Model generator

hvitved · hvitved · commit 13b8249247a0 · 2024-12-09T13:36:49.000+01:00
diff --git a/shared/dataflow/codeql/dataflow/DataFlow.qll b/shared/dataflow/codeql/dataflow/DataFlow.qll
@@ -363,6 +363,11 @@ module Configs<LocationSig Location, InputSig<Location> Lang>{
 */
 predicate isSink(Node sink);
 
+ /**
+ * Holds if `sink` is a relevant data flow sink.
+ */
+ default predicate isSinkReverse(Node sink){none() }
+
 /**
 * Holds if data flow through `node` is prohibited. This completely removes
 * `node` from the data flow graph.
@@ -465,6 +470,16 @@ module Configs<LocationSig Location, InputSig<Location> Lang>{
 */
 default predicate isSink(Node sink){none() }
 
+ /**
+ * Holds if `sink` is a relevant data flow sink for any state.
+ */
+ default predicate isSinkReverse(Node sink){none() }
+
+ /**
+ * Holds if `sink` is a relevant data flow sink accepting `state`.
+ */
+ default predicate isSinkReverse(Node sink, FlowState state){none() }
+
 /**
 * Holds if data flow through `node` is prohibited. This completely removes
 * `node` from the data flow graph.
diff --git a/shared/dataflow/codeql/dataflow/TaintTracking.qll b/shared/dataflow/codeql/dataflow/TaintTracking.qll
@@ -179,6 +179,10 @@ module TaintFlowMake<
 Config::isSink(sink, state.getState())
 }
 
+ predicate isSinkReverse(DataFlowLang::Node sink, FlowState state){
+ Config::isSinkReverse(sink, state.getState())
+ }
+
 predicate isBarrier(DataFlowLang::Node node, FlowState state){
 Config::isBarrier(node, state.getState())
 }
diff --git a/shared/dataflow/codeql/dataflow/internal/ContentDataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/ContentDataFlowImpl.qll
@@ -46,6 +46,11 @@ module MakeImplContentDataFlow<LocationSig Location, InputSig<Location> Lang>{
 */
 predicate isSink(Node sink);
 
+ /**
+ * Holds if `sink` is a relevant data flow sink.
+ */
+ default predicate isSinkReverse(Node sink){none() }
+
 /**
 * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
 */
@@ -98,6 +103,15 @@ module MakeImplContentDataFlow<LocationSig Location, InputSig<Location> Lang>{
 )
 }
 
+ predicate isSinkReverse(Node sink, FlowState state){
+ ContentConfig::isSinkReverse(sink) and
+ (
+ state instanceof InitState or
+ state instanceof StoreState or
+ state instanceof ReadState
+ )
+ }
+
 predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2){
 storeStep(node1, state1, _, node2, state2) or
 readStep(node1, state1, _, node2, state2) or
@@ -114,7 +128,35 @@ module MakeImplContentDataFlow<LocationSig Location, InputSig<Location> Lang>{
 predicate includeHiddenNodes(){any() }
 }
 
- private module Flow = GlobalWithState<FlowConfig>;
+ module Flow = GlobalWithState<FlowConfig>;
+
+ /**
+ * Holds if data stored inside `sourceAp` on `source` flows to `sinkAp` inside `sink`
+ * for this configuration. `preservesValue` indicates whether any of the additional
+ * flow steps defined by `isAdditionalFlowStep` are needed.
+ *
+ * For the source access path, `sourceAp`, the top of the stack represents the content
+ * that was last read from. That is, if `sourceAp` is `Field1.Field2` (with `Field1`
+ * being the top of the stack), then there is flow from `source.Field2.Field1`.
+ *
+ * For the sink access path, `sinkAp`, the top of the stack represents the content
+ * that was last stored into. That is, if `sinkAp` is `Field1.Field2` (with `Field1`
+ * being the top of the stack), then there is flow into `sink.Field1.Field2`.
+ */
+ predicate flowPath(
+ Flow::PathNode source, AccessPath sourceAp, Flow::PathNode sink, AccessPath sinkAp,
+ boolean preservesValue
+ ){
+ Flow::flowPath(source, sink) and
+ nodeReaches(source, TAccessPathNil(), TAccessPathNil(), sink, sourceAp, sinkAp) and
+ (
+ sink.getState().(InitState).decode(preservesValue)
+ or
+ sink.getState().(ReadState).decode(_, preservesValue)
+ or
+ sink.getState().(StoreState).decode(_, preservesValue)
+ )
+ }
 
