Merge pull request #15734 from hvitved/dataflow/hidden-subpath

Data flow: Account for hidden `subpath` wrappers
github · Mar 18, 2024 · 8899d66 · 8899d66
2 parents 35a309f + 0cecbf5
commit 8899d66
Show file tree

Hide file tree

Showing 9 changed files with 217 additions and 12 deletions.
diff --git a/csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.expected b/csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.expected
@@ -52,6 +52,8 @@ edges
 | ExternalFlow.cs:84:17:84:21 | access to local variable objs2 : T[] [element] : Object | ExternalFlow.cs:85:18:85:22 | access to local variable objs2 : T[] [element] : Object | provenance |  |
 | ExternalFlow.cs:84:25:84:41 | call to method Map<Object,Object> : T[] [element] : Object | ExternalFlow.cs:84:17:84:21 | access to local variable objs2 : T[] [element] : Object | provenance |  |
 | ExternalFlow.cs:84:29:84:32 | access to local variable objs : null [element] : Object | ExternalFlow.cs:84:25:84:41 | call to method Map<Object,Object> : T[] [element] : Object | provenance |  |
+| ExternalFlow.cs:84:29:84:32 | access to local variable objs : null [element] : Object | ExternalFlow.cs:84:35:84:35 | o : Object | provenance |  |
+| ExternalFlow.cs:84:35:84:35 | o : Object | ExternalFlow.cs:84:40:84:40 | access to parameter o : Object | provenance |  |
 | ExternalFlow.cs:85:18:85:22 | access to local variable objs2 : T[] [element] : Object | ExternalFlow.cs:85:18:85:25 | access to array element | provenance |  |
 | ExternalFlow.cs:90:17:90:17 | access to local variable s : String | ExternalFlow.cs:91:19:91:19 | access to local variable s : String | provenance |  |
 | ExternalFlow.cs:90:21:90:34 | object creation of type String : String | ExternalFlow.cs:90:17:90:17 | access to local variable s : String | provenance |  |
@@ -154,6 +156,8 @@ nodes
 | ExternalFlow.cs:84:17:84:21 | access to local variable objs2 : T[] [element] : Object | semmle.label | access to local variable objs2 : T[] [element] : Object |
 | ExternalFlow.cs:84:25:84:41 | call to method Map<Object,Object> : T[] [element] : Object | semmle.label | call to method Map<Object,Object> : T[] [element] : Object |
 | ExternalFlow.cs:84:29:84:32 | access to local variable objs : null [element] : Object | semmle.label | access to local variable objs : null [element] : Object |
+| ExternalFlow.cs:84:35:84:35 | o : Object | semmle.label | o : Object |
+| ExternalFlow.cs:84:40:84:40 | access to parameter o : Object | semmle.label | access to parameter o : Object |
 | ExternalFlow.cs:85:18:85:22 | access to local variable objs2 : T[] [element] : Object | semmle.label | access to local variable objs2 : T[] [element] : Object |
 | ExternalFlow.cs:85:18:85:25 | access to array element | semmle.label | access to array element |
 | ExternalFlow.cs:90:17:90:17 | access to local variable s : String | semmle.label | access to local variable s : String |
@@ -201,6 +205,7 @@ nodes
 | ExternalFlow.cs:263:30:263:30 | access to parameter a : MyInlineArray [element] : Object | semmle.label | access to parameter a : MyInlineArray [element] : Object |
 | ExternalFlow.cs:264:18:264:18 | access to local variable b | semmle.label | access to local variable b |
 subpaths
