnode.getKind() and - innercc = ret.getCallContext() and - sc = ret.getSummaryCtx() and - ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and - sout = ret.getState() and - apout = ret.getAp() + pathNode(ret, retnode, sout, innercc, sc, apout, unbindConf(getPathNodeConf(arg)), _) and + kind = retnode.getKind() ) } diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll index 3e4b3d84724..a265b4cbd27 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl3.qll @@ -54,7 +54,7 @@ abstract class Configuration extends string { /** * Holds if `source` is a relevant data flow source. */ - abstract predicate isSource(Node source); + predicate isSource(Node source) { none() } /** * Holds if `source` is a relevant data flow source with the given initial @@ -65,7 +65,7 @@ abstract class Configuration extends string { /** * Holds if `sink` is a relevant data flow sink. */ - abstract predicate isSink(Node sink); + predicate isSink(Node sink) { none() } /** * Holds if `sink` is a relevant data flow sink accepting `state`. 
@@ -308,16 +308,18 @@ private class RetNodeEx extends NodeEx { private predicate inBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierIn(n) and - (config.isSource(n) or config.isSource(n, _)) + config.isBarrierIn(n) + | + config.isSource(n) or config.isSource(n, _) ) } private predicate outBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierOut(n) and - (config.isSink(n) or config.isSink(n, _)) + config.isBarrierOut(n) + | + config.isSink(n) or config.isSink(n, _) ) } @@ -1586,9 +1588,11 @@ private module Stage2 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -2349,9 +2353,11 @@ private module Stage3 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config 
@@ -3175,9 +3181,11 @@ private module Stage4 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -3990,14 +3998,10 @@ private predicate pathIntoArg( PathNodeMid mid, ParameterPosition ppos, FlowState state, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa, Configuration config ) { - exists(ArgNode arg, ArgumentPosition apos | - arg = mid.getNodeEx().asNode() and - state = mid.getState() and - cc = mid.getCallContext() and - arg.argumentOf(call, apos) and - ap = mid.getAp() and + exists(ArgNodeEx arg, ArgumentPosition apos | + pathNode(mid, arg, state, cc, _, ap, config, _) and + arg.asNode().(ArgNode).argumentOf(call, apos) and apa = ap.getApprox() and - config = mid.getConfiguration() and parameterMatch(ppos, apos) ) } @@ -4063,13 +4067,8 @@ private predicate paramFlowsThrough( AccessPathApprox apa, Configuration config ) { exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos | - mid.getNodeEx() = ret and + pathNode(mid, ret, state, cc, sc, ap, config, _) and kind = ret.getKind() and - state = mid.getState() and - cc = mid.getCallContext() and - sc = mid.getSummaryCtx() and - config = mid.getConfiguration() and - ap = mid.getAp() and apa = ap.getApprox() and pos = sc.getParameterPos() and // we don't expect a parameter to return stored in itself, unless explicitly allowed 
@@ -4150,13 +4149,8 @@ private module Subpaths { ) { exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode | subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and - ret.getNodeEx() = retnode and - kind = retnode.getKind() and - innercc = ret.getCallContext() and - sc = ret.getSummaryCtx() and - ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and - sout = ret.getState() and - apout = ret.getAp() + pathNode(ret, retnode, sout, innercc, sc, apout, unbindConf(getPathNodeConf(arg)), _) and + kind = retnode.getKind() ) } diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll index 3e4b3d84724..a265b4cbd27 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImpl4.qll @@ -54,7 +54,7 @@ abstract class Configuration extends string { /** * Holds if `source` is a relevant data flow source. */ - abstract predicate isSource(Node source); + predicate isSource(Node source) { none() } /** * Holds if `source` is a relevant data flow source with the given initial @@ -65,7 +65,7 @@ abstract class Configuration extends string { /** * Holds if `sink` is a relevant data flow sink. */ - abstract predicate isSink(Node sink); + predicate isSink(Node sink) { none() } /** * Holds if `sink` is a relevant data flow sink accepting `state`. 
