Do not compress local flow steps

Alvaro Muñoz · Alvaro Muñoz · commit 355ccf42ee38 · 2024-02-05T10:44:37.000+01:00
Use `neverSkipPathGrap` to `any()` so no local flow steps get pruned
and thrown away in order to compress the presented dataflow path.
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowImplSpecific.qll
@@ -6,6 +6,9 @@
 private import codeql.dataflow.DataFlow
 
 module ActionsDataFlow implements InputSig {
-  import DataFlowPrivate
+  import DataFlowPrivate as Private
   import DataFlowPublic
+  import Private
+
+  predicate neverSkipInPathGraph = Private::neverSkipInPathGraph/1;
 }
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
@@ -207,27 +207,6 @@ predicate stepOutputDefToUse(Node nodeFrom, Node nodeTo) {
   )
 }
 
-predicate test1(UsesExpr u, string f, JobStmt j) {
-  u.getLocation().getFile().getBaseName() = "inter1.yml" and
-  f = u.getId() and
-  j = u.getJob()
-}
-
-predicate test2(StepOutputAccessExpr r, string f, JobStmt j) {
-  r.getLocation().getFile().getBaseName() = "inter1.yml" and
-  f = r.getStepId() and
-  j = r.getJob()
-}
-
-predicate test3(UsesExpr u, StepOutputAccessExpr r, Node n) {
-  r.getLocation().getFile().getBaseName() = "inter1.yml" and
-  u.getLocation().getFile().getBaseName() = "inter1.yml" and
-  u.getId() = r.getStepId() and
-  u.getJob() = r.getJob() and
-  // el SOAE has no mapping DF NODE
-  n.asExpr() = r
-}
-
 predicate jobOutputDefToUse(Node nodeFrom, Node nodeTo) {
   // nodeTo is a JobOutputAccessExpr and nodeFrom is the Job output expression
   exists(Expression astFrom, JobOutputAccessExpr astTo |
@@ -310,3 +289,10 @@ predicate lambdaCall(DataFlowCall call, LambdaCallKind kind, Node receiver) { no
 
 /** Extra data-flow steps needed for lambda flow analysis. */
 predicate additionalLambdaFlowStep(Node nodeFrom, Node nodeTo, boolean preservesValue) { none() }
+
+/**
+ * Since our model is so simple, we dont want to compress the local flow steps.
+ * This compression is normally done to not show SSA steps, casts, etc.
+ */
+predicate neverSkipInPathGraph(Node node) { any() }
+
diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql
@@ -24,6 +24,7 @@ private module MyConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink }
+  //predicate neverSkip(DataFlow::Node node) { any() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,7 @@ private module MyConfig implements DataFlow::ConfigSig {`
`24`	`24`	`predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }`
`25`	`25`
`26`	`26`	`predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink }`
	`27`	`+ //predicate neverSkip(DataFlow::Node node) { any() }`
`27`	`28`	`}`
`28`	`29`
`29`	`30`	`module MyFlow = TaintTracking::Global<MyConfig>;`