Data flow: Add ConfigSig::accessPathLimit

Author: hvitved

csharp/ql/lib/semmle/code/csharp/dataflow/internal/ContentDataFlow.qll

@@ -109,6 +109,8 @@ module Global<ConfigSig ContentConfig> {
 
     DataFlow::FlowFeature getAFeature() { result = ContentConfig::getAFeature() }
 
+    predicate accessPathLimit = ContentConfig::accessPathLimit/0;
+
     // needed to record reads/stores inside summarized callables
     predicate includeHiddenNodes() { any() }
   }

csharp/ql/src/utils/modelgenerator/internal/CaptureModels.qll

@@ -72,11 +72,11 @@ string captureQualifierFlow(TargetApiSpecific api) {
   result = ModelPrinting::asValueModel(api, qualifierString(), "ReturnValue")
 }
 
-private int accessPathLimit() { result = 2 }
+private int accessPathLimit0() { result = 2 }
 
 private newtype TTaintState =
-  TTaintRead(int n) { n in [0 .. accessPathLimit()] } or
-  TTaintStore(int n) { n in [1 .. accessPathLimit()] }
+  TTaintRead(int n) { n in [0 .. accessPathLimit0()] } or
+  TTaintStore(int n) { n in [1 .. accessPathLimit0()] }
 
 abstract private class TaintState extends TTaintState {
   abstract string toString();

java/ql/src/utils/modelgenerator/internal/CaptureModels.qll

@@ -72,11 +72,11 @@ string captureQualifierFlow(TargetApiSpecific api) {
   result = ModelPrinting::asValueModel(api, qualifierString(), "ReturnValue")
 }
 
-private int accessPathLimit() { result = 2 }
+private int accessPathLimit0() { result = 2 }
 
 private newtype TTaintState =
-  TTaintRead(int n) { n in [0 .. accessPathLimit()] } or
-  TTaintStore(int n) { n in [1 .. accessPathLimit()] }
+  TTaintRead(int n) { n in [0 .. accessPathLimit0()] } or
+  TTaintStore(int n) { n in [1 .. accessPathLimit0()] }
 
 abstract private class TaintState extends TTaintState {
   abstract string toString();

ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImpl1.qll

@@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig {
 
   int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
 
+  int accessPathLimit() { result = 5 }
+
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate sourceGrouping(Node source, string sourceGroup) {

shared/dataflow/codeql/dataflow/DataFlow.qll

@@ -376,6 +376,9 @@ module Configs<InputSig Lang> {
      */
     default int fieldFlowBranchLimit() { result = 2 }
 
+    /** Gets the access path limit. */
+    default int accessPathLimit() { result = Lang::accessPathLimit() }
+
     /**
      * Gets a data flow configuration feature to add restrictions to the set of
      * valid flow paths.
@@ -495,6 +498,9 @@ module Configs<InputSig Lang> {
      */
     default int fieldFlowBranchLimit() { result = 2 }
 
+    /** Gets the access path limit. */
+    default int accessPathLimit() { result = Lang::accessPathLimit() }
+
     /**
      * Gets a data flow configuration feature to add restrictions to the set of
      * valid flow paths.
@@ -583,6 +589,8 @@ module DataFlowMake<InputSig Lang> {
     private module C implements FullStateConfigSig {
       import DefaultState<Config>
       import Config
+
+      predicate accessPathLimit = Config::accessPathLimit/0;
     }
 
     import Impl<C>
@@ -599,6 +607,8 @@ module DataFlowMake<InputSig Lang> {
   module GlobalWithState<StateConfigSig Config> implements GlobalFlowSig {
     private module C implements FullStateConfigSig {
       import Config
+
+      predicate accessPathLimit = Config::accessPathLimit/0;
     }
 
     import Impl<C>

shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll

@@ -93,6 +93,9 @@ module MakeImpl<InputSig Lang> {
      */
     int fieldFlowBranchLimit();
 
+    /** Gets the access path limit. */
+    int accessPathLimit();
+
     /**
      * Gets a data flow configuration feature to add restrictions to the set of
      * valid flow paths.
@@ -1328,6 +1331,13 @@ module MakeImpl<InputSig Lang> {
           fwdFlow1(_, _, _, _, _, _, t0, t, ap, _) and t0 != t
         }
 
+        bindingset[c, t, tail]
+        additional Ap apCons(Content c, Typ t, Ap tail) {
+          result = Param::apCons(c, t, tail) and
+          Config::accessPathLimit() > 0 and
+          if tail instanceof ApNil then any() else Config::accessPathLimit() > 1
+        }
+
         pragma[nomagic]
         private predicate fwdFlow0(
           NodeEx node, FlowState state, Cc cc, ParamNodeOption summaryCtx, TypOption argT,
@@ -3026,11 +3036,11 @@ module MakeImpl<InputSig Lang> {
       } or
       TConsCons(Content c1, DataFlowType t, Content c2, int len) {
         Stage4::consCand(c1, t, TFrontHead(c2)) and
-        len in [2 .. accessPathLimit()] and
+        len in [2 .. Config::accessPathLimit()] and
         not expensiveLen2unfolding(c1)
       } or
       TCons1(Content c, int len) {
-        len in [1 .. accessPathLimit()] and
+        len in [1 .. Config::accessPathLimit()] and
         expensiveLen2unfolding(c)
       }
 
@@ -3189,7 +3199,10 @@ module MakeImpl<InputSig Lang> {
       Typ getTyp(DataFlowType t) { result = t }
 
       bindingset[c, t, tail]
-      Ap apCons(Content c, Typ t, Ap tail) { result.isCons(c, t, tail) }
+      Ap apCons(Content c, Typ t, Ap tail) {
+        result.isCons(c, t, tail) and
+        Config::accessPathLimit() > tail.len()
+      }
 
       class ApHeadContent = Content;