Simplify handling of tainting fields

Benjamin Muskalla · Benjamin Muskalla · commit fd9199c0c09a · 2021-11-15T16:40:09.000+01:00
diff --git a/java/ql/src/utils/model-generator/CaptureSummaryModels.ql b/java/ql/src/utils/model-generator/CaptureSummaryModels.ql
@@ -95,10 +95,6 @@ string captureFieldFlow(TargetAPI api) {
   )
 }
 
-class FieldAssignment extends AssignExpr {
-  FieldAssignment() { exists(Field f | f.getAnAccess() = this.getDest()) }
-}
-
 class ParameterToFieldConfig extends TaintTracking::Configuration {
   ParameterToFieldConfig() { this = "ParameterToFieldConfig" }
 
@@ -112,11 +108,7 @@ class ParameterToFieldConfig extends TaintTracking::Configuration {
   }
 
   override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
-    exists(FieldAssignment a |
-      a.getSource() = node1.asExpr() and
-      DataFlow::getFieldQualifier(a.getDest()) = node2.(DataFlow::PostUpdateNode).getPreUpdateNode() and
-      isRelevantType(a.getDest().(FieldAccess).getField().getType())
-    )
+    store(node1, _, node2, _)
   }
 
   override DataFlow::FlowFeature getAFeature() {
@@ -128,8 +120,6 @@ private predicate thisAccess(DataFlow::Node n) {
   n.asExpr().(InstanceAccess).isOwnInstanceAccess()
   or
   n.(DataFlow::ImplicitInstanceAccess).getInstanceAccess() instanceof OwnInstanceAccess
-  or
-  n.asExpr().(FieldAccess).isOwnFieldAccess()
 }
 
 /**

Original file line number	Diff line number	Diff line change
`@@ -95,10 +95,6 @@ string captureFieldFlow(TargetAPI api) {`
`95`	`95`	`)`
`96`	`96`	`}`
`97`	`97`
`98`		`-class FieldAssignment extends AssignExpr {`
`99`		`- FieldAssignment() { exists(Field f \| f.getAnAccess() = this.getDest()) }`
`100`		`-}`
`101`		`-`
`102`	`98`	`class ParameterToFieldConfig extends TaintTracking::Configuration {`
`103`	`99`	`ParameterToFieldConfig() { this = "ParameterToFieldConfig" }`
`104`	`100`
`@@ -112,11 +108,7 @@ class ParameterToFieldConfig extends TaintTracking::Configuration {`
`112`	`108`	`}`
`113`	`109`
`114`	`110`	`override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {`
`115`		`- exists(FieldAssignment a \|`
`116`		`- a.getSource() = node1.asExpr() and`
`117`		`- DataFlow::getFieldQualifier(a.getDest()) = node2.(DataFlow::PostUpdateNode).getPreUpdateNode() and`
`118`		`- isRelevantType(a.getDest().(FieldAccess).getField().getType())`
`119`		`- )`
	`111`	`+ store(node1, _, node2, _)`
`120`	`112`	`}`
`121`	`113`
`122`	`114`	`override DataFlow::FlowFeature getAFeature() {`
`@@ -128,8 +120,6 @@ private predicate thisAccess(DataFlow::Node n) {`
`128`	`120`	`n.asExpr().(InstanceAccess).isOwnInstanceAccess()`
`129`	`121`	`or`
`130`	`122`	`n.(DataFlow::ImplicitInstanceAccess).getInstanceAccess() instanceof OwnInstanceAccess`
`131`		`- or`
`132`		`- n.asExpr().(FieldAccess).isOwnFieldAccess()`
`133`	`123`	`}`
`134`	`124`
`135`	`125`	`/**`