+| ExternalFlow.cs:84:29:84:32 | access to local variable objs : null [element] : Object | ExternalFlow.cs:84:35:84:35 | o : Object | ExternalFlow.cs:84:40:84:40 | access to parameter o : Object | ExternalFlow.cs:84:25:84:41 | call to method Map<Object,Object> : T[] [element] : Object |
 #select
 | ExternalFlow.cs:10:18:10:33 | call to method StepArgRes | ExternalFlow.cs:9:27:9:38 | object creation of type Object : Object | ExternalFlow.cs:10:18:10:33 | call to method StepArgRes | $@ | ExternalFlow.cs:9:27:9:38 | object creation of type Object : Object | object creation of type Object : Object |
 | ExternalFlow.cs:18:18:18:24 | access to local variable argOut1 | ExternalFlow.cs:15:29:15:40 | object creation of type Object : Object | ExternalFlow.cs:18:18:18:24 | access to local variable argOut1 | $@ | ExternalFlow.cs:15:29:15:40 | object creation of type Object : Object | object creation of type Object : Object |

diff --git a/csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected b/csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected
diff --git a/csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected b/csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected
diff --git a/python/ql/test/experimental/dataflow/summaries/summaries.expected b/python/ql/test/experimental/dataflow/summaries/summaries.expected
@@ -4,7 +4,9 @@ edges
 | summaries.py:32:20:32:25 | ControlFlowNode for SOURCE | summaries.py:32:11:32:26 | ControlFlowNode for identity() | provenance |  |
 | summaries.py:36:1:36:14 | ControlFlowNode for tainted_lambda | summaries.py:37:6:37:19 | ControlFlowNode for tainted_lambda | provenance |  |
 | summaries.py:36:18:36:54 | ControlFlowNode for apply_lambda() | summaries.py:36:1:36:14 | ControlFlowNode for tainted_lambda | provenance |  |
+| summaries.py:36:38:36:38 | ControlFlowNode for x | summaries.py:36:41:36:45 | ControlFlowNode for BinaryExpr | provenance |  |
 | summaries.py:36:48:36:53 | ControlFlowNode for SOURCE | summaries.py:36:18:36:54 | ControlFlowNode for apply_lambda() | provenance |  |
+| summaries.py:36:48:36:53 | ControlFlowNode for SOURCE | summaries.py:36:38:36:38 | ControlFlowNode for x | provenance |  |
 | summaries.py:44:1:44:12 | ControlFlowNode for tainted_list | summaries.py:45:6:45:20 | ControlFlowNode for Subscript | provenance |  |
 | summaries.py:44:1:44:12 | ControlFlowNode for tainted_list [List element] | summaries.py:45:6:45:17 | ControlFlowNode for tainted_list [List element] | provenance |  |
 | summaries.py:44:16:44:33 | ControlFlowNode for reversed() | summaries.py:44:1:44:12 | ControlFlowNode for tainted_list | provenance |  |
@@ -14,13 +16,17 @@ edges
 | summaries.py:44:26:44:31 | ControlFlowNode for SOURCE | summaries.py:44:25:44:32 | ControlFlowNode for List | provenance |  |
 | summaries.py:44:26:44:31 | ControlFlowNode for SOURCE | summaries.py:44:25:44:32 | ControlFlowNode for List [List element] | provenance |  |
 | summaries.py:45:6:45:17 | ControlFlowNode for tainted_list [List element] | summaries.py:45:6:45:20 | ControlFlowNode for Subscript | provenance |  |
+| summaries.py:48:15:48:15 | ControlFlowNode for x | summaries.py:49:12:49:18 | ControlFlowNode for BinaryExpr | provenance |  |
 | summaries.py:51:1:51:14 | ControlFlowNode for tainted_mapped [List element] | summaries.py:52:6:52:19 | ControlFlowNode for tainted_mapped [List element] | provenance |  |
