Partial revert: only introduce inferred taint edges from callsite-crossing value edges if an original taint edge targets the *start* of the value edge.

smowton · smowton · commit fa90655dd0a9 · 2021-03-23T14:35:03.000Z
Previously we would also take a taint edge targeting a result and a value-preserving edge propagating another argument to the result to imply a taint edge targeting that argument.
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll b/java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll
@@ -67,25 +67,19 @@ private predicate localAdditionalBasicTaintStep(DataFlow::Node src, DataFlow::No
  * Holds if an additional step from `src` to `sink` through a call can be inferred from the
  * combination of a value-preserving step providing an alias between an input and the output
  * and a taint step from `src` to one the aliased nodes. For example, if we know that `f(a, b)` returns
- * the exact value of `a` and also propagates taint from `b` to its result, then we also know that
- * `a` is tainted after `f` completes, and vice versa.
+ * the exact value of `a` and also propagates taint from `b` to `a`, then we also know that
+ * the return value is tainted after `f` completes.
  */
 private predicate composedValueAndTaintModelStep(ArgumentNode src, DataFlow::Node sink) {
   exists(Call call, ArgumentNode valueSource, DataFlow::PostUpdateNode valueSourcePost |
     src.argumentOf(call, _) and
     valueSource.argumentOf(call, _) and
     src != valueSource and
     valueSourcePost.getPreUpdateNode() = valueSource and
+    // in-x -value-> out-y and in-z -taint-> in-x ==> in-z -taint-> out-y
+    localAdditionalBasicTaintStep(src, valueSourcePost) and
     DataFlow::localFlowStep(valueSource, DataFlow::exprNode(call)) and
-    (
-      // in-x -value-> out-y and in-z -taint-> out-y ==> in-z -taint-> in-x
-      localAdditionalBasicTaintStep(src, DataFlow::exprNode(call)) and
-      sink = valueSourcePost
-      or
-      // in-x -value-> out-y and in-z -taint-> in-x ==> in-z -taint-> out-y
-      localAdditionalBasicTaintStep(src, valueSourcePost) and
-      sink = DataFlow::exprNode(call)
-    )
+    sink = DataFlow::exprNode(call)
   )
 }
 
