Java: Explicitly tie ReturnNode to TargetApi before calling returnNodeAsOutput.

michaelnebel · michaelnebel · commit 4a0b2b64b3c8 · 2022-02-28T16:48:23.000+01:00
diff --git a/java/ql/src/utils/model-generator/CaptureSourceModels.ql b/java/ql/src/utils/model-generator/CaptureSourceModels.ql
@@ -44,7 +44,8 @@ string captureSource(TargetAPI api) {
     config.hasFlow(source, sink) and
     sourceNode(source, kind) and
     api = source.getEnclosingCallable() and
-    result = asSourceModel(api, returnNodeAsOutput(api, sink), kind)
+    api = sink.getEnclosingCallable() and
+    result = asSourceModel(api, returnNodeAsOutput(sink), kind)
   )
 }
 
diff --git a/java/ql/src/utils/model-generator/CaptureSummaryModels.ql b/java/ql/src/utils/model-generator/CaptureSummaryModels.ql
@@ -153,7 +153,7 @@ string captureThroughFlow(TargetAPI api) {
     config.hasFlow(p, returnNodeExt) and
     returnNodeExt.getEnclosingCallable() = api and
     input = parameterNodeAsInput(p) and
-    output = returnNodeAsOutput(api, returnNodeExt) and
+    output = returnNodeAsOutput(returnNodeExt) and
     input != output and
     result = asTaintModel(api, input, output)
   )
diff --git a/java/ql/src/utils/model-generator/ModelGeneratorUtils.qll b/java/ql/src/utils/model-generator/ModelGeneratorUtils.qll
@@ -165,13 +165,12 @@ string parameterNodeAsInput(DataFlow::ParameterNode p) {
   result = "Argument[-1]" and p instanceof DataFlow::InstanceParameterNode
 }
 
-bindingset[api]
-string returnNodeAsOutput(TargetAPI api, ReturnNodeExt node) {
+string returnNodeAsOutput(ReturnNodeExt node) {
   if node.getKind() instanceof ValueReturnKind
   then result = "ReturnValue"
   else
     exists(int pos | pos = node.getKind().(ParamUpdateReturnKind).getPosition() |
-      result = parameterAccess(api.getParameter(pos))
+      result = parameterAccess(node.getEnclosingCallable().getParameter(pos))
       or
       result = "Argument[-1]" and pos = -1
     )

Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,8 @@ string captureSource(TargetAPI api) {`
`44`	`44`	`config.hasFlow(source, sink) and`
`45`	`45`	`sourceNode(source, kind) and`
`46`	`46`	`api = source.getEnclosingCallable() and`
`47`		`- result = asSourceModel(api, returnNodeAsOutput(api, sink), kind)`
	`47`	`+ api = sink.getEnclosingCallable() and`
	`48`	`+ result = asSourceModel(api, returnNodeAsOutput(sink), kind)`
`48`	`49`	`)`
`49`	`50`	`}`
`50`	`51`
Original file line number	Diff line number	Diff line change
`@@ -153,7 +153,7 @@ string captureThroughFlow(TargetAPI api) {`
`153`	`153`	`config.hasFlow(p, returnNodeExt) and`
`154`	`154`	`returnNodeExt.getEnclosingCallable() = api and`
`155`	`155`	`input = parameterNodeAsInput(p) and`
`156`		`- output = returnNodeAsOutput(api, returnNodeExt) and`
	`156`	`+ output = returnNodeAsOutput(returnNodeExt) and`
`157`	`157`	`input != output and`
`158`	`158`	`result = asTaintModel(api, input, output)`
`159`	`159`	`)`