From e4e9a2e1f92a586816e7fb9edd3864d9fc60c77b Mon Sep 17 00:00:00 2001
From: Tom Hvitved
Date: Wed, 21 Sep 2022 10:24:04 +0200
Subject: [PATCH 1/5] Data flow: Guard against `viableImplInCallContext` not being a subset of`viableCallable`
---
 .../dataflow/internal/DataFlowImplCommon.qll | 3 ++-
 .../dataflow/internal/DataFlowImplConsistency.qll | 15 +++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
index 95b34f15dad..ae9c6f3f12e 100644
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
@@ -709,7 +709,8 @@ private module Cached {
 */
 pragma[nomagic]
 private DataFlowCallable viableImplInCallContextExt(DataFlowCall call, DataFlowCall ctx) {
- result = viableImplInCallContext(call, ctx)
+ result = viableImplInCallContext(call, ctx) and
+ result = viableCallable(call)
 or
 result = viableCallableLambda(call, TDataFlowCallSome(ctx))
 or
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll
index da828337e56..dde16ab5a2a 100644
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplConsistency.qll
@@ -38,6 +38,13 @@ module Consistency {
 /** Holds if `n` should be excluded from the consistency test `uniquePostUpdate`. */
 predicate uniquePostUpdateExclude(Node n) { none() }
+
+ /** Holds if `(call, ctx)` should be excluded from the consistency test `viableImplInCallContextTooLargeExclude`. */
+ predicate viableImplInCallContextTooLargeExclude(
+ DataFlowCall call, DataFlowCall ctx, DataFlowCallable callable
+ ) {
+ none()
+ }
 }
 private class RelevantNode extends Node {
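Review bot: The new conjunct `result = viableCallable(call)` is a silent repair whose rationale is not recorded next to it, and the predicate's doc comment (only its closing `*/` is in the hunk) presumably does not mention it either. I would add a line above the conjunct: `// Language-specific viableImplInCallContext may over-approximate; intersecting with viableCallable keeps context-sensitive dispatch a subset of context-insensitive dispatch.` This guard hides the defect at analysis time while the companion consistency query only surfaces it in test runs, so the comment should also point readers at `viableImplInCallContextTooLarge` in DataFlowImplConsistency.qll. The body of `viableImplInCallContextExt` continues past the end of the hunk.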
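Review bot: The doc comment on `viableImplInCallContextTooLargeExclude` names the wrong consistency test and documents only two of the three parameters: the test is `viableImplInCallContextTooLarge` (the `Exclude` suffix belongs to this predicate), and the predicate also takes `callable`. Suggested wording: `/** Holds if \`(call, ctx, callable)\` should be excluded from the consistency test \`viableImplInCallContextTooLarge\`. */`. The same text is copied into every language's DataFlowImplConsistency.qll by PATCH 2/5, so the fix belongs in the shared source before the next sync.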
@@ -217,4 +224,12 @@ module Consistency {
 not any(ConsistencyConfiguration c).postWithInFlowExclude(n) and
 msg = "PostUpdateNode should not be the target of local flow."
 }
+
+ query predicate viableImplInCallContextTooLarge(
+ DataFlowCall call, DataFlowCall ctx, DataFlowCallable callable
+ ) {
+ callable = viableImplInCallContext(call, ctx) and
+ not callable = viableCallable(call) and
+ not any(ConsistencyConfiguration c).viableImplInCallContextTooLargeExclude(call, ctx, callable)
+ }
 }
From ad6b870f9433aeba311c592aba40926b6d50ca59 Mon Sep 17 00:00:00 2001
From: Tom Hvitved
Date: Thu, 22 Sep 2022 15:01:33 +0200
Subject: [PATCH 2/5] Data flow: Sync files
---
 .../ir/dataflow/internal/DataFlowImplCommon.qll | 3 ++-
 .../dataflow/internal/DataFlowImplConsistency.qll | 15 +++++++++++++++
 .../cpp/dataflow/internal/DataFlowImplCommon.qll | 3 ++-
 .../dataflow/internal/DataFlowImplConsistency.qll | 15 +++++++++++++++
 .../ir/dataflow/internal/DataFlowImplCommon.qll | 3 ++-
 .../dataflow/internal/DataFlowImplConsistency.qll | 15 +++++++++++++++
 .../java/dataflow/internal/DataFlowImplCommon.qll | 3 ++-
 .../dataflow/internal/DataFlowImplConsistency.qll | 15 +++++++++++++++
 .../dataflow/new/internal/DataFlowImplCommon.qll | 3 ++-
 .../new/internal/DataFlowImplConsistency.qll | 15 +++++++++++++++
 .../ruby/dataflow/internal/DataFlowImplCommon.qll | 3 ++-
 .../dataflow/internal/DataFlowImplConsistency.qll | 15 +++++++++++++++
 .../dataflow/internal/DataFlowImplCommon.qll | 3 ++-
 .../dataflow/internal/DataFlowImplConsistency.qll | 15 +++++++++++++++
 14 files changed, 119 insertions(+), 7 deletions(-)
diff --git a/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll b/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
index 95b34f15dad..ae9c6f3f12e 100644
--- a/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
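Review bot: `query predicate viableImplInCallContextTooLarge` has no doc comment, and unlike the neighbouring check it produces no `msg` column (the context line `msg = "PostUpdateNode should not be the target of local flow."` shows the existing convention), so a failing row in an `.expected` file gives a reader no explanation. I would document it as `/** Holds if \`callable\` is a viable target of \`call\` in call context \`ctx\` but not a viable target of \`call\` regardless of context; \`viableImplInCallContext\` must be a subset of \`viableCallable\`. */`. Whether to add a `string msg` column is a judgement call: the three-column shape is easy to grep, and the `.expected` updates in PATCH 3/5 and 4/5 already bake that shape in.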
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
@@ -709,7 +709,8 @@ private module Cached {
 */
 pragma[nomagic]
 private DataFlowCallable viableImplInCallContextExt(DataFlowCall call, DataFlowCall ctx) {
- result = viableImplInCallContext(call, ctx)
+ result = viableImplInCallContext(call, ctx) and
+ result = viableCallable(call)
 or
 result = viableCallableLambda(call, TDataFlowCallSome(ctx))
 or
diff --git a/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll b/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll
index da828337e56..dde16ab5a2a 100644
--- a/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll
+++ b/cpp/ql/lib/experimental/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll
@@ -38,6 +38,13 @@ module Consistency {
 /** Holds if `n` should be excluded from the consistency test `uniquePostUpdate`. */
 predicate uniquePostUpdateExclude(Node n) { none() }
+
+ /** Holds if `(call, ctx)` should be excluded from the consistency test `viableImplInCallContextTooLargeExclude`. */
+ predicate viableImplInCallContextTooLargeExclude(
+ DataFlowCall call, DataFlowCall ctx, DataFlowCallable callable
+ ) {
+ none()
+ }
 }
 private class RelevantNode extends Node {
@@ -217,4 +224,12 @@ module Consistency {
 not any(ConsistencyConfiguration c).postWithInFlowExclude(n) and
 msg = "PostUpdateNode should not be the target of local flow."
 }
+
+ query predicate viableImplInCallContextTooLarge(
+ DataFlowCall call, DataFlowCall ctx, DataFlowCallable callable
+ ) {
+ callable = viableImplInCallContext(call, ctx) and
+ not callable = viableCallable(call) and
+ not any(ConsistencyConfiguration c).viableImplInCallContextTooLargeExclude(call, ctx, callable)
+ }
 }
diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
index 95b34f15dad..ae9c6f3f12e 100644
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
@@ -709,7 +709,8 @@ private module Cached {
 */
 pragma[nomagic]
 private DataFlowCallable viableImplInCallContextExt(DataFlowCall call, DataFlowCall ctx) {
- result = viableImplInCallContext(call, ctx)
+ result = viableImplInCallContext(call, ctx) and
+ result = viableCallable(call)
 or
 result = viableCallableLambda(call, TDataFlowCallSome(ctx))
 or
diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll
index da828337e56..dde16ab5a2a 100644
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll
@@ -38,6 +38,13 @@ module Consistency {
 /** Holds if `n` should be excluded from the consistency test `uniquePostUpdate`. */
 predicate uniquePostUpdateExclude(Node n) { none() }
+
+ /** Holds if `(call, ctx)` should be excluded from the consistency test `viableImplInCallContextTooLargeExclude`. */
+ predicate viableImplInCallContextTooLargeExclude(
+ DataFlowCall call, DataFlowCall ctx, DataFlowCallable callable
+ ) {
+ none()
+ }
 }
 private class RelevantNode extends Node {
@@ -217,4 +224,12 @@ module Consistency {
 not any(ConsistencyConfiguration c).postWithInFlowExclude(n) and
 msg = "PostUpdateNode should not be the target of local flow."
 }
+
+ query predicate viableImplInCallContextTooLarge(
+ DataFlowCall call, DataFlowCall ctx, DataFlowCallable callable
+ ) {
+ callable = viableImplInCallContext(call, ctx) and
+ not callable = viableCallable(call) and
+ not any(ConsistencyConfiguration c).viableImplInCallContextTooLargeExclude(call, ctx, callable)
+ }
 }
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
index 95b34f15dad..ae9c6f3f12e 100644
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
@@ -709,7 +709,8 @@ private module Cached {
 */
 pragma[nomagic]
 private DataFlowCallable viableImplInCallContextExt(DataFlowCall call, DataFlowCall ctx) {
- result = viableImplInCallContext(call, ctx)
+ result = viableImplInCallContext(call, ctx) and
+ result = viableCallable(call)
 or
 result = viableCallableLambda(call, TDataFlowCallSome(ctx))
 or
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll
index da828337e56..dde16ab5a2a 100644
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplConsistency.qll
@@ -38,6 +38,13 @@ module Consistency {
 /** Holds if `n` should be excluded from the consistency test `uniquePostUpdate`. */
 predicate uniquePostUpdateExclude(Node n) { none() }
+
+ /** Holds if `(call, ctx)` should be excluded from the consistency test `viableImplInCallContextTooLargeExclude`. */
+ predicate viableImplInCallContextTooLargeExclude(
+ DataFlowCall call, DataFlowCall ctx, DataFlowCallable callable
+ ) {
+ none()
+ }
 }
 private class RelevantNode extends Node {
@@ -217,4 +224,12 @@ module Consistency {
 not any(ConsistencyConfiguration c).postWithInFlowExclude(n) and
 msg = "PostUpdateNode should not be the target of local flow."
 }
+
+ query predicate viableImplInCallContextTooLarge(
+ DataFlowCall call, DataFlowCall ctx, DataFlowCallable callable
+ ) {
+ callable = viableImplInCallContext(call, ctx) and
+ not callable = viableCallable(call) and
+ not any(ConsistencyConfiguration c).viableImplInCallContextTooLargeExclude(call, ctx, callable)
+ }
 }
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll
index 95b34f15dad..ae9c6f3f12e 100644
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll
@@ -709,7 +709,8 @@ private module Cached {
 */
 pragma[nomagic]
 private DataFlowCallable viableImplInCallContextExt(DataFlowCall call, DataFlowCall ctx) {
- result = viableImplInCallContext(call, ctx)
+ result = viableImplInCallContext(call, ctx) and
+ result = viableCallable(call)
 or
 result = viableCallableLambda(call, TDataFlowCallSome(ctx))
 or
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll
index da828337e56..dde16ab5a2a 100644
--- a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplConsistency.qll
@@ -38,6 +38,13 @@ module Consistency {
 /** Holds if `n` should be excluded from the consistency test `uniquePostUpdate`. */
 predicate uniquePostUpdateExclude(Node n) { none() }
+
+ /** Holds if `(call, ctx)` should be excluded from the consistency test `viableImplInCallContextTooLargeExclude`. */
+ predicate viableImplInCallContextTooLargeExclude(
+ DataFlowCall call, DataFlowCall ctx, DataFlowCallable callable
+ ) {
+ none()
+ }
 }
 private class RelevantNode extends Node {
@@ -217,4 +224,12 @@ module Consistency {
 not any(ConsistencyConfiguration c).postWithInFlowExclude(n) and
 msg = "PostUpdateNode should not be the target of local flow."
 }
+
+ query predicate viableImplInCallContextTooLarge(
+ DataFlowCall call, DataFlowCall ctx, DataFlowCallable callable
+ ) {
+ callable = viableImplInCallContext(call, ctx) and
+ not callable = viableCallable(call) and
+ not any(ConsistencyConfiguration c).viableImplInCallContextTooLargeExclude(call, ctx, callable)
+ }
 }
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll
index 95b34f15dad..ae9c6f3f12e 100644
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll
@@ -709,7 +709,8 @@ private module Cached {
 */
 pragma[nomagic]
 private DataFlowCallable viableImplInCallContextExt(DataFlowCall call, DataFlowCall ctx) {
- result = viableImplInCallContext(call, ctx)
+ result = viableImplInCallContext(call, ctx) and
+ result = viableCallable(call)
 or
 result = viableCallableLambda(call, TDataFlowCallSome(ctx))
 or
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll
index da828337e56..dde16ab5a2a 100644
--- a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll
+++ b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll
@@ -38,6 +38,13 @@ module Consistency {
 /** Holds if `n` should be excluded from the consistency test `uniquePostUpdate`. */
 predicate uniquePostUpdateExclude(Node n) { none() }
+
+ /** Holds if `(call, ctx)` should be excluded from the consistency test `viableImplInCallContextTooLargeExclude`. */
+ predicate viableImplInCallContextTooLargeExclude(
+ DataFlowCall call, DataFlowCall ctx, DataFlowCallable callable
+ ) {
+ none()
+ }
 }
 private class RelevantNode extends Node {
@@ -217,4 +224,12 @@ module Consistency {
 not any(ConsistencyConfiguration c).postWithInFlowExclude(n) and
 msg = "PostUpdateNode should not be the target of local flow."
 }
+
+ query predicate viableImplInCallContextTooLarge(
+ DataFlowCall call, DataFlowCall ctx, DataFlowCallable callable
+ ) {
+ callable = viableImplInCallContext(call, ctx) and
+ not callable = viableCallable(call) and
+ not any(ConsistencyConfiguration c).viableImplInCallContextTooLargeExclude(call, ctx, callable)
+ }
 }
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplCommon.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplCommon.qll
index 95b34f15dad..ae9c6f3f12e 100644
--- a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplCommon.qll
+++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplCommon.qll
@@ -709,7 +709,8 @@ private module Cached {
 */
 pragma[nomagic]
 private DataFlowCallable viableImplInCallContextExt(DataFlowCall call, DataFlowCall ctx) {
- result = viableImplInCallContext(call, ctx)
+ result = viableImplInCallContext(call, ctx) and
+ result = viableCallable(call)
 or
 result = viableCallableLambda(call, TDataFlowCallSome(ctx))
 or
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplConsistency.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplConsistency.qll
index da828337e56..dde16ab5a2a 100644
--- a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplConsistency.qll
+++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplConsistency.qll
@@ -38,6 +38,13 @@ module Consistency {
 /** Holds if `n` should be excluded from the consistency test `uniquePostUpdate`. */
 predicate uniquePostUpdateExclude(Node n) { none() }
+
+ /** Holds if `(call, ctx)` should be excluded from the consistency test `viableImplInCallContextTooLargeExclude`. */
+ predicate viableImplInCallContextTooLargeExclude(
+ DataFlowCall call, DataFlowCall ctx, DataFlowCallable callable
+ ) {
+ none()
+ }
 }
 private class RelevantNode extends Node {
@@ -217,4 +224,12 @@ module Consistency {
 not any(ConsistencyConfiguration c).postWithInFlowExclude(n) and
 msg = "PostUpdateNode should not be the target of local flow."
 }
+
+ query predicate viableImplInCallContextTooLarge(
+ DataFlowCall call, DataFlowCall ctx, DataFlowCallable callable
+ ) {
+ callable = viableImplInCallContext(call, ctx) and
+ not callable = viableCallable(call) and
+ not any(ConsistencyConfiguration c).viableImplInCallContextTooLargeExclude(call, ctx, callable)
+ }
 }
diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImplCommon.qll b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImplCommon.qll
index 95b34f15dad..ae9c6f3f12e 100644
--- a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImplCommon.qll
+++ b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImplCommon.qll
@@ -709,7 +709,8 @@ private module Cached {
 */
 pragma[nomagic]
 private DataFlowCallable viableImplInCallContextExt(DataFlowCall call, DataFlowCall ctx) {
- result = viableImplInCallContext(call, ctx)
+ result = viableImplInCallContext(call, ctx) and
+ result = viableCallable(call)
 or
 result = viableCallableLambda(call, TDataFlowCallSome(ctx))
 or
diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImplConsistency.qll b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImplConsistency.qll
index da828337e56..dde16ab5a2a 100644
--- a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImplConsistency.qll
+++ b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImplConsistency.qll
@@ -38,6 +38,13 @@ module Consistency {
 /** Holds if `n` should be excluded from the consistency test `uniquePostUpdate`. */
 predicate uniquePostUpdateExclude(Node n) { none() }
+
+ /** Holds if `(call, ctx)` should be excluded from the consistency test `viableImplInCallContextTooLargeExclude`. */
+ predicate viableImplInCallContextTooLargeExclude(
+ DataFlowCall call, DataFlowCall ctx, DataFlowCallable callable
+ ) {
+ none()
+ }
 }
 private class RelevantNode extends Node {
@@ -217,4 +224,12 @@ module Consistency {
 not any(ConsistencyConfiguration c).postWithInFlowExclude(n) and
 msg = "PostUpdateNode should not be the target of local flow."
 }
+
+ query predicate viableImplInCallContextTooLarge(
+ DataFlowCall call, DataFlowCall ctx, DataFlowCallable callable
+ ) {
+ callable = viableImplInCallContext(call, ctx) and
+ not callable = viableCallable(call) and
+ not any(ConsistencyConfiguration c).viableImplInCallContextTooLargeExclude(call, ctx, callable)
+ }
 }
From 7a694d5da5e4f58b5ed040e0f72c80ef0bb2279d Mon Sep 17 00:00:00 2001
From: Tom Hvitved
Date: Wed, 21 Sep 2022 11:29:06 +0200
Subject: [PATCH 3/5] C++: Update expected test output
---
 .../dataflow/dataflow-tests/dataflow-consistency.expected | 1 +
 .../dataflow/dataflow-tests/dataflow-ir-consistency.expected | 1 +
 .../library-tests/dataflow/fields/dataflow-consistency.expected | 1 +
 .../dataflow/fields/dataflow-ir-consistency.expected | 1 +
 .../test/library-tests/syntax-zoo/dataflow-consistency.expected | 1 +
 .../library-tests/syntax-zoo/dataflow-ir-consistency.expected | 1 +
 6 files changed, 6 insertions(+)
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected
index 901339c4f38..6b24d8bdbc6 100644
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected
@@ -87,3 +87,4 @@ postWithInFlow
 | test.cpp:465:3:465:4 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:465:4:465:4 | p [inner post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:470:22:470:22 | x [inner post update] | PostUpdateNode should not be the target of local flow. |
+viableImplInCallContextTooLarge
diff --git a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected
index 1c802f3eeec..929b5b69bc4 100644
--- a/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected
+++ b/cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected
@@ -627,3 +627,4 @@ postWithInFlow
 | true_upon_entry.cpp:98:7:98:7 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | true_upon_entry.cpp:101:18:101:18 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | true_upon_entry.cpp:102:5:102:5 | x [post update] | PostUpdateNode should not be the target of local flow. |
+viableImplInCallContextTooLarge
diff --git a/cpp/ql/test/library-tests/dataflow/fields/dataflow-consistency.expected b/cpp/ql/test/library-tests/dataflow/fields/dataflow-consistency.expected
index 82ad497f1ec..f66ef23ba74 100644
--- a/cpp/ql/test/library-tests/dataflow/fields/dataflow-consistency.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/dataflow-consistency.expected
@@ -155,3 +155,4 @@ postWithInFlow
 | simple.cpp:92:7:92:7 | i [post update] | PostUpdateNode should not be the target of local flow. |
 | struct_init.c:24:11:24:12 | ab [inner post update] | PostUpdateNode should not be the target of local flow. |
 | struct_init.c:36:17:36:24 | nestedAB [inner post update] | PostUpdateNode should not be the target of local flow. |
+viableImplInCallContextTooLarge
diff --git a/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected b/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected
index c007a61ec02..4dee8fb627f 100644
--- a/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected
+++ b/cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected
@@ -1323,3 +1323,4 @@ postWithInFlow
 | struct_init.c:46:16:46:24 | FieldAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | struct_init.c:46:16:46:24 | pointerAB [post update] | PostUpdateNode should not be the target of local flow. |
 | struct_init.c:46:16:46:24 | pointerAB [post update] | PostUpdateNode should not be the target of local flow. |
+viableImplInCallContextTooLarge
diff --git a/cpp/ql/test/library-tests/syntax-zoo/dataflow-consistency.expected b/cpp/ql/test/library-tests/syntax-zoo/dataflow-consistency.expected
index 3cd449300e5..086fa0415b7 100644
--- a/cpp/ql/test/library-tests/syntax-zoo/dataflow-consistency.expected
+++ b/cpp/ql/test/library-tests/syntax-zoo/dataflow-consistency.expected
@@ -124,3 +124,4 @@ postWithInFlow
 | static_init_templates.cpp:3:2:3:4 | ref [post update] | PostUpdateNode should not be the target of local flow. |
 | static_init_templates.cpp:21:2:21:4 | val [post update] | PostUpdateNode should not be the target of local flow. |
 | try_catch.cpp:7:8:7:8 | call to exception | PostUpdateNode should not be the target of local flow. |
+viableImplInCallContextTooLarge
diff --git a/cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected b/cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected
index b4035e32b18..70f8446ec5a 100644
--- a/cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected
+++ b/cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected
@@ -2710,3 +2710,4 @@ postWithInFlow
 | whilestmt.c:11:5:11:8 | done [post update] | PostUpdateNode should not be the target of local flow. |
 | whilestmt.c:40:7:40:7 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
 | whilestmt.c:42:7:42:7 | VariableAddress [post update] | PostUpdateNode should not be the target of local flow. |
+viableImplInCallContextTooLarge
From f4b82cb2e8cc7e6bdb001ffb8ab2a62314590567 Mon Sep 17 00:00:00 2001
From: Tom Hvitved
Date: Wed, 21 Sep 2022 13:14:37 +0200
Subject: [PATCH 4/5] Python: Update expected test output
---
 .../experimental/dataflow/basic/dataflow-consistency.expected | 1 +
 .../experimental/dataflow/calls/dataflow-consistency.expected | 1 +
 .../dataflow/consistency/dataflow-consistency.expected | 1 +
 .../experimental/dataflow/coverage/dataflow-consistency.expected | 1 +
 .../dataflow/fieldflow/dataflow-consistency.expected | 1 +
 .../dataflow/global-flow/dataflow-consistency.expected | 1 +
 .../experimental/dataflow/match/dataflow-consistency.expected | 1 +
 .../experimental/dataflow/pep_328/dataflow-consistency.expected | 1 +
 .../dataflow/regression/dataflow-consistency.expected | 1 +
 .../dataflow/strange-essaflow/dataflow-consistency.expected | 1 +
 .../dataflow/tainttracking/basic/dataflow-consistency.expected | 1 +
 .../tainttracking/commonSanitizer/dataflow-consistency.expected | 1 +
 .../tainttracking/customSanitizer/dataflow-consistency.expected | 1 +
 .../defaultAdditionalTaintStep-py3/dataflow-consistency.expected | 1 +
 .../defaultAdditionalTaintStep/dataflow-consistency.expected | 1 +
 .../unwanted-global-flow/dataflow-consistency.expected | 1 +
 .../dataflow/typetracking/dataflow-consistency.expected | 1 +
 .../dataflow/variable-capture/dataflow-consistency.expected | 1 +
 .../library-tests/ApiGraphs/py3/dataflow-consistency.expected | 1 +
 .../frameworks/django-orm/dataflow-consistency.expected | 1 +
 20 files changed, 20 insertions(+)
diff --git a/python/ql/test/experimental/dataflow/basic/dataflow-consistency.expected b/python/ql/test/experimental/dataflow/basic/dataflow-consistency.expected
index 6f03f2f621e..9fedaf9f663 100644
--- a/python/ql/test/experimental/dataflow/basic/dataflow-consistency.expected
+++ b/python/ql/test/experimental/dataflow/basic/dataflow-consistency.expected
@@ -16,3 +16,4 @@ postIsInSameCallable
 reverseRead
 argHasPostUpdate
 postWithInFlow
+viableImplInCallContextTooLarge
diff --git a/python/ql/test/experimental/dataflow/calls/dataflow-consistency.expected b/python/ql/test/experimental/dataflow/calls/dataflow-consistency.expected
index 6f03f2f621e..9fedaf9f663 100644
--- a/python/ql/test/experimental/dataflow/calls/dataflow-consistency.expected
+++ b/python/ql/test/experimental/dataflow/calls/dataflow-consistency.expected
@@ -16,3 +16,4 @@ postIsInSameCallable
 reverseRead
 argHasPostUpdate
 postWithInFlow
+viableImplInCallContextTooLarge
diff --git a/python/ql/test/experimental/dataflow/consistency/dataflow-consistency.expected b/python/ql/test/experimental/dataflow/consistency/dataflow-consistency.expected
index 6f03f2f621e..9fedaf9f663 100644
--- a/python/ql/test/experimental/dataflow/consistency/dataflow-consistency.expected
+++ b/python/ql/test/experimental/dataflow/consistency/dataflow-consistency.expected
@@ -16,3 +16,4 @@ postIsInSameCallable
 reverseRead
 argHasPostUpdate
 postWithInFlow
+viableImplInCallContextTooLarge
diff --git a/python/ql/test/experimental/dataflow/coverage/dataflow-consistency.expected b/python/ql/test/experimental/dataflow/coverage/dataflow-consistency.expected
index 6f03f2f621e..9fedaf9f663 100644
--- a/python/ql/test/experimental/dataflow/coverage/dataflow-consistency.expected
+++ b/python/ql/test/experimental/dataflow/coverage/dataflow-consistency.expected
@@ -16,3 +16,4 @@ postIsInSameCallable
 reverseRead
 argHasPostUpdate
 postWithInFlow
+viableImplInCallContextTooLarge
diff --git a/python/ql/test/experimental/dataflow/fieldflow/dataflow-consistency.expected b/python/ql/test/experimental/dataflow/fieldflow/dataflow-consistency.expected
index 6f03f2f621e..9fedaf9f663 100644
--- a/python/ql/test/experimental/dataflow/fieldflow/dataflow-consistency.expected
+++ b/python/ql/test/experimental/dataflow/fieldflow/dataflow-consistency.expected
@@ -16,3 +16,4 @@ postIsInSameCallable
 reverseRead
 argHasPostUpdate
 postWithInFlow
+viableImplInCallContextTooLarge
diff --git a/python/ql/test/experimental/dataflow/global-flow/dataflow-consistency.expected b/python/ql/test/experimental/dataflow/global-flow/dataflow-consistency.expected
index 6f03f2f621e..9fedaf9f663 100644
--- a/python/ql/test/experimental/dataflow/global-flow/dataflow-consistency.expected
+++ b/python/ql/test/experimental/dataflow/global-flow/dataflow-consistency.expected
@@ -16,3 +16,4 @@ postIsInSameCallable
 reverseRead
 argHasPostUpdate
 postWithInFlow
+viableImplInCallContextTooLarge
diff --git a/python/ql/test/experimental/dataflow/match/dataflow-consistency.expected b/python/ql/test/experimental/dataflow/match/dataflow-consistency.expected
index 6f03f2f621e..9fedaf9f663 100644
--- a/python/ql/test/experimental/dataflow/match/dataflow-consistency.expected
+++ b/python/ql/test/experimental/dataflow/match/dataflow-consistency.expected
@@ -16,3 +16,4 @@ postIsInSameCallable
 reverseRead
 argHasPostUpdate
 postWithInFlow
+viableImplInCallContextTooLarge
diff --git a/python/ql/test/experimental/dataflow/pep_328/dataflow-consistency.expected b/python/ql/test/experimental/dataflow/pep_328/dataflow-consistency.expected
index 6f03f2f621e..9fedaf9f663 100644
--- a/python/ql/test/experimental/dataflow/pep_328/dataflow-consistency.expected
+++ b/python/ql/test/experimental/dataflow/pep_328/dataflow-consistency.expected
@@ -16,3 +16,4 @@ postIsInSameCallable
 reverseRead
 argHasPostUpdate
 postWithInFlow
+viableImplInCallContextTooLarge
diff --git a/python/ql/test/experimental/dataflow/regression/dataflow-consistency.expected b/python/ql/test/experimental/dataflow/regression/dataflow-consistency.expected
index 6f03f2f621e..9fedaf9f663 100644
--- a/python/ql/test/experimental/dataflow/regression/dataflow-consistency.expected
+++ b/python/ql/test/experimental/dataflow/regression/dataflow-consistency.expected
@@ -16,3 +16,4 @@ postIsInSameCallable
 reverseRead
 argHasPostUpdate
 postWithInFlow
+viableImplInCallContextTooLarge
diff --git a/python/ql/test/experimental/dataflow/strange-essaflow/dataflow-consistency.expected b/python/ql/test/experimental/dataflow/strange-essaflow/dataflow-consistency.expected
index 6f03f2f621e..9fedaf9f663 100644
--- a/python/ql/test/experimental/dataflow/strange-essaflow/dataflow-consistency.expected
+++ b/python/ql/test/experimental/dataflow/strange-essaflow/dataflow-consistency.expected
@@ -16,3 +16,4 @@ postIsInSameCallable
 reverseRead
 argHasPostUpdate
 postWithInFlow
+viableImplInCallContextTooLarge
diff --git a/python/ql/test/experimental/dataflow/tainttracking/basic/dataflow-consistency.expected b/python/ql/test/experimental/dataflow/tainttracking/basic/dataflow-consistency.expected
index 6f03f2f621e..9fedaf9f663 100644
--- a/python/ql/test/experimental/dataflow/tainttracking/basic/dataflow-consistency.expected
+++ b/python/ql/test/experimental/dataflow/tainttracking/basic/dataflow-consistency.expected
@@ -16,3 +16,4 @@ postIsInSameCallable
 reverseRead
 argHasPostUpdate
 postWithInFlow
+viableImplInCallContextTooLarge
diff --git a/python/ql/test/experimental/dataflow/tainttracking/commonSanitizer/dataflow-consistency.expected b/python/ql/test/experimental/dataflow/tainttracking/commonSanitizer/dataflow-consistency.expected
index 6f03f2f621e..9fedaf9f663 100644
--- a/python/ql/test/experimental/dataflow/tainttracking/commonSanitizer/dataflow-consistency.expected
+++ b/python/ql/test/experimental/dataflow/tainttracking/commonSanitizer/dataflow-consistency.expected
@@ -16,3 +16,4 @@ postIsInSameCallable
 reverseRead
 argHasPostUpdate
 postWithInFlow
+viableImplInCallContextTooLarge
diff --git a/python/ql/test/experimental/dataflow/tainttracking/customSanitizer/dataflow-consistency.expected b/python/ql/test/experimental/dataflow/tainttracking/customSanitizer/dataflow-consistency.expected
index 6f03f2f621e..9fedaf9f663 100644
--- a/python/ql/test/experimental/dataflow/tainttracking/customSanitizer/dataflow-consistency.expected
+++ b/python/ql/test/experimental/dataflow/tainttracking/customSanitizer/dataflow-consistency.expected
@@ -16,3 +16,4 @@ postIsInSameCallable
 reverseRead
 argHasPostUpdate
 postWithInFlow
+viableImplInCallContextTooLarge
diff --git a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/dataflow-consistency.expected b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/dataflow-consistency.expected
index 6f03f2f621e..9fedaf9f663 100644
--- a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/dataflow-consistency.expected
+++ b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep-py3/dataflow-consistency.expected
@@ -16,3 +16,4 @@ postIsInSameCallable
 reverseRead
 argHasPostUpdate
 postWithInFlow
+viableImplInCallContextTooLarge
diff --git a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/dataflow-consistency.expected b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/dataflow-consistency.expected
index 6f03f2f621e..9fedaf9f663 100644
--- a/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/dataflow-consistency.expected
+++ b/python/ql/test/experimental/dataflow/tainttracking/defaultAdditionalTaintStep/dataflow-consistency.expected
@@ -16,3 +16,4 @@ postIsInSameCallable
 reverseRead
 argHasPostUpdate
 postWithInFlow
+viableImplInCallContextTooLarge
diff --git a/python/ql/test/experimental/dataflow/tainttracking/unwanted-global-flow/dataflow-consistency.expected b/python/ql/test/experimental/dataflow/tainttracking/unwanted-global-flow/dataflow-consistency.expected
index 6f03f2f621e..9fedaf9f663 100644
--- a/python/ql/test/experimental/dataflow/tainttracking/unwanted-global-flow/dataflow-consistency.expected
+++ b/python/ql/test/experimental/dataflow/tainttracking/unwanted-global-flow/dataflow-consistency.expected
@@ -16,3 +16,4 @@ postIsInSameCallable
 reverseRead
 argHasPostUpdate
 postWithInFlow
+viableImplInCallContextTooLarge
diff --git a/python/ql/test/experimental/dataflow/typetracking/dataflow-consistency.expected b/python/ql/test/experimental/dataflow/typetracking/dataflow-consistency.expected
index 6f03f2f621e..9fedaf9f663 100644
--- a/python/ql/test/experimental/dataflow/typetracking/dataflow-consistency.expected
+++ b/python/ql/test/experimental/dataflow/typetracking/dataflow-consistency.expected
@@ -16,3 +16,4 @@ postIsInSameCallable
 reverseRead
 argHasPostUpdate
 postWithInFlow
+viableImplInCallContextTooLarge
diff --git a/python/ql/test/experimental/dataflow/variable-capture/dataflow-consistency.expected b/python/ql/test/experimental/dataflow/variable-capture/dataflow-consistency.expected
index 6f03f2f621e..9fedaf9f663 100644
--- a/python/ql/test/experimental/dataflow/variable-capture/dataflow-consistency.expected
+++ b/python/ql/test/experimental/dataflow/variable-capture/dataflow-consistency.expected
@@ -16,3 +16,4 @@ postIsInSameCallable
 reverseRead
 argHasPostUpdate
 postWithInFlow
+viableImplInCallContextTooLarge
diff --git a/python/ql/test/library-tests/ApiGraphs/py3/dataflow-consistency.expected b/python/ql/test/library-tests/ApiGraphs/py3/dataflow-consistency.expected
index 6f03f2f621e..9fedaf9f663 100644
--- a/python/ql/test/library-tests/ApiGraphs/py3/dataflow-consistency.expected
+++ b/python/ql/test/library-tests/ApiGraphs/py3/dataflow-consistency.expected
@@ -16,3 +16,4 @@ postIsInSameCallable
 reverseRead
 argHasPostUpdate
 postWithInFlow
+viableImplInCallContextTooLarge
diff --git a/python/ql/test/library-tests/frameworks/django-orm/dataflow-consistency.expected b/python/ql/test/library-tests/frameworks/django-orm/dataflow-consistency.expected
index 6f03f2f621e..9fedaf9f663 100644
--- a/python/ql/test/library-tests/frameworks/django-orm/dataflow-consistency.expected
+++ b/python/ql/test/library-tests/frameworks/django-orm/dataflow-consistency.expected
@@ -16,3 +16,4 @@ postIsInSameCallable
 reverseRead
 argHasPostUpdate
 postWithInFlow
+viableImplInCallContextTooLarge

From 914c7119401fb1a3f984ea7ad28b64db88d66770 Mon Sep 17 00:00:00 2001
From: Tom Hvitved
Date: Wed, 21 Sep 2022 14:49:08 +0200
Subject: [PATCH 5/5] C#: Fix broken `viableImplInCallContext` implementation

---
 .../dataflow/internal/DataFlowDispatch.qll | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll
index 3b55d19456a..594cbe20865 100644
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll
@@ -175,10 +175,19 @@ private module DispatchImpl {
 * restricted to those `call`s for which a context might make a difference.
 */
 DataFlowCallable viableImplInCallContext(NonDelegateDataFlowCall call, DataFlowCall ctx) {
- result.getUnderlyingCallable() =
- call.getDispatchCall()
- .getADynamicTargetInCallContext(ctx.(NonDelegateDataFlowCall).getDispatchCall())
- .getUnboundDeclaration()
+ exists(DispatchCall dc | dc = call.getDispatchCall() |
+ result.getUnderlyingCallable() =
+ getCallableForDataFlow(dc.getADynamicTargetInCallContext(ctx.(NonDelegateDataFlowCall)
+ .getDispatchCall()).getUnboundDeclaration())
+ or
+ exists(Callable c, DataFlowCallable encl |
+ result.asSummarizedCallable() = c and
+ mayBenefitFromCallContext(call, encl) and
+ encl = ctx.getARuntimeTarget() and
+ c = dc.getAStaticTarget().getUnboundDeclaration() and
+ not c instanceof RuntimeCallable
+ )
+ )
 }
 }
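Review bot: The new summarized-callable disjunct inside `exists(DispatchCall dc | ...)` carries no comment, and its conditions are not self-explanatory: why the result is derived from `dc.getAStaticTarget()` rather than a dynamic target, why it is gated on `mayBenefitFromCallContext(call, encl)` with `encl = ctx.getARuntimeTarget()`, and why `RuntimeCallable` targets are excluded via `not c instanceof RuntimeCallable`; a leading comment stating that intent (e.g. `// Summarized callables are resolved from the static target, restricted to contexts that can narrow dispatch`, adjusted to the actual reasoning) would make the fix reviewable. The two disjuncts also treat `ctx` differently: the first silently yields nothing for a `ctx` that is not a `NonDelegateDataFlowCall` because of the cast, while the second accepts any `DataFlowCall` through `getARuntimeTarget()`, so if that asymmetry is intended it deserves a comment, and if not the cast could be bound once, e.g. `exists(DispatchCall dcCtx | dcCtx = ctx.(NonDelegateDataFlowCall).getDispatchCall() | ...)`, in the first disjunct. Patch 1 of this series intersects `viableImplInCallContextExt` with `viableCallable(call)` and adds the `viableImplInCallContextTooLarge` consistency query, yet the diffstat here touches only `DataFlowDispatch.qll` with no C# test expectation, so whether both new disjuncts now stay within `viableCallable(call)` appears to be verified elsewhere, if at all, and is worth confirming. The doc comment of `viableImplInCallContext` begins outside the hunk.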
