Dataflow: Add empty provenance column to PathGraph.

aschackmull · aschackmull · commit b7d4a6926f41 · 2024-02-09T11:27:30.000+01:00
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll
@@ -507,13 +507,13 @@ module ProductFlow {
     private predicate pathSuccPlus(TNodePair n1, TNodePair n2) = fastTC(pathSucc/2)(n1, n2)
 
     private predicate localPathStep1(Flow1::PathNode pred, Flow1::PathNode succ) {
-      Flow1::PathGraph::edges(pred, succ) and
+      Flow1::PathGraph::edges(pred, succ, _, _) and
       pragma[only_bind_out](pred.getNode().getEnclosingCallable()) =
         pragma[only_bind_out](succ.getNode().getEnclosingCallable())
     }
 
     private predicate localPathStep2(Flow2::PathNode pred, Flow2::PathNode succ) {
-      Flow2::PathGraph::edges(pred, succ) and
+      Flow2::PathGraph::edges(pred, succ, _, _) and
       pragma[only_bind_out](pred.getNode().getEnclosingCallable()) =
         pragma[only_bind_out](succ.getNode().getEnclosingCallable())
     }
@@ -530,7 +530,7 @@ module ProductFlow {
       TJump()
 
     private predicate intoImpl1(Flow1::PathNode pred1, Flow1::PathNode succ1, DataFlowCall call) {
-      Flow1::PathGraph::edges(pred1, succ1) and
+      Flow1::PathGraph::edges(pred1, succ1, _, _) and
       pred1.getNode().(ArgumentNode).getCall() = call and
       succ1.getNode() instanceof ParameterNode
     }
@@ -543,7 +543,7 @@ module ProductFlow {
     }
 
     private predicate outImpl1(Flow1::PathNode pred1, Flow1::PathNode succ1, DataFlowCall call) {
-      Flow1::PathGraph::edges(pred1, succ1) and
+      Flow1::PathGraph::edges(pred1, succ1, _, _) and
       exists(ReturnKindExt returnKind |
         succ1.getNode() = returnKind.getAnOutNode(call) and
         pred1.getNode().(ReturnNodeExt).getKind() = returnKind
@@ -558,7 +558,7 @@ module ProductFlow {
     }
 
     private predicate intoImpl2(Flow2::PathNode pred2, Flow2::PathNode succ2, DataFlowCall call) {
-      Flow2::PathGraph::edges(pred2, succ2) and
+      Flow2::PathGraph::edges(pred2, succ2, _, _) and
       pred2.getNode().(ArgumentNode).getCall() = call and
       succ2.getNode() instanceof ParameterNode
     }
@@ -571,7 +571,7 @@ module ProductFlow {
     }
 
     private predicate outImpl2(Flow2::PathNode pred2, Flow2::PathNode succ2, DataFlowCall call) {
-      Flow2::PathGraph::edges(pred2, succ2) and
+      Flow2::PathGraph::edges(pred2, succ2, _, _) and
       exists(ReturnKindExt returnKind |
         succ2.getNode() = returnKind.getAnOutNode(call) and
         pred2.getNode().(ReturnNodeExt).getKind() = returnKind
@@ -590,7 +590,7 @@ module ProductFlow {
       Declaration predDecl, Declaration succDecl, Flow1::PathNode pred1, Flow1::PathNode succ1,
       TKind kind
     ) {
-      Flow1::PathGraph::edges(pred1, succ1) and
+      Flow1::PathGraph::edges(pred1, succ1, _, _) and
       predDecl != succDecl and
       pred1.getNode().getEnclosingCallable() = predDecl and
       succ1.getNode().getEnclosingCallable() = succDecl and
@@ -610,7 +610,7 @@ module ProductFlow {
       Declaration predDecl, Declaration succDecl, Flow2::PathNode pred2, Flow2::PathNode succ2,
       TKind kind
     ) {
-      Flow2::PathGraph::edges(pred2, succ2) and
+      Flow2::PathGraph::edges(pred2, succ2, _, _) and
       predDecl != succDecl and
       pred2.getNode().getEnclosingCallable() = predDecl and
       succ2.getNode().getEnclosingCallable() = succDecl and
diff --git a/csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSQuery.qll b/csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSQuery.qll
@@ -42,14 +42,18 @@ predicate xssFlow(XssNode source, XssNode sink, string message) {
  */
 module PathGraph {
   /** Holds if `(pred,succ)` is an edge in the graph of data flow path explanations. */
-  query predicate edges(XssNode pred, XssNode succ) {
-    exists(XssTracking::PathNode a, XssTracking::PathNode b | XssTracking::PathGraph::edges(a, b) |
+  query predicate edges(XssNode pred, XssNode succ, string key, string val) {
+    exists(XssTracking::PathNode a, XssTracking::PathNode b |
+      XssTracking::PathGraph::edges(a, b, key, val)
+    |
       pred.asDataFlowNode() = a and
       succ.asDataFlowNode() = b
     )
     or
     xssFlow(pred, succ, _) and
-    pred instanceof XssAspNode
+    pred instanceof XssAspNode and
+    key = "provenance" and
+    val = ""
   }
 
   /** Holds if `n` is a node in the graph of data flow path explanations. */
diff --git a/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql b/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql
@@ -13,14 +13,18 @@
 import csharp
 import Flow::PathGraph
 