 | summaries.py:51:18:51:46 | ControlFlowNode for list_map() [List element] | summaries.py:51:1:51:14 | ControlFlowNode for tainted_mapped [List element] | provenance |  |
+| summaries.py:51:38:51:45 | ControlFlowNode for List [List element] | summaries.py:48:15:48:15 | ControlFlowNode for x | provenance |  |
 | summaries.py:51:38:51:45 | ControlFlowNode for List [List element] | summaries.py:51:18:51:46 | ControlFlowNode for list_map() [List element] | provenance |  |
 | summaries.py:51:39:51:44 | ControlFlowNode for SOURCE | summaries.py:51:38:51:45 | ControlFlowNode for List [List element] | provenance |  |
 | summaries.py:52:6:52:19 | ControlFlowNode for tainted_mapped [List element] | summaries.py:52:6:52:22 | ControlFlowNode for Subscript | provenance |  |
+| summaries.py:54:23:54:23 | ControlFlowNode for x | summaries.py:55:12:55:12 | ControlFlowNode for x | provenance |  |
 | summaries.py:57:1:57:23 | ControlFlowNode for tainted_mapped_explicit [List element] | summaries.py:58:6:58:28 | ControlFlowNode for tainted_mapped_explicit [List element] | provenance |  |
 | summaries.py:57:27:57:63 | ControlFlowNode for list_map() [List element] | summaries.py:57:1:57:23 | ControlFlowNode for tainted_mapped_explicit [List element] | provenance |  |
+| summaries.py:57:55:57:62 | ControlFlowNode for List [List element] | summaries.py:54:23:54:23 | ControlFlowNode for x | provenance |  |
 | summaries.py:57:55:57:62 | ControlFlowNode for List [List element] | summaries.py:57:27:57:63 | ControlFlowNode for list_map() [List element] | provenance |  |
 | summaries.py:57:56:57:61 | ControlFlowNode for SOURCE | summaries.py:57:55:57:62 | ControlFlowNode for List [List element] | provenance |  |
 | summaries.py:58:6:58:28 | ControlFlowNode for tainted_mapped_explicit [List element] | summaries.py:58:6:58:31 | ControlFlowNode for Subscript | provenance |  |
@@ -46,6 +52,8 @@ nodes
 | summaries.py:33:6:33:12 | ControlFlowNode for tainted | semmle.label | ControlFlowNode for tainted |
 | summaries.py:36:1:36:14 | ControlFlowNode for tainted_lambda | semmle.label | ControlFlowNode for tainted_lambda |
 | summaries.py:36:18:36:54 | ControlFlowNode for apply_lambda() | semmle.label | ControlFlowNode for apply_lambda() |
+| summaries.py:36:38:36:38 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| summaries.py:36:41:36:45 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
 | summaries.py:36:48:36:53 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
 | summaries.py:37:6:37:19 | ControlFlowNode for tainted_lambda | semmle.label | ControlFlowNode for tainted_lambda |
 | summaries.py:44:1:44:12 | ControlFlowNode for tainted_list | semmle.label | ControlFlowNode for tainted_list |
@@ -57,12 +65,16 @@ nodes
 | summaries.py:44:26:44:31 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
 | summaries.py:45:6:45:17 | ControlFlowNode for tainted_list [List element] | semmle.label | ControlFlowNode for tainted_list [List element] |
 | summaries.py:45:6:45:20 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| summaries.py:48:15:48:15 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| summaries.py:49:12:49:18 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
 | summaries.py:51:1:51:14 | ControlFlowNode for tainted_mapped [List element] | semmle.label | ControlFlowNode for tainted_mapped [List element] |
