Use hasFlow where path is not needed

edvraa · edvraa · commit 773556e5e035 · 2021-04-15T16:27:09.000+03:00
diff --git a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.ql b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.ql
@@ -19,10 +19,10 @@ where
   (
     sink instanceof InstanceMethodSink and
     not exists(
-      SafeConstructorTrackingConfig safeConstructorTracking, DataFlow::PathNode safeTypeUsage
+      SafeConstructorTrackingConfig safeConstructorTracking, DataFlow::Node safeTypeUsage
     |
-      safeConstructorTracking.hasFlowPath(_, safeTypeUsage) and
-      safeTypeUsage.getNode().asExpr().getParent() = deserializeCall
+      safeConstructorTracking.hasFlow(_, safeTypeUsage) and
+      safeTypeUsage.asExpr().getParent() = deserializeCall
     )
     or
     sink instanceof ConstructorOrStaticMethodSink
diff --git a/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql b/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql
@@ -33,30 +33,28 @@ where
   // intersect with strong types, but user controlled or weak types deserialization usages
   (
     exists(
-      DataFlow::PathNode weakTypeCreation, DataFlow::PathNode weakTypeUsage,
+      DataFlow::Node weakTypeCreation, DataFlow::Node weakTypeUsage,
       WeakTypeCreationToUsageTrackingConfig weakTypeDeserializerTracking
     |
-      weakTypeDeserializerTracking.hasFlowPath(weakTypeCreation, weakTypeUsage) and
-      weakTypeUsage.getNode().asExpr().getParent() =
-        deserializeCallArg.getNode().asExpr().getParent()
+      weakTypeDeserializerTracking.hasFlow(weakTypeCreation, weakTypeUsage) and
+      weakTypeUsage.asExpr().getParent() = deserializeCallArg.getNode().asExpr().getParent()
     )
     or
     exists(
-      TaintToObjectTypeTrackingConfig userControlledTypeTracking,
-      DataFlow::PathNode taintedTypeUsage, DataFlow::PathNode userInput2
+      TaintToObjectTypeTrackingConfig userControlledTypeTracking, DataFlow::Node taintedTypeUsage,
+      DataFlow::Node userInput2
     |
-      userControlledTypeTracking.hasFlowPath(userInput2, taintedTypeUsage) and
-      taintedTypeUsage.getNode().asExpr().getParent() =
-        deserializeCallArg.getNode().asExpr().getParent()
+      userControlledTypeTracking.hasFlow(userInput2, taintedTypeUsage) and
+      taintedTypeUsage.asExpr().getParent() = deserializeCallArg.getNode().asExpr().getParent()
     )
   ) and
   // exclude deserialization flows with safe instances (i.e. JavaScriptSerializer without resolver)
   not exists(
-    SafeConstructorTrackingConfig safeConstructorTracking, DataFlow::PathNode safeCreation,
-    DataFlow::PathNode safeTypeUsage
+    SafeConstructorTrackingConfig safeConstructorTracking, DataFlow::Node safeCreation,
+    DataFlow::Node safeTypeUsage
   |
-    safeConstructorTracking.hasFlowPath(safeCreation, safeTypeUsage) and
-    safeTypeUsage.getNode().asExpr().getParent() = deserializeCallArg.getNode().asExpr().getParent()
+    safeConstructorTracking.hasFlow(safeCreation, safeTypeUsage) and
+    safeTypeUsage.asExpr().getParent() = deserializeCallArg.getNode().asExpr().getParent()
   )
   or
   // no type check needed - straightforward taint -> sink

Original file line number	Diff line number	Diff line change
`@@ -19,10 +19,10 @@ where`
`19`	`19`	`(`
`20`	`20`	`sink instanceof InstanceMethodSink and`
`21`	`21`	`not exists(`
`22`		`- SafeConstructorTrackingConfig safeConstructorTracking, DataFlow::PathNode safeTypeUsage`
	`22`	`+ SafeConstructorTrackingConfig safeConstructorTracking, DataFlow::Node safeTypeUsage`
`23`	`23`	`\|`
`24`		`- safeConstructorTracking.hasFlowPath(_, safeTypeUsage) and`
`25`		`- safeTypeUsage.getNode().asExpr().getParent() = deserializeCall`
	`24`	`+ safeConstructorTracking.hasFlow(_, safeTypeUsage) and`
	`25`	`+ safeTypeUsage.asExpr().getParent() = deserializeCall`
`26`	`26`	`)`
`27`	`27`	`or`
`28`	`28`	`sink instanceof ConstructorOrStaticMethodSink`