Don't require a PathCreation for every tainted-path sink

smowton · web-flow · commit 81f3bcd80249 · 2022-08-02T21:30:06.000+01:00
diff --git a/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql b/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql
@@ -49,9 +49,7 @@ class TaintedPathConfig extends TaintTracking::Configuration {
   }
 }
 
-from DataFlow::PathNode source, DataFlow::PathNode sink, PathCreation p, TaintedPathConfig conf
-where
-  sink.getNode().asExpr() = p.getAnInput() and
-  conf.hasFlowPath(source, sink)
-select p, source, sink, "$@ flows to here and is used in a path.", source.getNode(),
+from DataFlow::PathNode source, DataFlow::PathNode sink, TaintedPathConfig conf
+where conf.hasFlowPath(source, sink)
+select sink, source, sink, "$@ flows to here and is used in a path.", source.getNode(),
   "User-provided value"

Original file line number	Diff line number	Diff line change
`@@ -49,9 +49,7 @@ class TaintedPathConfig extends TaintTracking::Configuration {`
`49`	`49`	`}`
`50`	`50`	`}`
`51`	`51`
`52`		`-from DataFlow::PathNode source, DataFlow::PathNode sink, PathCreation p, TaintedPathConfig conf`
`53`		`-where`
`54`		`- sink.getNode().asExpr() = p.getAnInput() and`
`55`		`- conf.hasFlowPath(source, sink)`
`56`		`-select p, source, sink, "$@ flows to here and is used in a path.", source.getNode(),`
	`52`	`+from DataFlow::PathNode source, DataFlow::PathNode sink, TaintedPathConfig conf`
	`53`	`+where conf.hasFlowPath(source, sink)`
	`54`	`+select sink, source, sink, "$@ flows to here and is used in a path.", source.getNode(),`
`57`	`55`	`"User-provided value"`