 | summaries.py:51:18:51:46 | ControlFlowNode for list_map() [List element] | semmle.label | ControlFlowNode for list_map() [List element] |
 | summaries.py:51:38:51:45 | ControlFlowNode for List [List element] | semmle.label | ControlFlowNode for List [List element] |
 | summaries.py:51:39:51:44 | ControlFlowNode for SOURCE | semmle.label | ControlFlowNode for SOURCE |
 | summaries.py:52:6:52:19 | ControlFlowNode for tainted_mapped [List element] | semmle.label | ControlFlowNode for tainted_mapped [List element] |
 | summaries.py:52:6:52:22 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
+| summaries.py:54:23:54:23 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
+| summaries.py:55:12:55:12 | ControlFlowNode for x | semmle.label | ControlFlowNode for x |
 | summaries.py:57:1:57:23 | ControlFlowNode for tainted_mapped_explicit [List element] | semmle.label | ControlFlowNode for tainted_mapped_explicit [List element] |
 | summaries.py:57:27:57:63 | ControlFlowNode for list_map() [List element] | semmle.label | ControlFlowNode for list_map() [List element] |
 | summaries.py:57:55:57:62 | ControlFlowNode for List [List element] | semmle.label | ControlFlowNode for List [List element] |
@@ -87,6 +99,9 @@ nodes
 | summaries.py:68:6:68:23 | ControlFlowNode for tainted_resultlist [List element] | semmle.label | ControlFlowNode for tainted_resultlist [List element] |
 | summaries.py:68:6:68:26 | ControlFlowNode for Subscript | semmle.label | ControlFlowNode for Subscript |
 subpaths
+| summaries.py:36:48:36:53 | ControlFlowNode for SOURCE | summaries.py:36:38:36:38 | ControlFlowNode for x | summaries.py:36:41:36:45 | ControlFlowNode for BinaryExpr | summaries.py:36:18:36:54 | ControlFlowNode for apply_lambda() |
+| summaries.py:51:38:51:45 | ControlFlowNode for List [List element] | summaries.py:48:15:48:15 | ControlFlowNode for x | summaries.py:49:12:49:18 | ControlFlowNode for BinaryExpr | summaries.py:51:18:51:46 | ControlFlowNode for list_map() [List element] |
+| summaries.py:57:55:57:62 | ControlFlowNode for List [List element] | summaries.py:54:23:54:23 | ControlFlowNode for x | summaries.py:55:12:55:12 | ControlFlowNode for x | summaries.py:57:27:57:63 | ControlFlowNode for list_map() [List element] |
 invalidSpecComponent
 #select
 | summaries.py:33:6:33:12 | ControlFlowNode for tainted | summaries.py:32:20:32:25 | ControlFlowNode for SOURCE | summaries.py:33:6:33:12 | ControlFlowNode for tainted | $@ | summaries.py:32:20:32:25 | ControlFlowNode for SOURCE | ControlFlowNode for SOURCE |

diff --git a/ruby/ql/test/library-tests/dataflow/array-flow/array-flow.expected b/ruby/ql/test/library-tests/dataflow/array-flow/array-flow.expected
@@ -298,7 +298,9 @@ edges
 | array_flow.rb:251:9:251:9 | a [element 2] | array_flow.rb:251:30:251:30 | x | provenance |  |
 | array_flow.rb:251:9:254:7 | call to collect_concat [element] | array_flow.rb:251:5:251:5 | b [element] | provenance |  |
 | array_flow.rb:251:30:251:30 | x | array_flow.rb:252:14:252:14 | x | provenance |  |
+| array_flow.rb:251:30:251:30 | x | array_flow.rb:253:10:253:10 | x | provenance |  |
 | array_flow.rb:253:9:253:25 | call to [] [element 1] | array_flow.rb:251:9:254:7 | call to collect_concat [element] | provenance |  |
+| array_flow.rb:253:10:253:10 | x | array_flow.rb:253:9:253:25 | call to [] [element 0] | provenance |  |
