Skip to content

Commit e81fdc9

Browse files
michaelnebelmichaelnebel
authored
Merge pull request #17246 from michaelnebel/modelgendebug
C#/Java: Add some model generator summary debugging queries.
2 parents 4e3440a + 34d83a6 commit e81fdc9

8 files changed

Lines changed: 138 additions & 14 deletions

File tree

csharp/ql/src/utils/modelgenerator/debug/CaptureSummaryModelsPartialPath.ql

Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,27 @@
1+
/**
2+
* @name Capture Summary Models Partial Path
3+
* @description Capture Summary Models Partial Path
4+
* @kind path-problem
5+
* @precision low
6+
* @id csharp/utils/modelgenerator/summary-models-partial-path
7+
* @severity info
8+
* @tags modelgenerator
9+
*/
10+
11+
import csharp
12+
import utils.modelgenerator.internal.CaptureModels
13+
import PartialFlow::PartialPathGraph
14+
15+
int explorationLimit() { result = 3 }
16+
17+
module PartialFlow = PropagateFlow::FlowExplorationFwd<explorationLimit/0>;
18+
19+
from
20+
PartialFlow::PartialPathNode source, PartialFlow::PartialPathNode sink,
21+
DataFlowSummaryTargetApi api, DataFlow::ParameterNode p
22+
where
23+
PartialFlow::partialFlow(source, sink, _) and
24+
p = source.getNode() and
25+
p.asParameter() = api.getAParameter()
26+
select sink.getNode(), source, sink, "There is flow from a $@ to $@.", source.getNode(),
27+
"parameter", sink.getNode(), "intermediate value"

csharp/ql/src/utils/modelgenerator/debug/CaptureSummaryModelsPath.ql

Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,24 @@
1+
/**
2+
* @name Capture Summary Models Path
3+
* @description Capture Summary Models Path
4+
* @kind path-problem
5+
* @precision low
6+
* @id csharp/utils/modelgenerator/summary-models-path
7+
* @severity warning
8+
* @tags modelgenerator
9+
*/
10+
11+
import csharp
12+
import utils.modelgenerator.internal.CaptureModels
13+
import PropagateFlow::PathGraph
14+
15+
from
16+
PropagateFlow::PathNode source, PropagateFlow::PathNode sink, DataFlowSummaryTargetApi api,
17+
DataFlow::Node p, DataFlow::Node returnNodeExt
18+
where
19+
PropagateFlow::flowPath(source, sink) and
20+
p = source.getNode() and
21+
returnNodeExt = sink.getNode() and
22+
exists(captureThroughFlow0(api, p, returnNodeExt))
23+
select sink.getNode(), source, sink, "There is flow from $@ to the $@.", source.getNode(),
24+
"parameter", sink.getNode(), "return value"

csharp/ql/src/utils/modelgenerator/debug/README.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
The queries in this directory are purely used for model generator debugging purposes in VS Code.

csharp/ql/src/utils/modelgenerator/internal/CaptureModels.qll

Lines changed: 16 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -194,14 +194,13 @@ module PropagateFlowConfig implements DataFlow::StateConfigSig {
194194
}
195195
}
196196

197-
private module PropagateFlow = TaintTracking::GlobalWithState<PropagateFlowConfig>;
197+
module PropagateFlow = TaintTracking::GlobalWithState<PropagateFlowConfig>;
198198

199-
/**
200-
* Gets the summary model(s) of `api`, if there is flow from parameters to return value or parameter.
201-
*/
202-
string captureThroughFlow(DataFlowSummaryTargetApi api) {
203-
exists(DataFlow::ParameterNode p, ReturnNodeExt returnNodeExt, string input, string output |
204-
PropagateFlow::flow(p, returnNodeExt) and
199+
string captureThroughFlow0(
200+
DataFlowSummaryTargetApi api, DataFlow::ParameterNode p, ReturnNodeExt returnNodeExt
201+
) {
202+
exists(string input, string output |
203+
p.getEnclosingCallable() = api and
205204
returnNodeExt.(DataFlow::Node).getEnclosingCallable() = api and
206205
input = parameterNodeAsInput(p) and
207206
output = returnNodeExt.getOutput() and
@@ -210,6 +209,16 @@ string captureThroughFlow(DataFlowSummaryTargetApi api) {
210209
)
211210
}
212211

212+
/**
213+
* Gets the summary model(s) of `api`, if there is flow from parameters to return value or parameter.
214+
*/
215+
string captureThroughFlow(DataFlowSummaryTargetApi api) {
216+
exists(DataFlow::ParameterNode p, ReturnNodeExt returnNodeExt |
217+
PropagateFlow::flow(p, returnNodeExt) and
218+
result = captureThroughFlow0(api, p, returnNodeExt)
219+
)
220+
}
221+
213222
/**
214223
* A dataflow configuration used for finding new sources.
215224
* The sources are the already known existing sources and the sinks are the API return nodes.

