Move SsaWithFields to the Ssa file and rework it for public use

Sauyon Lee · Sauyon Lee · commit 1092fe58709f · 2019-11-20T11:20:55.000-08:00
Also use it in OpenRedirect
diff --git a/ql/src/semmle/go/dataflow/SSA.qll b/ql/src/semmle/go/dataflow/SSA.qll
@@ -288,3 +288,97 @@ class SsaPhiNode extends SsaPseudoDefinition, TPhi {
     getBasicBlock().hasLocationInfo(filepath, startline, startcolumn, _, _)
   }
 }
+
+/**
+ * An SSA variable, possibly with a chain of field reads on it.
+ */
+private newtype TSsaWithFields =
+  TRoot(SsaVariable v) or
+  TStep(SsaWithFields base, Field f) { exists(accessPathAux(base, f)) }
+
+/**
+ * Gets a representation of `nd` as an ssa-with-fields value if there is one.
+ */
+private TSsaWithFields accessPath(IR::Instruction insn) {
+  exists(SsaVariable v | insn = v.getAUse() | result = TRoot(v))
+  or
+  exists(SsaWithFields base, Field f | insn = accessPathAux(base, f) | result = TStep(base, f))
+}
+
+/**
+ * Gets a data-flow node that reads a field `f` from a node that is represented
+ * by ssa-with-fields value `base`.
+ */
+private IR::Instruction accessPathAux(TSsaWithFields base, Field f) {
+  exists(IR::FieldReadInstruction fr | fr = result |
+    base = accessPath(fr.getBase()) and
+    f = fr.getField()
+  )
+}
+
+abstract class SsaWithFields extends TSsaWithFields {
+  /**
+   * Gets the SSA variable corresponding to the base of this SSA variable with fields.
+   *
+   * For example, the SSA variable corresponding to `a` for the SSA variable with fields
+   * corresponding to `a.b`.
+   */
+  abstract SsaVariable getBaseVariable();
+
+  /** Gets the type of this SSA variable with fields. */
+  abstract Type getType();
+
+  /** Gets a use in basic block `bb` that refers to this SSA variable with fields. */
+  abstract IR::Instruction getAUseIn(ReachableBasicBlock bb);
+
+  /** Gets a use that refers to this SSA variable with fields. */
+  IR::Instruction getAUse() { result = this.getAUseIn(_) }
+
+  /** Gets a textual representation of this element. */
+  abstract string toString();
+
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
+   */
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    this.getBaseVariable().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
+  }
+}
+
+private class SsaWithFieldsRoot extends SsaWithFields, TRoot {
+  SsaVariable self;
+
+  SsaWithFieldsRoot() { this = TRoot(self) }
+
+  override SsaVariable getBaseVariable() { result = self }
+
+  override Type getType() { result = self.getType() }
+
+  override IR::Instruction getAUseIn(ReachableBasicBlock bb) { result = self.getAUseIn(bb) }
+
+  override string toString() { result = "(" + self.toString() + ")" }
+}
+
+private class SsaWithFieldsStep extends SsaWithFields, TStep {
+  SsaWithFields base;
+  Field f;
+
+  SsaWithFieldsStep() { this = TStep(base, f) }
+
+  override SsaVariable getBaseVariable() { result = base.getBaseVariable() }
+
+  override Type getType() { result = f.getType() }
+
+  override IR::FieldReadInstruction getAUseIn(ReachableBasicBlock bb) {
+    result.getBase() = base.getAUseIn(bb) and
+    result.getField() = f
+  }
+
+  override string toString() { result = base.toString() + "." + f.getName() }
+}
diff --git a/ql/src/semmle/go/dataflow/internal/DataFlowUtil.qll b/ql/src/semmle/go/dataflow/internal/DataFlowUtil.qll
@@ -733,33 +733,6 @@ predicate localFlowStep(Node nodeFrom, Node nodeTo) {
  */
 predicate localFlow(Node source, Node sink) { localFlowStep*(source, sink) }
 
-/**
- * An SSA variable, possibly with a chain of field reads on it.
- */
-private newtype SsaWithFields =
-  Root(SsaVariable v) or
-  Step(SsaWithFields base, Field f) { exists(accessPathAux(base, f)) }
-
-/**
- * Gets a representation of `nd` as an ssa-with-fields value if there is one.
- */
-private SsaWithFields accessPath(Node nd) {
-  exists(SsaVariable v | nd.asInstruction() = v.getAUse() | result = Root(v))
-  or
-  exists(SsaWithFields base, Field f | nd = accessPathAux(base, f) | result = Step(base, f))
-}
-
-/**
- * Gets a data-flow node that reads a field `f` from a node that is represented
- * by ssa-with-fields value `base`.
- */
-private Node accessPathAux(SsaWithFields base, Field f) {
-  exists(IR::FieldReadInstruction fr | fr = result.asInstruction() |
-    base = accessPath(instructionNode(fr.getBase())) and
-    f = fr.getField()
-  )
-}
-
 /**
  * A guard that validates some expression.
  *
@@ -776,8 +749,10 @@ abstract class BarrierGuard extends Node {
   /** Gets a node guarded by this guard. */
   final Node getAGuardedNode() {
     exists(ControlFlow::ConditionGuardNode guard, Node nd |
-      guards(guard, nd, accessPath(result)) and
-      guard.dominates(result.asInstruction().getBasicBlock())
+      exists(SsaWithFields var | result.asInstruction() = var.getAUse() |
+        guards(guard, nd, var) and
+        guard.dominates(result.asInstruction().getBasicBlock())
+      )
     )
   }
 
@@ -789,8 +764,7 @@ abstract class BarrierGuard extends Node {
    */
   pragma[noinline]
   private predicate guards(ControlFlow::ConditionGuardNode guard, Node nd, SsaWithFields ap) {
-    guards(guard, nd) and
-    ap = accessPath(nd)
+    guards(guard, nd) and nd.asInstruction() = ap.getAUse()
   }
 
   /**
diff --git a/ql/src/semmle/go/security/OpenUrlRedirectCustomizations.qll b/ql/src/semmle/go/security/OpenUrlRedirectCustomizations.qll
@@ -50,17 +50,6 @@ module OpenUrlRedirect {
     }
   }
 
-  /**
-   * Holds if `a` and `b` read the same variable, field, or method.
-   */
-  predicate readsSameEntity(Read a, Read b) {
-    exists(DataFlow::Node aBase, DataFlow::Node bBase | readsSameEntity(aBase, bBase) |
-      exists(Field f | a.readsField(aBase, f) | b.readsField(bBase, f))
-      or
-      exists(Method m | a.readsMethod(aBase, m) | b.readsMethod(bBase, m))
-    )
-  }
-
   /**
    * An access to a variable that is preceded by an assignment to its `Path` field.
    *
@@ -69,10 +58,11 @@ module OpenUrlRedirect {
    */
   class PathAssignmentBarrier extends Barrier, Read {
     PathAssignmentBarrier() {
-      exists(Write w, Field f, Read writeBase, ValueEntity v |
+      exists(Write w, Field f, Read writeBase, SsaWithFields var |
         f.getName() = "Path" and
         hasHostnameSanitizingSubstring(w.getRhs()) and
-        readsSameEntity(this, writeBase)
+        this.asInstruction() = var.getAUse() and
+        writeBase.asInstruction() = var.getAUse()
       |
         w.writesField(writeBase, f, _) and
         w.getBasicBlock().(ReachableBasicBlock).dominates(this.asInstruction().getBasicBlock()) and
