Introduce and use writeComponent

smowton · smowton · commit 3635d7d007b5 · 2020-09-04T17:03:52.000+01:00
diff --git a/ql/src/semmle/go/controlflow/ControlFlowGraph.qll b/ql/src/semmle/go/controlflow/ControlFlowGraph.qll
@@ -165,6 +165,13 @@ module ControlFlow {
         self.getRhs() = rhs.asInstruction()
       )
     }
+
+    /**
+     * Holds if this node sets any field or element of `base` to `rhs`.
+     */
+    predicate writesComponent(DataFlow::Node base, DataFlow::Node rhs) {
+      writesElement(base, _, rhs) or writesField(base, _, rhs)
+    }
   }
 
   /**
diff --git a/ql/src/semmle/go/frameworks/Protobuf.qll b/ql/src/semmle/go/frameworks/Protobuf.qll
@@ -139,15 +139,6 @@ module Protobuf {
     }
   }
 
-  /**
-   * Gets a field of a Message type.
-   */
-  private Field getAMessageField() {
-    result = any(MessageType msg).getField(_)
-    or
-    exists(Type base | base.getPointerType() instanceof MessageType | result = base.getField(_))
-  }
-
   /**
    * Gets the data-flow node representing the bottom of a stack of zero or more `ComponentReadNode`s.
    *
@@ -163,13 +154,9 @@ module Protobuf {
    */
   private class WriteMessageFieldStep extends TaintTracking::AdditionalTaintStep {
     override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
+      [succ.getType(), succ.getType().getPointerType()] instanceof MessageType and
       exists(DataFlow::ReadNode base | succ = getUnderlyingNode(base) |
-        any(DataFlow::Write w).writesField(base, getAMessageField(), pred)
-      )
-      or
-      exists(DataFlow::ReadNode base | succ = getUnderlyingNode(base) |
-        any(DataFlow::Write w).writesElement(base, _, pred) and
-        [succ.getType(), succ.getType().getPointerType()] instanceof MessageType
+        any(DataFlow::Write w).writesComponent(base, pred)
       )
     }
   }

Original file line number	Diff line number	Diff line change
`@@ -165,6 +165,13 @@ module ControlFlow {`
`165`	`165`	`self.getRhs() = rhs.asInstruction()`
`166`	`166`	`)`
`167`	`167`	`}`
	`168`	`+`
	`169`	`+ /**`
	`170`	+ * Holds if this node sets any field or element of `base` to `rhs`.
	`171`	`+ */`
	`172`	`+ predicate writesComponent(DataFlow::Node base, DataFlow::Node rhs) {`
	`173`	`+ writesElement(base, _, rhs) or writesField(base, _, rhs)`
	`174`	`+ }`
`168`	`175`	`}`
`169`	`176`
`170`	`177`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -139,15 +139,6 @@ module Protobuf {`
`139`	`139`	`}`
`140`	`140`	`}`
`141`	`141`
`142`		`- /**`
`143`		`- * Gets a field of a Message type.`
`144`		`- */`
`145`		`- private Field getAMessageField() {`
`146`		`- result = any(MessageType msg).getField(_)`
`147`		`- or`
`148`		`- exists(Type base \| base.getPointerType() instanceof MessageType \| result = base.getField(_))`
`149`		`- }`
`150`		`-`
`151`	`142`	`/**`
`152`	`143`	* Gets the data-flow node representing the bottom of a stack of zero or more `ComponentReadNode`s.
`153`	`144`	`*`
`@@ -163,13 +154,9 @@ module Protobuf {`
`163`	`154`	`*/`
`164`	`155`	`private class WriteMessageFieldStep extends TaintTracking::AdditionalTaintStep {`
`165`	`156`	`override predicate step(DataFlow::Node pred, DataFlow::Node succ) {`
	`157`	`+ [succ.getType(), succ.getType().getPointerType()] instanceof MessageType and`
`166`	`158`	`exists(DataFlow::ReadNode base \| succ = getUnderlyingNode(base) \|`
`167`		`- any(DataFlow::Write w).writesField(base, getAMessageField(), pred)`
`168`		`- )`
`169`		`- or`
`170`		`- exists(DataFlow::ReadNode base \| succ = getUnderlyingNode(base) \|`
`171`		`- any(DataFlow::Write w).writesElement(base, _, pred) and`
`172`		`- [succ.getType(), succ.getType().getPointerType()] instanceof MessageType`
	`159`	`+ any(DataFlow::Write w).writesComponent(base, pred)`
`173`	`160`	`)`
`174`	`161`	`}`
`175`	`162`	`}`