diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll index d91dc41febeb..cb85f8aee0e4 100644 --- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll +++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll @@ -6,6 +6,7 @@ private import cpp as Cpp private import codeql.dataflow.internal.FlowSummaryImpl private import codeql.dataflow.internal.AccessPathSyntax as AccessPath private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate +private import semmle.code.cpp.ir.dataflow.internal.DataFlowNodes private import semmle.code.cpp.ir.dataflow.internal.DataFlowUtil private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplSpecific as DataFlowImplSpecific private import semmle.code.cpp.dataflow.ExternalFlow @@ -20,8 +21,22 @@ module Input implements InputSig { class SinkBase = Void; + class FlowSummaryCallBase = CallInstruction; + predicate callableFromSource(SummarizedCallableBase c) { exists(c.getBlock()) } + FlowSummaryCallBase getASourceCall(SummarizedCallableBase sc) { + result.getStaticCallTarget() = sc + } + + DataFlowCallable getSummarizedCallableAsDataFlowCallable(SummarizedCallableBase c) { + result.asSummarizedCallable() = c + } + + DataFlowCallable getSourceCallEnclosingCallable(FlowSummaryCallBase call) { + result.asSourceCallable() = call.getEnclosingFunction() + } + ArgumentPosition callbackSelfParameterPosition() { result = TDirectPosition(-1) } ReturnKind getStandardReturnValueKind() { result = getReturnValueKind("") } @@ -30,6 +45,10 @@ module Input implements InputSig { arg = repeatStars(result.(NormalReturnKind).getIndirectionIndex()) } + ParameterPosition getFlowSummaryParameterPosition(ReturnKind rk) { + result = TFlowSummaryPosition(rk) + } + string encodeParameterPosition(ParameterPosition pos) { result = pos.toString() } string encodeArgumentPosition(ArgumentPosition pos) { result = pos.toString() } @@ -102,10 +121,22 @@ module Input implements InputSig { private import Make as Impl private module StepsInput implements Impl::Private::StepsInputSig { + Impl::Private::SummaryNode getSummaryNode(Node n) { + result = n.(FlowSummaryNode).getSummaryNode() + } + DataFlowCall getACall(Public::SummarizedCallable sc) { result.getStaticCallTarget().getUnderlyingCallable() = sc } + Node getSourceOutNode(Input::FlowSummaryCallBase call, ReturnKind rk) { + exists(IndirectReturnOutNode out | result = out | + out.getCallInstruction() = call and + pragma[only_bind_out](rk.(NormalReturnKind).getIndirectionIndex()) = + pragma[only_bind_out](out.getIndirectionIndex()) + ) + } + DataFlowCallable getSourceNodeEnclosingCallable(Input::SourceBase source) { none() } Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponentStack s) { none() } diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll index bcf6a0d512c3..abcff398420c 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll @@ -1534,12 +1534,8 @@ class FlowSummaryNode extends Node, TFlowSummaryNode { result = this.getSummaryNode().getSummarizedCallable() } - /** - * Gets the enclosing callable. For a `FlowSummaryNode` this is always the - * summarized function this node is part of. - */ override DataFlowCallable getEnclosingCallable() { - result.asSummarizedCallable() = this.getSummarizedCallable() + result = FlowSummaryImpl::Private::getEnclosingCallable(this.getSummaryNode()) } override Location getLocationImpl() { result = this.getSummarizedCallable().getLocation() } diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll index 83f240ddae51..f791850bd00d 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll @@ -561,6 +561,21 @@ class SummaryArgumentNode extends ArgumentNode, FlowSummaryNode { } } +/** An argument node that re-enters return output as input to a flow summary. */ +private class FlowSummaryArgumentNode extends ArgumentNode, FlowSummaryNode { + private CallInstruction callInstruction; + private ReturnKind rk; + + FlowSummaryArgumentNode() { + this.getSummaryNode() = FlowSummaryImpl::Private::summaryArgumentNode(callInstruction, rk) + } + + override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) { + call.asCallInstruction() = callInstruction and + pos = TFlowSummaryPosition(rk) + } +} + /** A parameter position represented by an integer. */ class ParameterPosition = Position; @@ -616,6 +631,18 @@ class IndirectionPosition extends Position, TIndirectionPosition { final override int getIndirectionIndex() { result = indirectionIndex } } +class FlowSummaryPosition extends Position, TFlowSummaryPosition { + ReturnKind rk; + + FlowSummaryPosition() { this = TFlowSummaryPosition(rk) } + + override string toString() { result = "write to: " + rk.toString() } + + override int getArgumentIndex() { none() } + + final override int getIndirectionIndex() { result = rk.getIndirectionIndex() } +} + newtype TPosition = TDirectPosition(int argumentIndex) { exists(any(CallInstruction c).getArgument(argumentIndex)) @@ -634,7 +661,8 @@ newtype TPosition = p = f.getParameter(argumentIndex) and indirectionIndex = [1 .. Ssa::getMaxIndirectionsForType(p.getUnspecifiedType()) - 1] ) - } + } or + TFlowSummaryPosition(ReturnKind rk) { FlowSummaryImpl::Private::relevantFlowSummaryPosition(rk) } private newtype TReturnKind = TNormalReturnKind(int indirectionIndex) { diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll index d42d959f56ee..2e3274c82c7c 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll @@ -158,7 +158,7 @@ private module Cached { model = "" or // models-as-data summarized flow - FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom.(FlowSummaryNode).getSummaryNode(), + FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom, nodeTo.(FlowSummaryNode).getSummaryNode(), true, model) } diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll index 3e85489b126f..e4e0adf5897b 100644 --- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll +++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll @@ -67,7 +67,7 @@ private module Cached { model = "" or // models-as-data summarized flow - FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom.(FlowSummaryNode).getSummaryNode(), + FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom, nodeTo.(FlowSummaryNode).getSummaryNode(), false, model) or // object->field conflation for content that is a `TaintInheritingContent`. diff --git a/cpp/ql/test/library-tests/dataflow/external-models/flow.expected b/cpp/ql/test/library-tests/dataflow/external-models/flow.expected index 8d247738c984..fed3717a0901 100644 --- a/cpp/ql/test/library-tests/dataflow/external-models/flow.expected +++ b/cpp/ql/test/library-tests/dataflow/external-models/flow.expected @@ -51,16 +51,19 @@ models | 50 | Summary: ; ; false; ymlStepGenerated; ; ; Argument[0]; ReturnValue; taint; df-generated | | 51 | Summary: ; ; false; ymlStepManual; ; ; Argument[0]; ReturnValue; taint; manual | | 52 | Summary: ; ; false; ymlStepManual_with_body; ; ; Argument[0]; ReturnValue; taint; manual | -| 53 | Summary: ; TemplateClass1; true; templateFunction2; (U,V); ; Argument[1]; ReturnValue; value; manual | -| 54 | Summary: ; TemplateClass1; false; templateFunction; (T,U); ; Argument[0]; ReturnValue; value; manual | -| 55 | Summary: ; TemplateClass2; true; function; (U,T); ; Argument[1]; ReturnValue; value; manual | -| 56 | Summary: Azure::Core::IO; BodyStream; true; Read; ; ; Argument[-1]; Argument[*0]; taint; manual | -| 57 | Summary: Azure::Core::IO; BodyStream; true; ReadToCount; ; ; Argument[-1]; Argument[*0]; taint; manual | -| 58 | Summary: Azure::Core::IO; BodyStream; true; ReadToEnd; ; ; Argument[-1]; ReturnValue.Element; taint; manual | -| 59 | Summary: Azure; Nullable; true; Value; ; ; Argument[-1]; ReturnValue[*]; taint; manual | -| 60 | Summary: boost::asio; ; false; buffer; ; ; Argument[*0]; ReturnValue; taint; manual | +| 53 | Summary: ; MyString; true; operator[]; ; ; Argument[-1]; ReturnValue[*]; taint; manual | +| 54 | Summary: ; MyString; true; operator[]; ; ; ReturnValue[*]; Argument[-1]; taint; manual | +| 55 | Summary: ; ReverseFlow; true; get_ptr; ; ; ReturnValue[*]; Argument[-1].Field[value]; value; manual | +| 56 | Summary: ; TemplateClass1; true; templateFunction2; (U,V); ; Argument[1]; ReturnValue; value; manual | +| 57 | Summary: ; TemplateClass1; false; templateFunction; (T,U); ; Argument[0]; ReturnValue; value; manual | +| 58 | Summary: ; TemplateClass2; true; function; (U,T); ; Argument[1]; ReturnValue; value; manual | +| 59 | Summary: Azure::Core::IO; BodyStream; true; Read; ; ; Argument[-1]; Argument[*0]; taint; manual | +| 60 | Summary: Azure::Core::IO; BodyStream; true; ReadToCount; ; ; Argument[-1]; Argument[*0]; taint; manual | +| 61 | Summary: Azure::Core::IO; BodyStream; true; ReadToEnd; ; ; Argument[-1]; ReturnValue.Element; taint; manual | +| 62 | Summary: Azure; Nullable; true; Value; ; ; Argument[-1]; ReturnValue[*]; taint; manual | +| 63 | Summary: boost::asio; ; false; buffer; ; ; Argument[*0]; ReturnValue; taint; manual | edges -| asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | provenance | MaD:60 | +| asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | provenance | MaD:63 | | asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:91:7:91:17 | recv_buffer | provenance | Src:MaD:32 | | asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:93:29:93:39 | *recv_buffer | provenance | Src:MaD:32 Sink:MaD:2 | | asio_streams.cpp:97:37:97:44 | call to source | asio_streams.cpp:98:7:98:14 | send_str | provenance | TaintFunction | @@ -69,24 +72,24 @@ edges | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:101:7:101:17 | send_buffer | provenance | | | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:103:29:103:39 | *send_buffer | provenance | Sink:MaD:2 | | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | provenance | | -| asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:60 | -| azure.cpp:62:10:62:14 | [summary param] this in Value | azure.cpp:62:10:62:14 | [summary] to write: ReturnValue[*] in Value | provenance | MaD:59 | -| azure.cpp:113:16:113:19 | [summary param] this in Read | azure.cpp:113:16:113:19 | [summary param] *0 in Read [Return] | provenance | MaD:56 | -| azure.cpp:114:16:114:26 | [summary param] this in ReadToCount | azure.cpp:114:16:114:26 | [summary param] *0 in ReadToCount [Return] | provenance | MaD:57 | -| azure.cpp:115:30:115:38 | [summary param] this in ReadToEnd | azure.cpp:115:30:115:38 | [summary] to write: ReturnValue.Element in ReadToEnd | provenance | MaD:58 | +| asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:63 | +| azure.cpp:62:10:62:14 | [summary param] this in Value | azure.cpp:62:10:62:14 | [summary] to write: ReturnValue[*] in Value | provenance | MaD:62 | +| azure.cpp:113:16:113:19 | [summary param] this in Read | azure.cpp:113:16:113:19 | [summary param] *0 in Read [Return] | provenance | MaD:59 | +| azure.cpp:114:16:114:26 | [summary param] this in ReadToCount | azure.cpp:114:16:114:26 | [summary param] *0 in ReadToCount [Return] | provenance | MaD:60 | +| azure.cpp:115:30:115:38 | [summary param] this in ReadToEnd | azure.cpp:115:30:115:38 | [summary] to write: ReturnValue.Element in ReadToEnd | provenance | MaD:61 | | azure.cpp:115:30:115:38 | [summary] to write: ReturnValue.Element in ReadToEnd | azure.cpp:115:30:115:38 | [summary] to write: ReturnValue in ReadToEnd [element] | provenance | | | azure.cpp:253:48:253:60 | *call to GetBodyStream | azure.cpp:253:48:253:60 | *call to GetBodyStream | provenance | Src:MaD:29 | | azure.cpp:253:48:253:60 | *call to GetBodyStream | azure.cpp:257:5:257:8 | *resp | provenance | | | azure.cpp:253:48:253:60 | *call to GetBodyStream | azure.cpp:262:5:262:8 | *resp | provenance | | | azure.cpp:253:48:253:60 | *call to GetBodyStream | azure.cpp:266:38:266:41 | *resp | provenance | | | azure.cpp:257:5:257:8 | *resp | azure.cpp:113:16:113:19 | [summary param] this in Read | provenance | | -| azure.cpp:257:5:257:8 | *resp | azure.cpp:257:16:257:21 | Read output argument | provenance | MaD:56 | +| azure.cpp:257:5:257:8 | *resp | azure.cpp:257:16:257:21 | Read output argument | provenance | MaD:59 | | azure.cpp:257:16:257:21 | Read output argument | azure.cpp:258:10:258:16 | * ... | provenance | | | azure.cpp:262:5:262:8 | *resp | azure.cpp:114:16:114:26 | [summary param] this in ReadToCount | provenance | | -| azure.cpp:262:5:262:8 | *resp | azure.cpp:262:23:262:28 | ReadToCount output argument | provenance | MaD:57 | +| azure.cpp:262:5:262:8 | *resp | azure.cpp:262:23:262:28 | ReadToCount output argument | provenance | MaD:60 | | azure.cpp:262:23:262:28 | ReadToCount output argument | azure.cpp:263:10:263:16 | * ... | provenance | | | azure.cpp:266:38:266:41 | *resp | azure.cpp:115:30:115:38 | [summary param] this in ReadToEnd | provenance | | -| azure.cpp:266:38:266:41 | *resp | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | provenance | MaD:58 | +| azure.cpp:266:38:266:41 | *resp | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | provenance | MaD:61 | | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | provenance | | | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | azure.cpp:267:10:267:12 | vec [element] | provenance | | | azure.cpp:267:10:267:12 | vec [element] | azure.cpp:267:10:267:12 | vec | provenance | | @@ -103,11 +106,11 @@ edges | azure.cpp:281:68:281:84 | *call to ExtractBodyStream | azure.cpp:281:68:281:84 | *call to ExtractBodyStream | provenance | Src:MaD:26 | | azure.cpp:281:68:281:84 | *call to ExtractBodyStream | azure.cpp:282:21:282:23 | *call to get | provenance | | | azure.cpp:282:21:282:23 | *call to get | azure.cpp:115:30:115:38 | [summary param] this in ReadToEnd | provenance | | -| azure.cpp:282:21:282:23 | *call to get | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | provenance | MaD:58 | +| azure.cpp:282:21:282:23 | *call to get | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | provenance | MaD:61 | | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | azure.cpp:282:10:282:38 | call to ReadToEnd | provenance | | | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | provenance | | | azure.cpp:289:24:289:56 | call to GetHeader | azure.cpp:62:10:62:14 | [summary param] this in Value | provenance | | -| azure.cpp:289:24:289:56 | call to GetHeader | azure.cpp:289:63:289:65 | call to Value | provenance | MaD:59 | +| azure.cpp:289:24:289:56 | call to GetHeader | azure.cpp:289:63:289:65 | call to Value | provenance | MaD:62 | | azure.cpp:289:32:289:40 | call to GetHeader | azure.cpp:289:24:289:56 | call to GetHeader | provenance | | | azure.cpp:289:32:289:40 | call to GetHeader | azure.cpp:289:32:289:40 | call to GetHeader | provenance | Src:MaD:30 | | azure.cpp:289:63:289:65 | call to Value | azure.cpp:289:63:289:65 | call to Value | provenance | | @@ -119,6 +122,10 @@ edges | azure.cpp:294:38:294:53 | call to operator[] | azure.cpp:295:10:295:20 | contentType | provenance | | | azure.cpp:294:38:294:53 | call to operator[] | azure.cpp:295:10:295:20 | contentType | provenance | | | azure.cpp:295:10:295:20 | contentType | azure.cpp:295:10:295:20 | contentType | provenance | | +| file://:0:0:0:0 | [summary] value written to indirect return at Call: call to get_ptr | test.cpp:178:7:178:13 | [summary param] write to: indirect return in get_ptr | provenance | | +| file://:0:0:0:0 | [summary] value written to indirect return at Call: call to get_ptr | test.cpp:188:3:188:4 | get_ptr output argument [value] | provenance | MaD:55 | +| file://:0:0:0:0 | [summary] value written to indirect return at Call: call to operator[] | test.cpp:182:8:182:17 | [summary param] write to: indirect return in operator[] | provenance | | +| file://:0:0:0:0 | [summary] value written to indirect return at Call: call to operator[] | test.cpp:194:3:194:3 | operator[] output argument | provenance | MaD:54 | | test.cpp:4:5:4:17 | [summary param] 0 in ymlStepManual | test.cpp:4:5:4:17 | [summary] to write: ReturnValue in ymlStepManual | provenance | MaD:51 | | test.cpp:5:5:5:20 | [summary param] 0 in ymlStepGenerated | test.cpp:5:5:5:20 | [summary] to write: ReturnValue in ymlStepGenerated | provenance | MaD:50 | | test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | test.cpp:6:5:6:27 | [summary] to write: ReturnValue in ymlStepManual_with_body | provenance | MaD:52 | @@ -183,39 +190,57 @@ edges | test.cpp:118:11:118:42 | call to callWithNonTypeTemplate | test.cpp:119:10:119:11 | y2 | provenance | Sink:MaD:1 | | test.cpp:118:44:118:44 | *x | test.cpp:111:3:111:25 | [summary param] *0 in callWithNonTypeTemplate | provenance | | | test.cpp:118:44:118:44 | *x | test.cpp:118:11:118:42 | call to callWithNonTypeTemplate | provenance | MaD:48 | -| test.cpp:125:5:125:20 | [summary param] 0 in templateFunction | test.cpp:125:5:125:20 | [summary] to write: ReturnValue in templateFunction | provenance | MaD:54 | -| test.cpp:128:5:128:21 | [summary param] 1 in templateFunction2 | test.cpp:128:5:128:21 | [summary] to write: ReturnValue in templateFunction2 | provenance | MaD:53 | +| test.cpp:125:5:125:20 | [summary param] 0 in templateFunction | test.cpp:125:5:125:20 | [summary] to write: ReturnValue in templateFunction | provenance | MaD:57 | +| test.cpp:128:5:128:21 | [summary param] 1 in templateFunction2 | test.cpp:128:5:128:21 | [summary] to write: ReturnValue in templateFunction2 | provenance | MaD:56 | | test.cpp:133:10:133:18 | call to ymlSource | test.cpp:133:10:133:18 | call to ymlSource | provenance | Src:MaD:25 | | test.cpp:133:10:133:18 | call to ymlSource | test.cpp:134:45:134:45 | x | provenance | | | test.cpp:134:13:134:43 | call to templateFunction | test.cpp:134:13:134:43 | call to templateFunction | provenance | | | test.cpp:134:13:134:43 | call to templateFunction | test.cpp:135:10:135:10 | y | provenance | Sink:MaD:1 | | test.cpp:134:45:134:45 | x | test.cpp:125:5:125:20 | [summary param] 0 in templateFunction | provenance | | -| test.cpp:134:45:134:45 | x | test.cpp:134:13:134:43 | call to templateFunction | provenance | MaD:54 | -| test.cpp:140:4:140:11 | [summary param] 1 in function | test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | provenance | MaD:55 | -| test.cpp:140:4:140:11 | [summary param] 1 in function | test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | provenance | MaD:55 | +| test.cpp:134:45:134:45 | x | test.cpp:134:13:134:43 | call to templateFunction | provenance | MaD:57 | +| test.cpp:140:4:140:11 | [summary param] 1 in function | test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | provenance | MaD:58 | +| test.cpp:140:4:140:11 | [summary param] 1 in function | test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | provenance | MaD:58 | | test.cpp:146:10:146:18 | call to ymlSource | test.cpp:146:10:146:18 | call to ymlSource | provenance | Src:MaD:25 | | test.cpp:146:10:146:18 | call to ymlSource | test.cpp:148:26:148:26 | x | provenance | | | test.cpp:148:10:148:27 | call to function | test.cpp:148:10:148:27 | call to function | provenance | | | test.cpp:148:10:148:27 | call to function | test.cpp:149:10:149:10 | z | provenance | Sink:MaD:1 | | test.cpp:148:26:148:26 | x | test.cpp:140:4:140:11 | [summary param] 1 in function | provenance | | -| test.cpp:148:26:148:26 | x | test.cpp:148:10:148:27 | call to function | provenance | MaD:55 | +| test.cpp:148:26:148:26 | x | test.cpp:148:10:148:27 | call to function | provenance | MaD:58 | | test.cpp:155:10:155:18 | call to ymlSource | test.cpp:155:10:155:18 | call to ymlSource | provenance | Src:MaD:25 | | test.cpp:155:10:155:18 | call to ymlSource | test.cpp:157:26:157:26 | x | provenance | | | test.cpp:157:13:157:20 | call to function | test.cpp:157:13:157:20 | call to function | provenance | | | test.cpp:157:13:157:20 | call to function | test.cpp:158:10:158:10 | z | provenance | Sink:MaD:1 | | test.cpp:157:26:157:26 | x | test.cpp:140:4:140:11 | [summary param] 1 in function | provenance | | -| test.cpp:157:26:157:26 | x | test.cpp:157:13:157:20 | call to function | provenance | MaD:55 | +| test.cpp:157:26:157:26 | x | test.cpp:157:13:157:20 | call to function | provenance | MaD:58 | | test.cpp:164:34:164:34 | x | test.cpp:165:69:165:69 | x | provenance | | | test.cpp:165:12:165:64 | call to templateFunction2 | test.cpp:164:7:164:7 | *templateFunction3 | provenance | | | test.cpp:165:12:165:64 | call to templateFunction2 | test.cpp:165:12:165:64 | call to templateFunction2 | provenance | | | test.cpp:165:69:165:69 | x | test.cpp:128:5:128:21 | [summary param] 1 in templateFunction2 | provenance | | -| test.cpp:165:69:165:69 | x | test.cpp:165:12:165:64 | call to templateFunction2 | provenance | MaD:53 | +| test.cpp:165:69:165:69 | x | test.cpp:165:12:165:64 | call to templateFunction2 | provenance | MaD:56 | | test.cpp:170:10:170:18 | call to ymlSource | test.cpp:170:10:170:18 | call to ymlSource | provenance | Src:MaD:25 | | test.cpp:170:10:170:18 | call to ymlSource | test.cpp:172:51:172:51 | x | provenance | | | test.cpp:172:13:172:44 | call to templateFunction3 | test.cpp:172:13:172:44 | call to templateFunction3 | provenance | | | test.cpp:172:13:172:44 | call to templateFunction3 | test.cpp:173:10:173:10 | y | provenance | Sink:MaD:1 | | test.cpp:172:51:172:51 | x | test.cpp:164:34:164:34 | x | provenance | | -| test.cpp:172:51:172:51 | x | test.cpp:172:13:172:44 | call to templateFunction3 | provenance | MaD:53 | +| test.cpp:172:51:172:51 | x | test.cpp:172:13:172:44 | call to templateFunction3 | provenance | MaD:56 | +| test.cpp:178:7:178:13 | [summary param] write to: indirect return in get_ptr | test.cpp:178:7:178:13 | [summary] to write: Argument[this].Field[value] in get_ptr | provenance | MaD:55 | +| test.cpp:178:7:178:13 | [summary] to write: Argument[this] in get_ptr [value] | test.cpp:178:7:178:13 | [summary param] this in get_ptr [Return] [value] | provenance | | +| test.cpp:178:7:178:13 | [summary] to write: Argument[this].Field[value] in get_ptr | test.cpp:178:7:178:13 | [summary] to write: Argument[this] in get_ptr [value] | provenance | | +| test.cpp:182:8:182:17 | [summary param] this in operator[] | test.cpp:182:8:182:17 | [summary] to write: ReturnValue[*] in operator[] | provenance | MaD:53 | +| test.cpp:182:8:182:17 | [summary param] write to: indirect return in operator[] | test.cpp:182:8:182:17 | [summary param] this in operator[] [Return] | provenance | MaD:54 | +| test.cpp:188:3:188:4 | get_ptr output argument [value] | test.cpp:189:11:189:12 | *rf [value] | provenance | | +| test.cpp:188:3:188:28 | ... = ... | file://:0:0:0:0 | [summary] value written to indirect return at Call: call to get_ptr | provenance | MaD:55 | +| test.cpp:188:18:188:26 | call to ymlSource | test.cpp:188:3:188:28 | ... = ... | provenance | Src:MaD:25 | +| test.cpp:189:11:189:12 | *rf [value] | test.cpp:189:14:189:18 | value | provenance | | +| test.cpp:189:14:189:18 | value | test.cpp:189:14:189:18 | value | provenance | | +| test.cpp:189:14:189:18 | value | test.cpp:190:11:190:11 | x | provenance | Sink:MaD:1 | +| test.cpp:194:3:194:3 | operator[] output argument | test.cpp:195:12:195:12 | *s | provenance | | +| test.cpp:194:3:194:20 | ... = ... | file://:0:0:0:0 | [summary] value written to indirect return at Call: call to operator[] | provenance | MaD:54 | +| test.cpp:194:10:194:20 | call to ymlSource | test.cpp:194:3:194:20 | ... = ... | provenance | Src:MaD:25 | +| test.cpp:195:12:195:12 | *s | test.cpp:182:8:182:17 | [summary param] this in operator[] | provenance | | +| test.cpp:195:12:195:12 | *s | test.cpp:195:13:195:15 | call to operator[] | provenance | MaD:53 | +| test.cpp:195:13:195:15 | call to operator[] | test.cpp:195:13:195:15 | call to operator[] | provenance | | +| test.cpp:195:13:195:15 | call to operator[] | test.cpp:196:11:196:11 | c | provenance | Sink:MaD:1 | | windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | provenance | MaD:33 | | windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:22:15:22:29 | *call to GetCommandLineA | provenance | Src:MaD:3 | | windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:24:8:24:11 | * ... | provenance | | @@ -451,6 +476,8 @@ nodes | azure.cpp:295:10:295:20 | contentType | semmle.label | contentType | | azure.cpp:295:10:295:20 | contentType | semmle.label | contentType | | azure.cpp:295:10:295:20 | contentType | semmle.label | contentType | +| file://:0:0:0:0 | [summary] value written to indirect return at Call: call to get_ptr | semmle.label | [summary] value written to indirect return at Call: call to get_ptr | +| file://:0:0:0:0 | [summary] value written to indirect return at Call: call to operator[] | semmle.label | [summary] value written to indirect return at Call: call to operator[] | | test.cpp:4:5:4:17 | [summary param] 0 in ymlStepManual | semmle.label | [summary param] 0 in ymlStepManual | | test.cpp:4:5:4:17 | [summary] to write: ReturnValue in ymlStepManual | semmle.label | [summary] to write: ReturnValue in ymlStepManual | | test.cpp:5:5:5:20 | [summary param] 0 in ymlStepGenerated | semmle.label | [summary param] 0 in ymlStepGenerated | @@ -556,6 +583,28 @@ nodes | test.cpp:172:13:172:44 | call to templateFunction3 | semmle.label | call to templateFunction3 | | test.cpp:172:51:172:51 | x | semmle.label | x | | test.cpp:173:10:173:10 | y | semmle.label | y | +| test.cpp:178:7:178:13 | [summary param] this in get_ptr [Return] [value] | semmle.label | [summary param] this in get_ptr [Return] [value] | +| test.cpp:178:7:178:13 | [summary param] write to: indirect return in get_ptr | semmle.label | [summary param] write to: indirect return in get_ptr | +| test.cpp:178:7:178:13 | [summary] to write: Argument[this] in get_ptr [value] | semmle.label | [summary] to write: Argument[this] in get_ptr [value] | +| test.cpp:178:7:178:13 | [summary] to write: Argument[this].Field[value] in get_ptr | semmle.label | [summary] to write: Argument[this].Field[value] in get_ptr | +| test.cpp:182:8:182:17 | [summary param] this in operator[] | semmle.label | [summary param] this in operator[] | +| test.cpp:182:8:182:17 | [summary param] this in operator[] [Return] | semmle.label | [summary param] this in operator[] [Return] | +| test.cpp:182:8:182:17 | [summary param] write to: indirect return in operator[] | semmle.label | [summary param] write to: indirect return in operator[] | +| test.cpp:182:8:182:17 | [summary] to write: ReturnValue[*] in operator[] | semmle.label | [summary] to write: ReturnValue[*] in operator[] | +| test.cpp:188:3:188:4 | get_ptr output argument [value] | semmle.label | get_ptr output argument [value] | +| test.cpp:188:3:188:28 | ... = ... | semmle.label | ... = ... | +| test.cpp:188:18:188:26 | call to ymlSource | semmle.label | call to ymlSource | +| test.cpp:189:11:189:12 | *rf [value] | semmle.label | *rf [value] | +| test.cpp:189:14:189:18 | value | semmle.label | value | +| test.cpp:189:14:189:18 | value | semmle.label | value | +| test.cpp:190:11:190:11 | x | semmle.label | x | +| test.cpp:194:3:194:3 | operator[] output argument | semmle.label | operator[] output argument | +| test.cpp:194:3:194:20 | ... = ... | semmle.label | ... = ... | +| test.cpp:194:10:194:20 | call to ymlSource | semmle.label | call to ymlSource | +| test.cpp:195:12:195:12 | *s | semmle.label | *s | +| test.cpp:195:13:195:15 | call to operator[] | semmle.label | call to operator[] | +| test.cpp:195:13:195:15 | call to operator[] | semmle.label | call to operator[] | +| test.cpp:196:11:196:11 | c | semmle.label | c | | windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | semmle.label | [summary param] *0 in CommandLineToArgvA | | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | semmle.label | [summary] to write: ReturnValue[**] in CommandLineToArgvA | | windows.cpp:22:15:22:29 | *call to GetCommandLineA | semmle.label | *call to GetCommandLineA | @@ -756,6 +805,8 @@ subpaths | azure.cpp:266:38:266:41 | *resp | azure.cpp:115:30:115:38 | [summary param] this in ReadToEnd | azure.cpp:115:30:115:38 | [summary] to write: ReturnValue in ReadToEnd [element] | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | | azure.cpp:282:21:282:23 | *call to get | azure.cpp:115:30:115:38 | [summary param] this in ReadToEnd | azure.cpp:115:30:115:38 | [summary] to write: ReturnValue in ReadToEnd [element] | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | | azure.cpp:289:24:289:56 | call to GetHeader | azure.cpp:62:10:62:14 | [summary param] this in Value | azure.cpp:62:10:62:14 | [summary] to write: ReturnValue[*] in Value | azure.cpp:289:63:289:65 | call to Value | +| file://:0:0:0:0 | [summary] value written to indirect return at Call: call to get_ptr | test.cpp:178:7:178:13 | [summary param] write to: indirect return in get_ptr | test.cpp:178:7:178:13 | [summary param] this in get_ptr [Return] [value] | test.cpp:188:3:188:4 | get_ptr output argument [value] | +| file://:0:0:0:0 | [summary] value written to indirect return at Call: call to operator[] | test.cpp:182:8:182:17 | [summary param] write to: indirect return in operator[] | test.cpp:182:8:182:17 | [summary param] this in operator[] [Return] | test.cpp:194:3:194:3 | operator[] output argument | | test.cpp:17:24:17:24 | x | test.cpp:4:5:4:17 | [summary param] 0 in ymlStepManual | test.cpp:4:5:4:17 | [summary] to write: ReturnValue in ymlStepManual | test.cpp:17:10:17:22 | call to ymlStepManual | | test.cpp:21:27:21:27 | x | test.cpp:5:5:5:20 | [summary param] 0 in ymlStepGenerated | test.cpp:5:5:5:20 | [summary] to write: ReturnValue in ymlStepGenerated | test.cpp:21:10:21:25 | call to ymlStepGenerated | | test.cpp:25:35:25:35 | x | test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | test.cpp:6:5:6:27 | [summary] to write: ReturnValue in ymlStepManual_with_body | test.cpp:25:11:25:33 | call to ymlStepManual_with_body | @@ -766,6 +817,7 @@ subpaths | test.cpp:157:26:157:26 | x | test.cpp:140:4:140:11 | [summary param] 1 in function | test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | test.cpp:157:13:157:20 | call to function | | test.cpp:165:69:165:69 | x | test.cpp:128:5:128:21 | [summary param] 1 in templateFunction2 | test.cpp:128:5:128:21 | [summary] to write: ReturnValue in templateFunction2 | test.cpp:165:12:165:64 | call to templateFunction2 | | test.cpp:172:51:172:51 | x | test.cpp:164:34:164:34 | x | test.cpp:164:7:164:7 | *templateFunction3 | test.cpp:172:13:172:44 | call to templateFunction3 | +| test.cpp:195:12:195:12 | *s | test.cpp:182:8:182:17 | [summary param] this in operator[] | test.cpp:182:8:182:17 | [summary] to write: ReturnValue[*] in operator[] | test.cpp:195:13:195:15 | call to operator[] | | windows.cpp:27:36:27:38 | *cmd | windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA | | windows.cpp:537:40:537:41 | *& ... | windows.cpp:473:17:473:37 | [summary param] *1 in RtlCopyVolatileMemory | windows.cpp:473:17:473:37 | [summary param] *0 in RtlCopyVolatileMemory [Return] | windows.cpp:537:27:537:37 | RtlCopyVolatileMemory output argument | | windows.cpp:542:38:542:39 | *& ... | windows.cpp:479:17:479:35 | [summary param] *1 in RtlCopyDeviceMemory | windows.cpp:479:17:479:35 | [summary param] *0 in RtlCopyDeviceMemory [Return] | windows.cpp:542:25:542:35 | RtlCopyDeviceMemory output argument | diff --git a/cpp/ql/test/library-tests/dataflow/external-models/flow.ext.yml b/cpp/ql/test/library-tests/dataflow/external-models/flow.ext.yml index 76d649152bdc..92c76ca25661 100644 --- a/cpp/ql/test/library-tests/dataflow/external-models/flow.ext.yml +++ b/cpp/ql/test/library-tests/dataflow/external-models/flow.ext.yml @@ -21,4 +21,7 @@ extensions: - ["", "", False, "callWithNonTypeTemplate", "(const T &)", "", "Argument[*0]", "ReturnValue", "value", "manual"] - ["", "TemplateClass1", False, "templateFunction", "(T,U)", "", "Argument[0]", "ReturnValue", "value", "manual"] - ["", "TemplateClass1", True, "templateFunction2", "(U,V)", "", "Argument[1]", "ReturnValue", "value", "manual"] - - ["", "TemplateClass2", True, "function", "(U,T)", "", "Argument[1]", "ReturnValue", "value", "manual"] \ No newline at end of file + - ["", "TemplateClass2", True, "function", "(U,T)", "", "Argument[1]", "ReturnValue", "value", "manual"] + - ["", "ReverseFlow", True, "get_ptr", "", "", "ReturnValue[*]", "Argument[-1].Field[value]", "value", "manual"] + - ["", "MyString", True, "operator[]", "", "", "ReturnValue[*]", "Argument[-1]", "taint", "manual"] + - ["", "MyString", True, "operator[]", "", "", "Argument[-1]", "ReturnValue[*]", "taint", "manual"] \ No newline at end of file diff --git a/cpp/ql/test/library-tests/dataflow/external-models/sinks.expected b/cpp/ql/test/library-tests/dataflow/external-models/sinks.expected index 03a0d442c1ce..98b0eff8757f 100644 --- a/cpp/ql/test/library-tests/dataflow/external-models/sinks.expected +++ b/cpp/ql/test/library-tests/dataflow/external-models/sinks.expected @@ -19,3 +19,5 @@ | test.cpp:149:10:149:10 | z | test-sink | | test.cpp:158:10:158:10 | z | test-sink | | test.cpp:173:10:173:10 | y | test-sink | +| test.cpp:190:11:190:11 | x | test-sink | +| test.cpp:196:11:196:11 | c | test-sink | diff --git a/cpp/ql/test/library-tests/dataflow/external-models/sources.expected b/cpp/ql/test/library-tests/dataflow/external-models/sources.expected index 4040cff4fd28..6b6c05e989b2 100644 --- a/cpp/ql/test/library-tests/dataflow/external-models/sources.expected +++ b/cpp/ql/test/library-tests/dataflow/external-models/sources.expected @@ -13,6 +13,8 @@ | test.cpp:146:10:146:18 | call to ymlSource | local | | test.cpp:155:10:155:18 | call to ymlSource | local | | test.cpp:170:10:170:18 | call to ymlSource | local | +| test.cpp:188:18:188:26 | call to ymlSource | local | +| test.cpp:194:10:194:20 | call to ymlSource | local | | windows.cpp:22:15:22:29 | *call to GetCommandLineA | local | | windows.cpp:34:17:34:38 | *call to GetEnvironmentStringsA | local | | windows.cpp:39:36:39:38 | GetEnvironmentVariableA output argument | local | diff --git a/cpp/ql/test/library-tests/dataflow/external-models/test.cpp b/cpp/ql/test/library-tests/dataflow/external-models/test.cpp index 01bf6cc4093f..ebbb3b536746 100644 --- a/cpp/ql/test/library-tests/dataflow/external-models/test.cpp +++ b/cpp/ql/test/library-tests/dataflow/external-models/test.cpp @@ -171,4 +171,28 @@ void test_class1() { Class1 c; auto y = c.templateFunction3(0UL, x); ymlSink(y); // $ ir +} + +struct ReverseFlow { + int value; + int& get_ptr(); +}; + +struct MyString { + char& operator[](unsigned); +}; + +void test_reverse_flow(unsigned i, unsigned j) { + { + ReverseFlow rf; + rf.get_ptr() = ymlSource(); + int x = rf.value; + ymlSink(x); // $ ir + } + { + MyString s; + s[i] = ymlSource(); + char c = s[j]; + ymlSink(c); // $ ir + } } \ No newline at end of file diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll index f0d4bd996214..d12c65c9fffd 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll @@ -714,7 +714,7 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo, string model) { ) and model = "" or - FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom.(FlowSummaryNode).getSummaryNode(), + FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom, nodeTo.(FlowSummaryNode).getSummaryNode(), true, model) } diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll index a7ab18a62901..f936a206e2b1 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll @@ -34,6 +34,8 @@ module Input implements InputSig class SinkBase = Void; + class FlowSummaryCallBase = Void; + predicate neutralElement(SummarizedCallableBase c, string kind, string provenance, boolean isExact) { interpretNeutral(c, kind, provenance, isExact) } @@ -201,6 +203,10 @@ private module TypesInput implements Impl::Private::TypesInputSig { } private module StepsInput implements Impl::Private::StepsInputSig { + Impl::Private::SummaryNode getSummaryNode(Node n) { + result = n.(FlowSummaryNode).getSummaryNode() + } + DataFlowCall getACall(Public::SummarizedCallable sc) { sc = viableCallable(result).asSummarizedCallable() } diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll index d3ae19c6d18b..e51eaf4bbcb4 100644 --- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll +++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll @@ -171,7 +171,7 @@ private module Cached { ) and model = "" or - FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom.(FlowSummaryNode).getSummaryNode(), + FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom, nodeTo.(FlowSummaryNode).getSummaryNode(), false, model) } } diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowUtil.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowUtil.qll index b29ff7d5ea88..e207a72727f9 100644 --- a/go/ql/lib/semmle/go/dataflow/internal/DataFlowUtil.qll +++ b/go/ql/lib/semmle/go/dataflow/internal/DataFlowUtil.qll @@ -141,7 +141,7 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo, string model) { any(FunctionModel m).flowStep(nodeFrom, nodeTo) and model = "FunctionModel" or - FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom.(FlowSummaryNode).getSummaryNode(), + FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom, nodeTo.(FlowSummaryNode).getSummaryNode(), true, model) } diff --git a/go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImpl.qll b/go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImpl.qll index ff727286c3b4..868066af1e45 100644 --- a/go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImpl.qll +++ b/go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImpl.qll @@ -31,6 +31,8 @@ module Input implements InputSig { class SinkBase = Void; + class FlowSummaryCallBase = Void; + predicate callableFromSource(SummarizedCallableBase c) { exists(c.getFuncDef()) } predicate neutralElement( @@ -113,6 +115,10 @@ module Input implements InputSig { private import Make as Impl private module StepsInput implements Impl::Private::StepsInputSig { + Impl::Private::SummaryNode getSummaryNode(Node n) { + result = n.(FlowSummaryNode).getSummaryNode() + } + DataFlowCall getACall(Public::SummarizedCallable sc) { exists(DataFlow::CallNode call | call.asExpr() = result and diff --git a/go/ql/lib/semmle/go/dataflow/internal/TaintTrackingUtil.qll b/go/ql/lib/semmle/go/dataflow/internal/TaintTrackingUtil.qll index f9f148744939..de7a1f743c53 100644 --- a/go/ql/lib/semmle/go/dataflow/internal/TaintTrackingUtil.qll +++ b/go/ql/lib/semmle/go/dataflow/internal/TaintTrackingUtil.qll @@ -109,8 +109,8 @@ private predicate localAdditionalForwardTaintStep( or any(AdditionalTaintStep a).step(pred, succ) and model = "AdditionalTaintStep" or - FlowSummaryImpl::Private::Steps::summaryLocalStep(pred.(DataFlowPrivate::FlowSummaryNode) - .getSummaryNode(), succ.(DataFlowPrivate::FlowSummaryNode).getSummaryNode(), false, model) + FlowSummaryImpl::Private::Steps::summaryLocalStep(pred, + succ.(DataFlowPrivate::FlowSummaryNode).getSummaryNode(), false, model) } /** diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowUtil.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowUtil.qll index 9c2bb13a09f5..d18190ffa1b6 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowUtil.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowUtil.qll @@ -247,8 +247,8 @@ private predicate simpleLocalFlowStep0(Node node1, Node node2, string model) { or cloneStep(node1, node2) and model = "CloneStep" or - FlowSummaryImpl::Private::Steps::summaryLocalStep(node1.(FlowSummaryNode).getSummaryNode(), - node2.(FlowSummaryNode).getSummaryNode(), true, model) + FlowSummaryImpl::Private::Steps::summaryLocalStep(node1, node2.