java/ql/src/utils/modelgenerator/debug/CaptureSummaryModelsPartialPath.ql

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,28 @@
1+
/**
2+
* @name Capture Summary Models Partial Path
3+
* @description Capture Summary Models Partial Path
4+
* @kind path-problem
5+
* @precision low
6+
* @id java/utils/modelgenerator/summary-models-partial-path
7+
* @severity info
8+
* @tags modelgenerator
9+
*/
10+
11+
import java
12+
import semmle.code.java.dataflow.DataFlow
13+
import utils.modelgenerator.internal.CaptureModels
14+
import PartialFlow::PartialPathGraph
15+
16+
int explorationLimit() { result = 3 }
17+
18+
module PartialFlow = PropagateFlow::FlowExplorationFwd<explorationLimit/0>;
19+
20+
from
21+
PartialFlow::PartialPathNode source, PartialFlow::PartialPathNode sink,
22+
DataFlowSummaryTargetApi api, DataFlow::ParameterNode p
23+
where
24+
PartialFlow::partialFlow(source, sink, _) and
25+
p = source.getNode() and
26+
p.asParameter() = api.getAParameter()
27+
select sink.getNode(), source, sink, "There is flow from a $@ to $@.", source.getNode(),
28+
"parameter", sink.getNode(), "intermediate value"

java/ql/src/utils/modelgenerator/debug/CaptureSummaryModelsPath.ql

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,25 @@
1+
/**
2+
* @name Capture Summary Models Path
3+
* @description Capture Summary Models Path
4+
* @kind path-problem
5+
* @precision low
6+
* @id java/utils/modelgenerator/summary-models-path
7+
* @severity warning
8+
* @tags modelgenerator
9+
*/
10+
11+
import java
12+
import semmle.code.java.dataflow.DataFlow
13+
import utils.modelgenerator.internal.CaptureModels
14+
import PropagateFlow::PathGraph
15+
16+
from
17+
PropagateFlow::PathNode source, PropagateFlow::PathNode sink, DataFlowSummaryTargetApi api,
18+
DataFlow::Node p, DataFlow::Node returnNodeExt
19+
where
20+
PropagateFlow::flowPath(source, sink) and
21+
p = source.getNode() and
22+
returnNodeExt = sink.getNode() and
23+
exists(captureThroughFlow0(api, p, returnNodeExt))
24+
select sink.getNode(), source, sink, "There is flow from $@ to the $@.", source.getNode(),
25+
"parameter", sink.getNode(), "return value"

java/ql/src/utils/modelgenerator/debug/README.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
The queries in this directory are purely used for model generator debugging purposes in VS Code.

java/ql/src/utils/modelgenerator/internal/CaptureModels.qll

Lines changed: 16 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -194,14 +194,13 @@ module PropagateFlowConfig implements DataFlow::StateConfigSig {
194194
}
195195
}
196196

197-
private module PropagateFlow = TaintTracking::GlobalWithState<PropagateFlowConfig>;
197+
module PropagateFlow = TaintTracking::GlobalWithState<PropagateFlowConfig>;
198198

199-
/**
200-
* Gets the summary model(s) of `api`, if there is flow from parameters to return value or parameter.
201-
*/
202-
string captureThroughFlow(DataFlowSummaryTargetApi api) {
203-
exists(DataFlow::ParameterNode p, ReturnNodeExt returnNodeExt, string input, string output |
204-
PropagateFlow::flow(p, returnNodeExt) and
199+
string captureThroughFlow0(
200+
DataFlowSummaryTargetApi api, DataFlow::ParameterNode p, ReturnNodeExt returnNodeExt
201+
) {
202+
exists(string input, string output |
203+
p.getEnclosingCallable() = api and
205204
returnNodeExt.(DataFlow::Node).getEnclosingCallable() = api and
206205
input = parameterNodeAsInput(p) and
207206
output = returnNodeExt.getOutput() and
@@ -210,6 +209,16 @@ string captureThroughFlow(DataFlowSummaryTargetApi api) {
210209
)
211210
}
212211

212+
/**
213+
* Gets the summary model(s) of `api`, if there is flow from parameters to return value or parameter.
214+
*/
215+
string captureThroughFlow(DataFlowSummaryTargetApi api) {
216+
exists(DataFlow::ParameterNode p, ReturnNodeExt returnNodeExt |
217+
PropagateFlow::flow(p, returnNodeExt) and
218+
result = captureThroughFlow0(api, p, returnNodeExt)
219+
)
220+
}
221+
213222
/**
214223
* A dataflow configuration used for finding new sources.
215224
* The sources are the already known existing sources and the sinks are the API return nodes.

0 commit comments

Comments
 (0)