Skip to content

Data flow: Rework reverse flow through parameters #18109

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 12 commits into
base: main
Choose a base branch
from
Draft

Data flow: Rework reverse flow through parameters #18109

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
6485bf5
Data flow: Change `toString` for parameter return nodes
hvitved Dec 6, 2024
9d7029c
C#: Add tests for missing reverse flow
hvitved Nov 22, 2024
77b34c1
Data flow: Rework reverse flow through parameters
hvitved Dec 5, 2024
283d61d
C++: Update expected test output
hvitved Dec 9, 2024
9435a6f
C#: Update expected test output
hvitved Dec 9, 2024
b8d32b1
Go: Update expected test output
hvitved Dec 9, 2024
e6e8eb7
Java: Update expected test output
hvitved Dec 9, 2024
5462dc1
Ruby: Update expected test output
hvitved Dec 9, 2024
e728f70
Swift: Update expected test output
hvitved Dec 9, 2024
828ba23
Disable reverse flow through stores
hvitved Dec 13, 2024
e7df00a
Data flow: Move `FlowThrough` module into `TypeTrackingInput`
hvitved Dec 13, 2024
d84ca39
wip
hvitved Dec 16, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Data flow: Rework reverse flow through parameters
  • Loading branch information
@hvitved
hvitved committed Dec 20, 2024
commit 77b34c18cdd0abbbd5385d1e5318d35a9830b38c
4 changes: 2 additions & 2 deletions cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -546,7 +546,7 @@ module ProductFlow {
Flow1::PathGraph::edges(pred1, succ1, _, _) and
exists(ReturnKindExt returnKind |
succ1.getNode() = getAnOutNodeExt(call, returnKind) and
returnKind = getParamReturnPosition(_, pred1.asParameterReturnNode()).getKind()
returnKind = getParamReturnPosition(pred1.asParameterReturnNode()).getKind()
)
}

Expand Down Expand Up @@ -574,7 +574,7 @@ module ProductFlow {
Flow2::PathGraph::edges(pred2, succ2, _, _) and
exists(ReturnKindExt returnKind |
succ2.getNode() = getAnOutNodeExt(call, returnKind) and
returnKind = getParamReturnPosition(_, pred2.asParameterReturnNode()).getKind()
returnKind = getParamReturnPosition(pred2.asParameterReturnNode()).getKind()
)
}

Expand Down
21 changes: 21 additions & 0 deletions shared/dataflow/codeql/dataflow/DataFlow.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -363,6 +363,13 @@ module Configs<LocationSig Location, InputSig<Location> Lang> {
*/
predicate isSink(Node sink);

/**
* INTERNAL: Do not use.
*
* Holds if `sink` is a relevant reverse data flow sink.
*/
default predicate isSinkReverse(Node sink) { none() }

/**
* Holds if data flow through `node` is prohibited. This completely removes
* `node` from the data flow graph.
Expand Down Expand Up @@ -465,6 +472,20 @@ module Configs<LocationSig Location, InputSig<Location> Lang> {
*/
default predicate isSink(Node sink) { none() }

/**
* INTERNAL: Do not use.
*
* Holds if `sink` is a relevant reverse data flow sink for any state.
*/
default predicate isSinkReverse(Node sink) { none() }

/**
* INTERNAL: Do not use.
*
* Holds if `sink` is a relevant reverse data flow sink accepting `state`.
*/
default predicate isSinkReverse(Node sink, FlowState state) { none() }

/**
* Holds if data flow through `node` is prohibited. This completely removes
* `node` from the data flow graph.
Expand Down
4 changes: 4 additions & 0 deletions shared/dataflow/codeql/dataflow/TaintTracking.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -179,6 +179,10 @@ module TaintFlowMake<
Config::isSink(sink, state.getState())
}

predicate isSinkReverse(DataFlowLang::Node sink, FlowState state) {
Config::isSinkReverse(sink, state.getState())
}

predicate isBarrier(DataFlowLang::Node node, FlowState state) {
Config::isBarrier(node, state.getState())
}
Expand Down
20 changes: 19 additions & 1 deletion shared/dataflow/codeql/dataflow/internal/ContentDataFlowImpl.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,13 @@ module MakeImplContentDataFlow<LocationSig Location, InputSig<Location> Lang> {
*/
predicate isSink(Node sink);

/**
* INTERNAL: Do not use.
*
* Holds if `sink` is a relevant reverse data flow sink.
*/
default predicate isSinkReverse(Node sink) { none() }

/**
* Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
*/
Expand Down Expand Up @@ -98,6 +105,15 @@ module MakeImplContentDataFlow<LocationSig Location, InputSig<Location> Lang> {
)
}

predicate isSinkReverse(Node sink, FlowState state) {
ContentConfig::isSinkReverse(sink) and
(
state instanceof InitState or
state instanceof StoreState or
state instanceof ReadState
)
}

predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
storeStep(node1, state1, _, node2, state2) or
readStep(node1, state1, _, node2, state2) or
Expand Down Expand Up @@ -202,7 +218,7 @@ module MakeImplContentDataFlow<LocationSig Location, InputSig<Location> Lang> {
Node node1, State state1, ContentSet c, Node node2, StoreState state2
) {
exists(boolean preservesValue, int size |
storeSet(node1, c, node2, _, _) and
storeSet(node1, c, node2) and
ContentConfig::isRelevantContent(c) and
state2.decode(size + 1, preservesValue)
|
Expand Down Expand Up @@ -359,6 +375,8 @@ module MakeImplContentDataFlow<LocationSig Location, InputSig<Location> Lang> {
or
FlowConfig::isSink(node.getNode(), node.getState())
or
FlowConfig::isSinkReverse(node.getNode(), node.getState())
or
excludeStep(node, _)
or
Flow::PathGraph::subpaths(_, _, node, _)
Expand Down
Loading
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy