github
diff --git a/‎cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll‎
Lines changed: 2 additions & 2 deletions b/‎cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/ProductFlow.qll‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎shared/dataflow/codeql/dataflow/DataFlow.qll‎
Lines changed: 21 additions & 0 deletions b/‎shared/dataflow/codeql/dataflow/DataFlow.qll‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎shared/dataflow/codeql/dataflow/TaintTracking.qll‎
Lines changed: 4 additions & 0 deletions b/‎shared/dataflow/codeql/dataflow/TaintTracking.qll‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎shared/dataflow/codeql/dataflow/internal/ContentDataFlowImpl.qll‎
Lines changed: 19 additions & 1 deletion b/‎shared/dataflow/codeql/dataflow/internal/ContentDataFlowImpl.qll‎
Lines changed: 19 additions & 1 deletion
@@ -546,7 +546,7 @@ module ProductFlow {
       Flow1::PathGraph::edges(pred1, succ1, _, _) and
       exists(ReturnKindExt returnKind |
         succ1.getNode() = getAnOutNodeExt(call, returnKind) and
-        returnKind = getParamReturnPosition(_, pred1.asParameterReturnNode()).getKind()
+        returnKind = getParamReturnPosition(pred1.asParameterReturnNode()).getKind()
       )
     }
 
@@ -574,7 +574,7 @@ module ProductFlow {
       Flow2::PathGraph::edges(pred2, succ2, _, _) and
       exists(ReturnKindExt returnKind |
         succ2.getNode() = getAnOutNodeExt(call, returnKind) and
-        returnKind = getParamReturnPosition(_, pred2.asParameterReturnNode()).getKind()
+        returnKind = getParamReturnPosition(pred2.asParameterReturnNode()).getKind()
       )
     }
 
 
@@ -363,6 +363,13 @@ module Configs<LocationSig Location, InputSig<Location> Lang> {
      */
     predicate isSink(Node sink);
 
+    /**
+     * INTERNAL: Do not use.
+     *
+     * Holds if `sink` is a relevant reverse data flow sink.
+     */
+    default predicate isSinkReverse(Node sink) { none() }
+
     /**
      * Holds if data flow through `node` is prohibited. This completely removes
      * `node` from the data flow graph.
@@ -465,6 +472,20 @@ module Configs<LocationSig Location, InputSig<Location> Lang> {
      */
     default predicate isSink(Node sink) { none() }
 
+    /**
+     * INTERNAL: Do not use.
+     *
+     * Holds if `sink` is a relevant reverse data flow sink for any state.
+     */
+    default predicate isSinkReverse(Node sink) { none() }
+
+    /**
+     * INTERNAL: Do not use.
+     *
+     * Holds if `sink` is a relevant reverse data flow sink accepting `state`.
+     */
+    default predicate isSinkReverse(Node sink, FlowState state) { none() }
+
     /**
      * Holds if data flow through `node` is prohibited. This completely removes
      * `node` from the data flow graph.
 
@@ -179,6 +179,10 @@ module TaintFlowMake<
       Config::isSink(sink, state.getState())
     }
 
+    predicate isSinkReverse(DataFlowLang::Node sink, FlowState state) {
+      Config::isSinkReverse(sink, state.getState())
+    }
+
     predicate isBarrier(DataFlowLang::Node node, FlowState state) {
       Config::isBarrier(node, state.getState())
     }
 
@@ -46,6 +46,13 @@ module MakeImplContentDataFlow<LocationSig Location, InputSig<Location> Lang> {
      */
     predicate isSink(Node sink);
 
+    /**
+     * INTERNAL: Do not use.
+     *
+     * Holds if `sink` is a relevant reverse data flow sink.
+     */
+    default predicate isSinkReverse(Node sink) { none() }
+
     /**
      * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
      */
@@ -98,6 +105,15 @@ module MakeImplContentDataFlow<LocationSig Location, InputSig<Location> Lang> {
         )
       }
 
+      predicate isSinkReverse(Node sink, FlowState state) {
+        ContentConfig::isSinkReverse(sink) and
+        (
+          state instanceof InitState or
+          state instanceof StoreState or
+          state instanceof ReadState
+        )
+      }
+
       predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
         storeStep(node1, state1, _, node2, state2) or
         readStep(node1, state1, _, node2, state2) or
@@ -202,7 +218,7 @@ module MakeImplContentDataFlow<LocationSig Location, InputSig<Location> Lang> {
       Node node1, State state1, ContentSet c, Node node2, StoreState state2
     ) {
       exists(boolean preservesValue, int size |
-        storeSet(node1, c, node2, _, _) and
+        storeSet(node1, c, node2) and
         ContentConfig::isRelevantContent(c) and
         state2.decode(size + 1, preservesValue)
       |
@@ -359,6 +375,8 @@ module MakeImplContentDataFlow<LocationSig Location, InputSig<Location> Lang> {
           or
           FlowConfig::isSink(node.getNode(), node.getState())
           or
+          FlowConfig::isSinkReverse(node.getNode(), node.getState())
+          or
           excludeStep(node, _)
           or
           Flow::PathGraph::subpaths(_, _, node, _)
Original file line number	Diff line number	Diff line change
`@@ -546,7 +546,7 @@ module ProductFlow {`
`546`	`546`	`Flow1::PathGraph::edges(pred1, succ1, _, _) and`
`547`	`547`	`exists(ReturnKindExt returnKind \|`
`548`	`548`	`succ1.getNode() = getAnOutNodeExt(call, returnKind) and`
`549`		`- returnKind = getParamReturnPosition(_, pred1.asParameterReturnNode()).getKind()`
	`549`	`+ returnKind = getParamReturnPosition(pred1.asParameterReturnNode()).getKind()`
`550`	`550`	`)`
`551`	`551`	`}`
`552`	`552`
`@@ -574,7 +574,7 @@ module ProductFlow {`
`574`	`574`	`Flow2::PathGraph::edges(pred2, succ2, _, _) and`
`575`	`575`	`exists(ReturnKindExt returnKind \|`
`576`	`576`	`succ2.getNode() = getAnOutNodeExt(call, returnKind) and`
`577`		`- returnKind = getParamReturnPosition(_, pred2.asParameterReturnNode()).getKind()`
	`577`	`+ returnKind = getParamReturnPosition(pred2.asParameterReturnNode()).getKind()`
`578`	`578`	`)`
`579`	`579`	`}`
`580`	`580`
Original file line number	Diff line number	Diff line change
`@@ -179,6 +179,10 @@ module TaintFlowMake<`
`179`	`179`	`Config::isSink(sink, state.getState())`
`180`	`180`	`}`
`181`	`181`
	`182`	`+ predicate isSinkReverse(DataFlowLang::Node sink, FlowState state) {`
	`183`	`+ Config::isSinkReverse(sink, state.getState())`
	`184`	`+ }`
	`185`	`+`
`182`	`186`	`predicate isBarrier(DataFlowLang::Node node, FlowState state) {`
`183`	`187`	`Config::isBarrier(node, state.getState())`
`184`	`188`	`}`