
Commit 7eef5ba

authored
Merge pull request #294 from microsoft/jb1/dataflowstack-overlay
DataFlowStack parameterized over Dataflow implementation
2 parents 2a0a312 + 18ff8d2 commit 7eef5ba


2 files changed

+70
-50
lines changed


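--- a/java/ql/lib/semmle/code/java/dataflow/TaintTrackingStack.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/TaintTrackingStack.qll
@@ -7,10 +7,11 @@ private import semmle.code.java.dataflow.TaintTracking
 private import semmle.code.java.dataflow.internal.DataFlowImplSpecific
 private import semmle.code.java.dataflow.internal.TaintTrackingImplSpecific
 private import codeql.dataflowstack.TaintTrackingStack as TTS
-private import TTS::TaintTrackingStackMake<Location, JavaDataFlow, JavaTaintTracking> as TaintTrackingStackFactory
 
-private module TaintTrackingStackInput<TaintTrackingStackFactory::DataFlow::ConfigSig Config>
-implements TTS::TaintTrackingStackSig<Location, JavaDataFlow, JavaTaintTracking, Config>
+module LanguageTaintTrackingStack = TTS::LanguageTaintTracking<Location, JavaDataFlow, JavaTaintTracking>;
+
+private module TaintTrackingStackInput<DataFlow::ConfigSig Config>
+implements LanguageTaintTrackingStack::DataFlowGroup<Config>::TaintTrackingStackSig<TaintTracking::Global<Config>>
 {
 private module Flow = TaintTracking::Global<Config>;
 
@@ -29,13 +30,13 @@ private module TaintTrackingStackInput<TaintTrackingStackFactory::DataFlow::Conf
 }
 }
 
-module DataFlowStackMake<TaintTrackingStackFactory::DataFlow::ConfigSig Config> {
-import TaintTrackingStackFactory::FlowStack<Config, TaintTrackingStackInput<Config>>
+module DataFlowStackMake<DataFlow::ConfigSig Config> {
+import LanguageTaintTrackingStack::FlowStack<TaintTracking::Global<Config>, Config, TaintTrackingStackInput<Config>>
 }
 
 module BiStackAnalysisMake<
-TaintTrackingStackFactory::DataFlow::ConfigSig ConfigA,
-TaintTrackingStackFactory::DataFlow::ConfigSig ConfigB>
-{
-import TaintTrackingStackFactory::BiStackAnalysis<ConfigA, TaintTrackingStackInput<ConfigA>, ConfigB, TaintTrackingStackInput<ConfigB>>
+DataFlow::ConfigSig ConfigA,
+DataFlow::ConfigSig ConfigB
+>{
+import LanguageTaintTrackingStack::BiStackAnalysis<ConfigA, TaintTracking::Global<ConfigA>, TaintTrackingStackInput<ConfigA>, ConfigB, TaintTracking::Global<ConfigB>, TaintTrackingStackInput<ConfigB>>
 }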
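Review bot: The alias `LanguageTaintTrackingStack` added at new line 11 is declared without `private`, whereas the `TaintTrackingStackFactory` import it replaces was a `private import`, so this file now exports an extra module name that queries could come to depend on. If nothing outside the file needs it, declare it `private module LanguageTaintTrackingStack = TTS::LanguageTaintTracking<Location, JavaDataFlow, JavaTaintTracking>;`; if the export is intended, give it a QLDoc comment such as `/** The Java instantiation of the shared taint-tracking stack library. */`. `DataFlowStackMake` and `BiStackAnalysisMake` still pin `TaintTracking::Global<Config>`, so the new parameterization is not reachable through these wrappers; a one-line QLDoc on each stating that would save callers from assuming otherwise.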

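--- a/shared/dataflowstack/codeql/dataflowstack/TaintTrackingStack.qll
+++ b/shared/dataflowstack/codeql/dataflowstack/TaintTrackingStack.qll
@@ -5,43 +5,58 @@ private import codeql.dataflow.DataFlow as DF
 private import codeql.dataflow.TaintTracking as TT
 private import codeql.util.Location
 
-signature module TaintTrackingStackSig<
-LocationSig Location, DF::InputSig<Location> Lang, TT::InputSig<Location, Lang> TTLang,
-DF::Configs<Location, Lang>::ConfigSig Config>
-{
-Lang::Node getNode(TT::TaintFlowMake<Location, Lang, TTLang>::Global<Config>::PathNode n);
+/**
+* A Language-initialized grouping of DataFlow types and primitives.
+*/
+module LanguageTaintTracking<LocationSig Location, DF::InputSig<Location> Lang, TT::InputSig<Location, Lang> TTLang>{
+module AbstractDF = DF::Configs<Location, Lang>;
+module AbstractDataFlow = DF::DataFlowMake<Location, Lang>;
+module AbstractTaintFlow = TT::TaintFlowMake<Location, Lang, TTLang>;
+module AbstractTaintFlowOverlay = TT::TaintFlowMakeOverlay<Location, Lang, TTLang>;
+
+/**
+* A collection of modules that are scoped to a specific DataFlow config implementation
+*/
+module DataFlowGroup<AbstractDF::ConfigSig Config>{
+
+module MyConfig = Config;
+module TaintFlowGlobal = AbstractTaintFlow::Global<Config>;
+module TaintFlowOverlayGlobal = AbstractTaintFlowOverlay::Global<Config>;
 
-predicate isSource(TT::TaintFlowMake<Location, Lang, TTLang>::Global<Config>::PathNode n);
+/**
+* A Taint tracking implementation, paramaterized over a DataFlow type
+*/
+signature module TaintTrackingStackSig<AbstractDataFlow::GlobalFlowSig GlobalFlow>{
 
-TT::TaintFlowMake<Location, Lang, TTLang>::Global<Config>::PathNode getASuccessor(
-TT::TaintFlowMake<Location, Lang, TTLang>::Global<Config>::PathNode n
-);
+Lang::Node getNode(GlobalFlow::PathNode n);
 
-Lang::DataFlowCallable getARuntimeTarget(Lang::DataFlowCall call);
+predicate isSource(GlobalFlow::PathNode n);
 
-Lang::Node getAnArgumentNode(Lang::DataFlowCall call);
-}
+GlobalFlow::PathNode getASuccessor(
+GlobalFlow::PathNode n
+);
 
-module TaintTrackingStackMake<
-LocationSig Location, DF::InputSig<Location> Lang, TT::InputSig<Location, Lang> TTLang>
-{
-module DataFlow = DF::DataFlowMake<Location, Lang>;
+Lang::DataFlowCallable getARuntimeTarget(Lang::DataFlowCall call);
 
-module TaintTracking = TT::TaintFlowMake<Location, Lang, TTLang>;
+Lang::Node getAnArgumentNode(Lang::DataFlowCall call);
+}
+}
 
 module BiStackAnalysis<
-DF::Configs<Location, Lang>::ConfigSig ConfigA,
-TaintTrackingStackSig<Location, Lang, TTLang, ConfigA> TaintTrackingStackA,
-DF::Configs<Location, Lang>::ConfigSig ConfigB,
-TaintTrackingStackSig<Location, Lang, TTLang, ConfigB> TaintTrackingStackB>
+AbstractDF::ConfigSig ConfigA,
+AbstractDataFlow::GlobalFlowSig GlobalFlowA,
+DataFlowGroup<ConfigA>::TaintTrackingStackSig<GlobalFlowA> TaintTrackingStackA,
+AbstractDF::ConfigSig ConfigB,
+AbstractDataFlow::GlobalFlowSig GlobalFlowB,
+DataFlowGroup<ConfigB>::TaintTrackingStackSig<GlobalFlowB> TaintTrackingStackB>
 {
-module FlowA = TaintTracking::Global<ConfigA>;
+module FlowA = GlobalFlowA;
 
-module FlowStackA = FlowStack<ConfigA, TaintTrackingStackA>;
+module FlowStackA = FlowStack<GlobalFlowA, ConfigA, TaintTrackingStackA>;
 
-module FlowB = TaintTracking::Global<ConfigB>;
+module FlowB = GlobalFlowB;
 
-module FlowStackB = FlowStack<ConfigB, TaintTrackingStackB>;
+module FlowStackB = FlowStack<GlobalFlowB, ConfigB, TaintTrackingStackB>;
 
 /**
 * Holds if either the Stack associated with `sourceNodeA` is a subset of the stack associated with `sourceNodeB`
@@ -59,10 +74,10 @@ module TaintTrackingStackMake<
 flowStackA = FlowStackA::createFlowStack(sourceNodeA, sinkNodeA) and
 flowStackB = FlowStackB::createFlowStack(sourceNodeB, sinkNodeB) and
 (
-BiStackAnalysisImpl<ConfigA, TaintTrackingStackA, ConfigB, TaintTrackingStackB>::flowStackIsSubsetOf(flowStackA,
+BiStackAnalysisImpl<GlobalFlowA, ConfigA, TaintTrackingStackA, GlobalFlowB, ConfigB, TaintTrackingStackB>::flowStackIsSubsetOf(flowStackA,
 flowStackB)
 or
-BiStackAnalysisImpl<ConfigB, TaintTrackingStackB, ConfigA, TaintTrackingStackA>::flowStackIsSubsetOf(flowStackB,
+BiStackAnalysisImpl<GlobalFlowB, ConfigB, TaintTrackingStackB, GlobalFlowA, ConfigA, TaintTrackingStackA>::flowStackIsSubsetOf(flowStackB,
 flowStackA)
 )
 )
@@ -87,10 +102,10 @@ module TaintTrackingStackMake<
 flowStackA = FlowStackA::createFlowStack(sourceNodeA, sinkNodeA) and
 flowStackB = FlowStackB::createFlowStack(sourceNodeB, sinkNodeB) and
 (
-BiStackAnalysisImpl<ConfigA, TaintTrackingStackA, ConfigB, TaintTrackingStackB>::flowStackIsConvergingTerminatingSubsetOf(flowStackA,
+BiStackAnalysisImpl<GlobalFlowA, ConfigA, TaintTrackingStackA, GlobalFlowB, ConfigB, TaintTrackingStackB>::flowStackIsConvergingTerminatingSubsetOf(flowStackA,
 flowStackB)
 or
-BiStackAnalysisImpl<ConfigB, TaintTrackingStackB, ConfigA, TaintTrackingStackA>::flowStackIsConvergingTerminatingSubsetOf(flowStackB,
+BiStackAnalysisImpl<GlobalFlowB, ConfigB, TaintTrackingStackB, GlobalFlowA, ConfigA, TaintTrackingStackA>::flowStackIsConvergingTerminatingSubsetOf(flowStackB,
 flowStackA)
 )
 )
@@ -103,7 +118,7 @@ module TaintTrackingStackMake<
 * The top of stackA is in stackB and the bottom of stackA is then some successor further down stackB.
 */
 predicate flowStackIsSubsetOf(FlowStackA::FlowStack flowStackA, FlowStackB::FlowStack flowStackB) {
-BiStackAnalysisImpl<ConfigA, TaintTrackingStackA, ConfigB, TaintTrackingStackB>::flowStackIsSubsetOf(flowStackA,
+BiStackAnalysisImpl<GlobalFlowA, ConfigA, TaintTrackingStackA, GlobalFlowB, ConfigB, TaintTrackingStackB>::flowStackIsSubsetOf(flowStackA,
 flowStackB)
 }
 
@@ -115,20 +130,23 @@ module TaintTrackingStackMake<
 predicate flowStackIsConvergingTerminatingSubsetOf(
 FlowStackA::FlowStack flowStackA, FlowStackB::FlowStack flowStackB
 ) {
-BiStackAnalysisImpl<ConfigA, TaintTrackingStackA, ConfigB, TaintTrackingStackB>::flowStackIsConvergingTerminatingSubsetOf(flowStackA,
+BiStackAnalysisImpl<GlobalFlowA, ConfigA, TaintTrackingStackA, GlobalFlowB, ConfigB, TaintTrackingStackB>::flowStackIsConvergingTerminatingSubsetOf(flowStackA,
 flowStackB)
 }
 }
 
 private module BiStackAnalysisImpl<
-DF::Configs<Location, Lang>::ConfigSig ConfigA,
-TaintTrackingStackSig<Location, Lang, TTLang, ConfigA> DataFlowStackA,
-DF::Configs<Location, Lang>::ConfigSig ConfigB,
-TaintTrackingStackSig<Location, Lang, TTLang, ConfigB> DataFlowStackB>
+AbstractDataFlow::GlobalFlowSig GlobalFlowA,
+AbstractDF::ConfigSig ConfigA,
+DataFlowGroup<ConfigA>::TaintTrackingStackSig<GlobalFlowA> DataFlowStackA,
+AbstractDataFlow::GlobalFlowSig GlobalFlowB,
+AbstractDF::ConfigSig ConfigB,
+DataFlowGroup<ConfigB>::TaintTrackingStackSig<GlobalFlowB> DataFlowStackB>
 {
-module FlowStackA = FlowStack<ConfigA, DataFlowStackA>;
 
-module FlowStackB = FlowStack<ConfigB, DataFlowStackB>;
+module FlowStackA = FlowStack<GlobalFlowA, ConfigA, DataFlowStackA>;
+
+module FlowStackB = FlowStack<GlobalFlowB, ConfigB, DataFlowStackB>;
 
 /**
 * Holds if stackA is a subset of stackB,
@@ -173,10 +191,11 @@ module TaintTrackingStackMake<
 }
 
 module FlowStack<
-DF::Configs<Location, Lang>::ConfigSig Config,
-TaintTrackingStackSig<Location, Lang, TTLang, Config> TaintTrackingStack>
+AbstractDataFlow::GlobalFlowSig GlobalFlow,
+AbstractDF::ConfigSig Config,
+DataFlowGroup<Config>::TaintTrackingStackSig<GlobalFlow> TaintTrackingStack>
 {
-private module Flow = TT::TaintFlowMake<Location, Lang, TTLang>::Global<Config>;
+private module Flow = GlobalFlow;
 
 /**
 * Determines whether or not the given PathNode is a source
@@ -436,4 +455,4 @@ module TaintTrackingStackMake<
 }
 }
 }
-}
+}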
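Review bot: `FlowStack`, `BiStackAnalysis` and `BiStackAnalysisImpl` now take `GlobalFlow` and `Config` as independent parameters, and nothing in the visible signatures requires that `GlobalFlow` was computed from `Config`. In the lines shown, `Config` only selects `DataFlowGroup<Config>`, whose `TaintTrackingStackSig` members refer to `GlobalFlow` and `Lang` alone, so a mismatched pair would presumably still compile and produce stacks that mix two configurations, which for a security query means silently missing or spurious results. Either drop `Config` where it is no longer used, or state the contract in the QLDoc of each module, for example `/** GlobalFlow must be the flow module instantiated from Config. */`. The module bodies continue outside the hunks, so `Config` may still be used further down. The QLDoc at new line 27 also spells "parameterized" as "paramaterized".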