 | array_flow.rb:253:13:253:24 | call to source | array_flow.rb:253:9:253:25 | call to [] [element 1] | provenance |  |
 | array_flow.rb:255:10:255:10 | b [element] | array_flow.rb:255:10:255:13 | ...[...] | provenance |  |
 | array_flow.rb:256:5:256:5 | b [element] | array_flow.rb:260:10:260:10 | b [element] | provenance |  |
@@ -631,6 +633,7 @@ edges
 | array_flow.rb:507:9:507:9 | a [element 3] | array_flow.rb:507:26:507:26 | x | provenance |  |
 | array_flow.rb:507:9:510:7 | call to filter_map [element] | array_flow.rb:507:5:507:5 | b [element] | provenance |  |
 | array_flow.rb:507:26:507:26 | x | array_flow.rb:508:14:508:14 | x | provenance |  |
+| array_flow.rb:507:26:507:26 | x | array_flow.rb:509:9:509:9 | x | provenance |  |
 | array_flow.rb:511:10:511:10 | b [element] | array_flow.rb:511:10:511:13 | ...[...] | provenance |  |
 | array_flow.rb:518:5:518:5 | d [element] | array_flow.rb:521:10:521:10 | d [element] | provenance |  |
 | array_flow.rb:518:9:520:7 | call to filter_map [element] | array_flow.rb:518:5:518:5 | d [element] | provenance |  |
@@ -718,7 +721,9 @@ edges
 | array_flow.rb:571:9:571:9 | a [element 2] | array_flow.rb:571:24:571:24 | x | provenance |  |
 | array_flow.rb:571:9:574:7 | call to flat_map [element] | array_flow.rb:571:5:571:5 | b [element] | provenance |  |
 | array_flow.rb:571:24:571:24 | x | array_flow.rb:572:14:572:14 | x | provenance |  |
+| array_flow.rb:571:24:571:24 | x | array_flow.rb:573:10:573:10 | x | provenance |  |
 | array_flow.rb:573:9:573:25 | call to [] [element 1] | array_flow.rb:571:9:574:7 | call to flat_map [element] | provenance |  |
+| array_flow.rb:573:10:573:10 | x | array_flow.rb:573:9:573:25 | call to [] [element 0] | provenance |  |
 | array_flow.rb:573:13:573:24 | call to source | array_flow.rb:573:9:573:25 | call to [] [element 1] | provenance |  |
 | array_flow.rb:575:10:575:10 | b [element] | array_flow.rb:575:10:575:13 | ...[...] | provenance |  |
 | array_flow.rb:576:5:576:5 | b [element] | array_flow.rb:580:10:580:10 | b [element] | provenance |  |
@@ -2337,7 +2342,9 @@ edges
 | array_flow.rb:1677:16:1677:28 | call to source | array_flow.rb:1677:9:1677:29 | call to [] [element 2] | provenance |  |
 | array_flow.rb:1678:5:1678:5 | b [element] | array_flow.rb:1681:10:1681:10 | b [element] | provenance |  |
 | array_flow.rb:1678:9:1678:9 | a [element 2] | array_flow.rb:1678:9:1680:7 | call to map [element] | provenance |  |
+| array_flow.rb:1678:9:1678:9 | a [element 2] | array_flow.rb:1678:19:1678:19 | x | provenance |  |
 | array_flow.rb:1678:9:1680:7 | call to map [element] | array_flow.rb:1678:5:1678:5 | b [element] | provenance |  |
+| array_flow.rb:1678:19:1678:19 | x | array_flow.rb:1679:9:1679:9 | x | provenance |  |
 | array_flow.rb:1681:10:1681:10 | b [element] | array_flow.rb:1681:10:1681:13 | ...[...] | provenance |  |
 | array_flow.rb:1685:5:1685:5 | a [element 2] | array_flow.rb:1686:18:1686:18 | a [element 2] | provenance |  |
 | array_flow.rb:1685:5:1685:5 | a [element 3] | array_flow.rb:1686:18:1686:18 | a [element 3] | provenance |  |
@@ -2674,7 +2681,9 @@ nodes
 | array_flow.rb:251:9:254:7 | call to collect_concat [element] | semmle.label | call to collect_concat [element] |
 | array_flow.rb:251:30:251:30 | x | semmle.label | x |
 | array_flow.rb:252:14:252:14 | x | semmle.label | x |
