mirror of
https://github.com/github/codeql.git
synced 2025-12-20 02:44:30 +01:00
7faa4fd938
This test case exposes two bugs in our data flow library (fixed by the
two previous commits):
- the charpreds of `SourcePathNode` and `SinkPathNode` only ensured
that they were on a path from a source to a sink, not that they
actually were the source/sink themselves;
- function summarization would allow for non-level paths; in the
test case, this meant that one of the summaries for `source`
represented the path returning from `source` on line 13 and then
flowing back into the call on line 15, in the process transforming
the parity of the flow label and hence causing a spurious flow.
34 lines
1008 B
Plaintext
34 lines
1008 B
Plaintext
import javascript
|
|
|
|
class Parity extends DataFlow::FlowLabel {
|
|
Parity() { this = "even" or this = "odd" }
|
|
|
|
Parity flip() { result != this }
|
|
}
|
|
|
|
class Config extends DataFlow::Configuration {
|
|
Config() { this = "config" }
|
|
|
|
override predicate isSource(DataFlow::Node nd, DataFlow::FlowLabel lbl) {
|
|
nd.(DataFlow::CallNode).getCalleeName() = "source" and
|
|
lbl = "even"
|
|
}
|
|
|
|
override predicate isSink(DataFlow::Node nd, DataFlow::FlowLabel lbl) {
|
|
nd = any(DataFlow::CallNode c | c.getCalleeName() = "sink").getAnArgument() and
|
|
lbl = "even"
|
|
}
|
|
|
|
override predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::FlowLabel predLabel, DataFlow::FlowLabel succLabel) {
|
|
exists(DataFlow::CallNode c | c = succ |
|
|
c.getCalleeName() = "inc" and
|
|
pred = c.getAnArgument() and
|
|
succLabel = predLabel.(Parity).flip()
|
|
)
|
|
}
|
|
}
|
|
|
|
from Config cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
|
where cfg.hasFlowPath(source, sink)
|
|
select source, sink
|