Refactor: Create writesFieldOnSsaWithFields

owen-mc · owen-mc · commit 714e1d6c3ac0 · 2025-09-19T07:23:40.000+01:00
diff --git a/go/ql/lib/semmle/go/controlflow/ControlFlowGraph.qll b/go/ql/lib/semmle/go/controlflow/ControlFlowGraph.qll
@@ -152,6 +152,15 @@ module ControlFlow {
       )
     }
 
+    /**
+     * Holds if this node sets the value of field `f` on `v` to `rhs`.
+     */
+    predicate writesFieldOnSsaWithFields(SsaWithFields v, Field f, DataFlow::Node rhs) {
+      exists(IR::Instruction insn | this.writesFieldInsn(insn, f, rhs.asInstruction()) |
+        v.getAUse().asInstruction() = insn
+      )
+    }
+
     private predicate writesFieldInsn(IR::Instruction base, Field f, IR::Instruction rhs) {
       exists(IR::FieldTarget trg | trg = super.getLhs() |
         (
diff --git a/go/ql/lib/semmle/go/security/OpenUrlRedirectCustomizations.qll b/go/ql/lib/semmle/go/security/OpenUrlRedirectCustomizations.qll
@@ -90,10 +90,9 @@ module OpenUrlRedirect {
    */
   class PathAssignmentBarrier extends Barrier, Read {
     PathAssignmentBarrier() {
-      exists(Write w, DataFlow::Node base, SsaWithFields var |
+      exists(Write w, SsaWithFields var |
         hasHostnameSanitizingSubstring(w.getRhs()) and
-        w.writesField(base, any(Field f | f.getName() = "Path"), _) and
-        [base, base.(DataFlow::PostUpdateNode).getPreUpdateNode()] = var.getAUse() and
+        w.writesFieldOnSsaWithFields(var, any(Field f | f.getName() = "Path"), _) and
         useIsDominated(var, w, this)
       )
     }
diff --git a/go/ql/lib/semmle/go/security/RequestForgery.qll b/go/ql/lib/semmle/go/security/RequestForgery.qll
@@ -27,11 +27,8 @@ module RequestForgery {
 
     predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
       // propagate to a URL when its host is assigned to
-      exists(Write w, DataFlow::Node base, Field f, SsaWithFields v |
-        f.hasQualifiedName("net/url", "URL", "Host")
-      |
-        w.writesField(base, f, pred) and
-        [base, base.(DataFlow::PostUpdateNode).getPreUpdateNode()] = v.getAUse() and
+      exists(Write w, Field f, SsaWithFields v | f.hasQualifiedName("net/url", "URL", "Host") |
+        w.writesFieldOnSsaWithFields(v, f, pred) and
         succ = v.getAUse()
       )
     }
diff --git a/go/ql/lib/semmle/go/security/SafeUrlFlow.qll b/go/ql/lib/semmle/go/security/SafeUrlFlow.qll
@@ -23,11 +23,8 @@ module SafeUrlFlow {
 
     predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
       // propagate to a URL when its host is assigned to
-      exists(Write w, DataFlow::Node base, Field f, SsaWithFields v |
-        f.hasQualifiedName("net/url", "URL", "Host")
-      |
-        w.writesField(base, f, node1) and
-        [base, base.(DataFlow::PostUpdateNode).getPreUpdateNode()] = v.getAUse() and
+      exists(Write w, Field f, SsaWithFields v | f.hasQualifiedName("net/url", "URL", "Host") |
+        w.writesFieldOnSsaWithFields(v, f, node1) and
         node2 = v.getAUse()
       )
     }
diff --git a/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql b/go/ql/src/Security/CWE-322/InsecureHostKeyCallback.ql
@@ -98,15 +98,8 @@ predicate hostCheckReachesSink(Flow::PathNode sink) {
         Flow::flowPath(source, otherSink) and
         Config::writeIsSink(sink.getNode(), sinkWrite) and
         Config::writeIsSink(otherSink.getNode(), otherSinkWrite) and
-        exists(DataFlow::Node base1 |
-          sinkWrite.writesField(base1, _, sink.getNode()) and
-          [base1, base1.(DataFlow::PostUpdateNode).getPreUpdateNode()] = sinkAccessPath.getAUse()
-        ) and
-        exists(DataFlow::Node base2 |
-          otherSinkWrite.writesField(base2, _, otherSink.getNode()) and
-          [base2, base2.(DataFlow::PostUpdateNode).getPreUpdateNode()] =
-            otherSinkAccessPath.getAUse()
-        ) and
+        sinkWrite.writesFieldOnSsaWithFields(sinkAccessPath, _, sink.getNode()) and
+        otherSinkWrite.writesFieldOnSsaWithFields(otherSinkAccessPath, _, otherSink.getNode()) and
         otherSinkAccessPath = sinkAccessPath.similar()
       )
     )
diff --git a/go/ql/src/experimental/CWE-918/SSRF.qll b/go/ql/src/experimental/CWE-918/SSRF.qll
@@ -22,11 +22,8 @@ module ServerSideRequestForgery {
 
     predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
       // propagate to a URL when its host is assigned to
-      exists(Write w, DataFlow::Node base, Field f, SsaWithFields v |
-        f.hasQualifiedName("net/url", "URL", "Host")
-      |
-        w.writesField(base, f, node1) and
-        [base, base.(DataFlow::PostUpdateNode).getPreUpdateNode()] = v.getAUse() and
+      exists(Write w, Field f, SsaWithFields v | f.hasQualifiedName("net/url", "URL", "Host") |
+        w.writesFieldOnSsaWithFields(v, f, node1) and
         node2 = v.getAUse()
       )
     }

