Merge pull request github#14108 from hvitved/dataflow/more-consistency-checks

Data flow: Add `ArgumentNode` consistency checks

Author: hvitved

cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected

@@ -4,7 +4,6 @@ uniqueType
 uniqueNodeLocation
 missingLocation
 uniqueNodeToString
-missingToString
 parameterCallable
 localFlowIsLocal
 readStepIsLocal
@@ -139,3 +138,5 @@ uniqueParameterNodeAtPosition
 uniqueParameterNodePosition
 uniqueContentApprox
 identityLocalStep
+missingArgumentCall
+multipleArgumentCall

cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected

@@ -4,7 +4,6 @@ uniqueType
 uniqueNodeLocation
 missingLocation
 uniqueNodeToString
-missingToString
 parameterCallable
 localFlowIsLocal
 readStepIsLocal
@@ -32,3 +31,5 @@ uniqueParameterNodeAtPosition
 uniqueParameterNodePosition
 uniqueContentApprox
 identityLocalStep
+missingArgumentCall
+multipleArgumentCall

cpp/ql/test/library-tests/dataflow/fields/dataflow-consistency.expected

@@ -10,7 +10,6 @@ uniqueType
 uniqueNodeLocation
 missingLocation
 uniqueNodeToString
-missingToString
 parameterCallable
 localFlowIsLocal
 readStepIsLocal
@@ -192,3 +191,5 @@ uniqueParameterNodeAtPosition
 uniqueParameterNodePosition
 uniqueContentApprox
 identityLocalStep
+missingArgumentCall
+multipleArgumentCall

cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected

@@ -4,7 +4,6 @@ uniqueType
 uniqueNodeLocation
 missingLocation
 uniqueNodeToString
-missingToString
 parameterCallable
 localFlowIsLocal
 readStepIsLocal
@@ -53,3 +52,5 @@ uniqueParameterNodeAtPosition
 uniqueParameterNodePosition
 uniqueContentApprox
 identityLocalStep
+missingArgumentCall
+multipleArgumentCall

cpp/ql/test/library-tests/syntax-zoo/dataflow-consistency.expected

@@ -16,7 +16,6 @@ uniqueNodeLocation
 missingLocation
 | Nodes without location: 2 |
 uniqueNodeToString
-missingToString
 parameterCallable
 localFlowIsLocal
 readStepIsLocal
@@ -98,3 +97,5 @@ uniqueParameterNodeAtPosition
 uniqueParameterNodePosition
 uniqueContentApprox
 identityLocalStep
+missingArgumentCall
+multipleArgumentCall

cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected

@@ -5,8 +5,6 @@ uniqueNodeLocation
 missingLocation
 uniqueNodeToString
 | cpp11.cpp:50:15:50:16 | (no string representation) | Node should have one toString but has 0. |
-missingToString
-| Nodes without toString: 1 |
 parameterCallable
 localFlowIsLocal
 readStepIsLocal
@@ -54,3 +52,5 @@ uniqueParameterNodeAtPosition
 uniqueParameterNodePosition
 uniqueContentApprox
 identityLocalStep
+missingArgumentCall
+multipleArgumentCall

csharp/ql/consistency-queries/DataFlowConsistency.ql

@@ -72,11 +72,44 @@ private module Input implements InputSig<CsharpDataFlow> {
   }
 
   predicate reverseReadExclude(Node n) { n.asExpr() = any(AwaitExpr ae).getExpr() }
-}
 
-import MakeConsistency<CsharpDataFlow, CsharpTaintTracking, Input>
+  predicate missingArgumentCallExclude(ArgumentNode arg) {
+    // TODO: Remove once object initializers are modeled properly
+    arg.(Private::PostUpdateNodes::ObjectInitializerNode).getInitializer() instanceof
+      ObjectInitializer
+    or
+    // TODO: Remove once underlying issue is fixed
+    exists(QualifiableExpr qe |
+      qe.isConditional() and
+      qe.getQualifier() = arg.asExpr()
+    )
+  }
 
-query predicate multipleToString(DataFlow::Node n, string s) {
-  s = strictconcat(n.toString(), ",") and
-  strictcount(n.toString()) > 1
+  predicate multipleArgumentCallExclude(ArgumentNode arg, DataFlowCall call) {
+    isArgumentNode(arg, call, _) and
+    (
+      // TODO: Remove once object initializers are modeled properly
+      arg =
+        any(Private::PostUpdateNodes::ObjectInitializerNode init |
+          init.argumentOf(call, _) and
+          init.getInitializer().getNumberOfChildren() > 1
+        )
+      or
+      exists(ControlFlow::Nodes::ElementNode cfn, ControlFlow::Nodes::Split split |
+        exists(arg.asExprAtNode(cfn))
+      |
+        split = cfn.getASplit() and
+        not split = call.getControlFlowNode().getASplit()
+        or
+        split = call.getControlFlowNode().getASplit() and
+        not split = cfn.getASplit()
+      )
+      or
+      call instanceof TransitiveCapturedDataFlowCall
+      or
+      call.(NonDelegateDataFlowCall).getDispatchCall().isReflection()
+    )
+  }
 }
+
+import MakeConsistency<CsharpDataFlow, CsharpTaintTracking, Input>

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll

@@ -2032,7 +2032,7 @@ abstract class PostUpdateNode extends Node {
   abstract Node getPreUpdateNode();
 }
 
-private module PostUpdateNodes {
+module PostUpdateNodes {
   class ObjectCreationNode extends PostUpdateNode, ExprNode, TExprNode {
     private ObjectCreation oc;
 

csharp/ql/lib/semmle/code/csharp/dispatch/Dispatch.qll

@@ -50,6 +50,9 @@ class DispatchCall extends Internal::TDispatchCall {
   RuntimeCallable getADynamicTargetInCallContext(DispatchCall ctx) {
     result = Internal::getADynamicTargetInCallContext(this, ctx)
   }
+
+  /** Holds if this call uses reflection. */
+  predicate isReflection() { this instanceof Internal::TDispatchReflectionCall }
 }
 
 /** Internal implementation details. */

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplConsistency.qll

@@ -47,6 +47,10 @@ private module Input implements InputSig<PythonDataFlow> {
   predicate identityLocalStepExclude(Node n) {
     not exists(n.getLocation().getFile().getRelativePath())
   }
+
+  predicate multipleArgumentCallExclude(ArgumentNode arg, DataFlowCall call) {
+    isArgumentNode(arg, call, _)
+  }
 }
 
 module Consistency = MakeConsistency<PythonDataFlow, PythonTaintTracking, Input>;