+| array_flow.rb:253:9:253:25 | call to [] [element 0] | semmle.label | call to [] [element 0] |
 | array_flow.rb:253:9:253:25 | call to [] [element 1] | semmle.label | call to [] [element 1] |
+| array_flow.rb:253:10:253:10 | x | semmle.label | x |
 | array_flow.rb:253:13:253:24 | call to source | semmle.label | call to source |
 | array_flow.rb:255:10:255:10 | b [element] | semmle.label | b [element] |
 | array_flow.rb:255:10:255:13 | ...[...] | semmle.label | ...[...] |
@@ -3041,6 +3050,7 @@ nodes
 | array_flow.rb:507:9:510:7 | call to filter_map [element] | semmle.label | call to filter_map [element] |
 | array_flow.rb:507:26:507:26 | x | semmle.label | x |
 | array_flow.rb:508:14:508:14 | x | semmle.label | x |
+| array_flow.rb:509:9:509:9 | x | semmle.label | x |
 | array_flow.rb:511:10:511:10 | b [element] | semmle.label | b [element] |
 | array_flow.rb:511:10:511:13 | ...[...] | semmle.label | ...[...] |
 | array_flow.rb:518:5:518:5 | d [element] | semmle.label | d [element] |
@@ -3132,7 +3142,9 @@ nodes
 | array_flow.rb:571:9:574:7 | call to flat_map [element] | semmle.label | call to flat_map [element] |
 | array_flow.rb:571:24:571:24 | x | semmle.label | x |
 | array_flow.rb:572:14:572:14 | x | semmle.label | x |
+| array_flow.rb:573:9:573:25 | call to [] [element 0] | semmle.label | call to [] [element 0] |
 | array_flow.rb:573:9:573:25 | call to [] [element 1] | semmle.label | call to [] [element 1] |
+| array_flow.rb:573:10:573:10 | x | semmle.label | x |
 | array_flow.rb:573:13:573:24 | call to source | semmle.label | call to source |
 | array_flow.rb:575:10:575:10 | b [element] | semmle.label | b [element] |
 | array_flow.rb:575:10:575:13 | ...[...] | semmle.label | ...[...] |
@@ -4821,6 +4833,8 @@ nodes
 | array_flow.rb:1678:5:1678:5 | b [element] | semmle.label | b [element] |
 | array_flow.rb:1678:9:1678:9 | a [element 2] | semmle.label | a [element 2] |
 | array_flow.rb:1678:9:1680:7 | call to map [element] | semmle.label | call to map [element] |
+| array_flow.rb:1678:19:1678:19 | x | semmle.label | x |
+| array_flow.rb:1679:9:1679:9 | x | semmle.label | x |
 | array_flow.rb:1681:10:1681:10 | b [element] | semmle.label | b [element] |
 | array_flow.rb:1681:10:1681:13 | ...[...] | semmle.label | ...[...] |
 | array_flow.rb:1685:5:1685:5 | a [element 2] | semmle.label | a [element 2] |
@@ -4836,6 +4850,10 @@ nodes
 | array_flow.rb:1689:10:1689:10 | z | semmle.label | z |
 | array_flow.rb:1690:10:1690:10 | w | semmle.label | w |
 subpaths
+| array_flow.rb:251:9:251:9 | a [element 2] | array_flow.rb:251:30:251:30 | x | array_flow.rb:253:9:253:25 | call to [] [element 0] | array_flow.rb:251:9:254:7 | call to collect_concat [element] |
+| array_flow.rb:507:9:507:9 | a [element 3] | array_flow.rb:507:26:507:26 | x | array_flow.rb:509:9:509:9 | x | array_flow.rb:507:9:510:7 | call to filter_map [element] |
+| array_flow.rb:571:9:571:9 | a [element 2] | array_flow.rb:571:24:571:24 | x | array_flow.rb:573:9:573:25 | call to [] [element 0] | array_flow.rb:571:9:574:7 | call to flat_map [element] |
+| array_flow.rb:1678:9:1678:9 | a [element 2] | array_flow.rb:1678:19:1678:19 | x | array_flow.rb:1679:9:1679:9 | x | array_flow.rb:1678:9:1680:7 | call to map [element] |
 arrayLiteral
 | array_flow.rb:9:9:9:25 | call to [] |
 | array_flow.rb:33:9:33:22 | call to [] |