Java: Use normalized read access paths in synthetic validation.

github · Sep 6, 2024 · e565479 · e565479
1 parent ef763bb
commit e565479
Showing 1 changed file with 10 additions and 7 deletions.
diff --git a/java/ql/src/utils/modelgenerator/internal/CaptureModels.qll b/java/ql/src/utils/modelgenerator/internal/CaptureModels.qll
@@ -368,14 +368,15 @@ private predicate hasSyntheticContent(PropagateContentFlow::AccessPath path) {
 private module AccessPathSyntheticValidation {
   /**
    * Holds if there exist an API within the type `t` that has
-   * content flow from `read` to `store`.
+   * content flow from `read` to `store`, where `read` and `store` have
+   * been normalized (content flow lists the read steps in reverse order).
    */
   private predicate step(
     Type t, PropagateContentFlow::AccessPath read, PropagateContentFlow::AccessPath store
   ) {
     exists(ContentDataFlowSummaryTargetApi api |
       api.getDeclaringType() = t and
-      apiContentFlow(api, _, read, _, store, _)
+      apiContentFlow(api, _, read.reverse(), _, store, _)
     )
   }
 
@@ -469,11 +470,13 @@ private module AccessPathSyntheticValidation {
   predicate acceptReadStore(
     Type t, PropagateContentFlow::AccessPath read, PropagateContentFlow::AccessPath store
   ) {
-    synthPathEntry(t, read, store) and reachesSynthExit(t, store)
-    or
-    synthEntryReaches(t, read) and synthPathExit(t, read, store)
-    or
-    synthEntryReaches(t, read) and step(t, read, store) and reachesSynthExit(t, store)
+    exists(PropagateContentFlow::AccessPath read0 | read0 = read.reverse() |
+      synthPathEntry(t, read0, store) and reachesSynthExit(t, store)
+      or
+      synthEntryReaches(t, read0) and synthPathExit(t, read0, store)
+      or
+      synthEntryReaches(t, read0) and step(t, read0, store) and reachesSynthExit(t, store)
+    )
   }
 }