Only consider true return statements as sinks

Benjamin Muskalla · Benjamin Muskalla · commit 8040d9cfcf0b · 2021-11-15T15:29:01.000+01:00
diff --git a/java/ql/src/utils/model-generator/CaptureSummaryModels.ql b/java/ql/src/utils/model-generator/CaptureSummaryModels.ql
@@ -186,8 +186,9 @@ class ParameterToReturnValueTaintConfig extends TaintTracking::Configuration {
     )
   }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof ReturnNodeExt }
+  override predicate isSink(DataFlow::Node sink) { sink instanceof ReturnNode }
 
+  // track taint across objects so we consider factory methods returning newly tainted objects
   override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
     node2.asExpr().(ConstructorCall).getAnArgument() = node1.asExpr()
   }

Original file line number	Diff line number	Diff line change
`@@ -186,8 +186,9 @@ class ParameterToReturnValueTaintConfig extends TaintTracking::Configuration {`
`186`	`186`	`)`
`187`	`187`	`}`
`188`	`188`
`189`		`- override predicate isSink(DataFlow::Node sink) { sink instanceof ReturnNodeExt }`
	`189`	`+ override predicate isSink(DataFlow::Node sink) { sink instanceof ReturnNode }`
`190`	`190`
	`191`	`+ // track taint across objects so we consider factory methods returning newly tainted objects`
`191`	`192`	`override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {`
`192`	`193`	`node2.asExpr().(ConstructorCall).getAnArgument() = node1.asExpr()`
`193`	`194`	`}`