 /**
 * Holds if data stored inside `sourceAp` on `source` flows to `sinkAp` inside `sink`
@@ -133,16 +175,9 @@ module MakeImplContentDataFlow<LocationSig Location, InputSig<Location> Lang>{
 Node source, AccessPath sourceAp, Node sink, AccessPath sinkAp, boolean preservesValue
 ){
 exists(Flow::PathNode pathSource, Flow::PathNode pathSink |
- Flow::flowPath(pathSource, pathSink) and
- nodeReaches(pathSource, TAccessPathNil(), TAccessPathNil(), pathSink, sourceAp, sinkAp) and
+ flowPath(pathSource, sourceAp, pathSink, sinkAp, preservesValue) and
 source = pathSource.getNode() and
 sink = pathSink.getNode()
- |
- pathSink.getState().(InitState).decode(preservesValue)
- or
- pathSink.getState().(ReadState).decode(_, preservesValue)
- or
- pathSink.getState().(StoreState).decode(_, preservesValue)
 )
 }
 
@@ -359,6 +394,8 @@ module MakeImplContentDataFlow<LocationSig Location, InputSig<Location> Lang>{
 or
 FlowConfig::isSink(node.getNode(), node.getState())
 or
+ FlowConfig::isSinkReverse(node.getNode(), node.getState())
+ or
 excludeStep(node, _)
 or
 Flow::PathGraph::subpaths(_, _, node, _)
diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll
@@ -40,6 +40,16 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang>{
 */
 predicate isSink(Node sink);
 
+ /**
+ * Holds if `sink` is a relevant data flow sink accepting `state`.
+ */
+ predicate isSinkReverse(Node sink, FlowState state);
+
+ /**
+ * Holds if `sink` is a relevant data flow sink for any state.
+ */
+ predicate isSinkReverse(Node sink);
+
 /**
 * Holds if data flow through `node` is prohibited. This completely removes
 * `node` from the data flow graph.
@@ -149,6 +159,10 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang>{
 
 predicate isSink(Node sink, FlowState state){Config::isSink(sink) and exists(state) }
 
+ predicate isSinkReverse(Node sink, FlowState state){
+ Config::isSinkReverse(sink) and exists(state)
+ }
+
 predicate isBarrier(Node node, FlowState state){none() }
 
 predicate isBarrierIn(Node node, FlowState state){none() }
@@ -192,18 +206,32 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang>{
 else any()
 }
 
+ pragma[nomagic]
+ private predicate isFilteredSinkReverse(Node sink){
+ (
+ Config::isSinkReverse(sink, _) or
+ Config::isSinkReverse(sink)
+ ) and
+ if Config::observeDiffInformedIncrementalMode()
+ then AlertFiltering::filterByLocation(sink.getLocation())
+ else any()
+ }
+
 private predicate hasFilteredSource(){isFilteredSource(_) }
 
 private predicate hasFilteredSink(){isFilteredSink(_) }
 
+ private predicate hasFilteredSinkReverse(){isFilteredSinkReverse(_) }
+
 predicate isRelevantSource(Node source, FlowState state){
 // If there are filtered sinks, we need to pass through all sources to preserve all alerts
 // with filtered sinks. Otherwise the only alerts of interest are those with filtered
 // sources, so we can perform the source filtering right here.
 Config::isSource(source, state) and
 (
 isFilteredSource(source) or
- hasFilteredSink()
+ hasFilteredSink() or
+ hasFilteredSinkReverse()
 )
 }
 
@@ -218,6 +246,17 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang>{
 )
 }
 
+ predicate isRelevantSinkReverse(Node sink, FlowState state){
+ // If there are filtered sources, we need to pass through all sinks to preserve all alerts
+ // with filtered sources. Otherwise the only alerts of interest are those with filtered
+ // sinks, so we can perform the sink filtering right here.
+ Config::isSinkReverse(sink, state) and
+ (
+ isFilteredSinkReverse(sink) or
+ hasFilteredSource()
+ )
+ }
+
 predicate isRelevantSink(Node sink){
 // If there are filtered sources, we need to pass through all sinks to preserve all alerts
 // with filtered sources. Otherwise the only alerts of interest are those with filtered
@@ -229,12 +268,30 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang>{
 )
 }
 