Original file line number	Diff line number	Diff line change
`@@ -152,6 +152,15 @@ module ControlFlow {`
`152`	`152`	`)`
`153`	`153`	`}`
`154`	`154`
	`155`	`+ /**`
	`156`	+ * Holds if this node sets the value of field `f` on `v` to `rhs`.
	`157`	`+ */`
	`158`	`+ predicate writesFieldOnSsaWithFields(SsaWithFields v, Field f, DataFlow::Node rhs) {`
	`159`	`+ exists(IR::Instruction insn \| this.writesFieldInsn(insn, f, rhs.asInstruction()) \|`
	`160`	`+ v.getAUse().asInstruction() = insn`
	`161`	`+ )`
	`162`	`+ }`
	`163`	`+`
`155`	`164`	`private predicate writesFieldInsn(IR::Instruction base, Field f, IR::Instruction rhs) {`
`156`	`165`	`exists(IR::FieldTarget trg \| trg = super.getLhs() \|`
`157`	`166`	`(`
Original file line number	Diff line number	Diff line change
`@@ -90,10 +90,9 @@ module OpenUrlRedirect {`
`90`	`90`	`*/`
`91`	`91`	`class PathAssignmentBarrier extends Barrier, Read {`
`92`	`92`	`PathAssignmentBarrier() {`
`93`		`- exists(Write w, DataFlow::Node base, SsaWithFields var \|`
	`93`	`+ exists(Write w, SsaWithFields var \|`
`94`	`94`	`hasHostnameSanitizingSubstring(w.getRhs()) and`
`95`		`- w.writesField(base, any(Field f \| f.getName() = "Path"), _) and`
`96`		`- [base, base.(DataFlow::PostUpdateNode).getPreUpdateNode()] = var.getAUse() and`
	`95`	`+ w.writesFieldOnSsaWithFields(var, any(Field f \| f.getName() = "Path"), _) and`
`97`	`96`	`useIsDominated(var, w, this)`
`98`	`97`	`)`
`99`	`98`	`}`
Original file line number	Diff line number	Diff line change
`@@ -27,11 +27,8 @@ module RequestForgery {`
`27`	`27`
`28`	`28`	`predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {`
`29`	`29`	`// propagate to a URL when its host is assigned to`
`30`		`- exists(Write w, DataFlow::Node base, Field f, SsaWithFields v \|`
`31`		`- f.hasQualifiedName("net/url", "URL", "Host")`
`32`		`- \|`
`33`		`- w.writesField(base, f, pred) and`
`34`		`- [base, base.(DataFlow::PostUpdateNode).getPreUpdateNode()] = v.getAUse() and`
	`30`	`+ exists(Write w, Field f, SsaWithFields v \| f.hasQualifiedName("net/url", "URL", "Host") \|`
	`31`	`+ w.writesFieldOnSsaWithFields(v, f, pred) and`
`35`	`32`	`succ = v.getAUse()`
`36`	`33`	`)`
`37`	`34`	`}`
Original file line number	Diff line number	Diff line change
`@@ -23,11 +23,8 @@ module SafeUrlFlow {`
`23`	`23`
`24`	`24`	`predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {`
`25`	`25`	`// propagate to a URL when its host is assigned to`
`26`		`- exists(Write w, DataFlow::Node base, Field f, SsaWithFields v \|`
`27`		`- f.hasQualifiedName("net/url", "URL", "Host")`
`28`		`- \|`
`29`		`- w.writesField(base, f, node1) and`
`30`		`- [base, base.(DataFlow::PostUpdateNode).getPreUpdateNode()] = v.getAUse() and`
	`26`	`+ exists(Write w, Field f, SsaWithFields v \| f.hasQualifiedName("net/url", "URL", "Host") \|`
	`27`	`+ w.writesFieldOnSsaWithFields(v, f, node1) and`
`31`	`28`	`node2 = v.getAUse()`
`32`	`29`	`)`
`33`	`30`	`}`
Original file line number	Diff line number	Diff line change
`@@ -22,11 +22,8 @@ module ServerSideRequestForgery {`
`22`	`22`
`23`	`23`	`predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {`
`24`	`24`	`// propagate to a URL when its host is assigned to`
`25`		`- exists(Write w, DataFlow::Node base, Field f, SsaWithFields v \|`
`26`		`- f.hasQualifiedName("net/url", "URL", "Host")`
`27`		`- \|`
`28`		`- w.writesField(base, f, node1) and`
`29`		`- [base, base.(DataFlow::PostUpdateNode).getPreUpdateNode()] = v.getAUse() and`
	`25`	`+ exists(Write w, Field f, SsaWithFields v \| f.hasQualifiedName("net/url", "URL", "Host") \|`
	`26`	`+ w.writesFieldOnSsaWithFields(v, f, node1) and`
`30`	`27`	`node2 = v.getAUse()`
`31`	`28`	`)`
`32`	`29`	`}`