C#: Address review comments

hvitved · hvitved · commit 751985dcf282 · 2019-08-30T09:37:23.000+02:00
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/Nullness.qll b/csharp/ql/src/semmle/code/csharp/dataflow/Nullness.qll
@@ -127,7 +127,7 @@ private predicate dereferenceAt(BasicBlock bb, int i, Ssa::Definition def, Deref
 private predicate exprImpliesSsaDef(
   Expr e, G::AbstractValue vExpr, Ssa::Definition def, G::AbstractValue vDef
 ) {
-  exists(G::Internal::Guard g | G::Internal::impliesSteps(e, vExpr, g, vDef) |
+  exists(G::Guard g | G::Internal::impliesSteps(e, vExpr, g, vDef) |
     g = def.getARead()
     or
     g = def.(Ssa::ExplicitDefinition).getADefinition().getTargetAccess()
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPublic.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPublic.qll
@@ -192,11 +192,13 @@ class BarrierGuard extends Guard {
 }
 
 module BarrierGuards {
+  import AbstractValues
+
   /** A simple guard that checks that this expression has an abstract value. */
-  class ValueBarrierGuard extends BarrierGuard {
-    private AbstractValue v0;
+  abstract class ValueBarrierGuard extends BarrierGuard {
+    AbstractValue val;
 
-    ValueBarrierGuard() { this.controlsNode(_, this, v0) }
+    ValueBarrierGuard() { this.controlsNode(_, this, val) }
 
     /**
      * Gets the abstract value that this expression is checked against.
@@ -211,18 +213,8 @@ module BarrierGuards {
      * `x == null` is checked against an abstract Boolean value (`BooleanValue`),
      * and `x` is checked against an abstract nullness value (`NullValue`).
      */
-    AbstractValue getCheckedValue() { result = v0 }
-
-    final override predicate checks(Expr e, AbstractValue v) { e = this and v = v0 }
-  }
-
-  /** A guard that checks if this expression is non-`null`. */
-  class NullGuard extends DataFlow::BarrierGuards::ValueBarrierGuard {
-    NullGuard() { this.getCheckedValue() = any(AbstractValues::NullValue nv | not nv.isNull()) }
-  }
+    AbstractValue getCheckedValue() { result = val }
 
-  /** A guard that checks if this expression is `null`. */
-  class AntiNullGuard extends DataFlow::BarrierGuards::ValueBarrierGuard {
-    AntiNullGuard() { this.getCheckedValue().(AbstractValues::NullValue).isNull() }
+    final override predicate checks(Expr e, AbstractValue v) { e = this and v = val }
   }
 }
diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/TaintedPath.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/TaintedPath.qll
@@ -30,7 +30,7 @@ module TaintedPath {
   /**
    * A guard for uncontrolled data in path expression vulnerabilities.
    */
-  abstract class BarrierGuard extends DataFlow::BarrierGuard { }
+  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
 
   /**
    * A taint-tracking configuration for uncontrolled data in path expression vulnerabilities.
@@ -45,7 +45,7 @@ module TaintedPath {
     override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
 
     override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-      guard instanceof BarrierGuard
+      guard instanceof SanitizerGuard
     }
   }
 
@@ -102,12 +102,16 @@ module TaintedPath {
     }
   }
 
+  class NullBarrierGuard extends DataFlow::BarrierGuards::ValueBarrierGuard {
+    NullBarrierGuard() { val instanceof DataFlow::BarrierGuards::NullValue }
+  }
+
   /**
    * A conditional involving the path, that is not considered to be a weak check.
    *
    * A weak check is one that is insufficient to prevent path tampering.
    */
-  class PathCheck extends BarrierGuard {
+  class PathCheck extends SanitizerGuard {
     PathCheck() {
       // None of these are sufficient to guarantee that a string is safe.
       not this.(MethodCall).getTarget() = any(Method m |
@@ -119,8 +123,7 @@ module TaintedPath {
           m = any(SystemIODirectoryClass f).getAMethod("Exists")
         ) and
       // Checking against `null` has no bearing on path traversal.
-      not this instanceof DataFlow::BarrierGuards::NullGuard and
-      not this instanceof DataFlow::BarrierGuards::AntiNullGuard
+      not this instanceof NullBarrierGuard
     }
 
     override predicate checks(Expr e, AbstractValue v) { this.controlsNode(_, e, v) }
diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/UrlRedirect.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/UrlRedirect.qll
@@ -30,7 +30,7 @@ module UrlRedirect {
   /**
    * A guard for unvalidated URL redirect vulnerabilities.
    */
-  abstract class BarrierGuard extends DataFlow::BarrierGuard { }
+  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
 
