@@ -238,29 +238,13 @@ class TaintTrackingImplementation extends string {
238238
239239 predicate flowSource ( DataFlow:: Node node , TaintTrackingContext context , AttributePath path , TaintKind kind ) {
240240 context = TNoParam ( ) and path = TNoAttribute ( ) and
241- (
242- this .( TaintTracking:: Configuration ) .isSource ( node , kind )
243- or
244- exists ( TaintSource source |
245- this .( TaintTracking:: Configuration ) .isSource ( source ) and
246- node .asCfgNode ( ) = source and
247- source .isSourceOf ( kind )
248- )
249- )
241+ this .( TaintTracking:: Configuration ) .isSource ( node , kind )
250242 }
251243
252244
253245 predicate flowSink ( DataFlow:: Node node , AttributePath path , TaintKind kind ) {
254246 path = TNoAttribute ( ) and
255- (
256- this .( TaintTracking:: Configuration ) .isSink ( node , kind )
257- or
258- exists ( TaintSink sink |
259- this .( TaintTracking:: Configuration ) .isSink ( sink ) and
260- node .asCfgNode ( ) = sink and
261- sink .sinks ( kind )
262- )
263- )
247+ this .( TaintTracking:: Configuration ) .isSink ( node , kind )
264248 }
265249
266250 predicate isPathSource ( TaintTrackingNode source ) {
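Review bot: After this change flowSource and flowSink accept only what `this.(TaintTracking::Configuration).isSource(node, kind)` / `.isSink(node, kind)` provide, and the fallback that adapted `TaintSource`/`TaintSink` objects into node-plus-kind form is gone, while the legacy configuration (hunk at @@ -811) now overrides only the one-argument `isSource(TaintSource)` / `isSink(TaintSink)`. That adaptation must therefore live in `TaintTracking::Configuration`, which is not on this page; if it is missing, legacy sources and sinks stop producing results silently rather than failing loudly. A comment on flowSource would record the contract, e.g. `// Sources come exclusively from the Configuration; TaintSource objects are adapted by TaintTracking::Configuration.isSource(node, kind)`, and a regression test that a query relying on the legacy configuration still reports its previous results would catch the silent case.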
@@ -293,28 +277,6 @@ class TaintTrackingImplementation extends string {
293277 )
294278 }
295279
296- predicate flowBarrier ( DataFlow:: Node node , TaintKind kind ) {
297- this .( TaintTracking:: Configuration ) .isBarrier ( node , kind )
298- or
299- exists ( Sanitizer sanitizer |
300- this .( TaintTracking:: Configuration ) .isSanitizer ( sanitizer )
301- |
302- sanitizer .sanitizingNode ( kind , node .asCfgNode ( ) )
303- or
304- sanitizer .sanitizingDefinition ( kind , node .asVariable ( ) .getDefinition ( ) )
305- or
306- exists ( MethodCallsiteRefinement call , FunctionObject callee |
307- call = node .asVariable ( ) .getDefinition ( ) and
308- callee .getACall ( ) = call .getCall ( ) and
309- sanitizer .sanitizingCall ( kind , callee )
310- )
311- or
312- sanitizer .sanitizingEdge ( kind , node .asVariable ( ) .getDefinition ( ) )
313- or
314- sanitizer .sanitizingSingleEdge ( kind , node .asVariable ( ) .getDefinition ( ) )
315- )
316- }
317-
318280 /** Gets the boolean value that `test` evaluates to when `use` is tainted with `kind`
319281 * and `test` and `use` are part of a test in a branch.
320282 */
@@ -334,9 +296,14 @@ class TaintTrackingImplementation extends string {
334296 Filters:: isinstance ( test , c , use ) and
335297 c .pointsTo ( cls )
336298 |
337- kind .getType ( ) .getASuperType ( ) = cls and result = true
299+ exists ( ClassValue scls |
300+ scls = kind .getType ( ) |
301+ scls .getASuperType ( ) = cls and result = true
302+ or
303+ not scls .getASuperType ( ) = cls and result = false
304+ )
338305 or
339- not kind .getType ( ) . getASuperType ( ) = cls and result = false
306+ not exists ( kind .getType ( ) ) and result = maybe ( )
340307 )
341308 }
342309
@@ -379,7 +346,7 @@ class TaintTrackingImplementation extends string {
379346 (
380347 not path = TNoAttribute ( )
381348 or
382- not this .flowBarrier ( node , kind ) and
349+ not this .( TaintTracking :: Configuration ) . isBarrier ( node , kind ) and
383350 exists ( DataFlow:: Node srcnode , TaintKind srckind |
384351 src = TTaintTrackingNode_ ( srcnode , _, _, srckind , this ) and
385352 not this .prunedEdge ( srcnode , node , srckind , kind )
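Review bot: The barrier check on the replaced line now delegates entirely to `this.(TaintTracking::Configuration).isBarrier(node, kind)`, and the removed `flowBarrier` (hunk at @@ -293) was the only place on this page that honoured `isSanitizer` through `sanitizingNode`, `sanitizingDefinition`, `sanitizingCall`, `sanitizingEdge` and `sanitizingSingleEdge`. The new `LegacyConfiguration.isBarrierEdge` (hunk at @@ -836) covers only `DataFlowExtension` pruned successors, so unless the base `isBarrier` folds `isSanitizer` in — not visible here — existing `Sanitizer` classes no longer stop flow and previously sanitized paths would be reported again. The enclosing predicate starts and ends outside the hunk. A comment would make the dependency explicit: `// Sanitizer handling is expected to be folded into Configuration.isBarrier; flowBarrier no longer exists`.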
@@ -687,15 +654,18 @@ class TaintTrackingImplementation extends string {
687654 this .taintedExceptionCapture ( src , defn , context , path , kind )
688655 or
689656 this .taintedScopeEntryDefinition ( src , defn , context , path , kind )
657+ or
658+ this .taintedWith ( src , defn , context , path , kind )
690659 }
691660
692661 pragma [ noinline]
693662 predicate taintedPhi ( TaintTrackingNode src , PhiFunction defn , TaintTrackingContext context , AttributePath path , TaintKind kind ) {
694- exists ( DataFlow:: Node srcnode , BasicBlock pred , EssaVariable predvar |
663+ exists ( DataFlow:: Node srcnode , BasicBlock pred , EssaVariable predvar , DataFlow :: Node phi |
695664 src = TTaintTrackingNode_ ( srcnode , context , path , kind , this ) and
665+ defn = phi .asVariable ( ) .getDefinition ( ) and
696666 predvar = defn .getInput ( pred ) and
697667 not pred .unlikelySuccessor ( defn .getBasicBlock ( ) ) and
698- not predvar . ( DataFlowExtension :: DataFlowVariable ) . prunedSuccessor ( defn . getVariable ( ) ) and
668+ not this . ( TaintTracking :: Configuration ) . isBarrierEdge ( srcnode , phi ) and
699669 srcnode .asVariable ( ) = predvar
700670 )
701671 }
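Review bot: The new conjunct `defn = phi.asVariable().getDefinition()` makes `taintedPhi` hold only when a `DataFlow::Node` wraps the phi variable, a requirement the old body did not have; if some phi definitions have no such node, flow through them is dropped silently. The edge barrier is now `isBarrierEdge(srcnode, phi)`, which `LegacyConfiguration` answers via `src.asVariable()`/`dest.asVariable()` (hunk at @@ -836); that matches the old `prunedSuccessor(defn.getVariable())` only if `phi.asVariable()` is `defn.getVariable()`, which the page does not show. A comment on the binding would help: `// phi: the data-flow node of defn's variable, so the Configuration can prune the pred -> phi edge`.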
@@ -791,6 +761,14 @@ class TaintTrackingImplementation extends string {
791761 )
792762 }
793763
764+ pragma [ noinline]
765+ predicate taintedWith ( TaintTrackingNode src , WithDefinition defn , TaintTrackingContext context , AttributePath path , TaintKind kind ) {
766+ exists ( DataFlow:: Node srcnode |
767+ src = TTaintTrackingNode_ ( srcnode , context , path , kind , this ) and
768+ with_flow ( _, srcnode .asCfgNode ( ) , defn .getDefiningNode ( ) )
769+ )
770+ }
771+
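Review bot: `taintedWith` propagates `kind` unchanged from the context-manager expression to the `as` target, i.e. it treats `__enter__` as returning the (still tainted) manager itself, and that modelling assumption is undocumented; the predicate has only the `pragma[noinline]` line above it. Suggested doc: `/** Holds if the `as` target `defn` of a `with` statement is tainted with `kind` because its context-manager expression is. Assumes `__enter__` returns the manager unchanged. */`. Whether `defn.getDefiningNode()` matches `getOptionalVars()` when the target is a tuple is outside the page; confirm with a test.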
794772 predicate moduleAttributeTainted ( ModuleValue m , string name , TaintTrackingNode taint ) {
795773 exists ( DataFlow:: Node srcnode , EssaVariable var |
796774 taint = TTaintTrackingNode_ ( srcnode , TNoParam ( ) , _, _, this ) and
@@ -803,6 +781,13 @@ class TaintTrackingImplementation extends string {
803781
804782}
805783
784+ /* Helper predicate for tainted_with */
785+ private predicate with_flow ( With with , ControlFlowNode contextManager , ControlFlowNode var ) {
786+ with .getContextExpr ( ) = contextManager .getNode ( ) and
787+ with .getOptionalVars ( ) = var .getNode ( ) and
788+ contextManager .strictlyDominates ( var )
789+ }
790+
806791/* Backwards compatibility with config-less taint-tracking */
807792private class LegacyConfiguration extends TaintTracking:: Configuration {
808793
@@ -811,20 +796,14 @@ private class LegacyConfiguration extends TaintTracking::Configuration {
811796 this = "Semmle: Internal legacy configuration"
812797 }
813798
814- override predicate isSource ( DataFlow :: Node source , TaintKind kind ) {
799+ override predicate isSource ( TaintSource src ) {
815800 isValid ( ) and
816- exists ( TaintSource src |
817- source .asCfgNode ( ) = src and
818- src .isSourceOf ( kind )
819- )
801+ src = src
820802 }
821803
822- override predicate isSink ( DataFlow :: Node sink , TaintKind kind ) {
804+ override predicate isSink ( TaintSink sink ) {
823805 isValid ( ) and
824- exists ( TaintSink snk |
825- sink .asCfgNode ( ) = snk and
826- snk .sinks ( kind )
827- )
806+ sink = sink
828807 }
829808
830809 override predicate isSanitizer ( Sanitizer sanitizer ) {
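Review bot: `src = src` and `sink = sink` are tautologies that only bind the parameter, so the legacy configuration now declares every `TaintSource` a source and every `TaintSink` a sink whenever `isValid()` holds; the old bodies additionally fixed `kind` through `isSourceOf`/`sinks`, which must now happen elsewhere. A one-line comment would stop the next reader from taking them for a bug: `// Every TaintSource is a source of the legacy configuration (the equality only binds src)`. If the compiler accepts it for a bound class-typed parameter, `any()` states the same intent more directly.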
@@ -836,6 +815,45 @@ private class LegacyConfiguration extends TaintTracking::Configuration {
836815 not exists ( TaintTracking:: Configuration config | config != this )
837816 }
838817
818+ override predicate isAdditionalFlowStep ( DataFlow:: Node src , DataFlow:: Node dest ) {
819+ isValid ( ) and
820+ exists ( DataFlowExtension:: DataFlowNode legacyExtension |
821+ src .asCfgNode ( ) = legacyExtension
822+ |
823+ dest .asCfgNode ( ) = legacyExtension .getASuccessorNode ( )
824+ or
825+ dest .asVariable ( ) = legacyExtension .getASuccessorVariable ( )
826+ or
827+ dest .asCfgNode ( ) = legacyExtension .getAReturnSuccessorNode ( _)
828+ or
829+ dest .asCfgNode ( ) = legacyExtension .getACalleeSuccessorNode ( _)
830+ )
831+ }
832+
833+ override predicate isAdditionalFlowStep ( DataFlow:: Node src , DataFlow:: Node dest , TaintKind srckind , TaintKind destkind ) {
834+ isValid ( ) and
835+ exists ( DataFlowExtension:: DataFlowNode legacyExtension |
836+ src .asCfgNode ( ) = legacyExtension
837+ |
838+ dest .asCfgNode ( ) = legacyExtension .getASuccessorNode ( srckind , destkind )
839+ )
840+ }
841+
842+ override predicate isBarrierEdge ( DataFlow:: Node src , DataFlow:: Node dest ) {
843+ isValid ( ) and
844+ (
845+ exists ( DataFlowExtension:: DataFlowVariable legacyExtension |
846+ src .asVariable ( ) = legacyExtension and
847+ legacyExtension .prunedSuccessor ( dest .asVariable ( ) )
848+ )
849+ or
850+ exists ( DataFlowExtension:: DataFlowNode legacyExtension |
851+ src .asCfgNode ( ) = legacyExtension and
852+ legacyExtension .prunedSuccessor ( dest .asCfgNode ( ) )
853+ )
854+ )
855+ }
856+
839857}
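Review bot: In the first `isAdditionalFlowStep` the wildcards in `getAReturnSuccessorNode(_)` and `getACalleeSuccessorNode(_)` discard the call-site/callee argument, so a legacy return edge defined for one call becomes a flow step regardless of which call is on the path; if the previous implementation used that argument for context matching, this can join flows across unrelated callers. The three new overrides carry no doc comments; a shared header would do: `/* Adapts legacy DataFlowExtension successor relations to Configuration flow steps and barrier edges; the call-site argument is dropped. */`. Whether the context-free form is intended should be confirmed against the tests for inter-procedural legacy extensions.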
840858
841859module Implementation {