@@ -308,16 +308,18 @@ private class RetNodeEx extends NodeEx { private predicate inBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierIn(n) and - (config.isSource(n) or config.isSource(n, _)) + config.isBarrierIn(n) + | + config.isSource(n) or config.isSource(n, _) ) } private predicate outBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierOut(n) and - (config.isSink(n) or config.isSink(n, _)) + config.isBarrierOut(n) + | + config.isSink(n) or config.isSink(n, _) ) } @@ -1586,9 +1588,11 @@ private module Stage2 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -2349,9 +2353,11 @@ private module Stage3 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config 
@@ -3175,9 +3181,11 @@ private module Stage4 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -3990,14 +3998,10 @@ private predicate pathIntoArg( PathNodeMid mid, ParameterPosition ppos, FlowState state, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa, Configuration config ) { - exists(ArgNode arg, ArgumentPosition apos | - arg = mid.getNodeEx().asNode() and - state = mid.getState() and - cc = mid.getCallContext() and - arg.argumentOf(call, apos) and - ap = mid.getAp() and + exists(ArgNodeEx arg, ArgumentPosition apos | + pathNode(mid, arg, state, cc, _, ap, config, _) and + arg.asNode().(ArgNode).argumentOf(call, apos) and apa = ap.getApprox() and - config = mid.getConfiguration() and parameterMatch(ppos, apos) ) } @@ -4063,13 +4067,8 @@ private predicate paramFlowsThrough( AccessPathApprox apa, Configuration config ) { exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos | - mid.getNodeEx() = ret and + pathNode(mid, ret, state, cc, sc, ap, config, _) and kind = ret.getKind() and - state = mid.getState() and - cc = mid.getCallContext() and - sc = mid.getSummaryCtx() and - config = mid.getConfiguration() and - ap = mid.getAp() and apa = ap.getApprox() and pos = sc.getParameterPos() and // we don't expect a parameter to return stored in itself, unless explicitly allowed 
@@ -4150,13 +4149,8 @@ private module Subpaths { ) { exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode | subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and - ret.getNodeEx() = retnode and - kind = retnode.getKind() and - innercc = ret.getCallContext() and - sc = ret.getSummaryCtx() and - ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and - sout = ret.getState() and - apout = ret.getAp() + pathNode(ret, retnode, sout, innercc, sc, apout, unbindConf(getPathNodeConf(arg)), _) and + kind = retnode.getKind() ) } diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/tainttracking1/TaintTrackingImpl.qll b/python/ql/lib/semmle/python/dataflow/new/internal/tainttracking1/TaintTrackingImpl.qll index acb029c23d9..257c4c2fe59 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/tainttracking1/TaintTrackingImpl.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/tainttracking1/TaintTrackingImpl.qll @@ -61,7 +61,7 @@ abstract class Configuration extends DataFlow::Configuration { * The smaller this predicate is, the faster `hasFlow()` will converge. */ // overridden to provide taint-tracking specific qldoc - abstract override predicate isSource(DataFlow::Node source); + override predicate isSource(DataFlow::Node source) { none() } /** * Holds if `sink` is a relevant taint sink. @@ -69,7 +69,7 @@ abstract class Configuration extends DataFlow::Configuration { * The smaller this predicate is, the faster `hasFlow()` will converge. */ // overridden to provide taint-tracking specific qldoc - abstract override predicate isSink(DataFlow::Node sink); + override predicate isSink(DataFlow::Node sink) { none() } /** Holds if the node `node` is a taint sanitizer. */ predicate isSanitizer(DataFlow::Node node) { none() } 
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/tainttracking2/TaintTrackingImpl.qll b/python/ql/lib/semmle/python/dataflow/new/internal/tainttracking2/TaintTrackingImpl.qll index acb029c23d9..257c4c2fe59 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/tainttracking2/TaintTrackingImpl.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/tainttracking2/TaintTrackingImpl.qll @@ -61,7 +61,7 @@ abstract class Configuration extends DataFlow::Configuration { * The smaller this predicate is, the faster `hasFlow()` will converge. */ // overridden to provide taint-tracking specific qldoc - abstract override predicate isSource(DataFlow::Node source); + override predicate isSource(DataFlow::Node source) { none() } /** * Holds if `sink` is a relevant taint sink. @@ -69,7 +69,7 @@ abstract class Configuration extends DataFlow::Configuration { * The smaller this predicate is, the faster `hasFlow()` will converge. */ // overridden to provide taint-tracking specific qldoc - abstract override predicate isSink(DataFlow::Node sink); + override predicate isSink(DataFlow::Node sink) { none() } /** Holds if the node `node` is a taint sanitizer. */ predicate isSanitizer(DataFlow::Node node) { none() } diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll b/python/ql/lib/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll index acb029c23d9..257c4c2fe59 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/tainttracking3/TaintTrackingImpl.qll 
@@ -61,7 +61,7 @@ abstract class Configuration extends DataFlow::Configuration { * The smaller this predicate is, the faster `hasFlow()` will converge. */ // overridden to provide taint-tracking specific qldoc - abstract override predicate isSource(DataFlow::Node source); + override predicate isSource(DataFlow::Node source) { none() } /** * Holds if `sink` is a relevant taint sink. @@ -69,7 +69,7 @@ abstract class Configuration extends DataFlow::Configuration { * The smaller this predicate is, the faster `hasFlow()` will converge. */ // overridden to provide taint-tracking specific qldoc - abstract override predicate isSink(DataFlow::Node sink); + override predicate isSink(DataFlow::Node sink) { none() } /** Holds if the node `node` is a taint sanitizer. */ predicate isSanitizer(DataFlow::Node node) { none() } diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll b/python/ql/lib/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll index acb029c23d9..257c4c2fe59 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/tainttracking4/TaintTrackingImpl.qll @@ -61,7 +61,7 @@ abstract class Configuration extends DataFlow::Configuration { * The smaller this predicate is, the faster `hasFlow()` will converge. */ // overridden to provide taint-tracking specific qldoc - abstract override predicate isSource(DataFlow::Node source); + override predicate isSource(DataFlow::Node source) { none() } /** * Holds if `sink` is a relevant taint sink. 
