Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dataflow: Add support for speculative taint flow. #17663

Merged
merged 15 commits into from
Oct 31, 2024
Merged

Dataflow: Add support for speculative taint flow. #17663

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
c80627a
Dataflow: add plumbing for adding provenance to state-steps.
aschackmull Sep 19, 2024
7d12329
Dataflow: Add speculative flow modules.
aschackmull Sep 19, 2024
8b99154
Java: Add support for speculative taint flow.
aschackmull Sep 24, 2024
6c6b606
Dataflow: Add consistency check.
aschackmull Oct 3, 2024
7b43100
C#: Add support for speculative taint flow.
aschackmull Oct 3, 2024
8eb0cb4
Ruby: Add tentative support for speculative taint flow.
aschackmull Oct 3, 2024
7497d95
Python: Add tentative support for speculative taint flow.
aschackmull Oct 3, 2024
635071f
Swift: Add tentative support for speculative taint flow.
aschackmull Oct 4, 2024
fae7175
Go: Add tentative support for speculative taint flow.
aschackmull Oct 4, 2024
4e8a4a5
C/C++: Add tentative support for speculative taint flow.
aschackmull Oct 4, 2024
9ca8a27
C/C++: Accept test changes.
aschackmull Oct 4, 2024
c20f12f
Add qldoc.
aschackmull Oct 16, 2024
42d35f8
Ruby: Exclude some cases that are unlikely library calls.
aschackmull Oct 16, 2024
4153a83
Python: Add workaround.
aschackmull Oct 16, 2024
570b042
Dataflow: Rename SpeculativeFlow to SpeculativeGlobal.
aschackmull Oct 30, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 7 additions & 3 deletions cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -261,13 +261,17 @@ deprecated private module Config implements FullStateConfigSig {
model = ""
}

predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
predicate isAdditionalFlowStep(
Node node1, FlowState state1, Node node2, FlowState state2, string model
) {
getConfig(state1).isAdditionalFlowStep(node1, getState(state1), node2, getState(state2)) and
getConfig(state2) = getConfig(state1)
getConfig(state2) = getConfig(state1) and
model = ""
or
not singleConfiguration() and
getConfig(state1).isAdditionalFlowStep(node1, node2) and
state2 = state1
state2 = state1 and
model = ""
}

predicate allowImplicitRead(Node node, ContentSet c) {
Expand Down
10 changes: 7 additions & 3 deletions cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -261,13 +261,17 @@ deprecated private module Config implements FullStateConfigSig {
model = ""
}

predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
predicate isAdditionalFlowStep(
Node node1, FlowState state1, Node node2, FlowState state2, string model
) {
getConfig(state1).isAdditionalFlowStep(node1, getState(state1), node2, getState(state2)) and
getConfig(state2) = getConfig(state1)
getConfig(state2) = getConfig(state1) and
model = ""
or
not singleConfiguration() and
getConfig(state1).isAdditionalFlowStep(node1, node2) and
state2 = state1
state2 = state1 and
model = ""
}

predicate allowImplicitRead(Node node, ContentSet c) {
Expand Down
10 changes: 7 additions & 3 deletions cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -261,13 +261,17 @@ deprecated private module Config implements FullStateConfigSig {
model = ""
}

predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
predicate isAdditionalFlowStep(
Node node1, FlowState state1, Node node2, FlowState state2, string model
) {
getConfig(state1).isAdditionalFlowStep(node1, getState(state1), node2, getState(state2)) and
getConfig(state2) = getConfig(state1)
getConfig(state2) = getConfig(state1) and
model = ""
or
not singleConfiguration() and
getConfig(state1).isAdditionalFlowStep(node1, node2) and
state2 = state1
state2 = state1 and
model = ""
}

predicate allowImplicitRead(Node node, ContentSet c) {
Expand Down
10 changes: 7 additions & 3 deletions cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -261,13 +261,17 @@ deprecated private module Config implements FullStateConfigSig {
model = ""
}

predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
predicate isAdditionalFlowStep(
Node node1, FlowState state1, Node node2, FlowState state2, string model
) {
getConfig(state1).isAdditionalFlowStep(node1, getState(state1), node2, getState(state2)) and
getConfig(state2) = getConfig(state1)
getConfig(state2) = getConfig(state1) and
model = ""
or
not singleConfiguration() and
getConfig(state1).isAdditionalFlowStep(node1, node2) and
state2 = state1
state2 = state1 and
model = ""
}

predicate allowImplicitRead(Node node, ContentSet c) {
Expand Down
10 changes: 7 additions & 3 deletions cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -261,13 +261,17 @@ deprecated private module Config implements FullStateConfigSig {
model = ""
}

predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
predicate isAdditionalFlowStep(
Node node1, FlowState state1, Node node2, FlowState state2, string model
) {
getConfig(state1).isAdditionalFlowStep(node1, getState(state1), node2, getState(state2)) and
getConfig(state2) = getConfig(state1)
getConfig(state2) = getConfig(state1) and
model = ""
or
not singleConfiguration() and
getConfig(state1).isAdditionalFlowStep(node1, node2) and
state2 = state1
state2 = state1 and
model = ""
}

predicate allowImplicitRead(Node node, ContentSet c) {
Expand Down
6 changes: 6 additions & 0 deletions cpp/ql/lib/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -281,3 +281,9 @@ private predicate exprToPartialDefinitionStep(Expr exprIn, Expr exprOut) {
}

private predicate iteratorDereference(Call c) { c.getTarget() instanceof IteratorReferenceFunction }

