Add dataflow callback to filter out receiver argument flow to Golang interface dispatch candidates.

smowton · smowton · commit 4d8ca3d759b7 · 2023-04-12T14:19:06.000+01:00
Other langauges stub the callback.
diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowDispatch.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowDispatch.qll
@@ -79,3 +79,11 @@ class ArgumentPosition extends int {
 /** Holds if arguments at position `apos` match parameters at position `ppos`. */
 pragma[inline]
 predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos }
+
+/**
+ * Holds if flow from `call`'s argument `arg` to parameter `p` is permissible.
+ *
+ * This is a filter on top of the language-neutral argument/parameter matching implemented by `viableParamArg`.
+ */
+pragma[inline]
+predicate viableParamArgSpecific(DataFlowCall call, ParameterNode p, ArgumentNode arg) { any() }
diff --git a/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll b/cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll
@@ -425,7 +425,8 @@ private module Cached {
     exists(ParameterPosition ppos |
       viableParam(call, ppos, p) and
       argumentPositionMatch(call, arg, ppos) and
-      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p))
+      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p)) and
+      viableParamArgSpecific(call, p, arg)
     )
   }
 
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll
@@ -271,3 +271,11 @@ Function viableImplInCallContext(CallInstruction call, CallInstruction ctx) {
 /** Holds if arguments at position `apos` match parameters at position `ppos`. */
 pragma[inline]
 predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos }
+
+/**
+ * Holds if flow from `call`'s argument `arg` to parameter `p` is permissible.
+ *
+ * This is a filter on top of the language-neutral argument/parameter matching implemented by `viableParamArg`.
+ */
+pragma[inline]
+predicate viableParamArgSpecific(DataFlowCall call, ParameterNode p, ArgumentNode arg) { any() }
diff --git a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplCommon.qll
@@ -425,7 +425,8 @@ private module Cached {
     exists(ParameterPosition ppos |
       viableParam(call, ppos, p) and
       argumentPositionMatch(call, arg, ppos) and
-      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p))
+      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p)) and
+      viableParamArgSpecific(call, p, arg)
     )
   }
 
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll
@@ -555,3 +555,11 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) {
     apos.isImplicitCapturedArgumentPosition(v)
   )
 }
+
+/**
+ * Holds if flow from `call`'s argument `arg` to parameter `p` is permissible.
+ *
+ * This is a filter on top of the language-neutral argument/parameter matching implemented by `viableParamArg`.
+ */
+pragma[inline]
+predicate viableParamArgSpecific(DataFlowCall call, ParameterNode p, ArgumentNode arg) { any() }
diff --git a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImplCommon.qll
@@ -425,7 +425,8 @@ private module Cached {
     exists(ParameterPosition ppos |
       viableParam(call, ppos, p) and
       argumentPositionMatch(call, arg, ppos) and
-      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p))
+      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p)) and
+      viableParamArgSpecific(call, p, arg)
     )
   }
 
diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowDispatch.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowDispatch.qll
@@ -133,3 +133,25 @@ class ArgumentPosition extends int {
 /** Holds if arguments at position `apos` match parameters at position `ppos`. */
 pragma[inline]
 predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos }
+
+private predicate isInterfaceMethod(Method c) {
+  c.getReceiverBaseType().getUnderlyingType() instanceof InterfaceType
+}
+
+/**
+ * Holds if `call` is passing `arg` to param `p` in any circumstance except passing
+ * a receiver parameter to a concrete method.
+ */
+pragma[inline]
+predicate viableParamArgSpecific(
+  DataFlowCall call, DataFlow::ParameterNode p, DataFlow::ArgumentNode arg
+) {
+  // Interface methods calls may be passed strictly to that exact method's model receiver:
+  arg.getPosition() != -1
+  or
+  exists(Function callTarget | callTarget = call.getNode().(DataFlow::CallNode).getTarget() |
+    not isInterfaceMethod(callTarget)
+    or
+    callTarget = p.getCallable().asSummarizedCallable().asFunction()
+  )
+}
diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowImplCommon.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowImplCommon.qll
@@ -425,7 +425,8 @@ private module Cached {
     exists(ParameterPosition ppos |
       viableParam(call, ppos, p) and
       argumentPositionMatch(call, arg, ppos) and
-      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p))
+      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p)) and
+      viableParamArgSpecific(call, p, arg)
     )
   }
 
diff --git a/go/ql/lib/semmle/go/dataflow/internal/DataFlowNodes.qll b/go/ql/lib/semmle/go/dataflow/internal/DataFlowNodes.qll
@@ -570,6 +570,12 @@ module Public {
   abstract class ParameterNode extends DataFlow::Node {
     /** Holds if this node initializes the `i`th parameter of `c`. */
     abstract predicate isParameterOf(DataFlowCallable c, int i);
+
+    /** Gets the callable that this parameter belongs to. */
+    DataFlowCallable getCallable() { this.isParameterOf(result, _) }
+
+    /** Gets this parameter's position. */
+    int getPosition() { this.isParameterOf(_, result) }
   }
 
   /**
@@ -722,20 +728,18 @@ module Public {
      */
     predicate argumentOf(CallExpr call, int pos) {
       call = c.asExpr() and
-      pos = i and
-      (
-        i != -1
-        or
-        exists(c.(MethodCallNode).getTarget().getBody())
-        or
-        hasExternalSpecification(c.(DataFlow::MethodCallNode).getTarget())
-      )
+      pos = i
     }
 
