C#: Fix potential bug in CaptureOutNode.

lcartey · lcartey · commit 407f6349a351 · 2019-09-18T11:48:29.000+01:00
In theory this bug could associated CaptureOutNodes with the wrong transitively called
callable. However, in practice I could not create a test case that revealed incorrect
behaviour. I've included one such test case in the commit.

I believe that the cause of this is that OutNode::getACall() is not actually used in the
data flow libraries. Instead, DataFlowDispatch::Cached::getAnOutNode is the predicate
which is used to associated OutNode's with DataFlowCall's in practice, and that is always
used in a context that correctly binds the runtime target of the call.
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
@@ -953,7 +953,7 @@ private module OutNodes {
         additionalCalls = false and
         call.(ImplicitDelegateDataFlowCall).isArgumentOf(csharpCall(_, cfn), _)
         or
-        additionalCalls = true and call = TTransitiveCapturedCall(cfn, _)
+        additionalCalls = true and call = TTransitiveCapturedCall(cfn, n.getEnclosingCallable())
       )
     }
 
diff --git a/csharp/ql/test/library-tests/dataflow/global/Capture.cs b/csharp/ql/test/library-tests/dataflow/global/Capture.cs
@@ -108,18 +108,18 @@ void M()
         };
         CaptureOut2NotCalled();
         Check(nonSink0);
-        /*string sink40 = "";
+        string sink40 = "";
         void CaptureOutMultipleLambdas()
         {
             RunAction(() => {
                 sink40 = "taint source";
             });
             RunAction(() => {
-                sink40 = "not tainted";
+                nonSink0 = "not tainted";
             });
         };
         CaptureOutMultipleLambdas();
-        Check(sink40);*/
+        Check(sink40); Check(nonSink0);
     }
 
     void Through(string tainted)
diff --git a/csharp/ql/test/library-tests/dataflow/global/DataFlow.expected b/csharp/ql/test/library-tests/dataflow/global/DataFlow.expected
@@ -5,6 +5,7 @@
 | Capture.cs:72:15:72:20 | access to local variable sink30 |
 | Capture.cs:84:15:84:20 | access to local variable sink31 |
 | Capture.cs:93:15:93:20 | access to local variable sink32 |
+| Capture.cs:122:15:122:20 | access to local variable sink40 |
 | Capture.cs:133:15:133:20 | access to local variable sink33 |
 | Capture.cs:145:15:145:20 | access to local variable sink34 |
 | Capture.cs:154:15:154:20 | access to local variable sink35 |
diff --git a/csharp/ql/test/library-tests/dataflow/global/DataFlowEdges.expected b/csharp/ql/test/library-tests/dataflow/global/DataFlowEdges.expected
@@ -337,6 +337,45 @@
 | Capture.cs:109:9:109:30 | call to local function CaptureOut2NotCalled | Capture.cs:109:9:109:30 | call to local function CaptureOut2NotCalled |
 | Capture.cs:110:9:110:23 | call to method Check | Capture.cs:110:9:110:23 | call to method Check |
 | Capture.cs:110:15:110:22 | access to local variable nonSink0 | Capture.cs:110:15:110:22 | access to local variable nonSink0 |
+| Capture.cs:111:16:111:26 | SSA def(sink40) | Capture.cs:111:16:111:26 | SSA def(sink40) |
+| Capture.cs:111:16:111:26 | String sink40 = ... | Capture.cs:111:16:111:26 | String sink40 = ... |
+| Capture.cs:111:25:111:26 | "" | Capture.cs:111:16:111:26 | SSA def(sink40) |
+| Capture.cs:111:25:111:26 | "" | Capture.cs:111:16:111:26 | SSA def(sink40) |
+| Capture.cs:111:25:111:26 | "" | Capture.cs:111:25:111:26 | "" |
+| Capture.cs:114:13:116:14 | call to method RunAction | Capture.cs:114:13:116:14 | call to method RunAction |
+| Capture.cs:114:23:116:13 | (...) => ... | Capture.cs:114:23:116:13 | (...) => ... |