/**
* Holds if the additional step from `src` to `sink` should be considered in
* speculative taint flow exploration.
*/
predicate speculativeTaintStep(DataFlow::Node src, DataFlow::Node sink) { none() }
10 changes: 7 additions & 3 deletions cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl1.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -261,13 +261,17 @@ deprecated private module Config implements FullStateConfigSig {
model = ""
}

predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
predicate isAdditionalFlowStep(
Node node1, FlowState state1, Node node2, FlowState state2, string model
) {
getConfig(state1).isAdditionalFlowStep(node1, getState(state1), node2, getState(state2)) and
getConfig(state2) = getConfig(state1)
getConfig(state2) = getConfig(state1) and
model = ""
or
not singleConfiguration() and
getConfig(state1).isAdditionalFlowStep(node1, node2) and
state2 = state1
state2 = state1 and
model = ""
}

predicate allowImplicitRead(Node node, ContentSet c) {
Expand Down
10 changes: 7 additions & 3 deletions cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -261,13 +261,17 @@ deprecated private module Config implements FullStateConfigSig {
model = ""
}

predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
predicate isAdditionalFlowStep(
Node node1, FlowState state1, Node node2, FlowState state2, string model
) {
getConfig(state1).isAdditionalFlowStep(node1, getState(state1), node2, getState(state2)) and
getConfig(state2) = getConfig(state1)
getConfig(state2) = getConfig(state1) and
model = ""
or
not singleConfiguration() and
getConfig(state1).isAdditionalFlowStep(node1, node2) and
state2 = state1
state2 = state1 and
model = ""
}

predicate allowImplicitRead(Node node, ContentSet c) {
Expand Down
10 changes: 7 additions & 3 deletions cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -261,13 +261,17 @@ deprecated private module Config implements FullStateConfigSig {
model = ""
}

predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
predicate isAdditionalFlowStep(
Node node1, FlowState state1, Node node2, FlowState state2, string model
) {
getConfig(state1).isAdditionalFlowStep(node1, getState(state1), node2, getState(state2)) and
getConfig(state2) = getConfig(state1)
getConfig(state2) = getConfig(state1) and
model = ""
or
not singleConfiguration() and
getConfig(state1).isAdditionalFlowStep(node1, node2) and
state2 = state1
state2 = state1 and
model = ""
}

predicate allowImplicitRead(Node node, ContentSet c) {
Expand Down
10 changes: 7 additions & 3 deletions cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -261,13 +261,17 @@ deprecated private module Config implements FullStateConfigSig {
model = ""
}

predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
predicate isAdditionalFlowStep(
Node node1, FlowState state1, Node node2, FlowState state2, string model
) {
getConfig(state1).isAdditionalFlowStep(node1, getState(state1), node2, getState(state2)) and
getConfig(state2) = getConfig(state1)
getConfig(state2) = getConfig(state1) and
model = ""
or
not singleConfiguration() and
getConfig(state1).isAdditionalFlowStep(node1, node2) and
state2 = state1
state2 = state1 and
model = ""
}

predicate allowImplicitRead(Node node, ContentSet c) {
Expand Down
27 changes: 27 additions & 0 deletions cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -212,3 +212,30 @@ predicate modeledTaintStep(DataFlow::Node nodeIn, DataFlow::Node nodeOut, string
nodeOut = callOutput(call, modelOut)
)
}

import SpeculativeTaintFlow

private module SpeculativeTaintFlow {
private import semmle.code.cpp.ir.dataflow.internal.DataFlowDispatch as DataFlowDispatch
private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate as DataFlowPrivate

