@@ -731,9 +731,9 @@ module DataFlow {
731731 * A helper class for defining expression-based data flow steps, while properly
732732 * taking control flow into account.
733733 */
734- abstract class ExprStep extends string {
734+ abstract class ExprStepConfiguration extends string {
735735 bindingset [ this ]
736- ExprStep ( ) { any ( ) }
736+ ExprStepConfiguration ( ) { any ( ) }
737737
738738 /**
739739 * Holds if data can flow from expression `exprFrom` to expression `exprTo`,
@@ -841,15 +841,14 @@ module DataFlow {
841841
842842 /** Provides predicates related to local data flow. */
843843 module LocalFlow {
844- private class LocalExprStep extends ExprStep {
845- LocalExprStep ( ) { this = "LocalExprStep " }
844+ private class LocalExprStepConfiguration extends ExprStepConfiguration {
845+ LocalExprStepConfiguration ( ) { this = "LocalExprStepConfiguration " }
846846
847847 override predicate stepsToExpr ( Expr exprFrom , Expr exprTo , ControlFlowElement scope , boolean exactScope , boolean isSuccessor ) {
848848 exactScope = false and
849849 (
850850 // Flow using library code
851- libraryFlow ( exprFrom , exprTo , scope , true ) and
852- ( isSuccessor = false or isSuccessor = true )
851+ libraryFlow ( exprFrom , exprTo , scope , isSuccessor , true )
853852 or
854853 exprFrom = exprTo .( ParenthesizedExpr ) .getExpr ( ) and
855854 scope = exprTo and
@@ -911,7 +910,7 @@ module DataFlow {
911910 predicate step ( Node nodeFrom , Node nodeTo ) {
912911 forceCachingInSameStage ( ) and
913912 TaintTracking:: Internal:: Cached:: forceCachingInSameStage ( ) and
914- any ( LocalExprStep x ) .hasStep ( nodeFrom , nodeTo )
913+ any ( LocalExprStepConfiguration x ) .hasStep ( nodeFrom , nodeTo )
915914 or
916915 // Flow from SSA definition to first read
917916 exists ( Ssa:: Definition def , ControlFlow:: Node cfn |
@@ -1008,9 +1007,14 @@ module DataFlow {
10081007 )
10091008 }
10101009
1011- predicate libraryFlow ( Expr exprFrom , Expr exprTo , Expr scope , boolean preservesValue ) {
1010+ predicate libraryFlow ( Expr exprFrom , Expr exprTo , Expr scope , boolean isSuccessor , boolean preservesValue ) {
1011+ // To not pollute the definitions in `LibraryTypeDataFlow.qll` with syntactic scope,
1012+ // simply use the nearest common parent expression for `exprFrom` and `exprTo`
10121013 scope = getALibraryFlowParent ( exprFrom , exprTo , preservesValue ) and
1013- scope .getAChildExpr * ( ) = exprTo
1014+ scope .getAChildExpr * ( ) = exprTo and
1015+ // Similarly, for simplicity allow following both forwards and backwards edges from
1016+ // `exprFrom` to `exprTo`
1017+ ( isSuccessor = true or isSuccessor = false )
10141018 }
10151019
10161020 predicate localFlowStepNoConfig ( Node pred , Node succ ) {
@@ -1828,9 +1832,9 @@ module DataFlow {
18281832 flowsink .getNode ( ) = sink
18291833 }
18301834
1831- private class FlowThroughCallableLibraryOutRefStep extends ExprStep {
1832- FlowThroughCallableLibraryOutRefStep ( ) {
1833- this = "FlowThroughCallableLibraryOutRefStep "
1835+ private class FlowThroughCallableLibraryOutRefStepConfiguration extends ExprStepConfiguration {
1836+ FlowThroughCallableLibraryOutRefStepConfiguration ( ) {
1837+ this = "FlowThroughCallableLibraryOutRefStepConfiguration "
18341838 }
18351839
18361840 override predicate stepsToDefinition ( Expr exprFrom , AssignableDefinition defTo , ControlFlowElement scope , boolean exactScope , boolean isSuccessor ) {
@@ -1860,7 +1864,7 @@ module DataFlow {
18601864 */
18611865 predicate flowThroughCallableLibraryOutRef ( MethodCall mc , ExprNode arg , SsaDefinitionNode node , boolean preservesValue ) {
18621866 libraryFlowOutRef ( mc , arg .getExpr ( ) , _, preservesValue ) and
1863- any ( FlowThroughCallableLibraryOutRefStep x ) .hasStep ( arg , node )
1867+ any ( FlowThroughCallableLibraryOutRefStepConfiguration x ) .hasStep ( arg , node )
18641868 }
18651869
18661870 /**