+| Capture.cs:114:23:116:13 | (...) => ... | Capture.cs:202:34:202:34 | a |
+| Capture.cs:114:23:116:13 | (...) => ... | Capture.cs:202:34:202:34 | a |
+| Capture.cs:115:17:115:39 | ... = ... | Capture.cs:115:17:115:39 | ... = ... |
+| Capture.cs:115:17:115:39 | SSA def(sink40) | Capture.cs:115:17:115:39 | SSA def(sink40) |
+| Capture.cs:115:17:115:39 | SSA def(sink40) | Capture.cs:121:9:121:35 | SSA call def(sink40) |
+| Capture.cs:115:17:115:39 | SSA def(sink40) | Capture.cs:121:9:121:35 | SSA call def(sink40) |
+| Capture.cs:115:26:115:39 | "taint source" | Capture.cs:115:17:115:39 | SSA def(sink40) |
+| Capture.cs:115:26:115:39 | "taint source" | Capture.cs:115:17:115:39 | SSA def(sink40) |
+| Capture.cs:115:26:115:39 | "taint source" | Capture.cs:115:26:115:39 | "taint source" |
+| Capture.cs:117:13:119:14 | call to method RunAction | Capture.cs:117:13:119:14 | call to method RunAction |
+| Capture.cs:117:23:119:13 | (...) => ... | Capture.cs:117:23:119:13 | (...) => ... |
+| Capture.cs:117:23:119:13 | (...) => ... | Capture.cs:202:34:202:34 | a |
+| Capture.cs:117:23:119:13 | (...) => ... | Capture.cs:202:34:202:34 | a |
+| Capture.cs:118:17:118:40 | ... = ... | Capture.cs:118:17:118:40 | ... = ... |
+| Capture.cs:118:17:118:40 | SSA def(nonSink0) | Capture.cs:118:17:118:40 | SSA def(nonSink0) |
+| Capture.cs:118:17:118:40 | SSA def(nonSink0) | Capture.cs:121:9:121:35 | SSA call def(nonSink0) |
+| Capture.cs:118:17:118:40 | SSA def(nonSink0) | Capture.cs:121:9:121:35 | SSA call def(nonSink0) |
+| Capture.cs:118:28:118:40 | "not tainted" | Capture.cs:118:17:118:40 | SSA def(nonSink0) |
+| Capture.cs:118:28:118:40 | "not tainted" | Capture.cs:118:17:118:40 | SSA def(nonSink0) |
+| Capture.cs:118:28:118:40 | "not tainted" | Capture.cs:118:28:118:40 | "not tainted" |
+| Capture.cs:121:9:121:33 | access to local function CaptureOutMultipleLambdas | Capture.cs:121:9:121:33 | access to local function CaptureOutMultipleLambdas |
+| Capture.cs:121:9:121:35 | SSA call def(nonSink0) | Capture.cs:121:9:121:35 | SSA call def(nonSink0) |
+| Capture.cs:121:9:121:35 | SSA call def(nonSink0) | Capture.cs:122:30:122:37 | access to local variable nonSink0 |
+| Capture.cs:121:9:121:35 | SSA call def(nonSink0) | Capture.cs:122:30:122:37 | access to local variable nonSink0 |
+| Capture.cs:121:9:121:35 | SSA call def(sink40) | Capture.cs:121:9:121:35 | SSA call def(sink40) |
+| Capture.cs:121:9:121:35 | SSA call def(sink40) | Capture.cs:122:15:122:20 | access to local variable sink40 |
+| Capture.cs:121:9:121:35 | SSA call def(sink40) | Capture.cs:122:15:122:20 | access to local variable sink40 |
+| Capture.cs:121:9:121:35 | call to local function CaptureOutMultipleLambdas | Capture.cs:121:9:121:35 | call to local function CaptureOutMultipleLambdas |
+| Capture.cs:122:9:122:21 | call to method Check | Capture.cs:122:9:122:21 | call to method Check |
+| Capture.cs:122:15:122:20 | access to local variable sink40 | Capture.cs:122:15:122:20 | access to local variable sink40 |
+| Capture.cs:122:24:122:38 | call to method Check | Capture.cs:122:24:122:38 | call to method Check |
+| Capture.cs:122:30:122:37 | access to local variable nonSink0 | Capture.cs:122:30:122:37 | access to local variable nonSink0 |
 | Capture.cs:125:10:125:16 | this | Capture.cs:125:10:125:16 | this |
 | Capture.cs:125:25:125:31 | tainted | Capture.cs:125:25:125:31 | tainted |
 | Capture.cs:125:25:125:31 | tainted | Capture.cs:125:25:125:31 | tainted |
@@ -647,6 +686,10 @@
 | Capture.cs:202:34:202:34 | a | Capture.cs:204:9:204:9 | access to parameter a |