/**
* Holds if the additional step from `src` to `sink` should be considered in
* speculative taint flow exploration.
*/
predicate speculativeTaintStep(DataFlow::Node src, DataFlow::Node sink) {
exists(DataFlowCall call, ArgumentPosition argpos |
// TODO: exclude neutrals and anything that has QL modeling.
not exists(DataFlowDispatch::viableCallable(call)) and
src.(DataFlowPrivate::ArgumentNode).argumentOf(call, argpos)
|
not argpos.(DirectPosition).getIndex() = -1 and
sink.(PostUpdateNode)
.getPreUpdateNode()
.(DataFlowPrivate::ArgumentNode)
.argumentOf(call, any(DirectPosition qualpos | qualpos.getIndex() = -1))
or
sink.(DataFlowPrivate::OutNode).getCall() = call
)
}
}
1 change: 1 addition & 0 deletions cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -186,3 +186,4 @@ identityLocalStep
missingArgumentCall
multipleArgumentCall
lambdaCallEnclosingCallableMismatch
speculativeStepAlreadyHasModel
1 change: 1 addition & 0 deletions cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,3 +38,4 @@ identityLocalStep
missingArgumentCall
multipleArgumentCall
lambdaCallEnclosingCallableMismatch
speculativeStepAlreadyHasModel
1 change: 1 addition & 0 deletions cpp/ql/test/library-tests/dataflow/fields/dataflow-consistency.expected
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -195,3 +195,4 @@ identityLocalStep
missingArgumentCall
multipleArgumentCall
lambdaCallEnclosingCallableMismatch
speculativeStepAlreadyHasModel
1 change: 1 addition & 0 deletions cpp/ql/test/library-tests/dataflow/fields/dataflow-ir-consistency.expected
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,3 +28,4 @@ identityLocalStep
missingArgumentCall
multipleArgumentCall
lambdaCallEnclosingCallableMismatch
speculativeStepAlreadyHasModel
1 change: 1 addition & 0 deletions cpp/ql/test/library-tests/syntax-zoo/dataflow-consistency.expected
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -100,3 +100,4 @@ identityLocalStep
missingArgumentCall
multipleArgumentCall
lambdaCallEnclosingCallableMismatch
speculativeStepAlreadyHasModel
1 change: 1 addition & 0 deletions cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,3 +37,4 @@ identityLocalStep
missingArgumentCall
multipleArgumentCall
lambdaCallEnclosingCallableMismatch
speculativeStepAlreadyHasModel
10 changes: 7 additions & 3 deletions csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl1.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -261,13 +261,17 @@ deprecated private module Config implements FullStateConfigSig {
model = ""
}

predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
predicate isAdditionalFlowStep(
Node node1, FlowState state1, Node node2, FlowState state2, string model
) {
getConfig(state1).isAdditionalFlowStep(node1, getState(state1), node2, getState(state2)) and
getConfig(state2) = getConfig(state1)
getConfig(state2) = getConfig(state1) and
model = ""
or
not singleConfiguration() and
getConfig(state1).isAdditionalFlowStep(node1, node2) and
state2 = state1
state2 = state1 and
model = ""
}

predicate allowImplicitRead(Node node, ContentSet c) {
Expand Down
10 changes: 7 additions & 3 deletions csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -261,13 +261,17 @@ deprecated private module Config implements FullStateConfigSig {
model = ""
}

predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
predicate isAdditionalFlowStep(
Node node1, FlowState state1, Node node2, FlowState state2, string model
) {
getConfig(state1).isAdditionalFlowStep(node1, getState(state1), node2, getState(state2)) and
getConfig(state2) = getConfig(state1)
getConfig(state2) = getConfig(state1) and
model = ""
or
not singleConfiguration() and
getConfig(state1).isAdditionalFlowStep(node1, node2) and
state2 = state1
state2 = state1 and
model = ""
}

predicate allowImplicitRead(Node node, ContentSet c) {
Expand Down
10 changes: 7 additions & 3 deletions csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -261,13 +261,17 @@ deprecated private module Config implements FullStateConfigSig {
model = ""
}

predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
predicate isAdditionalFlowStep(
Node node1, FlowState state1, Node node2, FlowState state2, string model
) {
getConfig(state1).isAdditionalFlowStep(node1, getState(state1), node2, getState(state2)) and
getConfig(state2) = getConfig(state1)
getConfig(state2) = getConfig(state1) and
model = ""
or
not singleConfiguration() and
getConfig(state1).isAdditionalFlowStep(node1, node2) and
state2 = state1
state2 = state1 and
model = ""
}

predicate allowImplicitRead(Node node, ContentSet c) {
Expand Down
10 changes: 7 additions & 3 deletions csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -261,13 +261,17 @@ deprecated private module Config implements FullStateConfigSig {
model = ""
}

predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
predicate isAdditionalFlowStep(
Node node1, FlowState state1, Node node2, FlowState state2, string model
) {
getConfig(state1).isAdditionalFlowStep(node1, getState(state1), node2, getState(state2)) and
getConfig(state2) = getConfig(state1)
getConfig(state2) = getConfig(state1) and
model = ""
or
not singleConfiguration() and
getConfig(state1).isAdditionalFlowStep(node1, node2) and
state2 = state1
state2 = state1 and
model = ""
}

predicate allowImplicitRead(Node node, ContentSet c) {
Expand Down
10 changes: 7 additions & 3 deletions csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -261,13 +261,17 @@ deprecated private module Config implements FullStateConfigSig {
model = ""
}

predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
predicate isAdditionalFlowStep(
Node node1, FlowState state1, Node node2, FlowState state2, string model
) {
getConfig(state1).isAdditionalFlowStep(node1, getState(state1), node2, getState(state2)) and
getConfig(state2) = getConfig(state1)
getConfig(state2) = getConfig(state1) and
model = ""
or
not singleConfiguration() and
getConfig(state1).isAdditionalFlowStep(node1, node2) and
state2 = state1
state2 = state1 and
model = ""
}

predicate allowImplicitRead(Node node, ContentSet c) {
Expand Down
Loading
Loading