@@ -35,7 +35,7 @@ private class DefaultTaintTrackingCfg extends DataFlow::Configuration {
3535
3636 override predicate isSource ( DataFlow:: Node source ) { source = getNodeForSource ( _) }
3737
38- override predicate isSink ( DataFlow:: Node sink ) { any ( ) }
38+ override predicate isSink ( DataFlow:: Node sink ) { exists ( adjustedSink ( sink ) ) }
3939
4040 override predicate isAdditionalFlowStep ( DataFlow:: Node n1 , DataFlow:: Node n2 ) {
4141 instructionTaintStep ( n1 .asInstruction ( ) , n2 .asInstruction ( ) )
@@ -50,18 +50,15 @@ private class ToGlobalVarTaintTrackingCfg extends DataFlow::Configuration {
5050 override predicate isSource ( DataFlow:: Node source ) { source = getNodeForSource ( _) }
5151
5252 override predicate isSink ( DataFlow:: Node sink ) {
53- exists ( GlobalOrNamespaceVariable gv | writesVariable ( sink .asInstruction ( ) , gv ) )
53+ sink .asVariable ( ) instanceof GlobalOrNamespaceVariable
5454 }
5555
5656 override predicate isAdditionalFlowStep ( DataFlow:: Node n1 , DataFlow:: Node n2 ) {
5757 instructionTaintStep ( n1 .asInstruction ( ) , n2 .asInstruction ( ) )
5858 or
59- exists ( StoreInstruction i1 , LoadInstruction i2 , GlobalOrNamespaceVariable gv |
60- writesVariable ( i1 , gv ) and
61- readsVariable ( i2 , gv ) and
62- i1 = n1 .asInstruction ( ) and
63- i2 = n2 .asInstruction ( )
64- )
59+ writesVariable ( n1 .asInstruction ( ) , n2 .asVariable ( ) .( GlobalOrNamespaceVariable ) )
60+ or
61+ readsVariable ( n2 .asInstruction ( ) , n1 .asVariable ( ) .( GlobalOrNamespaceVariable ) )
6562 }
6663
6764 override predicate isBarrier ( DataFlow:: Node node ) { nodeIsBarrier ( node ) }
@@ -71,19 +68,20 @@ private class FromGlobalVarTaintTrackingCfg extends DataFlow2::Configuration {
7168 FromGlobalVarTaintTrackingCfg ( ) { this = "FromGlobalVarTaintTrackingCfg" }
7269
7370 override predicate isSource ( DataFlow:: Node source ) {
74- exists (
75- ToGlobalVarTaintTrackingCfg other , DataFlow:: Node prevSink , GlobalOrNamespaceVariable gv
76- |
77- other .hasFlowTo ( prevSink ) and
78- writesVariable ( prevSink .asInstruction ( ) , gv ) and
79- readsVariable ( source .asInstruction ( ) , gv )
80- )
71+ // This set of sources should be reasonably small, which is good for
72+ // performance since the set of sinks is very large.
73+ exists ( ToGlobalVarTaintTrackingCfg otherCfg | otherCfg .hasFlowTo ( source ) )
8174 }
8275
83- override predicate isSink ( DataFlow:: Node sink ) { any ( ) }
76+ override predicate isSink ( DataFlow:: Node sink ) { exists ( adjustedSink ( sink ) ) }
8477
8578 override predicate isAdditionalFlowStep ( DataFlow:: Node n1 , DataFlow:: Node n2 ) {
8679 instructionTaintStep ( n1 .asInstruction ( ) , n2 .asInstruction ( ) )
80+ or
81+ // Additional step for flow out of variables. There is no flow _into_
82+ // variables in this configuration, so this step only serves to take flow
83+ // out of a variable that's a source.
84+ readsVariable ( n2 .asInstruction ( ) , n1 .asVariable ( ) )
8785 }
8886
8987 override predicate isBarrier ( DataFlow:: Node node ) { nodeIsBarrier ( node ) }
@@ -315,23 +313,12 @@ predicate taintedIncludingGlobalVars(Expr source, Element tainted, string global
315313 globalVar = ""
316314 or
317315 exists (
318- ToGlobalVarTaintTrackingCfg toCfg , FromGlobalVarTaintTrackingCfg fromCfg , DataFlow :: Node store ,
319- GlobalOrNamespaceVariable global , DataFlow:: Node load , DataFlow:: Node sink
316+ ToGlobalVarTaintTrackingCfg toCfg , FromGlobalVarTaintTrackingCfg fromCfg ,
317+ DataFlow:: VariableNode variableNode , GlobalOrNamespaceVariable global , DataFlow:: Node sink
320318 |
321- toCfg .hasFlow ( getNodeForSource ( source ) , store ) and
322- store
323- .asInstruction ( )
324- .( StoreInstruction )
325- .getDestinationAddress ( )
326- .( VariableAddressInstruction )
327- .getASTVariable ( ) = global and
328- load
329- .asInstruction ( )
330- .( LoadInstruction )
331- .getSourceAddress ( )
332- .( VariableAddressInstruction )
333- .getASTVariable ( ) = global and
334- fromCfg .hasFlow ( load , sink ) and
319+ global = variableNode .getVariable ( ) and
320+ toCfg .hasFlow ( getNodeForSource ( source ) , variableNode ) and
321+ fromCfg .hasFlow ( variableNode , sink ) and
335322 tainted = adjustedSink ( sink ) and
336323 global = globalVarFromId ( globalVar )
337324 )
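Review bot: In FromGlobalVarTaintTrackingCfg.isAdditionalFlowStep (third hunk, new line 84) the variable-read step is written as `readsVariable(n2.asInstruction(), n1.asVariable())` with no restriction on the variable, whereas the matching step in ToGlobalVarTaintTrackingCfg (second hunk, new line 61) casts to `GlobalOrNamespaceVariable`. The comment above the step says it only matters for variables that are sources, and since this configuration's sources are the sinks of ToGlobalVarTaintTrackingCfg — global variable nodes, if I read the second hunk's isSink correctly — the unrestricted form is not wrong, but it leaves that invariant in a comment rather than in the code and, depending on how the step relation is evaluated, may be computed over every local-variable read before being joined with the sources. I would write it as `readsVariable(n2.asInstruction(), n1.asVariable().(GlobalOrNamespaceVariable))` so both configurations agree and the "global variables only" contract is enforced by the type. The enclosing class FromGlobalVarTaintTrackingCfg begins before the hunk.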