(FlowSummaryNode).getSummaryNode(), + true, model) } /** diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll b/java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll index 453b7ccae11c..5ff113db730e 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/FlowSummaryImpl.qll @@ -41,6 +41,8 @@ module Input implements InputSig { class SinkBase = Void; + class FlowSummaryCallBase = Void; + predicate neutralElement( Input::SummarizedCallableBase c, string kind, string provenance, boolean isExact ) { @@ -144,6 +146,10 @@ private module TypesInput implements Impl::Private::TypesInputSig { } private module StepsInput implements Impl::Private::StepsInputSig { + Impl::Private::SummaryNode getSummaryNode(Node n) { + result = n.(FlowSummaryNode).getSummaryNode() + } + DataFlowCall getACall(Public::SummarizedCallable sc) { sc = viableCallable(result).asSummarizedCallable() } diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll index 5f1d6b66af56..dc6b075aed31 100644 --- a/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll +++ b/java/ql/lib/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll @@ -145,8 +145,8 @@ private module Cached { ) ) or - FlowSummaryImpl::Private::Steps::summaryLocalStep(src.(DataFlowPrivate::FlowSummaryNode) - .getSummaryNode(), sink.(DataFlowPrivate::FlowSummaryNode).getSummaryNode(), false, model) + FlowSummaryImpl::Private::Steps::summaryLocalStep(src, + sink.(DataFlowPrivate::FlowSummaryNode).getSummaryNode(), false, model) } /** diff --git a/javascript/ql/lib/semmle/javascript/dataflow/internal/DataFlowPrivate.qll b/javascript/ql/lib/semmle/javascript/dataflow/internal/DataFlowPrivate.qll index f8836e51ad91..922dd5acc869 100644 --- a/javascript/ql/lib/semmle/javascript/dataflow/internal/DataFlowPrivate.qll +++ b/javascript/ql/lib/semmle/javascript/dataflow/internal/DataFlowPrivate.qll @@ -1212,8 +1212,8 @@ private predicate valuePreservingStep(Node node1, Node node2) { or node2 = FlowSteps::getThrowTarget(node1) or - FlowSummaryPrivate::Steps::summaryLocalStep(node1.(FlowSummaryNode).getSummaryNode(), - node2.(FlowSummaryNode).getSummaryNode(), true, _) // TODO: preserve 'model' + FlowSummaryPrivate::Steps::summaryLocalStep(node1, node2.(FlowSummaryNode).getSummaryNode(), true, + _) // TODO: preserve 'model' } predicate knownSourceModel(Node sink, string model) { none() } diff --git a/javascript/ql/lib/semmle/javascript/dataflow/internal/FlowSummaryPrivate.qll b/javascript/ql/lib/semmle/javascript/dataflow/internal/FlowSummaryPrivate.qll index fe7bab98341a..a7519f4180b4 100644 --- a/javascript/ql/lib/semmle/javascript/dataflow/internal/FlowSummaryPrivate.qll +++ b/javascript/ql/lib/semmle/javascript/dataflow/internal/FlowSummaryPrivate.qll @@ -142,6 +142,10 @@ string encodeArgumentPosition(ArgumentPosition pos) { ReturnKind getStandardReturnValueKind() { result = MkNormalReturnKind() and Stage::ref() } private module FlowSummaryStepInput implements Private::StepsInputSig { + Private::SummaryNode getSummaryNode(DataFlow::Node n) { + result = n.(FlowSummaryNode).getSummaryNode() + } + overlay[global] DataFlowCall getACall(SummarizedCallable sc) { exists(LibraryCallable callable | callable = sc | diff --git a/javascript/ql/lib/semmle/javascript/dataflow/internal/TaintTrackingPrivate.qll b/javascript/ql/lib/semmle/javascript/dataflow/internal/TaintTrackingPrivate.qll index 548d06ef64f5..e7b3a6e5658a 100644 --- a/javascript/ql/lib/semmle/javascript/dataflow/internal/TaintTrackingPrivate.qll +++ b/javascript/ql/lib/semmle/javascript/dataflow/internal/TaintTrackingPrivate.qll @@ -12,8 +12,8 @@ cached predicate defaultAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { TaintTracking::AdditionalTaintStep::step(node1, node2) or - FlowSummaryPrivate::Steps::summaryLocalStep(node1.(FlowSummaryNode).getSummaryNode(), - node2.(FlowSummaryNode).getSummaryNode(), false, _) // TODO: preserve 'model' parameter + FlowSummaryPrivate::Steps::summaryLocalStep(node1, node2.(FlowSummaryNode).getSummaryNode(), + false, _) // TODO: preserve 'model' parameter or // Convert steps out of array elements to plain taint steps FlowSummaryPrivate::Steps::summaryReadStep(node1.(FlowSummaryNode).getSummaryNode(), diff --git a/javascript/ql/lib/semmle/javascript/dataflow/internal/sharedlib/DataFlowArg.qll b/javascript/ql/lib/semmle/javascript/dataflow/internal/sharedlib/DataFlowArg.qll index 76992ed02cf8..0f0966cb27c9 100644 --- a/javascript/ql/lib/semmle/javascript/dataflow/internal/sharedlib/DataFlowArg.qll +++ b/javascript/ql/lib/semmle/javascript/dataflow/internal/sharedlib/DataFlowArg.qll @@ -3,6 +3,7 @@ private import DataFlowImplSpecific private import codeql.dataflow.DataFlow as SharedDataFlow private import codeql.dataflow.TaintTracking as SharedTaintTracking private import codeql.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl +private import codeql.util.Void module JSDataFlow implements SharedDataFlow::InputSig { import Private @@ -28,6 +29,8 @@ module JSFlowSummary implements FlowSummaryImpl::InputSig private import semmle.javascript.dataflow.internal.FlowSummaryPrivate as FlowSummaryPrivate import FlowSummaryPrivate + class FlowSummaryCallBase = Void; + overlay[local] predicate callableFromSource(SummarizedCallableBase c) { none() } diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll index 04e8ad0587f6..f74d91d13ab0 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll @@ -529,7 +529,7 @@ predicate simpleLocalFlowStepForTypetracking(Node nodeFrom, Node nodeTo) { } private predicate summaryLocalStep(Node nodeFrom, Node nodeTo, string model) { - FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom.(FlowSummaryNode).getSummaryNode(), + FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom, nodeTo.(FlowSummaryNode).getSummaryNode(), true, model) } diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/FlowSummaryImpl.qll b/python/ql/lib/semmle/python/dataflow/new/internal/FlowSummaryImpl.qll index 0931fcca0dc8..64d996e43611 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/FlowSummaryImpl.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/FlowSummaryImpl.qll @@ -20,6 +20,8 @@ module Input implements InputSig class SinkBase = Void; + class FlowSummaryCallBase = Void; + predicate callableFromSource(SummarizedCallableBase c) { none() } ArgumentPosition callbackSelfParameterPosition() { result.isLambdaSelf() } @@ -109,6 +111,10 @@ module Input implements InputSig private import Make as Impl private module StepsInput implements Impl::Private::StepsInputSig { + Impl::Private::SummaryNode getSummaryNode(Node n) { + result = n.(FlowSummaryNode).getSummaryNode() + } + overlay[global] DataFlowCall getACall(Public::SummarizedCallable sc) { result = diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll b/python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll index 2213ff35b1b9..50a6be72d9b5 100644 --- a/python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll +++ b/python/ql/lib/semmle/python/dataflow/new/internal/TaintTrackingPrivate.qll @@ -80,10 +80,8 @@ private module Cached { ) and model = "" or - FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom - .(DataFlowPrivate::FlowSummaryNode) - .getSummaryNode(), nodeTo.(DataFlowPrivate::FlowSummaryNode).getSummaryNode(), false, - model) + FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom, + nodeTo.(DataFlowPrivate::FlowSummaryNode).getSummaryNode(), false, model) } } diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll index 9646592c0c23..9f3042ebb5b7 100644 --- a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll +++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll @@ -198,8 +198,7 @@ module LocalFlow { FlowSummaryNode nodeFrom, FlowSummaryNode nodeTo, FlowSummaryImpl::Public::SummarizedCallable c, string model ) { - FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom.getSummaryNode(), - nodeTo.getSummaryNode(), true, model) and + FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom, nodeTo.getSummaryNode(), true, model) and c = nodeFrom.getSummarizedCallable() } diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImpl.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImpl.qll index d7326d9594b5..d94bba89bf5a 100644 --- a/ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImpl.qll +++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImpl.qll @@ -18,6 +18,8 @@ module Input implements InputSig { class SinkBase = Void; + class FlowSummaryCallBase = Void; + predicate callableFromSource(SummarizedCallableBase c) { none() } ArgumentPosition callbackSelfParameterPosition() { result.isLambdaSelf() } @@ -157,6 +159,10 @@ module Input implements InputSig { private import Make as Impl private module StepsInput implements Impl::Private::StepsInputSig { + Impl::Private::SummaryNode getSummaryNode(Node n) { + result = n.(FlowSummaryNode).getSummaryNode() + } + DataFlowCall getACall(Public::SummarizedCallable sc) { result.asCall().getAstNode() = sc.(LibraryCallable).getACall() or diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/TaintTrackingPrivate.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/TaintTrackingPrivate.qll index 104ef68c2677..a41f7c924820 100644 --- a/ruby/ql/lib/codeql/ruby/dataflow/internal/TaintTrackingPrivate.qll +++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/TaintTrackingPrivate.qll @@ -109,7 +109,7 @@ private module Cached { ) and model = "" or - FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom.(FlowSummaryNode).getSummaryNode(), + FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom, nodeTo.(FlowSummaryNode).getSummaryNode(), false, model) or any(FlowSteps::AdditionalTaintStep s).step(nodeFrom, nodeTo) and model = "AdditionalTaintStep" diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll index a7e2e2e4c6bc..c18ac5e026b1 100644 --- a/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll +++ b/rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll @@ -180,7 +180,7 @@ Expr getPostUpdateReverseStep(Expr e, boolean preservesValue) { module LocalFlow { predicate flowSummaryLocalStep(Node nodeFrom, Node nodeTo, string model) { exists(FlowSummaryImpl::Public::SummarizedCallable c | - FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom.(FlowSummaryNode).getSummaryNode(), + FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom, nodeTo.(FlowSummaryNode).getSummaryNode(), true, model) and c = nodeFrom.(FlowSummaryNode).getSummarizedCallable() ) diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll index 850328146518..d9104da11ad5 100644 --- a/rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll +++ b/rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll @@ -11,6 +11,7 @@ private import codeql.rust.dataflow.FlowSummary private import codeql.rust.dataflow.Ssa private import codeql.rust.dataflow.internal.ModelsAsData private import Content +private import Node predicate encodeContentTupleField(TupleFieldContent c, string arg) { exists(Addressable a, int pos, string prefix | @@ -28,9 +29,12 @@ predicate encodeContentStructField(StructFieldContent c, string arg) { module Input implements InputSig { private import codeql.rust.frameworks.stdlib.Stdlib + private import codeql.util.Void class SummarizedCallableBase = Function; + class FlowSummaryCallBase = Void; + predicate callableFromSource(SummarizedCallableBase c) { c.fromSource() } abstract private class SourceSinkBase extends AstNode { @@ -144,6 +148,10 @@ module Input implements InputSig { private import Make as Impl module StepsInput implements Impl::Private::StepsInputSig { + Impl::Private::SummaryNode getSummaryNode(RustDataFlow::Node n) { + result = n.(FlowSummaryNode).getSummaryNode() + } + DataFlowCall getACall(Public::SummarizedCallable sc) { result.asCall().getStaticTarget() = sc } /** Gets the argument of `source` described by `sc`, if any. */ diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll index f75c0166762c..7e5af70911d7 100644 --- a/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll +++ b/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll @@ -83,7 +83,7 @@ module RustTaintTrackingGen implements pred.(Node::PostUpdateNode).getPreUpdateNode().asExpr(), _, succ, _) ) or - FlowSummaryImpl::Private::Steps::summaryLocalStep(pred.(Node::FlowSummaryNode).getSummaryNode(), + FlowSummaryImpl::Private::Steps::summaryLocalStep(pred, succ.(Node::FlowSummaryNode).getSummaryNode(), false, model) } diff --git a/shared/dataflow/codeql/dataflow/internal/FlowSummaryImpl.qll b/shared/dataflow/codeql/dataflow/internal/FlowSummaryImpl.qll index ce980724778b..b0828c3384bb 100644 --- a/shared/dataflow/codeql/dataflow/internal/FlowSummaryImpl.qll +++ b/shared/dataflow/codeql/dataflow/internal/FlowSummaryImpl.qll @@ -54,6 +54,24 @@ signature module InputSig Lang> { none() } + /** + * A base class of calls that are candidates for flow summary modeling. + */ + class FlowSummaryCallBase { + string toString(); + } + + /** Gets a call that targets summarized callable `sc`. */ + default FlowSummaryCallBase getASourceCall(SummarizedCallableBase sc) { none() } + + /** Gets the callable corresponding to summarized callable `c`. */ + default Lang::DataFlowCallable getSummarizedCallableAsDataFlowCallable(SummarizedCallableBase c) { + none() + } + + /** Gets the enclosing callable of `call`. */ + default Lang::DataFlowCallable getSourceCallEnclosingCallable(FlowSummaryCallBase call) { none() } + /** Gets the parameter position representing a callback itself, if any. */ default Lang::ArgumentPosition callbackSelfParameterPosition() { none() } @@ -74,6 +92,9 @@ signature module InputSig Lang> { result = getStandardReturnValueKind() } + /** Gets the parameter position corresponding to a flow-summary return kind `rk`, if any. */ + default Lang::ParameterPosition getFlowSummaryParameterPosition(Lang::ReturnKind rk) { none() } + /** Gets the textual representation of parameter position `pos` used in MaD. */ string encodeParameterPosition(Lang::ParameterPosition pos); @@ -660,6 +681,10 @@ module Make< s.length() = 1 and s.head() instanceof TArgumentSummaryComponent or + // ReturnValue.* + s.length() = 1 and + s.head() instanceof TReturnSummaryComponent + or // Argument[n].ReturnValue.* s.length() = 2 and s.head() instanceof TReturnSummaryComponent and @@ -1137,6 +1162,13 @@ module Make< outputState(c, s) and s = SummaryComponentStack::argument(_) } + private predicate relevantFlowSummaryPosition(SummarizedCallable c, ReturnKind rk) { + exists(SummaryComponentStack input | + summary(c, input, _, _, _) and + input = TSingletonSummaryComponentStack(TReturnSummaryComponent(rk)) + ) + } + pragma[nomagic] private predicate sourceOutputStateEntry( SourceElement source, SummaryComponentStack s, string kind, string model @@ -1272,6 +1304,12 @@ module Make< TSummaryParameterNode(SummarizedCallable c, ParameterPosition pos) { summaryParameterNodeRange(c, pos) } or + TSummaryReturnArgumentNode(FlowSummaryCallBase call, ReturnKind rk) { + exists(SummarizedCallable sc | + call = getASourceCall(sc) and + relevantFlowSummaryPosition(sc, rk) + ) + } or TSourceOutputNode(SourceElement source, SummaryNodeState state, string kind, string model) { state.isSourceOutputState(source, _, kind, model) } or @@ -1321,6 +1359,40 @@ module Make< override SinkElement getSinkElement() { none() } } + private class SummaryReturnArgumentNode extends SummaryNode, TSummaryReturnArgumentNode { + private FlowSummaryCallBase call; + private ReturnKind rk; + + SummaryReturnArgumentNode() { this = TSummaryReturnArgumentNode(call, rk) } + + override string toString() { result = "[summary] value written to " + rk + " at " + call } + + override SummarizedCallable getSummarizedCallable() { none() } + + override SourceElement getSourceElement() { none() } + + override