The Wayback Machine - https://web.archive.org/web/20211003213731/https://github.com/github/codeql/pull/6780/files
Skip to content

/ codeql Public

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Data flow: Prevent "fluent summary flow" when it will result in a flow loop #6780

Draft
wants to merge 5 commits into
base: main
Choose a base branch
from
+993 −313
Draft

Data flow: Prevent "fluent summary flow" when it will result in a flow loop #6780

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
07374c1
C#: Rework `SummarizedCallable::clearsContent/2`
hvitved Sep 29, 2021
542835a
Data flow: Sync files
hvitved Sep 29, 2021
6a4e2a6
Java: Restrict use-use flow
hvitved Sep 29, 2021
fbaf4e7
Data flow: Prevent "fluent summary flow" when it will result in a flo…
hvitved Sep 30, 2021
606ce7d
Data flow: Sync files
hvitved Sep 30, 2021
File filter
Filter file types
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.

Always

Just for now

38 cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
View file
Open in desktop
@@ -743,9 +743,12 @@ private module Stage1 {
throughFlowNodeCand(p, config) and
returnFlowCallableNodeCand(c, kind, config) and
p.getEnclosingCallable() = c and
exists(ap) and
// we don't expect a parameter to return stored in itself
not kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
(
if kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
then allowFlowThroughParameterCached(p.asNode())
else any()
) and
exists(ap)
)
}

@@ -1394,8 +1397,11 @@ private module Stage2 {
fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
kind = ret.getKind() and
p.getPosition() = pos and
// we don't expect a parameter to return stored in itself
not kind.(ParamUpdateReturnKind).getPosition() = pos
(
if kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
then allowFlowThroughParameterCached(p.asNode())
else any()
)
)
}

@@ -2083,8 +2089,11 @@ private module Stage3 {
fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
kind = ret.getKind() and
p.getPosition() = pos and
// we don't expect a parameter to return stored in itself
not kind.(ParamUpdateReturnKind).getPosition() = pos
(
if kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
then allowFlowThroughParameterCached(p.asNode())
else any()
)
)
}

@@ -2842,8 +2851,11 @@ private module Stage4 {
fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
kind = ret.getKind() and
p.getPosition() = pos and
// we don't expect a parameter to return stored in itself
not kind.(ParamUpdateReturnKind).getPosition() = pos
(
if kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
then allowFlowThroughParameterCached(p.asNode())
else any()
)
)
}

@@ -2916,6 +2928,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

int getParameterPos() { p.isParameterOf(_, result) }

ParameterNode getParameterNode() { result = p.asNode() }

override string toString() { result = p + ": " + ap }

predicate hasLocationInfo(
@@ -3606,7 +3620,11 @@ private predicate paramFlowsThrough(
ap = mid.getAp() and
apa = ap.getApprox() and
pos = sc.getParameterPos() and
not kind.(ParamUpdateReturnKind).getPosition() = pos
(
if kind.(ParamUpdateReturnKind).getPosition() = pos
then allowFlowThroughParameterCached(sc.getParameterNode())
else any()
)
)
}

38 cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
View file
Open in desktop
@@ -743,9 +743,12 @@ private module Stage1 {
throughFlowNodeCand(p, config) and
returnFlowCallableNodeCand(c, kind, config) and
p.getEnclosingCallable() = c and
exists(ap) and
// we don't expect a parameter to return stored in itself
not kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
(
if kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
then allowFlowThroughParameterCached(p.asNode())
else any()
) and
exists(ap)
)
}

@@ -1394,8 +1397,11 @@ private module Stage2 {
fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
kind = ret.getKind() and
p.getPosition() = pos and
// we don't expect a parameter to return stored in itself
not kind.(ParamUpdateReturnKind).getPosition() = pos
(
if kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
then allowFlowThroughParameterCached(p.asNode())
else any()
)
)
}

@@ -2083,8 +2089,11 @@ private module Stage3 {
fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
kind = ret.getKind() and
p.getPosition() = pos and
// we don't expect a parameter to return stored in itself
not kind.(ParamUpdateReturnKind).getPosition() = pos
(
if kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
then allowFlowThroughParameterCached(p.asNode())
else any()
)
)
}

@@ -2842,8 +2851,11 @@ private module Stage4 {
fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
kind = ret.getKind() and
p.getPosition() = pos and
// we don't expect a parameter to return stored in itself
not kind.(ParamUpdateReturnKind).getPosition() = pos
(
if kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
then allowFlowThroughParameterCached(p.asNode())
else any()
)
)
}

@@ -2916,6 +2928,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

int getParameterPos() { p.isParameterOf(_, result) }

ParameterNode getParameterNode() { result = p.asNode() }

override string toString() { result = p + ": " + ap }

predicate hasLocationInfo(
@@ -3606,7 +3620,11 @@ private predicate paramFlowsThrough(
ap = mid.getAp() and
apa = ap.getApprox() and
pos = sc.getParameterPos() and
not kind.(ParamUpdateReturnKind).getPosition() = pos
(
if kind.(ParamUpdateReturnKind).getPosition() = pos
then allowFlowThroughParameterCached(sc.getParameterNode())
else any()
)
)
}

