C++: Simplify isSink based on reviewer comments

jketema · jketema · commit 6dbc59d5b5ce · 2022-12-05T23:23:08.000+01:00
diff --git a/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql b/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
@@ -54,8 +54,6 @@ Expr asSourceExpr(DataFlow::Node node) {
 }
 
 Expr asSinkExpr(DataFlow::Node node) {
-  result = node.asConvertedExpr()
-  or
   result =
     node.asOperand()
         .(SideEffectOperand)
@@ -113,14 +111,11 @@ class TaintedPathConfiguration extends TaintTracking::Configuration {
 
   predicate hasFilteredFlowPath(DataFlow::PathNode source, DataFlow::PathNode sink) {
     this.hasFlowPath(source, sink) and
-    not exists(DataFlow::PathNode source2, DataFlow::PathNode sink2 |
-      this.hasFlowPath(source2, sink2) and
-      asSourceExpr(source.getNode()) = asSourceExpr(source2.getNode()) and
-      asSinkExpr(sink.getNode()) = asSinkExpr(sink2.getNode())
+    not exists(DataFlow::PathNode source2 |
+      this.hasFlowPath(source2, sink) and
+      asSourceExpr(source.getNode()) = asSourceExpr(source2.getNode())
     |
       not exists(source.getNode().asConvertedExpr()) and exists(source2.getNode().asConvertedExpr())
-      or
-      not exists(sink.getNode().asConvertedExpr()) and exists(sink2.getNode().asConvertedExpr())
     )
   }
 }
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/TaintedPath.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/TaintedPath.expected
@@ -1,10 +1,8 @@
 edges
-| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data |
 | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data indirection |
 nodes
 | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | semmle.label | fgets output argument |
-| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data | semmle.label | data |
 | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data indirection | semmle.label | data indirection |
 subpaths
 #select
-| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data | This argument to a file access function is derived from $@ and then passed to fopen(filename). | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | ... + ... | user input (fgets) |
+| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | ... + ... | user input (fgets) |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-022/semmle/tests/TaintedPath.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-022/semmle/tests/TaintedPath.expected
@@ -1,31 +1,24 @@
 edges
-| test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName |
 | test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName indirection |
-| test.c:31:22:31:25 | argv | test.c:32:11:32:18 | fileName |
 | test.c:31:22:31:25 | argv | test.c:32:11:32:18 | fileName indirection |
 | test.c:37:17:37:24 | fileName | test.c:38:11:38:18 | fileName indirection |
 | test.c:37:17:37:24 | scanf output argument | test.c:38:11:38:18 | fileName indirection |
-| test.c:43:17:43:24 | fileName | test.c:44:11:44:18 | fileName |
 | test.c:43:17:43:24 | fileName | test.c:44:11:44:18 | fileName indirection |
-| test.c:43:17:43:24 | scanf output argument | test.c:44:11:44:18 | fileName |
 | test.c:43:17:43:24 | scanf output argument | test.c:44:11:44:18 | fileName indirection |
 nodes
 | test.c:9:23:9:26 | argv | semmle.label | argv |
-| test.c:17:11:17:18 | fileName | semmle.label | fileName |
 | test.c:17:11:17:18 | fileName indirection | semmle.label | fileName indirection |
 | test.c:31:22:31:25 | argv | semmle.label | argv |
-| test.c:32:11:32:18 | fileName | semmle.label | fileName |
 | test.c:32:11:32:18 | fileName indirection | semmle.label | fileName indirection |
 | test.c:37:17:37:24 | fileName | semmle.label | fileName |
 | test.c:37:17:37:24 | scanf output argument | semmle.label | scanf output argument |
 | test.c:38:11:38:18 | fileName indirection | semmle.label | fileName indirection |
 | test.c:43:17:43:24 | fileName | semmle.label | fileName |
 | test.c:43:17:43:24 | scanf output argument | semmle.label | scanf output argument |
-| test.c:44:11:44:18 | fileName | semmle.label | fileName |
 | test.c:44:11:44:18 | fileName indirection | semmle.label | fileName indirection |
 subpaths
 #select
-| test.c:17:11:17:18 | fileName | test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:9:23:9:26 | argv | user input (argv) |
-| test.c:32:11:32:18 | fileName | test.c:31:22:31:25 | argv | test.c:32:11:32:18 | fileName | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:31:22:31:25 | argv | user input (argv) |
+| test.c:17:11:17:18 | fileName | test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:9:23:9:26 | argv | user input (argv) |
+| test.c:32:11:32:18 | fileName | test.c:31:22:31:25 | argv | test.c:32:11:32:18 | fileName indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:31:22:31:25 | argv | user input (argv) |
 | test.c:38:11:38:18 | fileName | test.c:37:17:37:24 | fileName | test.c:38:11:38:18 | fileName indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:37:17:37:24 | fileName | user input (scanf) |
-| test.c:44:11:44:18 | fileName | test.c:43:17:43:24 | fileName | test.c:44:11:44:18 | fileName | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:43:17:43:24 | fileName | user input (scanf) |
+| test.c:44:11:44:18 | fileName | test.c:43:17:43:24 | fileName | test.c:44:11:44:18 | fileName indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:43:17:43:24 | fileName | user input (scanf) |

Original file line number	Diff line number	Diff line change
`@@ -54,8 +54,6 @@ Expr asSourceExpr(DataFlow::Node node) {`
`54`	`54`	`}`
`55`	`55`
`56`	`56`	`Expr asSinkExpr(DataFlow::Node node) {`
`57`		`- result = node.asConvertedExpr()`
`58`		`- or`
`59`	`57`	`result =`
`60`	`58`	`node.asOperand()`
`61`	`59`	`.(SideEffectOperand)`
`@@ -113,14 +111,11 @@ class TaintedPathConfiguration extends TaintTracking::Configuration {`
`113`	`111`
`114`	`112`	`predicate hasFilteredFlowPath(DataFlow::PathNode source, DataFlow::PathNode sink) {`
`115`	`113`	`this.hasFlowPath(source, sink) and`
`116`		`- not exists(DataFlow::PathNode source2, DataFlow::PathNode sink2 \|`
`117`		`- this.hasFlowPath(source2, sink2) and`
`118`		`- asSourceExpr(source.getNode()) = asSourceExpr(source2.getNode()) and`
`119`		`- asSinkExpr(sink.getNode()) = asSinkExpr(sink2.getNode())`
	`114`	`+ not exists(DataFlow::PathNode source2 \|`
	`115`	`+ this.hasFlowPath(source2, sink) and`
	`116`	`+ asSourceExpr(source.getNode()) = asSourceExpr(source2.getNode())`
`120`	`117`	`\|`
`121`	`118`	`not exists(source.getNode().asConvertedExpr()) and exists(source2.getNode().asConvertedExpr())`
`122`		`- or`
`123`		`- not exists(sink.getNode().asConvertedExpr()) and exists(sink2.getNode().asConvertedExpr())`
`124`	`119`	`)`
`125`	`120`	`}`
`126`	`121`	`}`