Use flow path in alerts

joefarebrother · joefarebrother · commit 5b7200a0418c · 2025-04-02T09:35:32.000+01:00
diff --git a/python/ql/src/Variables/LoopVariableCapture.ql b/python/ql/src/Variables/LoopVariableCapture.ql
@@ -1,7 +1,7 @@
 /**
  * @name Loop variable capture
  * @description Capture of a loop variable is not the same as capturing the value of a loop variable, and may be erroneous.
- * @kind problem
+ * @kind path-problem
  * @tags correctness
  * @problem.severity error
  * @sub-severity low
@@ -60,13 +60,23 @@ module EscapingCaptureFlowSig implements DataFlow::ConfigSig {
 
 module EscapingCaptureFlow = DataFlow::Global<EscapingCaptureFlowSig>;
 
-predicate escapingCapture(CallableExpr capturing, Loop loop, Variable var) {
+import EscapingCaptureFlow::PathGraph
+
+predicate escapingCapture(
+  CallableExpr capturing, Loop loop, Variable var, EscapingCaptureFlow::PathNode source,
+  EscapingCaptureFlow::PathNode sink
+) {
   capturesLoopVariable(capturing, loop, var) and
-  EscapingCaptureFlow::flow(DataFlow::exprNode(capturing), _)
+  capturing = source.getNode().asExpr() and
+  EscapingCaptureFlow::flowPath(source, sink)
 }
 
-from CallableExpr capturing, AstNode loop, Variable var, string descr
+from
+  CallableExpr capturing, AstNode loop, Variable var, string descr,
+  EscapingCaptureFlow::PathNode source, EscapingCaptureFlow::PathNode sink
 where
-  escapingCapture(capturing, loop, var) and
+  escapingCapture(capturing, loop, var, source, sink) and
   if capturing instanceof Lambda then descr = "lambda" else descr = "function"
-select capturing, "This " + descr + " captures the loop variable $@.", loop, var.getId()
+select capturing, source, sink,
+  "This " + descr + " captures the loop variable $@, and may escape the loop by being stored $@.",
+  loop, var.getId(), sink, "here"
