Merge pull request github#11188 from aschackmull/java/mad-gen-sinks-precision

aschackmull · web-flow · commit a8ed6bad3496 · 2022-11-10T10:49:56.000+01:00
Java: Improve sink model generation precision by excluding variable capture.
diff --git a/csharp/ql/src/utils/model-generator/internal/CaptureModels.qll b/csharp/ql/src/utils/model-generator/internal/CaptureModels.qll
@@ -272,6 +272,8 @@ private class PropagateToSinkConfiguration extends TaintTracking::Configuration
 
   override predicate isSink(DataFlow::Node sink) { ExternalFlow::sinkNode(sink, _) }
 
+  override predicate isSanitizer(DataFlow::Node node) { sinkModelSanitizer(node) }
+
   override DataFlow::FlowFeature getAFeature() {
     result instanceof DataFlow::FeatureHasSourceCallContext
   }
diff --git a/csharp/ql/src/utils/model-generator/internal/CaptureModelsSpecific.qll b/csharp/ql/src/utils/model-generator/internal/CaptureModelsSpecific.qll
@@ -175,6 +175,8 @@ private predicate isRelevantMemberAccess(DataFlow::Node node) {
   )
 }
 
+predicate sinkModelSanitizer(DataFlow::Node node) { none() }
+
 /**
  * Holds if `source` is an api entrypoint relevant for creating sink models.
  */
diff --git a/java/ql/src/utils/model-generator/internal/CaptureModels.qll b/java/ql/src/utils/model-generator/internal/CaptureModels.qll
@@ -272,6 +272,8 @@ private class PropagateToSinkConfiguration extends TaintTracking::Configuration
 
   override predicate isSink(DataFlow::Node sink) { ExternalFlow::sinkNode(sink, _) }
 
+  override predicate isSanitizer(DataFlow::Node node) { sinkModelSanitizer(node) }
+
   override DataFlow::FlowFeature getAFeature() {
     result instanceof DataFlow::FeatureHasSourceCallContext
   }
diff --git a/java/ql/src/utils/model-generator/internal/CaptureModelsSpecific.qll b/java/ql/src/utils/model-generator/internal/CaptureModelsSpecific.qll
@@ -7,6 +7,7 @@ private import semmle.code.java.dataflow.internal.DataFlowNodes
 private import semmle.code.java.dataflow.internal.DataFlowPrivate
 private import semmle.code.java.dataflow.internal.ContainerFlow as ContainerFlow
 private import semmle.code.java.dataflow.DataFlow as Df
+private import semmle.code.java.dataflow.SSA as Ssa
 private import semmle.code.java.dataflow.TaintTracking as Tt
 import semmle.code.java.dataflow.ExternalFlow as ExternalFlow
 import semmle.code.java.dataflow.internal.DataFlowImplCommon as DataFlowImplCommon
@@ -224,6 +225,14 @@ predicate isOwnInstanceAccessNode(ReturnNode node) {
   node.asExpr().(J::ThisAccess).isOwnInstanceAccess()
 }
 
+predicate sinkModelSanitizer(DataFlow::Node node) {
+  // exclude variable capture jump steps
+  exists(Ssa::SsaImplicitInit closure |
+    closure.captures(_) and
+    node.asExpr() = closure.getAFirstUse()
+  )
+}
+
 /**
  * Holds if `source` is an api entrypoint relevant for creating sink models.
  */

Original file line number	Diff line number	Diff line change
`@@ -272,6 +272,8 @@ private class PropagateToSinkConfiguration extends TaintTracking::Configuration`
`272`	`272`
`273`	`273`	`override predicate isSink(DataFlow::Node sink) { ExternalFlow::sinkNode(sink, _) }`
`274`	`274`
	`275`	`+ override predicate isSanitizer(DataFlow::Node node) { sinkModelSanitizer(node) }`
	`276`	`+`
`275`	`277`	`override DataFlow::FlowFeature getAFeature() {`
`276`	`278`	`result instanceof DataFlow::FeatureHasSourceCallContext`
`277`	`279`	`}`
Original file line number	Diff line number	Diff line change
`@@ -175,6 +175,8 @@ private predicate isRelevantMemberAccess(DataFlow::Node node) {`
`175`	`175`	`)`
`176`	`176`	`}`
`177`	`177`
	`178`	`+predicate sinkModelSanitizer(DataFlow::Node node) { none() }`
	`179`	`+`
`178`	`180`	`/**`
`179`	`181`	* Holds if `source` is an api entrypoint relevant for creating sink models.
`180`	`182`	`*/`