From fa90655dd0a9380f466af16f8eabc8d954f7802e Mon Sep 17 00:00:00 2001
From: Chris Smowton
Date: Tue, 23 Mar 2021 14:35:03 +0000
Subject: [PATCH] Partial revert: only introduce inferred taint edges from callsite-crossing value edges if an original taint edge targets the *start* of the value edge. Previously we would also take a taint edge targeting a result and a value-preserving edge propagating another argument to the result to imply a taint edge targeting that argument.
---
 .../java/dataflow/internal/TaintTrackingUtil.qll | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)

diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
index 2e27a390bdc..d7cf0a8440a 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -67,8 +67,8 @@ private predicate localAdditionalBasicTaintStep(DataFlow::Node src, DataFlow::No
  * Holds if an additional step from `src` to `sink` through a call can be inferred from the
  * combination of a value-preserving step providing an alias between an input and the output
  * and a taint step from `src` to one the aliased nodes. For example, if we know that `f(a, b)` returns
- * the exact value of `a` and also propagates taint from `b` to its result, then we also know that
- * `a` is tainted after `f` completes, and vice versa.
+ * the exact value of `a` and also propagates taint from `b` to `a`, then we also know that
+ * the return value is tainted after `f` completes.
  */
 private predicate composedValueAndTaintModelStep(ArgumentNode src, DataFlow::Node sink) {
   exists(Call call, ArgumentNode valueSource, DataFlow::PostUpdateNode valueSourcePost |
@@ -76,16 +76,10 @@ private predicate composedValueAndTaintModelStep(ArgumentNode src, DataFlow::Nod
     valueSource.argumentOf(call, _) and
     src != valueSource and
     valueSourcePost.getPreUpdateNode() = valueSource and
+    // in-x -value-> out-y and in-z -taint-> in-x ==> in-z -taint-> out-y
+    localAdditionalBasicTaintStep(src, valueSourcePost) and
     DataFlow::localFlowStep(valueSource, DataFlow::exprNode(call)) and
-    (
-      // in-x -value-> out-y and in-z -taint-> out-y ==> in-z -taint-> in-x
-      localAdditionalBasicTaintStep(src, DataFlow::exprNode(call)) and
-      sink = valueSourcePost
-      or
-      // in-x -value-> out-y and in-z -taint-> in-x ==> in-z -taint-> out-y
-      localAdditionalBasicTaintStep(src, valueSourcePost) and
-      sink = DataFlow::exprNode(call)
-    )
+    sink = DataFlow::exprNode(call)
   )
 }
 
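Review bot: The predicate's qldoc summary, left as a context line in the preceding hunk, still says the inferred step needs "a taint step from src to one the aliased nodes", but after this hunk's new body only a taint step into the argument side of the alias (`valueSourcePost`) qualifies, so the summary now overstates the rule (and "one the" is missing "of"); narrowing it to something like "and a taint step from `src` to the argument side of that alias, i.e. the post-update node of the value-preserving input" would keep the doc in step with the code that this hunk leaves. The narrowing itself looks sound: the value edge says the result is the same object as `valueSource`, so taint reaching that object's post-update node reaches the result, while the dropped reverse direction inferred taint on an argument from taint on the result, which is the over-approximation the commit message describes. With the disjunction gone, `sink` is only ever `DataFlow::exprNode(call)`, so binding it once and reusing it, `sink = DataFlow::exprNode(call) and DataFlow::localFlowStep(valueSource, sink)`, would remove the repeated `DataFlow::exprNode(call)` and make the single surviving direction plainer. The predicate's head and the `exists(` opener sit in the previous hunk, outside this one.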