Type tracking: Allow for a non-standard flowsTo predicate

Author: hvitved

shared/typetracking/codeql/typetracking/TypeTracking.qll

@@ -113,6 +113,12 @@ signature module TypeTrackingInput {
    * themselves.
    */
   predicate hasFeatureBacktrackStoreTarget();
+
+  /**
+   * Holds if a non-standard `flowsTo` predicate is needed, i.e., one that is not
+   * simply `simpleLocalSmallStep*(localSource, dst)`.
+   */
+  default predicate nonStandardFlowsTo(LocalSourceNode localSource, Node dst) { none() }
 }
 
 private import internal.TypeTrackingImpl as Impl

shared/typetracking/codeql/typetracking/internal/TypeTrackingImpl.qll

@@ -249,18 +249,15 @@ module TypeTracking<TypeTrackingInput I> {
     pragma[inline]
     private predicate isLocalSourceNode(LocalSourceNode n) { any() }
 
-    /**
-     * Holds if there is flow from `localSource` to `dst` using zero or more
-     * `simpleLocalSmallStep`s.
-     */
     cached
-    predicate flowsTo(Node localSource, Node dst) {
+    predicate standardFlowsTo(Node localSource, Node dst) {
+      not nonStandardFlowsTo(_, _) and
       // explicit type check in base case to avoid repeated type tests in recursive case
       isLocalSourceNode(localSource) and
       dst = localSource
       or
       exists(Node mid |
-        flowsTo(localSource, mid) and
+        standardFlowsTo(localSource, mid) and
         simpleLocalSmallStep(mid, dst)
       )
     }
@@ -278,6 +275,16 @@ module TypeTracking<TypeTrackingInput I> {
 
   import Cached
 
+  /**
+   * Holds if there is flow from `localSource` to `dst` using zero or more
+   * `simpleLocalSmallStep`s.
+   */
+  predicate flowsTo(LocalSourceNode localSource, Node dst) {
+    nonStandardFlowsTo(localSource, dst)
+    or
+    standardFlowsTo(localSource, dst)
+  }
+
   /**
    * A description of a step on an inter-procedural data flow path.
    */