-query predicate edges(Flow::PathNode a, Flow::PathNode b) {
-  Flow::PathGraph::edges(a, b)
+query predicate edges(Flow::PathNode a, Flow::PathNode b, string key, string val) {
+  Flow::PathGraph::edges(a, b, key, val)
   or
   FlowsFromGetLastWriteTimeConfigToTimeSpanArithmeticCallableConfig::isSink(a.getNode()) and
-  FlowsFromTimeSpanArithmeticToTimeComparisonCallableConfig::isSource(b.getNode())
+  FlowsFromTimeSpanArithmeticToTimeComparisonCallableConfig::isSource(b.getNode()) and
+  key = "provenance" and
+  val = ""
   or
   FlowsFromTimeSpanArithmeticToTimeComparisonCallableConfig::isSink(a.getNode()) and
-  FlowsFromTimeComparisonCallableToSelectionStatementConditionConfig::isSource(b.getNode())
+  FlowsFromTimeComparisonCallableToSelectionStatementConditionConfig::isSource(b.getNode()) and
+  key = "provenance" and
+  val = ""
 }
 
 /**
diff --git a/csharp/ql/test/library-tests/cil/dataflow/DataFlow.ql b/csharp/ql/test/library-tests/cil/dataflow/DataFlow.ql
@@ -13,8 +13,8 @@ private predicate relevantPathNode(Flow::PathNode n) {
   )
 }
 
-query predicate edges(Flow::PathNode a, Flow::PathNode b) {
-  Flow::PathGraph::edges(a, b) and
+query predicate edges(Flow::PathNode a, Flow::PathNode b, string key, string val) {
+  Flow::PathGraph::edges(a, b, key, val) and
   relevantPathNode(a) and
   relevantPathNode(b)
 }
diff --git a/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql b/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql
@@ -25,7 +25,11 @@ import semmle.code.java.security.TempDirLocalInformationDisclosureQuery
  * resulting in a zero-length paths.
  */
 module InsecureMethodPathGraph implements DataFlow::PathGraphSig<MethodCallInsecureFileCreation> {
-  predicate edges(MethodCallInsecureFileCreation n1, MethodCallInsecureFileCreation n2) { none() }
+  predicate edges(
+    MethodCallInsecureFileCreation n1, MethodCallInsecureFileCreation n2, string key, string value
+  ) {
+    none()
+  }
 
   predicate nodes(MethodCallInsecureFileCreation n, string key, string val) {
     key = "semmle.label" and val = n.toString()
diff --git a/shared/dataflow/codeql/dataflow/DataFlow.qll b/shared/dataflow/codeql/dataflow/DataFlow.qll
@@ -584,7 +584,7 @@ module DataFlowMake<InputSig Lang> {
 
   signature module PathGraphSig<PathNodeSig PathNode> {
     /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-    predicate edges(PathNode a, PathNode b);
+    predicate edges(PathNode a, PathNode b, string key, string val);
 
     /** Holds if `n` is a node in the graph of data flow path explanations. */
     predicate nodes(PathNode n, string key, string val);
@@ -648,9 +648,9 @@ module DataFlowMake<InputSig Lang> {
      */
     module PathGraph implements PathGraphSig<PathNode> {
       /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-      query predicate edges(PathNode a, PathNode b) {
-        Graph1::edges(a.asPathNode1(), b.asPathNode1()) or
-        Graph2::edges(a.asPathNode2(), b.asPathNode2())
+      query predicate edges(PathNode a, PathNode b, string key, string val) {
+        Graph1::edges(a.asPathNode1(), b.asPathNode1(), key, val) or
+        Graph2::edges(a.asPathNode2(), b.asPathNode2(), key, val)
       }
 
       /** Holds if `n` is a node in the graph of data flow path explanations. */
@@ -719,7 +719,9 @@ module DataFlowMake<InputSig Lang> {
      */
     module PathGraph implements PathGraphSig<PathNode> {
       /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-      query predicate edges(PathNode a, PathNode b) { Merged::PathGraph::edges(a, b) }
+      query predicate edges(PathNode a, PathNode b, string key, string val) {
+        Merged::PathGraph::edges(a, b, key, val)
+      }
 
       /** Holds if `n` is a node in the graph of data flow path explanations. */
       query predicate nodes(PathNode n, string key, string val) {
diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll
@@ -3724,7 +3724,11 @@ module MakeImpl<InputSig Lang> {
      */
     module PathGraph implements PathGraphSig<PathNode> {
       /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-      query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b }
+      query predicate edges(PathNode a, PathNode b, string key, string val) {
+        a.getASuccessor() = b and
+        key = "provenance" and
+        val = ""
+      }
 
       /** Holds if `n` is a node in the graph of data flow path explanations. */
       query predicate nodes(PathNode n, string key, string val) {

Original file line number	Diff line number	Diff line change
`@@ -13,8 +13,8 @@ private predicate relevantPathNode(Flow::PathNode n) {`
`13`	`13`	`)`
`14`	`14`	`}`
`15`	`15`
`16`		`-query predicate edges(Flow::PathNode a, Flow::PathNode b) {`
`17`		`- Flow::PathGraph::edges(a, b) and`
	`16`	`+query predicate edges(Flow::PathNode a, Flow::PathNode b, string key, string val) {`
	`17`	`+ Flow::PathGraph::edges(a, b, key, val) and`
`18`	`18`	`relevantPathNode(a) and`
`19`	`19`	`relevantPathNode(b)`
`20`	`20`	`}`