SinkElement getSinkElement() { none() } + } + + /** + * Gets the summary node that represents the argument node used to transfer + * flow into the caller when a value is written to the value returned by + * `call` with kind `rk`. + */ + SummaryNode summaryArgumentNode(FlowSummaryCallBase call, ReturnKind rk) { + result = TSummaryReturnArgumentNode(call, rk) + } + + /** Gets the enclosing callable for summary node `sn`. */ + DataFlowCallable getEnclosingCallable(SummaryNode sn) { + result = getSummarizedCallableAsDataFlowCallable(sn.getSummarizedCallable()) + or + exists(FlowSummaryCallBase call | + sn = TSummaryReturnArgumentNode(call, _) and + result = getSourceCallEnclosingCallable(call) + ) + } + class SourceOutputNode extends SummaryNode, TSourceOutputNode { private SourceElement source_; private SummaryNodeState state_; @@ -1427,6 +1499,12 @@ module Make< SummarizedCallable c, SummaryNodeState state, ParameterPosition pos ) { state.isInputState(c, SummaryComponentStack::argument(pos)) + or + exists(ReturnKind rk | + relevantFlowSummaryPosition(c, rk) and + state.isInputState(c, SummaryComponentStack::return(rk)) and + pos = getFlowSummaryParameterPosition(rk) + ) } /** @@ -1560,6 +1638,9 @@ module Make< ) } + /** Holds if return kind `rk` is a relevant return kind for flow summary modeling. */ + predicate relevantFlowSummaryPosition(ReturnKind rk) { relevantFlowSummaryPosition(_, rk) } + /** * Holds if flow is allowed to pass from the parameter at position `pos` of `c`, * to a return node, and back out to the parameter. @@ -1736,9 +1817,15 @@ module Make< } signature module StepsInputSig { + /** Gets the summary node represented by data-flow node `n`, if any. */ + SummaryNode getSummaryNode(Node n); + /** Gets a call that targets summarized callable `sc`. */ DataFlowCall getACall(SummarizedCallable sc); + /** Gets the out node of kind `rk` for `call`, if any. */ + default Node getSourceOutNode(FlowSummaryCallBase call, ReturnKind rk) { none() } + /** Gets the enclosing callable of `source`. */ DataFlowCallable getSourceNodeEnclosingCallable(SourceBase source); @@ -1765,7 +1852,7 @@ module Make< * Holds if there is a local step from `pred` to `succ`, which is synthesized * from a flow summary. */ - predicate summaryLocalStep( + private predicate summaryLocalStepImpl( SummaryNode pred, SummaryNode succ, boolean preservesValue, string model ) { exists( @@ -1811,9 +1898,24 @@ module Make< ) } + /** Holds if there is a local step between data-flow nodes synthesized from a flow summary. */ + predicate summaryLocalStep(Node pred, SummaryNode succ, boolean preservesValue, string model) { + exists(SummaryNode predSummary | + predSummary = StepsInput::getSummaryNode(pred) and + summaryLocalStepImpl(predSummary, succ, preservesValue, model) + ) + or + exists(FlowSummaryCallBase summaryCall, ReturnKind rk, SummarizedCallable sc | + pred = StepsInput::getSourceOutNode(summaryCall, rk) and + summaryCall = getASourceCall(sc) and + summary(sc, SummaryComponentStack::return(rk), _, preservesValue, model) and + succ = TSummaryReturnArgumentNode(summaryCall, rk) + ) + } + /** Holds if the value of `succ` is uniquely determined by the value of `pred`. */ predicate summaryLocalMustFlowStep(SummaryNode pred, SummaryNode succ) { - pred = unique(SummaryNode n1 | summaryLocalStep(n1, succ, true, _)) + pred = unique(SummaryNode n1 | summaryLocalStepImpl(n1, succ, true, _)) } /** @@ -1935,7 +2037,7 @@ module Make< or exists(SummaryNode mid, boolean clearsOrExpectsMid | paramReachesLocal(p, mid, clearsOrExpectsMid) and - summaryLocalStep(mid, n, true, _) and + summaryLocalStepImpl(mid, n, true, _) and if summaryClearsContent(n, _) or summaryExpectsContent(n, _) @@ -1993,7 +2095,7 @@ module Make< */ predicate summaryThroughStepValue(ArgNode arg, Node out, SummarizedCallable sc) { exists(SummaryNode ret | - summaryLocalStep(summaryArgParamRetOut(arg, ret, out, sc), ret, true, _) + summaryLocalStepImpl(summaryArgParamRetOut(arg, ret, out, sc), ret, true, _) ) } @@ -2006,7 +2108,7 @@ module Make< */ predicate summaryThroughStepTaint(ArgNode arg, Node out, SummarizedCallable sc) { exists(SummaryNode ret | - summaryLocalStep(summaryArgParamRetOut(arg, ret, out, sc), ret, false, _) + summaryLocalStepImpl(summaryArgParamRetOut(arg, ret, out, sc), ret, false, _) ) } @@ -2020,7 +2122,7 @@ module Make< predicate summaryGetterStep(ArgNode arg, ContentSet c, Node out, SummarizedCallable sc) { exists(SummaryNode mid, SummaryNode ret | summaryReadStep(summaryArgParamRetOut(arg, ret, out, sc), c, mid) and - summaryLocalStep(mid, ret, _, _) + summaryLocalStepImpl(mid, ret, _, _) ) } @@ -2033,7 +2135,7 @@ module Make< */ predicate summarySetterStep(ArgNode arg, ContentSet c, Node out, SummarizedCallable sc) { exists(SummaryNode mid, SummaryNode ret | - summaryLocalStep(summaryArgParamRetOut(arg, ret, out, sc), mid, _, _) and + summaryLocalStepImpl(summaryArgParamRetOut(arg, ret, out, sc), mid, _, _) and summaryStoreStep(mid, c, ret) ) } @@ -2749,9 +2851,11 @@ module Make< key = "semmle.label" and val = n.toString() } + private Node getNode(SummaryNode sn) { sn = StepsInput::getSummaryNode(result) } + private predicate edgesComponent(NodeOrCall a, NodeOrCall b, string value) { exists(boolean preservesValue | - PrivateSteps::summaryLocalStep(a.asNode(), b.asNode(), preservesValue, _) and + PrivateSteps::summaryLocalStep(getNode(a.asNode()), b.asNode(), preservesValue, _) and if preservesValue = true then value = "value" else value = "taint" ) or diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll index 9ea57c1ff062..135924c0eb72 100644 --- a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll +++ b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowPrivate.qll @@ -305,7 +305,7 @@ private module Cached { model = "" or // flow through a flow summary (extension of `SummaryModelCsv`) - FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom.(FlowSummaryNode).getSummaryNode(), + FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom, nodeTo.(FlowSummaryNode).getSummaryNode(), true, model) } diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/FlowSummaryImpl.qll b/swift/ql/lib/codeql/swift/dataflow/internal/FlowSummaryImpl.qll index 3a096fe3d576..6ca8e12ef6b6 100644 --- a/swift/ql/lib/codeql/swift/dataflow/internal/FlowSummaryImpl.qll +++ b/swift/ql/lib/codeql/swift/dataflow/internal/FlowSummaryImpl.qll @@ -20,6 +20,8 @@ module Input implements InputSig class SinkBase = Void; + class FlowSummaryCallBase = Void; + predicate callableFromSource(SummarizedCallableBase c) { c.hasBody() } ArgumentPosition callbackSelfParameterPosition() { result instanceof ThisArgumentPosition } @@ -113,6 +115,10 @@ module Input implements InputSig private import Make as Impl private module StepsInput implements Impl::Private::StepsInputSig { + Impl::Private::SummaryNode getSummaryNode(Node n) { + result = n.(FlowSummaryNode).getSummaryNode() + } + DataFlowCall getACall(Public::SummarizedCallable sc) { result.asCall().getStaticTarget() = sc } DataFlowCallable getSourceNodeEnclosingCallable(Input::SourceBase source) { none() } diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/TaintTrackingPrivate.qll b/swift/ql/lib/codeql/swift/dataflow/internal/TaintTrackingPrivate.qll index c3f14b03f835..6960dcf6177f 100644 --- a/swift/ql/lib/codeql/swift/dataflow/internal/TaintTrackingPrivate.qll +++ b/swift/ql/lib/codeql/swift/dataflow/internal/TaintTrackingPrivate.qll @@ -76,7 +76,7 @@ private module Cached { model = "" or // flow through a flow summary (extension of `SummaryModelCsv`) - FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom.(FlowSummaryNode).getSummaryNode(), + FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom, nodeTo.(FlowSummaryNode).getSummaryNode(), false, model) or any(AdditionalTaintStep a).step(nodeFrom, nodeTo) and model = "AdditionalTaintStep"