     /**
      * Gets the `CallNode` this is an argument to.
      */
     CallNode getCall() { result = c }
+
+    /**
+     * Gets this argument's position.
+     */
+    int getPosition() { result = i }
   }
 
   /**
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowDispatch.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowDispatch.qll
@@ -171,6 +171,14 @@ private module DispatchImpl {
   /** Holds if arguments at position `apos` match parameters at position `ppos`. */
   pragma[inline]
   predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos }
+
+  /**
+   * Holds if flow from `call`'s argument `arg` to parameter `p` is permissible.
+   *
+   * This is a filter on top of the language-neutral argument/parameter matching implemented by `viableParamArg`.
+   */
+  pragma[inline]
+  predicate viableParamArgSpecific(DataFlowCall call, ParameterNode p, ArgumentNode arg) { any() }
 }
 
 import DispatchImpl
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll
@@ -425,7 +425,8 @@ private module Cached {
     exists(ParameterPosition ppos |
       viableParam(call, ppos, p) and
       argumentPositionMatch(call, arg, ppos) and
-      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p))
+      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p)) and
+      viableParamArgSpecific(call, p, arg)
     )
   }
 
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowDispatch.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowDispatch.qll
@@ -1614,3 +1614,11 @@ private module OutNodes {
  * `kind`.
  */
 OutNode getAnOutNode(DataFlowCall call, ReturnKind kind) { call = result.getCall(kind) }
+
+/**
+ * Holds if flow from `call`'s argument `arg` to parameter `p` is permissible.
+ *
+ * This is a filter on top of the language-neutral argument/parameter matching implemented by `viableParamArg`.
+ */
+pragma[inline]
+predicate viableParamArgSpecific(DataFlowCall call, ParameterNode p, ArgumentNode arg) { any() }
diff --git a/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll b/python/ql/lib/semmle/python/dataflow/new/internal/DataFlowImplCommon.qll
@@ -425,7 +425,8 @@ private module Cached {
     exists(ParameterPosition ppos |
       viableParam(call, ppos, p) and
       argumentPositionMatch(call, arg, ppos) and
-      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p))
+      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p)) and
+      viableParamArgSpecific(call, p, arg)
     )
   }
 
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll
@@ -1380,3 +1380,13 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) {
   or
   apos.isAnyNamed() and ppos.isKeyword(_)
 }
+
+/**
+ * Holds if flow from `call`'s argument `arg` to parameter `p` is permissible.
+ *
+ * This is a filter on top of the language-neutral argument/parameter matching implemented by `viableParamArg`.
+ */
+pragma[inline]
+predicate viableParamArgSpecific(DataFlowCall call, DataFlow::Node param, ArgumentNode arg) {
+  any()
+}
diff --git a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplCommon.qll b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowImplCommon.qll
@@ -425,7 +425,8 @@ private module Cached {
     exists(ParameterPosition ppos |
       viableParam(call, ppos, p) and
       argumentPositionMatch(call, arg, ppos) and
-      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p))
+      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p)) and
+      viableParamArgSpecific(call, p, arg)
     )
   }
 
diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowDispatch.qll b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowDispatch.qll
@@ -333,3 +333,11 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) {
   or
   ppos.(PositionalParameterPosition).getIndex() = apos.(PositionalArgumentPosition).getIndex()
 }
+
+/**
+ * Holds if flow from `call`'s argument `arg` to parameter `p` is permissible.
+ *
+ * This is a filter on top of the language-neutral argument/parameter matching implemented by `viableParamArg`.
+ */
+pragma[inline]
+predicate viableParamArgSpecific(DataFlowCall call, ParameterNode p, ArgumentNode arg) { any() }
diff --git a/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImplCommon.qll b/swift/ql/lib/codeql/swift/dataflow/internal/DataFlowImplCommon.qll
@@ -425,7 +425,8 @@ private module Cached {
     exists(ParameterPosition ppos |
       viableParam(call, ppos, p) and
       argumentPositionMatch(call, arg, ppos) and
-      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p))
+      compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p)) and
+      viableParamArgSpecific(call, p, arg)
     )
   }
 

Original file line number	Diff line number	Diff line change
`@@ -425,7 +425,8 @@ private module Cached {`
`425`	`425`	`exists(ParameterPosition ppos \|`
`426`	`426`	`viableParam(call, ppos, p) and`
`427`	`427`	`argumentPositionMatch(call, arg, ppos) and`
`428`		`- compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p))`
	`428`	`+ compatibleTypes(getNodeDataFlowType(arg), getNodeDataFlowType(p)) and`
	`429`	`+ viableParamArgSpecific(call, p, arg)`
`429`	`430`	`)`
`430`	`431`	`}`
`431`	`432`
Original file line number	Diff line number	Diff line change
`@@ -555,3 +555,11 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) {`
`555`	`555`	`apos.isImplicitCapturedArgumentPosition(v)`
`556`	`556`	`)`
`557`	`557`	`}`
	`558`	`+`
	`559`	`+/**`
	`560`	+ * Holds if flow from `call`'s argument `arg` to parameter `p` is permissible.
	`561`	`+ *`
	`562`	+ * This is a filter on top of the language-neutral argument/parameter matching implemented by `viableParamArg`.
	`563`	`+ */`
	`564`	`+pragma[inline]`
	`565`	`+predicate viableParamArgSpecific(DataFlowCall call, ParameterNode p, ArgumentNode arg) { any() }`