
Commit 6d346db

committed
DataFlow: Bugfix in flow state for value preservation.
1 parent 3a864d3 commit 6d346db


1 file changed

+15
-6
lines changed

1 file changed

+15
-6
lines changed

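--- a/shared/dataflow/codeql/dataflow/internal/ContentDataFlowImpl.qll
+++ b/shared/dataflow/codeql/dataflow/internal/ContentDataFlowImpl.qll
@@ -51,6 +51,11 @@ module MakeImplContentDataFlow<LocationSig Location, InputSig<Location> Lang> {
 */
 default predicate isAdditionalFlowStep(Node node1, Node node2) { none() }
 
+/**
+* Holds if taint may propagate from `node1` to `node2` in addition to the normal data-flow steps.
+*/
+default predicate isAdditionalTaintStep(Node node1, Node node2) { none() }
+
 /** Holds if data flow into `node` is prohibited. */
 default predicate isBarrier(Node node) { none() }
 
@@ -101,7 +106,7 @@ module MakeImplContentDataFlow<LocationSig Location, InputSig<Location> Lang> {
 predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
 storeStep(node1, state1, _, node2, state2) or
 readStep(node1, state1, _, node2, state2) or
-additionalStep(node1, state1, node2, state2)
+additionalTaintStep(node1, state1, node2, state2)
 }
 
 predicate isAdditionalFlowStep = ContentConfig::isAdditionalFlowStep/2;
@@ -229,8 +234,8 @@ module MakeImplContentDataFlow<LocationSig Location, InputSig<Location> Lang> {
 )
 }
 
-private predicate additionalStep(Node node1, State state1, Node node2, State state2) {
-ContentConfig::isAdditionalFlowStep(node1, node2) and
+private predicate additionalTaintStep(Node node1, State state1, Node node2, State state2) {
+ContentConfig::isAdditionalTaintStep(node1, node2) and
 (
 state1 instanceof InitState and
 state2.(InitState).decode(false)
@@ -302,12 +307,16 @@ module MakeImplContentDataFlow<LocationSig Location, InputSig<Location> Lang> {
 // relation, when flow can reach a sink without going back out
 Flow::PathGraph::subpaths(pred, succ, _, _) and
 not reachesSink(succ)
-or
+)
+or
+exists(Node predNode, State predState, Node succNode, State succState |
+succNodeAndState(pred, predNode, predState, succ, succNode, succState)
+|
 // needed to record store steps
-storeStep(pred.getNode(), pred.getState(), _, succ.getNode(), succ.getState())
+storeStep(predNode, predState, _, succNode, succState)
 or
 // needed to record read steps
-readStep(pred.getNode(), pred.getState(), _, succ.getNode(), succ.getState())
+readStep(predNode, predState, _, succNode, succState)
 )
 }
 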
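Review bot: The new doc comment on `isAdditionalTaintStep` in the first hunk does not say how it differs from `isAdditionalFlowStep` declared directly above it, which is the distinction this commit hinges on; the third hunk shows that a taint step is only admitted with `state1 instanceof InitState` and `state2.(InitState).decode(false)`, i.e. it resets the value-preservation state, while the 4-ary `isAdditionalFlowStep` in the second hunk no longer routes the 2-ary `ContentConfig::isAdditionalFlowStep` through a state-carrying step at all. I would extend the comment to something like `* Unlike `isAdditionalFlowStep`, a taint step does not preserve the tracked value, so the flow state is reset to the non-preserving initial state.`, and add a matching sentence to `isAdditionalFlowStep`'s comment, whose body is cut off above the hunk. Whether the 2-ary `isAdditionalFlowStep` is still consumed elsewhere (the alias `predicate isAdditionalFlowStep = ContentConfig::isAdditionalFlowStep/2;` suggests a separate configuration) cannot be confirmed from this diff. In the fourth hunk, the added `)` closes a disjunction opened outside the hunk and `succNodeAndState` is defined elsewhere, so the enclosing predicate starts before the visible lines.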