   /**
    * A taint-tracking configuration for reasoning about unvalidated URL redirect vulnerabilities.
@@ -45,7 +45,7 @@ module UrlRedirect {
     override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
 
     override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-      guard instanceof BarrierGuard
+      guard instanceof SanitizerGuard
     }
   }
 
@@ -107,7 +107,7 @@ module UrlRedirect {
   /**
    * A URL argument to a call to `UrlHelper.isLocalUrl()` that is a sanitizer for URL redirects.
    */
-  class IsLocalUrlSanitizer extends BarrierGuard, MethodCall {
+  class IsLocalUrlSanitizer extends SanitizerGuard, MethodCall {
     IsLocalUrlSanitizer() { this.getTarget().hasName("IsLocalUrl") }
 
     override predicate checks(Expr e, AbstractValue v) {
diff --git a/csharp/ql/src/semmle/code/csharp/security/dataflow/ZipSlip.qll b/csharp/ql/src/semmle/code/csharp/security/dataflow/ZipSlip.qll
@@ -25,7 +25,7 @@ module ZipSlip {
   /**
    * A guard for unsafe zip extraction.
    */
-  abstract class BarrierGuard extends DataFlow::BarrierGuard { }
+  abstract class SanitizerGuard extends DataFlow::BarrierGuard { }
 
   /** A taint tracking configuration for Zip Slip */
   class TaintTrackingConfiguration extends TaintTracking::Configuration {
@@ -38,7 +38,7 @@ module ZipSlip {
     override predicate isSanitizer(DataFlow::Node node) { node instanceof Sanitizer }
 
     override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-      guard instanceof BarrierGuard
+      guard instanceof SanitizerGuard
     }
   }
 
@@ -132,7 +132,7 @@ module ZipSlip {
    * A call to `String.StartsWith()` that indicates that the tainted path value is being
    * validated to ensure that it occurs within a permitted output path.
    */
-  class StringCheckGuard extends BarrierGuard, MethodCall {
+  class StringCheckGuard extends SanitizerGuard, MethodCall {
     private Expr q;
 
     StringCheckGuard() {
diff --git a/csharp/ql/test/library-tests/dataflow/callablereturnsarg/Common.qll b/csharp/ql/test/library-tests/dataflow/callablereturnsarg/Common.qll
@@ -1,5 +1,9 @@
 import csharp
-import semmle.code.csharp.controlflow.Guards
+private import DataFlow::BarrierGuards
+
+private class AntiNullBarrierGuard extends ValueBarrierGuard {
+  AntiNullBarrierGuard() { val.(NullValue).isNull() }
+}
 
 class Configuration extends DataFlow::Configuration {
   Configuration() { this = "Configuration" }
@@ -9,7 +13,7 @@ class Configuration extends DataFlow::Configuration {
   override predicate isSink(DataFlow::Node sink) { any() }
 
   override predicate isBarrierGuard(DataFlow::BarrierGuard guard) {
-    guard instanceof DataFlow::BarrierGuards::AntiNullGuard
+    guard instanceof AntiNullBarrierGuard
   }
 }
 
diff --git a/csharp/ql/test/library-tests/dataflow/local/Common.qll b/csharp/ql/test/library-tests/dataflow/local/Common.qll
@@ -1,5 +1,10 @@
 import csharp
 private import semmle.code.csharp.dataflow.internal.DataFlowPrivate
+private import DataFlow::BarrierGuards
+
+private class NullBarrierGuard extends ValueBarrierGuard {
+  NullBarrierGuard() { val = any(NullValue nv | not nv.isNull()) }
+}
 
 class MyFlowSource extends DataFlow::Node {
   MyFlowSource() {
@@ -20,7 +25,5 @@ class MyFlowSource extends DataFlow::Node {
 }
 
 class MyNullGuardedDataFlowNode extends DataFlow::Node {
-  MyNullGuardedDataFlowNode() {
-    this = any(DataFlow::BarrierGuards::NullGuard ng).getAGuardedNode()
-  }
+  MyNullGuardedDataFlowNode() { this = any(NullBarrierGuard ng).getAGuardedNode() }
 }