+ predicate isRelevantSinkReverse(Node sink){
+ // If there are filtered sources, we need to pass through all sinks to preserve all alerts
+ // with filtered sources. Otherwise the only alerts of interest are those with filtered
+ // sinks, so we can perform the sink filtering right here.
+ Config::isSinkReverse(sink) and
+ (
+ isFilteredSinkReverse(sink) or
+ hasFilteredSource()
+ )
+ }
+
 bindingset[source, sink]
 pragma[inline_late]
 predicate isRelevantSourceSinkPair(Node source, Node sink){
 isFilteredSource(source) or
 isFilteredSink(sink)
 }
+
+ bindingset[source, sink]
+ pragma[inline_late]
+ predicate isRelevantSourceSinkPairReverse(Node source, Node sink){
+ isFilteredSource(source) or
+ isFilteredSinkReverse(sink)
+ }
 }
 
 private import SourceSinkFiltering
@@ -258,19 +315,28 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang>{
 
 private predicate outBarrier(NodeEx node){
 exists(Node n |
- [node.asNodeOrImplicitRead(), node.asNodeReverse(_)] = n and
+ node.asNodeOrImplicitRead() = n and
 Config::isBarrierOut(n)
 |
 isRelevantSink(n, _)
 or
 isRelevantSink(n)
 )
+ or
+ exists(Node n |
+ node.asNodeReverse(_) = n and
+ Config::isBarrierOut(n)
+ |
+ isRelevantSinkReverse(n, _)
+ or
+ isRelevantSinkReverse(n)
+ )
 }
 
 pragma[nomagic]
 private predicate outBarrier(NodeEx node, FlowState state){
 exists(Node n |
- [node.asNodeOrImplicitRead(), node.asNodeReverse(_)] = n and
+ node.asNodeOrImplicitRead() = n and
 Config::isBarrierOut(n, state)
 |
 isRelevantSink(n, state)
@@ -321,6 +387,13 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang>{
 not stateBarrier(node, state)
 }
 
+ pragma[nomagic]
+ private predicate sinkNodeWithStateReverse(NodeEx node, FlowState state){
+ isRelevantSinkReverse(node.asNodeReverse(_), state) and
+ not fullBarrier(node) and
+ not stateBarrier(node, state)
+ }
+
 /** Provides the relevant barriers for a step from `node1` to `node2`. */
 bindingset[node1, node2]
 private predicate stepFilter(NodeEx node1, NodeEx node2){
@@ -707,6 +780,18 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang>{
 fwdFlow(node) and
 fwdFlowState(state) and
 sinkNodeWithState(node, state)
+ or
+ fwdFlow(pragma[only_bind_into](node)) and
+ fwdFlowState(state) and
+ isRelevantSinkReverse(node.asNodeReverse(_))
+ or
+ fwdFlow(node) and
+ fwdFlowState(state) and
+ sinkNodeWithState(node, state)
+ or
+ fwdFlow(node) and
+ fwdFlowState(state) and
+ sinkNodeWithStateReverse(node, state)
 }
 
 /**
@@ -1025,7 +1110,7 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang>{
 
 private predicate sinkModel(NodeEx node, string model){
 sinkNode(node, _) and
- exists(Node n | n = node.asNodeOrImplicitRead() |
+ exists(Node n | n = [node.asNodeOrImplicitRead(), node.asNodeReverse(_)] |
 knownSinkModel(n, model)
 or
 not knownSinkModel(n, _) and model = ""
@@ -3021,6 +3106,12 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang>{
 (isRelevantSink(n) or isRelevantSink(n, _)) and
 result.asNode() = n
 )
+ or
+ exists(Node n |
+ node.asNodeReverse(_) = n and
+ (isRelevantSinkReverse(n) or isRelevantSinkReverse(n, _)) and
+ result = node
+ )
 }
 
 override PathNodeImpl getASuccessorImpl(string label){
@@ -3520,6 +3611,9 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang>{
 /** Gets the underlying `Node`. */
 final Node getNode(){super.getNodeEx().projectToNode() = result }
 
+ /** Gets the underlying `Node`, but only when it represents a reverse-flow node. */
+ final Node getNodeReverse(){super.getNodeEx().asNodeReverse(_) = result }
+
 /** Gets the parameter node through which data is returned, if any. */
 final ParameterNode asParameterReturnNode(){
 result = super.getNodeEx().asNodeReverse(_)
@@ -4869,7 +4963,9 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang>{
 private predicate interestingCallableSink(DataFlowCallable c){
 exists(Node n | c = getNodeEnclosingCallable(n) |
 isRelevantSink(n, _) or
- isRelevantSink(n)
+ isRelevantSink(n) or
+ isRelevantSinkReverse(n, _) or
+ isRelevantSinkReverse(n)
 )
 or
 exists(DataFlowCallable mid | interestingCallableSink(mid) and callableStep(c, mid))
@@ -4905,7 +5001,9 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang>{
 ce1 = TCallable(getNodeEnclosingCallable(n))
 |
 isRelevantSink(n, _) or
- isRelevantSink(n)
+ isRelevantSink(n) or
+ isRelevantSinkReverse(n, _) or
+ isRelevantSinkReverse(n)
 )
 }
 