 | Capture.cs:202:34:202:34 | a | Capture.cs:204:9:204:9 | access to parameter a |
 | Capture.cs:202:34:202:34 | a | Capture.cs:204:9:204:9 | access to parameter a |
+| Capture.cs:202:34:202:34 | a | Capture.cs:204:9:204:9 | access to parameter a |
+| Capture.cs:202:34:202:34 | a | Capture.cs:204:9:204:9 | access to parameter a |
+| Capture.cs:202:34:202:34 | a | Capture.cs:204:9:204:9 | access to parameter a |
+| Capture.cs:202:34:202:34 | a | Capture.cs:204:9:204:9 | access to parameter a |
 | Capture.cs:204:9:204:9 | access to parameter a | Capture.cs:204:9:204:9 | access to parameter a |
 | Capture.cs:204:9:204:18 | delegate call | Capture.cs:204:9:204:18 | delegate call |
 | GlobalDataFlow.cs:14:17:14:17 | this | GlobalDataFlow.cs:14:17:14:17 | this |
diff --git a/csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected b/csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected
@@ -22,6 +22,9 @@ edges
 | Capture.cs:89:13:89:35 | SSA def(sink32) | Capture.cs:92:9:92:41 | SSA call def(sink32) |
 | Capture.cs:89:22:89:35 | "taint source" | Capture.cs:89:13:89:35 | SSA def(sink32) |
 | Capture.cs:92:9:92:41 | SSA call def(sink32) | Capture.cs:93:15:93:20 | access to local variable sink32 |
+| Capture.cs:115:17:115:39 | SSA def(sink40) | Capture.cs:121:9:121:35 | SSA call def(sink40) |
+| Capture.cs:115:26:115:39 | "taint source" | Capture.cs:115:17:115:39 | SSA def(sink40) |
+| Capture.cs:121:9:121:35 | SSA call def(sink40) | Capture.cs:122:15:122:20 | access to local variable sink40 |
 | Capture.cs:125:25:125:31 | tainted | Capture.cs:132:9:132:25 | [implicit argument] tainted |
 | Capture.cs:125:25:125:31 | tainted | Capture.cs:144:9:144:25 | [implicit argument] tainted |
 | Capture.cs:125:25:125:31 | tainted | Capture.cs:153:9:153:45 | [implicit argument] tainted |
@@ -225,6 +228,7 @@ edges
 | Capture.cs:169:15:169:20 | access to local variable sink37 | Capture.cs:125:25:125:31 | tainted | Capture.cs:169:15:169:20 | access to local variable sink37 | access to local variable sink37 |
 | Capture.cs:195:15:195:20 | access to local variable sink38 | Capture.cs:125:25:125:31 | tainted | Capture.cs:195:15:195:20 | access to local variable sink38 | access to local variable sink38 |
 | GlobalDataFlow.cs:136:15:136:19 | access to local variable sink4 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:136:15:136:19 | access to local variable sink4 | access to local variable sink4 |
+| Capture.cs:122:15:122:20 | access to local variable sink40 | Capture.cs:115:26:115:39 | "taint source" | Capture.cs:122:15:122:20 | access to local variable sink40 | access to local variable sink40 |
 | GlobalDataFlow.cs:144:15:144:19 | access to local variable sink5 | GlobalDataFlow.cs:17:27:17:40 | "taint source" | GlobalDataFlow.cs:144:15:144:19 | access to local variable sink5 | access to local variable sink5 |
 | GlobalDataFlow.cs:154:15:154:19 | access to local variable sink6 | GlobalDataFlow.cs:318:16:318:29 | "taint source" | GlobalDataFlow.cs:154:15:154:19 | access to local variable sink6 | access to local variable sink6 |
 | GlobalDataFlow.cs:157:15:157:19 | access to local variable sink7 | GlobalDataFlow.cs:323:13:323:26 | "taint source" | GlobalDataFlow.cs:157:15:157:19 | access to local variable sink7 | access to local variable sink7 |
diff --git a/csharp/ql/test/library-tests/dataflow/global/GetAnOutNode.expected b/csharp/ql/test/library-tests/dataflow/global/GetAnOutNode.expected
@@ -11,6 +11,12 @@
 | Capture.cs:92:9:92:51 | call to method ToArray | return | Capture.cs:92:9:92:51 | call to method ToArray |