@@ -69,7 +69,7 @@ abstract class Configuration extends DataFlow::Configuration { * The smaller this predicate is, the faster `hasFlow()` will converge. */ // overridden to provide taint-tracking specific qldoc - abstract override predicate isSink(DataFlow::Node sink); + override predicate isSink(DataFlow::Node sink) { none() } /** Holds if the node `node` is a taint sanitizer. */ predicate isSanitizer(DataFlow::Node node) { none() } diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl.qll index 3e4b3d84724..a265b4cbd27 100644 --- a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl.qll +++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl.qll @@ -54,7 +54,7 @@ abstract class Configuration extends string { /** * Holds if `source` is a relevant data flow source. */ - abstract predicate isSource(Node source); + predicate isSource(Node source) { none() } /** * Holds if `source` is a relevant data flow source with the given initial @@ -65,7 +65,7 @@ abstract class Configuration extends string { /** * Holds if `sink` is a relevant data flow sink. */ - abstract predicate isSink(Node sink); + predicate isSink(Node sink) { none() } /** * Holds if `sink` is a relevant data flow sink accepting `state`. @@ -308,16 +308,18 @@ private class RetNodeEx extends NodeEx { private predicate inBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierIn(n) and - (config.isSource(n) or config.isSource(n, _)) + config.isBarrierIn(n) + | + config.isSource(n) or config.isSource(n, _) ) } private predicate outBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierOut(n) and - (config.isSink(n) or config.isSink(n, _)) + config.isBarrierOut(n) + | + config.isSink(n) or config.isSink(n, _) ) } 
@@ -1586,9 +1588,11 @@ private module Stage2 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -2349,9 +2353,11 @@ private module Stage3 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -3175,9 +3181,11 @@ private module Stage4 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config 
@@ -3990,14 +3998,10 @@ private predicate pathIntoArg( PathNodeMid mid, ParameterPosition ppos, FlowState state, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa, Configuration config ) { - exists(ArgNode arg, ArgumentPosition apos | - arg = mid.getNodeEx().asNode() and - state = mid.getState() and - cc = mid.getCallContext() and - arg.argumentOf(call, apos) and - ap = mid.getAp() and + exists(ArgNodeEx arg, ArgumentPosition apos | + pathNode(mid, arg, state, cc, _, ap, config, _) and + arg.asNode().(ArgNode).argumentOf(call, apos) and apa = ap.getApprox() and - config = mid.getConfiguration() and parameterMatch(ppos, apos) ) } @@ -4063,13 +4067,8 @@ private predicate paramFlowsThrough( AccessPathApprox apa, Configuration config ) { exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos | - mid.getNodeEx() = ret and + pathNode(mid, ret, state, cc, sc, ap, config, _) and kind = ret.getKind() and - state = mid.getState() and - cc = mid.getCallContext() and - sc = mid.getSummaryCtx() and - config = mid.getConfiguration() and - ap = mid.getAp() and apa = ap.getApprox() and pos = sc.getParameterPos() and // we don't expect a parameter to return stored in itself, unless explicitly allowed @@ -4150,13 +4149,8 @@ private module Subpaths { ) { exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode | subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and - ret.getNodeEx() = retnode and - kind = retnode.getKind() and - innercc = ret.getCallContext() and - sc = ret.getSummaryCtx() and - ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and - sout = ret.getState() and - apout = ret.getAp() + pathNode(ret, retnode, sout, innercc, sc, apout, unbindConf(getPathNodeConf(arg)), _) and + kind = retnode.getKind() ) } diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll index 3e4b3d84724..a265b4cbd27 100644 
