Shared support for alert filtering

Chuan-kai Lin 2024-09-11 13:18:26 -07:00
Родитель f9e4c0af13
Коммит ff78bebf19
35 изменённых файлов: 452 добавлений и 25 удалений


@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig {
FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
predicate filterForSourceOrSinkAlerts() { none() }
predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) }
predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) }
predicate isFilteredSink(Node sink) { isSink(sink) }
}
deprecated private import Impl<Config> as I


@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig {
FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
predicate filterForSourceOrSinkAlerts() { none() }
predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) }
predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) }
predicate isFilteredSink(Node sink) { isSink(sink) }
}
deprecated private import Impl<Config> as I


@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig {
FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
predicate filterForSourceOrSinkAlerts() { none() }
predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) }
predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) }
predicate isFilteredSink(Node sink) { isSink(sink) }
}
deprecated private import Impl<Config> as I


@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig {
FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
predicate filterForSourceOrSinkAlerts() { none() }
predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) }
predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) }
predicate isFilteredSink(Node sink) { isSink(sink) }
}
deprecated private import Impl<Config> as I


@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig {
FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
predicate filterForSourceOrSinkAlerts() { none() }
predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) }
predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) }
predicate isFilteredSink(Node sink) { isSink(sink) }
}
deprecated private import Impl<Config> as I


@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig {
FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
predicate filterForSourceOrSinkAlerts() { none() }
predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) }
predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) }
predicate isFilteredSink(Node sink) { isSink(sink) }
}
deprecated private import Impl<Config> as I


@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig {
FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
predicate filterForSourceOrSinkAlerts() { none() }
predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) }
predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) }
predicate isFilteredSink(Node sink) { isSink(sink) }
}
deprecated private import Impl<Config> as I


@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig {
FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
predicate filterForSourceOrSinkAlerts() { none() }
predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) }
predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) }
predicate isFilteredSink(Node sink) { isSink(sink) }
}
deprecated private import Impl<Config> as I


@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig {
FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
predicate filterForSourceOrSinkAlerts() { none() }
predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) }
predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) }
predicate isFilteredSink(Node sink) { isSink(sink) }
}
deprecated private import Impl<Config> as I


@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig {
FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
predicate filterForSourceOrSinkAlerts() { none() }
predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) }
predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) }
predicate isFilteredSink(Node sink) { isSink(sink) }
}
deprecated private import Impl<Config> as I


@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig {
FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
predicate filterForSourceOrSinkAlerts() { none() }
predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) }
predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) }
predicate isFilteredSink(Node sink) { isSink(sink) }
}
deprecated private import Impl<Config> as I


@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig {
FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
predicate filterForSourceOrSinkAlerts() { none() }
predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) }
predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) }
predicate isFilteredSink(Node sink) { isSink(sink) }
}
deprecated private import Impl<Config> as I


@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig {
FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
predicate filterForSourceOrSinkAlerts() { none() }
predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) }
predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) }
predicate isFilteredSink(Node sink) { isSink(sink) }
}
deprecated private import Impl<Config> as I


@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig {
FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
predicate filterForSourceOrSinkAlerts() { none() }
predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) }
predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) }
predicate isFilteredSink(Node sink) { isSink(sink) }
}
deprecated private import Impl<Config> as I


@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig {
FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
predicate filterForSourceOrSinkAlerts() { none() }
predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) }
predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) }
predicate isFilteredSink(Node sink) { isSink(sink) }
}
deprecated private import Impl<Config> as I


@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig {
FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
predicate filterForSourceOrSinkAlerts() { none() }
predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) }
predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) }
predicate isFilteredSink(Node sink) { isSink(sink) }
}
deprecated private import Impl<Config> as I


@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig {
FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
predicate filterForSourceOrSinkAlerts() { none() }
predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) }
predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) }
predicate isFilteredSink(Node sink) { isSink(sink) }
}
deprecated private import Impl<Config> as I


@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig {
FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
predicate filterForSourceOrSinkAlerts() { none() }
predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) }
predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) }
predicate isFilteredSink(Node sink) { isSink(sink) }
}
deprecated private import Impl<Config> as I


@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig {
FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
predicate filterForSourceOrSinkAlerts() { none() }
predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) }
predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) }
predicate isFilteredSink(Node sink) { isSink(sink) }
}
deprecated private import Impl<Config> as I


@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig {
FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
predicate filterForSourceOrSinkAlerts() { none() }
predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) }
predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) }
predicate isFilteredSink(Node sink) { isSink(sink) }
}
deprecated private import Impl<Config> as I


@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig {
FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
predicate filterForSourceOrSinkAlerts() { none() }
predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) }
predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) }
predicate isFilteredSink(Node sink) { isSink(sink) }
}
deprecated private import Impl<Config> as I


@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig {
FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
predicate filterForSourceOrSinkAlerts() { none() }
predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) }
predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) }
predicate isFilteredSink(Node sink) { isSink(sink) }
}
deprecated private import Impl<Config> as I


@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig {
FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
predicate filterForSourceOrSinkAlerts() { none() }
predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) }
predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) }
predicate isFilteredSink(Node sink) { isSink(sink) }
}
deprecated private import Impl<Config> as I


@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig {
FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
predicate filterForSourceOrSinkAlerts() { none() }
predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) }
predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) }
predicate isFilteredSink(Node sink) { isSink(sink) }
}
deprecated private import Impl<Config> as I


@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig {
FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
predicate filterForSourceOrSinkAlerts() { none() }
predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) }
predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) }
predicate isFilteredSink(Node sink) { isSink(sink) }
}
deprecated private import Impl<Config> as I


@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig {
FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
predicate filterForSourceOrSinkAlerts() { none() }
predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) }
predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) }
predicate isFilteredSink(Node sink) { isSink(sink) }
}
deprecated private import Impl<Config> as I


@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig {
FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
predicate filterForSourceOrSinkAlerts() { none() }
predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) }
predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) }
predicate isFilteredSink(Node sink) { isSink(sink) }
}
deprecated private import Impl<Config> as I


@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig {
FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
predicate filterForSourceOrSinkAlerts() { none() }
predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) }
predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) }
predicate isFilteredSink(Node sink) { isSink(sink) }
}
deprecated private import Impl<Config> as I


@ -431,6 +431,12 @@ module Configs<LocationSig Location, InputSig<Location> Lang> {
* is not visualized (as it is in a `path-problem` query).
*/
default predicate includeHiddenNodes() { none() }
/**
* Holds to filter out data flows whose source and sink are both not in the
* `AlertFiltering` location range.
*/
default predicate filterForSourceOrSinkAlerts() { none() }
}
/** An input configuration for data flow using flow state. */
@ -547,6 +553,12 @@ module Configs<LocationSig Location, InputSig<Location> Lang> {
* is not visualized (as it is in a `path-problem` query).
*/
default predicate includeHiddenNodes() { none() }
/**
* Holds to filter out data flows whose source and sink are both not in the
* `AlertFiltering` location range.
*/
default predicate filterForSourceOrSinkAlerts() { none() }
}
}
@ -625,6 +637,7 @@ module DataFlowMake<LocationSig Location, InputSig<Location> Lang> {
module Global<ConfigSig Config> implements GlobalFlowSig {
private module C implements FullStateConfigSig {
import DefaultState<Config>
import FilteredSourceSink<Config>
import Config
predicate accessPathLimit = Config::accessPathLimit/0;
@ -647,6 +660,7 @@ module DataFlowMake<LocationSig Location, InputSig<Location> Lang> {
*/
module GlobalWithState<StateConfigSig Config> implements GlobalFlowSig {
private module C implements FullStateConfigSig {
import FilteredStateSourceSink<Config>
import Config
predicate accessPathLimit = Config::accessPathLimit/0;
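Review bot: The doc comment added for `filterForSourceOrSinkAlerts` in both config signatures says what gets filtered but not when it is safe for a query to enable it. Because the filtering is keyed on the locations of the source and sink nodes, a query that reports its alert at some other location would presumably lose results once `restrictAlertsTo` is populated. I would add a sentence to both comments along the lines of `Only override this for queries whose alert location is the source or the sink of the flow.` so that query authors do not opt in by accident.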


@ -60,8 +60,8 @@ module TaintFlowMake<
Config::allowImplicitRead(node, c)
or
(
Config::isSink(node) or
Config::isSink(node, _) or
Config::isFilteredSink(node) or
Config::isFilteredSink(node, _) or
Config::isAdditionalFlowStep(node, _, _) or
Config::isAdditionalFlowStep(node, _, _, _)
) and
@ -75,6 +75,7 @@ module TaintFlowMake<
module Global<DataFlow::ConfigSig Config> implements DataFlow::GlobalFlowSig {
private module Config0 implements DataFlowInternal::FullStateConfigSig {
import DataFlowInternal::DefaultState<Config>
import DataFlowInternal::FilteredSourceSink<Config>
import Config
predicate isAdditionalFlowStep(
@ -101,6 +102,7 @@ module TaintFlowMake<
*/
module GlobalWithState<DataFlow::StateConfigSig Config> implements DataFlow::GlobalFlowSig {
private module Config0 implements DataFlowInternal::FullStateConfigSig {
import DataFlowInternal::FilteredStateSourceSink<Config>
import Config
predicate isAdditionalFlowStep(


@ -124,6 +124,30 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
* is not visualized (as it is in a `path-problem` query).
*/
predicate includeHiddenNodes();
/**
* Holds to filter out data flows whose source and sink are both not in the
* `AlertFiltering` location range.
*/
predicate filterForSourceOrSinkAlerts();
/**
* Holds if `source` is a relevant data flow source with the given initial
* `state` and passes filtering per `filterForSourceOrSinkAlerts`.
*/
predicate isFilteredSource(Node source, FlowState state);
/**
* Holds if `sink` is a relevant data flow sink accepting `state` and passes
* filtering per `filterForSourceOrSinkAlerts`.
*/
predicate isFilteredSink(Node sink, FlowState state);
/**
* Holds if `sink` is a relevant data flow sink for any state and passes
* filtering per `filterForSourceOrSinkAlerts`.
*/
predicate isFilteredSink(Node sink);
}
/**
@ -147,6 +171,112 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
}
}
/**
* Provide `isFilteredSource` and `isFilteredSink` implementations given a `ConfigSig`.
*/
module FilteredSourceSink<ConfigSig Config> {
private import codeql.util.AlertFiltering
private module AlertFiltering = AlertFilteringImpl<Location>;
private class FlowState = Unit;
pragma[noinline]
private predicate hasFilteredSource() {
exists(Node n | Config::isSource(n) | AlertFiltering::filterByLocation(n.getLocation()))
}
pragma[noinline]
private predicate hasFilteredSink() {
exists(Node n | Config::isSink(n) | AlertFiltering::filterByLocation(n.getLocation()))
}
predicate isFilteredSource(Node source, FlowState state) {
Config::isSource(source) and
exists(state) and
(
not Config::filterForSourceOrSinkAlerts() or
// If there are filtered sinks, we need to pass through all sources to preserve all alerts
// with filtered sinks. Otherwise the only alerts of interest are those with filtered
// sources, so we can perform the source filtering right here.
hasFilteredSink() or
AlertFiltering::filterByLocation(source.getLocation())
)
}
predicate isFilteredSink(Node sink, FlowState state) { isFilteredSink(sink) and exists(state) }
predicate isFilteredSink(Node sink) {
Config::isSink(sink) and
(
// If there are filtered sources, we need to pass through all sinks to preserve all alerts
// with filtered sources. Otherwise the only alerts of interest are those with filtered
// sinks, so we can perform the sink filtering right here.
hasFilteredSource() or
AlertFiltering::filterByLocation(sink.getLocation())
)
}
}
/**
* Provide `isFilteredSource` and `isFilteredSink` implementations given a `StateConfigSig`.
*/
module FilteredStateSourceSink<StateConfigSig Config> {
private import codeql.util.AlertFiltering
private module AlertFiltering = AlertFilteringImpl<Location>;
private class FlowState = Config::FlowState;
pragma[noinline]
private predicate hasFilteredSource() {
exists(Node n | Config::isSource(n, _) | AlertFiltering::filterByLocation(n.getLocation()))
}
pragma[noinline]
private predicate hasFilteredSink() {
exists(Node n |
Config::isSink(n, _) or
Config::isSink(n)
|
AlertFiltering::filterByLocation(n.getLocation())
)
}
predicate isFilteredSource(Node source, FlowState state) {
Config::isSource(source, state) and
(
// If there are filtered sinks, we need to pass through all sources to preserve all alerts
// with filtered sinks. Otherwise the only alerts of interest are those with filtered
// sources, so we can perform the source filtering right here.
hasFilteredSink() or
AlertFiltering::filterByLocation(source.getLocation())
)
}
predicate isFilteredSink(Node sink, FlowState state) {
Config::isSink(sink, state) and
(
// If there are filtered sources, we need to pass through all sinks to preserve all alerts
// with filtered sources. Otherwise the only alerts of interest are those with filtered
// sinks, so we can perform the sink filtering right here.
hasFilteredSource() or
AlertFiltering::filterByLocation(sink.getLocation())
)
}
predicate isFilteredSink(Node sink) {
Config::isSink(sink) and
(
// If there are filtered sources, we need to pass through all sinks to preserve all alerts
// with filtered sources. Otherwise the only alerts of interest are those with filtered
// sinks, so we can perform the sink filtering right here.
hasFilteredSource() or
AlertFiltering::filterByLocation(sink.getLocation())
)
}
}
/**
* Constructs a data flow computation given a full input configuration.
*/
@ -250,7 +380,7 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
exists(Node n |
node.asNode() = n and
Config::isBarrierIn(n) and
Config::isSource(n, _)
Config::isFilteredSource(n, _)
)
}
@ -259,7 +389,7 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
exists(Node n |
node.asNode() = n and
Config::isBarrierIn(n, state) and
Config::isSource(n, state)
Config::isFilteredSource(n, state)
)
}
@ -268,9 +398,9 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
node.asNodeOrImplicitRead() = n and
Config::isBarrierOut(n)
|
Config::isSink(n, _)
Config::isFilteredSink(n, _)
or
Config::isSink(n)
Config::isFilteredSink(n)
)
}
@ -280,9 +410,9 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
node.asNodeOrImplicitRead() = n and
Config::isBarrierOut(n, state)
|
Config::isSink(n, state)
Config::isFilteredSink(n, state)
or
Config::isSink(n)
Config::isFilteredSink(n)
)
}
@ -292,11 +422,11 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
Config::isBarrier(n)
or
Config::isBarrierIn(n) and
not Config::isSource(n, _)
not Config::isFilteredSource(n, _)
or
Config::isBarrierOut(n) and
not Config::isSink(n, _) and
not Config::isSink(n)
not Config::isFilteredSink(n, _) and
not Config::isFilteredSink(n)
)
}
@ -306,24 +436,24 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
Config::isBarrier(n, state)
or
Config::isBarrierIn(n, state) and
not Config::isSource(n, state)
not Config::isFilteredSource(n, state)
or
Config::isBarrierOut(n, state) and
not Config::isSink(n, state) and
not Config::isSink(n)
not Config::isFilteredSink(n, state) and
not Config::isFilteredSink(n)
)
}
pragma[nomagic]
private predicate sourceNode(NodeEx node, FlowState state) {
Config::isSource(node.asNode(), state) and
Config::isFilteredSource(node.asNode(), state) and
not fullBarrier(node) and
not stateBarrier(node, state)
}
pragma[nomagic]
private predicate sinkNodeWithState(NodeEx node, FlowState state) {
Config::isSink(node.asNodeOrImplicitRead(), state) and
Config::isFilteredSink(node.asNodeOrImplicitRead(), state) and
not fullBarrier(node) and
not stateBarrier(node, state)
}
@ -729,7 +859,7 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
additional predicate sinkNode(NodeEx node, FlowState state) {
fwdFlow(node) and
fwdFlowState(state) and
Config::isSink(node.asNodeOrImplicitRead())
Config::isFilteredSink(node.asNodeOrImplicitRead())
or
fwdFlow(node) and
fwdFlowState(state) and
@ -2946,7 +3076,7 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
NodeEx toNormalSinkNodeEx() {
exists(Node n |
pragma[only_bind_out](node.asNodeOrImplicitRead()) = n and
(Config::isSink(n) or Config::isSink(n, _)) and
(Config::isFilteredSink(n) or Config::isFilteredSink(n, _)) and
result.asNode() = n
)
}
@ -4792,15 +4922,15 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
}
private predicate interestingCallableSrc(DataFlowCallable c) {
exists(Node n | Config::isSource(n, _) and c = getNodeEnclosingCallable(n))
exists(Node n | Config::isFilteredSource(n, _) and c = getNodeEnclosingCallable(n))
or
exists(DataFlowCallable mid | interestingCallableSrc(mid) and callableStep(mid, c))
}
private predicate interestingCallableSink(DataFlowCallable c) {
exists(Node n | c = getNodeEnclosingCallable(n) |
Config::isSink(n, _) or
Config::isSink(n)
Config::isFilteredSink(n, _) or
Config::isFilteredSink(n)
)
or
exists(DataFlowCallable mid | interestingCallableSink(mid) and callableStep(c, mid))
@ -4827,7 +4957,7 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
or
exists(Node n |
ce1 = TCallableSrc() and
Config::isSource(n, _) and
Config::isFilteredSource(n, _) and
ce2 = TCallable(getNodeEnclosingCallable(n))
)
or
@ -4835,8 +4965,8 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
ce2 = TCallableSink() and
ce1 = TCallable(getNodeEnclosingCallable(n))
|
Config::isSink(n, _) or
Config::isSink(n)
Config::isFilteredSink(n, _) or
Config::isFilteredSink(n)
)
}
@ -4900,7 +5030,7 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
private predicate revSinkNode(NodeEx node, FlowState state) {
sinkNodeWithState(node, state)
or
Config::isSink(node.asNodeOrImplicitRead()) and
Config::isFilteredSink(node.asNodeOrImplicitRead()) and
relevantState(state) and
not fullBarrier(node) and
not stateBarrier(node, state)
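Review bot: The opt-in flag is honoured in only one of the six new filtering predicates: `FilteredSourceSink::isFilteredSource` starts its disjunction with `not Config::filterForSourceOrSinkAlerts() or`, but `FilteredSourceSink::isFilteredSink(Node sink)` and all three predicates in `FilteredStateSourceSink` never consult the flag. As written, a configuration that leaves the flag at its default `none()` still appears to have sinks (and, in the state variant, sources) dropped whenever `restrictAlertsTo` is non-empty and nothing on the other side falls inside the range. For an analysis whose alert location is neither source nor sink, that silently removes findings. Each of those predicates should carry the same first disjunct, `not Config::filterForSourceOrSinkAlerts() or`, ahead of the `hasFilteredSource()` / `hasFilteredSink()` test. The doc comments on the `FullStateConfigSig` members already say they filter "per `filterForSourceOrSinkAlerts`", so the fix brings the code in line with them.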


@ -0,0 +1,40 @@
/**
* Provides the `restrictAlertsTo` extensible predicate to restrict alerts to specific source
* locations, and the `AlertFilteringImpl` parameterized module to apply the filtering.
*/
private import codeql.util.Location
/**
* Restricts alerts to a specific location in specific files.
*
* If this predicate is empty, accept all alerts. Otherwise, accept alerts only at the specified
* locations. Note that alert restrictions apply only to the start line of an alert (even if the
* alert location spans multiple lines) because alerts are displayed on their start lines.
*
* - filePath: Absolute path of the file to restrict alerts to.
* - startLine: Start line number (starting with 1, inclusive) to restrict alerts to.
* - endLine: End line number (starting with 1, inclusive) to restrict alerts to.
*
* If startLine and endLine are both 0, accept alerts anywhere in the file.
*/
extensible predicate restrictAlertsTo(string filePath, int startLine, int endLine);
/** Module for applying alert location filtering. */
module AlertFilteringImpl<LocationSig Location> {
/** Applies alert filtering to the given location. */
bindingset[location]
predicate filterByLocation(Location location) {
not restrictAlertsTo(_, _, _)
or
exists(string filePath, int startLine, int endLine |
restrictAlertsTo(filePath, startLine, endLine)
|
startLine = 0 and
endLine = 0 and
location.hasLocationInfo(filePath, _, _, _, _)
or
location.hasLocationInfo(filePath, [startLine .. endLine], _, _, _)
)
}
}
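Review bot: `filterByLocation` treats any non-empty `restrictAlertsTo` as a restriction, so a malformed row fails closed without a diagnostic. A row with `startLine > endLine` gives an empty `[startLine .. endLine]` range, and a `filePath` that matches no analysed file matches nothing. In both cases the first disjunct `not restrictAlertsTo(_, _, _)` no longer holds and every alert is filtered out. The doc comment on `restrictAlertsTo` should state this, e.g. `A row with an empty line range or a path that matches no file still counts as a restriction and suppresses all alerts.`. The doc on `filterByLocation` could also say `Holds if `location` passes the alert filter.`, since the name can be read as "filter out".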


@ -0,0 +1,7 @@
extensions:
- addsTo:
pack: codeql/util
extensible: restrictAlertsTo
# Empty predicate means no restrictions on alert locations
data: []


@ -3,4 +3,6 @@ version: 1.0.7-dev
groups: shared
library: true
dependencies: null
dataExtensions:
- ext/*.yml
warnOnImplicitThis: true


@ -283,6 +283,14 @@ deprecated private module Config implements FullStateConfigSig {
FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
predicate includeHiddenNodes() { any(Configuration config).includeHiddenNodes() }
predicate filterForSourceOrSinkAlerts() { none() }
predicate isFilteredSource(Node source, FlowState state) { isSource(source, state) }
predicate isFilteredSink(Node sink, FlowState state) { isSink(sink, state) }
predicate isFilteredSink(Node sink) { isSink(sink) }
}
deprecated private import Impl<Config> as I