 | Capture.cs:92:30:92:40 | [implicit call] access to local variable captureOut3 | captured sink32 | Capture.cs:92:9:92:41 | SSA call def(sink32) |
 | Capture.cs:92:30:92:40 | [implicit call] access to local variable captureOut3 | return | Capture.cs:92:30:92:40 | [output] access to local variable captureOut3 |
+| Capture.cs:121:9:121:35 | [transitive] call to local function CaptureOutMultipleLambdas | captured nonSink0 | Capture.cs:121:9:121:35 | SSA call def(nonSink0) |
+| Capture.cs:121:9:121:35 | [transitive] call to local function CaptureOutMultipleLambdas | captured nonSink0 | Capture.cs:121:9:121:35 | SSA call def(nonSink0) |
+| Capture.cs:121:9:121:35 | [transitive] call to local function CaptureOutMultipleLambdas | captured sink40 | Capture.cs:121:9:121:35 | SSA call def(sink40) |
+| Capture.cs:121:9:121:35 | [transitive] call to local function CaptureOutMultipleLambdas | captured sink40 | Capture.cs:121:9:121:35 | SSA call def(sink40) |
+| Capture.cs:121:9:121:35 | call to local function CaptureOutMultipleLambdas | captured nonSink0 | Capture.cs:121:9:121:35 | SSA call def(nonSink0) |
+| Capture.cs:121:9:121:35 | call to local function CaptureOutMultipleLambdas | captured sink40 | Capture.cs:121:9:121:35 | SSA call def(sink40) |
 | Capture.cs:132:9:132:25 | call to local function CaptureThrough1 | captured sink33 | Capture.cs:132:9:132:25 | SSA call def(sink33) |
 | Capture.cs:144:9:144:25 | [transitive] call to local function CaptureThrough2 | captured sink34 | Capture.cs:144:9:144:25 | SSA call def(sink34) |
 | Capture.cs:144:9:144:25 | call to local function CaptureThrough2 | captured sink34 | Capture.cs:144:9:144:25 | SSA call def(sink34) |
diff --git a/csharp/ql/test/library-tests/dataflow/global/TaintTracking.expected b/csharp/ql/test/library-tests/dataflow/global/TaintTracking.expected
@@ -5,6 +5,7 @@
 | Capture.cs:72:15:72:20 | access to local variable sink30 |
 | Capture.cs:84:15:84:20 | access to local variable sink31 |
 | Capture.cs:93:15:93:20 | access to local variable sink32 |
+| Capture.cs:122:15:122:20 | access to local variable sink40 |
 | Capture.cs:133:15:133:20 | access to local variable sink33 |
 | Capture.cs:145:15:145:20 | access to local variable sink34 |
 | Capture.cs:154:15:154:20 | access to local variable sink35 |
diff --git a/csharp/ql/test/library-tests/dataflow/global/TaintTrackingEdges.expected b/csharp/ql/test/library-tests/dataflow/global/TaintTrackingEdges.expected
@@ -395,6 +395,45 @@
 | Capture.cs:109:9:109:30 | call to local function CaptureOut2NotCalled | Capture.cs:109:9:109:30 | call to local function CaptureOut2NotCalled |
 | Capture.cs:110:9:110:23 | call to method Check | Capture.cs:110:9:110:23 | call to method Check |
 | Capture.cs:110:15:110:22 | access to local variable nonSink0 | Capture.cs:110:15:110:22 | access to local variable nonSink0 |
+| Capture.cs:111:16:111:26 | SSA def(sink40) | Capture.cs:111:16:111:26 | SSA def(sink40) |
+| Capture.cs:111:16:111:26 | String sink40 = ... | Capture.cs:111:16:111:26 | String sink40 = ... |
+| Capture.cs:111:25:111:26 | "" | Capture.cs:111:16:111:26 | SSA def(sink40) |
+| Capture.cs:111:25:111:26 | "" | Capture.cs:111:16:111:26 | SSA def(sink40) |
+| Capture.cs:111:25:111:26 | "" | Capture.cs:111:25:111:26 | "" |
+| Capture.cs:114:13:116:14 | call to method RunAction | Capture.cs:114:13:116:14 | call to method RunAction |
+| Capture.cs:114:23:116:13 | (...) => ... | Capture.cs:114:23:116:13 | (...) => ... |
+| Capture.cs:114:23:116:13 | (...) => ... | Capture.cs:202:34:202:34 | a |