--- a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll +++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl2.qll @@ -54,7 +54,7 @@ abstract class Configuration extends string { /** * Holds if `source` is a relevant data flow source. */ - abstract predicate isSource(Node source); + predicate isSource(Node source) { none() } /** * Holds if `source` is a relevant data flow source with the given initial @@ -65,7 +65,7 @@ abstract class Configuration extends string { /** * Holds if `sink` is a relevant data flow sink. */ - abstract predicate isSink(Node sink); + predicate isSink(Node sink) { none() } /** * Holds if `sink` is a relevant data flow sink accepting `state`. @@ -308,16 +308,18 @@ private class RetNodeEx extends NodeEx { private predicate inBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierIn(n) and - (config.isSource(n) or config.isSource(n, _)) + config.isBarrierIn(n) + | + config.isSource(n) or config.isSource(n, _) ) } private predicate outBarrier(NodeEx node, Configuration config) { exists(Node n | node.asNode() = n and - config.isBarrierOut(n) and - (config.isSink(n) or config.isSink(n, _)) + config.isBarrierOut(n) + | + config.isSink(n) or config.isSink(n, _) ) } @@ -1586,9 +1588,11 @@ private module Stage2 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config 
@@ -2349,9 +2353,11 @@ private module Stage3 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -3175,9 +3181,11 @@ private module Stage4 { pragma[nomagic] predicate revFlow(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias(NodeEx node, Configuration config) { revFlow(node, _, _, _, _, config) } + // use an alias as a workaround for bad functionality-induced joins pragma[nomagic] predicate revFlowAlias( NodeEx node, FlowState state, boolean toReturn, ApOption returnAp, Ap ap, Configuration config @@ -3990,14 +3998,10 @@ private predicate pathIntoArg( PathNodeMid mid, ParameterPosition ppos, FlowState state, CallContext cc, DataFlowCall call, AccessPath ap, AccessPathApprox apa, Configuration config ) { - exists(ArgNode arg, ArgumentPosition apos | - arg = mid.getNodeEx().asNode() and - state = mid.getState() and - cc = mid.getCallContext() and - arg.argumentOf(call, apos) and - ap = mid.getAp() and + exists(ArgNodeEx arg, ArgumentPosition apos | + pathNode(mid, arg, state, cc, _, ap, config, _) and + arg.asNode().(ArgNode).argumentOf(call, apos) and apa = ap.getApprox() and - config = mid.getConfiguration() and parameterMatch(ppos, apos) ) } 
@@ -4063,13 +4067,8 @@ private predicate paramFlowsThrough( AccessPathApprox apa, Configuration config ) { exists(PathNodeMid mid, RetNodeEx ret, ParameterPosition pos | - mid.getNodeEx() = ret and + pathNode(mid, ret, state, cc, sc, ap, config, _) and kind = ret.getKind() and - state = mid.getState() and - cc = mid.getCallContext() and - sc = mid.getSummaryCtx() and - config = mid.getConfiguration() and - ap = mid.getAp() and apa = ap.getApprox() and pos = sc.getParameterPos() and // we don't expect a parameter to return stored in itself, unless explicitly allowed @@ -4150,13 +4149,8 @@ private module Subpaths { ) { exists(SummaryCtxSome sc, CallContext innercc, ReturnKindExt kind, RetNodeEx retnode | subpaths02(arg, par, sc, innercc, kind, out, sout, apout) and - ret.getNodeEx() = retnode and - kind = retnode.getKind() and - innercc = ret.getCallContext() and - sc = ret.getSummaryCtx() and - ret.getConfiguration() = unbindConf(getPathNodeConf(arg)) and - sout = ret.getState() and - apout = ret.getAp() + pathNode(ret, retnode, sout, innercc, sc, apout, unbindConf(getPathNodeConf(arg)), _) and + kind = retnode.getKind() ) } diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/tainttracking1/TaintTrackingImpl.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/tainttracking1/TaintTrackingImpl.qll index acb029c23d9..257c4c2fe59 100644 --- a/ruby/ql/lib/codeql/ruby/dataflow/internal/tainttracking1/TaintTrackingImpl.qll +++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/tainttracking1/TaintTrackingImpl.qll @@ -61,7 +61,7 @@ abstract class Configuration extends DataFlow::Configuration { * The smaller this predicate is, the faster `hasFlow()` will converge. */ // overridden to provide taint-tracking specific qldoc - abstract override predicate isSource(DataFlow::Node source); + override predicate isSource(DataFlow::Node source) { none() } /** * Holds if `sink` is a relevant taint sink. 
@@ -69,7 +69,7 @@ abstract class Configuration extends DataFlow::Configuration { * The smaller this predicate is, the faster `hasFlow()` will converge. */ // overridden to provide taint-tracking specific qldoc - abstract override predicate isSink(DataFlow::Node sink); + override predicate isSink(DataFlow::Node sink) { none() } /** Holds if the node `node` is a taint sanitizer. */ predicate isSanitizer(DataFlow::Node node) { none() }