@@ -4973,6 +5071,11 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang>{
 relevantState(state) and
 not fullBarrier(node) and
 not stateBarrier(node, state)
+ or
+ isRelevantSinkReverse(node.asNodeReverse(_)) and
+ relevantState(state) and
+ not fullBarrier(node) and
+ not stateBarrier(node, state)
 }
 
 private newtype TSummaryCtx1 =
diff --git a/shared/mad/codeql/mad/modelgenerator/internal/ModelGeneratorImpl.qll b/shared/mad/codeql/mad/modelgenerator/internal/ModelGeneratorImpl.qll

Original file line number	Diff line number	Diff line change
`@@ -179,6 +179,10 @@ module TaintFlowMake<`
`179`	`179`	`Config::isSink(sink,state.getState())`
`180`	`180`	`}`
`181`	`181`
	`182`	`+predicateisSinkReverse(DataFlowLang::Nodesink,FlowStatestate){`
	`183`	`+ Config::isSinkReverse(sink,state.getState())`
	`184`	`+}`
	`185`	`+`
`182`	`186`	`predicateisBarrier(DataFlowLang::Nodenode,FlowStatestate){`
`183`	`187`	`Config::isBarrier(node,state.getState())`
`184`	`188`	`}`
-Original file line number
+Diff line change
  */
 predicateisSink(Nodesink);
 +/**
 + * Holds if `sink` is a relevant data flow sink.
 + */
 +defaultpredicateisSinkReverse(Nodesink){none()}
++
 /**
  * Holds if data may flow from `node1` to `node2` in addition to the normal data-flow steps.
  */
+)
+}
 +predicateisSinkReverse(Nodesink,FlowStatestate){
 + ContentConfig::isSinkReverse(sink)and
 +(
 +stateinstanceofInitStateor
 +stateinstanceofStoreStateor
 +stateinstanceofReadState
 +)
 +}
++
 predicateisAdditionalFlowStep(Nodenode1,FlowStatestate1,Nodenode2,FlowStatestate2){
 storeStep(node1,state1, _,node2,state2)or
 readStep(node1,state1, _,node2,state2)or
 predicateincludeHiddenNodes(){any()}
+}
 -privatemodule Flow = GlobalWithState<FlowConfig>;
 +module Flow = GlobalWithState<FlowConfig>;
++
 +/**
 + * Holds if data stored inside `sourceAp` on `source` flows to `sinkAp` inside `sink`
 + * for this configuration. `preservesValue` indicates whether any of the additional
 + * flow steps defined by `isAdditionalFlowStep` are needed.
 + *
 + * For the source access path, `sourceAp`, the top of the stack represents the content
 + * that was last read from. That is, if `sourceAp` is `Field1.Field2` (with `Field1`
 + * being the top of the stack), then there is flow from `source.Field2.Field1`.
 + *
 + * For the sink access path, `sinkAp`, the top of the stack represents the content
 + * that was last stored into. That is, if `sinkAp` is `Field1.Field2` (with `Field1`
 + * being the top of the stack), then there is flow into `sink.Field1.Field2`.
 + */
 +predicateflowPath(
 + Flow::PathNodesource,AccessPathsourceAp, Flow::PathNodesink,AccessPathsinkAp,
 +booleanpreservesValue
 +){
 + Flow::flowPath(source,sink)and
 +nodeReaches(source,TAccessPathNil(),TAccessPathNil(),sink,sourceAp,sinkAp)and
 +(
 +sink.getState().(InitState).decode(preservesValue)
 +or
 +sink.getState().(ReadState).decode(_,preservesValue)
 +or
 +sink.getState().(StoreState).decode(_,preservesValue)
 +)
 +}
 /**
  * Holds if data stored inside `sourceAp` on `source` flows to `sinkAp` inside `sink`
 Nodesource,AccessPathsourceAp,Nodesink,AccessPathsinkAp,booleanpreservesValue
 ){
 exists(Flow::PathNodepathSource, Flow::PathNodepathSink|
 - Flow::flowPath(pathSource,pathSink)and
 -nodeReaches(pathSource,TAccessPathNil(),TAccessPathNil(),pathSink,sourceAp,sinkAp)and
 +flowPath(pathSource,sourceAp,pathSink,sinkAp,preservesValue)and
 source=pathSource.getNode()and
 sink=pathSink.getNode()
 -|
 -pathSink.getState().(InitState).decode(preservesValue)
 -or
 -pathSink.getState().(ReadState).decode(_,preservesValue)
 -or
 -pathSink.getState().(StoreState).decode(_,preservesValue)
+)
+}
 or
  FlowConfig::isSink(node.getNode(),node.getState())
 or
 + FlowConfig::isSinkReverse(node.getNode(),node.getState())
 +or
 excludeStep(node, _)
 or
  Flow::PathGraph::subpaths(_, _,node, _)