+| Capture.cs:114:23:116:13 | (...) => ... | Capture.cs:202:34:202:34 | a |
+| Capture.cs:115:17:115:39 | ... = ... | Capture.cs:115:17:115:39 | ... = ... |
+| Capture.cs:115:17:115:39 | SSA def(sink40) | Capture.cs:115:17:115:39 | SSA def(sink40) |
+| Capture.cs:115:17:115:39 | SSA def(sink40) | Capture.cs:121:9:121:35 | SSA call def(sink40) |
+| Capture.cs:115:17:115:39 | SSA def(sink40) | Capture.cs:121:9:121:35 | SSA call def(sink40) |
+| Capture.cs:115:26:115:39 | "taint source" | Capture.cs:115:17:115:39 | SSA def(sink40) |
+| Capture.cs:115:26:115:39 | "taint source" | Capture.cs:115:17:115:39 | SSA def(sink40) |
+| Capture.cs:115:26:115:39 | "taint source" | Capture.cs:115:26:115:39 | "taint source" |
+| Capture.cs:117:13:119:14 | call to method RunAction | Capture.cs:117:13:119:14 | call to method RunAction |
+| Capture.cs:117:23:119:13 | (...) => ... | Capture.cs:117:23:119:13 | (...) => ... |
+| Capture.cs:117:23:119:13 | (...) => ... | Capture.cs:202:34:202:34 | a |
+| Capture.cs:117:23:119:13 | (...) => ... | Capture.cs:202:34:202:34 | a |
+| Capture.cs:118:17:118:40 | ... = ... | Capture.cs:118:17:118:40 | ... = ... |
+| Capture.cs:118:17:118:40 | SSA def(nonSink0) | Capture.cs:118:17:118:40 | SSA def(nonSink0) |
+| Capture.cs:118:17:118:40 | SSA def(nonSink0) | Capture.cs:121:9:121:35 | SSA call def(nonSink0) |
+| Capture.cs:118:17:118:40 | SSA def(nonSink0) | Capture.cs:121:9:121:35 | SSA call def(nonSink0) |
+| Capture.cs:118:28:118:40 | "not tainted" | Capture.cs:118:17:118:40 | SSA def(nonSink0) |
+| Capture.cs:118:28:118:40 | "not tainted" | Capture.cs:118:17:118:40 | SSA def(nonSink0) |
+| Capture.cs:118:28:118:40 | "not tainted" | Capture.cs:118:28:118:40 | "not tainted" |
+| Capture.cs:121:9:121:33 | access to local function CaptureOutMultipleLambdas | Capture.cs:121:9:121:33 | access to local function CaptureOutMultipleLambdas |
+| Capture.cs:121:9:121:35 | SSA call def(nonSink0) | Capture.cs:121:9:121:35 | SSA call def(nonSink0) |
+| Capture.cs:121:9:121:35 | SSA call def(nonSink0) | Capture.cs:122:30:122:37 | access to local variable nonSink0 |
+| Capture.cs:121:9:121:35 | SSA call def(nonSink0) | Capture.cs:122:30:122:37 | access to local variable nonSink0 |
+| Capture.cs:121:9:121:35 | SSA call def(sink40) | Capture.cs:121:9:121:35 | SSA call def(sink40) |
+| Capture.cs:121:9:121:35 | SSA call def(sink40) | Capture.cs:122:15:122:20 | access to local variable sink40 |
+| Capture.cs:121:9:121:35 | SSA call def(sink40) | Capture.cs:122:15:122:20 | access to local variable sink40 |
+| Capture.cs:121:9:121:35 | call to local function CaptureOutMultipleLambdas | Capture.cs:121:9:121:35 | call to local function CaptureOutMultipleLambdas |
+| Capture.cs:122:9:122:21 | call to method Check | Capture.cs:122:9:122:21 | call to method Check |
+| Capture.cs:122:15:122:20 | access to local variable sink40 | Capture.cs:122:15:122:20 | access to local variable sink40 |
+| Capture.cs:122:24:122:38 | call to method Check | Capture.cs:122:24:122:38 | call to method Check |
+| Capture.cs:122:30:122:37 | access to local variable nonSink0 | Capture.cs:122:30:122:37 | access to local variable nonSink0 |
 | Capture.cs:125:10:125:16 | this | Capture.cs:125:10:125:16 | this |
 | Capture.cs:125:25:125:31 | tainted | Capture.cs:125:25:125:31 | tainted |
 | Capture.cs:125:25:125:31 | tainted | Capture.cs:125:25:125:31 | tainted |
@@ -753,6 +792,10 @@
 | Capture.cs:202:34:202:34 | a | Capture.cs:204:9:204:9 | access to parameter a |
 | Capture.cs:202:34:202:34 | a | Capture.cs:204:9:204:9 | access to parameter a |