38 cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
View file
Open in desktop
@@ -743,9 +743,12 @@ private module Stage1 {
throughFlowNodeCand(p, config) and
returnFlowCallableNodeCand(c, kind, config) and
p.getEnclosingCallable() = c and
exists(ap) and
// we don't expect a parameter to return stored in itself
not kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
(
if kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
then allowFlowThroughParameterCached(p.asNode())
else any()
) and
exists(ap)
)
}

@@ -1394,8 +1397,11 @@ private module Stage2 {
fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
kind = ret.getKind() and
p.getPosition() = pos and
// we don't expect a parameter to return stored in itself
not kind.(ParamUpdateReturnKind).getPosition() = pos
(
if kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
then allowFlowThroughParameterCached(p.asNode())
else any()
)
)
}

@@ -2083,8 +2089,11 @@ private module Stage3 {
fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
kind = ret.getKind() and
p.getPosition() = pos and
// we don't expect a parameter to return stored in itself
not kind.(ParamUpdateReturnKind).getPosition() = pos
(
if kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
then allowFlowThroughParameterCached(p.asNode())
else any()
)
)
}

@@ -2842,8 +2851,11 @@ private module Stage4 {
fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
kind = ret.getKind() and
p.getPosition() = pos and
// we don't expect a parameter to return stored in itself
not kind.(ParamUpdateReturnKind).getPosition() = pos
(
if kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
then allowFlowThroughParameterCached(p.asNode())
else any()
)
)
}

@@ -2916,6 +2928,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

int getParameterPos() { p.isParameterOf(_, result) }

ParameterNode getParameterNode() { result = p.asNode() }

override string toString() { result = p + ": " + ap }

predicate hasLocationInfo(
@@ -3606,7 +3620,11 @@ private predicate paramFlowsThrough(
ap = mid.getAp() and
apa = ap.getApprox() and
pos = sc.getParameterPos() and
not kind.(ParamUpdateReturnKind).getPosition() = pos
(
if kind.(ParamUpdateReturnKind).getPosition() = pos
then allowFlowThroughParameterCached(sc.getParameterNode())
else any()
)
)
}

38 cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
View file
Open in desktop
@@ -743,9 +743,12 @@ private module Stage1 {
throughFlowNodeCand(p, config) and
returnFlowCallableNodeCand(c, kind, config) and
p.getEnclosingCallable() = c and
exists(ap) and
// we don't expect a parameter to return stored in itself
not kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
(
if kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
then allowFlowThroughParameterCached(p.asNode())
else any()
) and
exists(ap)
)
}

@@ -1394,8 +1397,11 @@ private module Stage2 {
fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
kind = ret.getKind() and
p.getPosition() = pos and
// we don't expect a parameter to return stored in itself
not kind.(ParamUpdateReturnKind).getPosition() = pos
(
if kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
then allowFlowThroughParameterCached(p.asNode())
else any()
)
)
}

@@ -2083,8 +2089,11 @@ private module Stage3 {
fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
kind = ret.getKind() and
p.getPosition() = pos and
// we don't expect a parameter to return stored in itself
not kind.(ParamUpdateReturnKind).getPosition() = pos
(
if kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
then allowFlowThroughParameterCached(p.asNode())
else any()
)
)
}

@@ -2842,8 +2851,11 @@ private module Stage4 {
fwdFlow(ret, any(CcCall ccc), apSome(ap), ap0, config) and
kind = ret.getKind() and
p.getPosition() = pos and
// we don't expect a parameter to return stored in itself
not kind.(ParamUpdateReturnKind).getPosition() = pos
(
if kind.(ParamUpdateReturnKind).getPosition() = p.getPosition()
then allowFlowThroughParameterCached(p.asNode())
else any()
)
)
}

@@ -2916,6 +2928,8 @@ private class SummaryCtxSome extends SummaryCtx, TSummaryCtxSome {

int getParameterPos() { p.isParameterOf(_, result) }

ParameterNode getParameterNode() { result = p.asNode() }

override string toString() { result = p + ": " + ap }

predicate hasLocationInfo(
@@ -3606,7 +3620,11 @@ private predicate paramFlowsThrough(
ap = mid.getAp() and
apa = ap.getApprox() and
pos = sc.getParameterPos() and
not kind.(ParamUpdateReturnKind).getPosition() = pos
(
if kind.(ParamUpdateReturnKind).getPosition() = pos
then allowFlowThroughParameterCached(sc.getParameterNode())
else any()
)
)
}

3 cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
View file
Open in desktop
@@ -801,6 +801,9 @@ private module Cached {
exists(Node n | getNodeEnclosingCallable(n) = callable | isUnreachableInCallCached(n, call))
}

cached
predicate allowFlowThroughParameterCached(ParameterNode p) { allowFlowThroughParameter(p) }

cached
newtype TCallContext =
TAnyCallContext() or
1 cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll
View file
Open in desktop
@@ -175,6 +175,7 @@ module Consistency {

query predicate postWithInFlow(Node n, string msg) {
isPostUpdateNode(n) and
not clearsContent(n, _) and
simpleLocalFlowStep(_, n) and
msg = "PostUpdateNode should not be the target of local flow."
}