 | Capture.cs:202:34:202:34 | a | Capture.cs:204:9:204:9 | access to parameter a |
+| Capture.cs:202:34:202:34 | a | Capture.cs:204:9:204:9 | access to parameter a |
+| Capture.cs:202:34:202:34 | a | Capture.cs:204:9:204:9 | access to parameter a |
+| Capture.cs:202:34:202:34 | a | Capture.cs:204:9:204:9 | access to parameter a |
+| Capture.cs:202:34:202:34 | a | Capture.cs:204:9:204:9 | access to parameter a |
 | Capture.cs:204:9:204:9 | access to parameter a | Capture.cs:204:9:204:9 | access to parameter a |
 | Capture.cs:204:9:204:18 | delegate call | Capture.cs:204:9:204:18 | delegate call |
 | GlobalDataFlow.cs:14:17:14:17 | this | GlobalDataFlow.cs:14:17:14:17 | this |
diff --git a/csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected b/csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected
@@ -22,6 +22,9 @@ edges
 | Capture.cs:89:13:89:35 | SSA def(sink32) | Capture.cs:92:9:92:41 | SSA call def(sink32) |
 | Capture.cs:89:22:89:35 | "taint source" | Capture.cs:89:13:89:35 | SSA def(sink32) |
 | Capture.cs:92:9:92:41 | SSA call def(sink32) | Capture.cs:93:15:93:20 | access to local variable sink32 |
+| Capture.cs:115:17:115:39 | SSA def(sink40) | Capture.cs:121:9:121:35 | SSA call def(sink40) |
+| Capture.cs:115:26:115:39 | "taint source" | Capture.cs:115:17:115:39 | SSA def(sink40) |
+| Capture.cs:121:9:121:35 | SSA call def(sink40) | Capture.cs:122:15:122:20 | access to local variable sink40 |
 | Capture.cs:125:25:125:31 | tainted | Capture.cs:132:9:132:25 | [implicit argument] tainted |
 | Capture.cs:125:25:125:31 | tainted | Capture.cs:144:9:144:25 | [implicit argument] tainted |
 | Capture.cs:125:25:125:31 | tainted | Capture.cs:153:9:153:45 | [implicit argument] tainted |
@@ -252,6 +255,7 @@ edges
 | Capture.cs:72:15:72:20 | access to local variable sink30 | Capture.cs:69:22:69:35 | "taint source" | Capture.cs:72:15:72:20 | access to local variable sink30 | access to local variable sink30 |
 | Capture.cs:84:15:84:20 | access to local variable sink31 | Capture.cs:79:26:79:39 | "taint source" | Capture.cs:84:15:84:20 | access to local variable sink31 | access to local variable sink31 |
 | Capture.cs:93:15:93:20 | access to local variable sink32 | Capture.cs:89:22:89:35 | "taint source" | Capture.cs:93:15:93:20 | access to local variable sink32 | access to local variable sink32 |
+| Capture.cs:122:15:122:20 | access to local variable sink40 | Capture.cs:115:26:115:39 | "taint source" | Capture.cs:122:15:122:20 | access to local variable sink40 | access to local variable sink40 |
 | Capture.cs:133:15:133:20 | access to local variable sink33 | Capture.cs:125:25:125:31 | tainted | Capture.cs:133:15:133:20 | access to local variable sink33 | access to local variable sink33 |
 | Capture.cs:145:15:145:20 | access to local variable sink34 | Capture.cs:125:25:125:31 | tainted | Capture.cs:145:15:145:20 | access to local variable sink34 | access to local variable sink34 |
 | Capture.cs:154:15:154:20 | access to local variable sink35 | Capture.cs:125:25:125:31 | tainted | Capture.cs:154:15:154:20 | access to local variable sink35 | access to local variable sink35 |

Original file line number	Diff line number	Diff line change
`@@ -953,7 +953,7 @@ private module OutNodes {`
`953`	`953`	`additionalCalls = false and`
`954`	`954`	`call.(ImplicitDelegateDataFlowCall).isArgumentOf(csharpCall(_, cfn), _)`
`955`	`955`	`or`
`956`		`- additionalCalls = true and call = TTransitiveCapturedCall(cfn, _)`
	`956`	`+ additionalCalls = true and call = TTransitiveCapturedCall(cfn, n.getEnclosingCallable())`
`957`	`957`	`)`
`958`	`958`	`}`
`959`	`959`