Merge pull request github#17246 from michaelnebel/modelgendebug
C#/Java: Add some model generator summary debugging queries.
michaelnebel authored Aug 26, 2024
2 parents 4e3440a + 34d83a6 commit e81fdc9
Showing 8 changed files with 138 additions and 14 deletions.
@@ -0,0 +1,27 @@
/**
* @name Capture Summary Models Partial Path
* @description Capture Summary Models Partial Path
* @kind path-problem
* @precision low
* @id csharp/utils/modelgenerator/summary-models-partial-path
* @severity info
* @tags modelgenerator
*/

import csharp
import utils.modelgenerator.internal.CaptureModels
import PartialFlow::PartialPathGraph

int explorationLimit() { result = 3 }

module PartialFlow = PropagateFlow::FlowExplorationFwd<explorationLimit/0>;

from
PartialFlow::PartialPathNode source, PartialFlow::PartialPathNode sink,
DataFlowSummaryTargetApi api, DataFlow::ParameterNode p
where
PartialFlow::partialFlow(source, sink, _) and
p = source.getNode() and
p.asParameter() = api.getAParameter()
select sink.getNode(), source, sink, "There is flow from a $@ to $@.", source.getNode(),
"parameter", sink.getNode(), "intermediate value"
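Review bot: `explorationLimit()` is a public top-level predicate with a hard-coded `result = 3` and no comment, so a reader cannot tell that it bounds the partial-flow exploration or that the value is meant to be adjusted locally while debugging. I would declare it `private` and add a comment such as `/** Bounds how far partial flow is explored from a parameter; raise it locally when the path of interest is longer. */`. The `@description` also only repeats the `@name`; one sentence saying that the query shows partial flow starting at the parameters of a `DataFlowSummaryTargetApi` would be more useful. The Java partial-path query further down in this commit has the same two gaps.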
@@ -0,0 +1,24 @@
/**
* @name Capture Summary Models Path
* @description Capture Summary Models Path
* @kind path-problem
* @precision low
* @id csharp/utils/modelgenerator/summary-models-path
* @severity warning
* @tags modelgenerator
*/

import csharp
import utils.modelgenerator.internal.CaptureModels
import PropagateFlow::PathGraph

from
PropagateFlow::PathNode source, PropagateFlow::PathNode sink, DataFlowSummaryTargetApi api,
DataFlow::Node p, DataFlow::Node returnNodeExt
where
PropagateFlow::flowPath(source, sink) and
p = source.getNode() and
returnNodeExt = sink.getNode() and
exists(captureThroughFlow0(api, p, returnNodeExt))
select sink.getNode(), source, sink, "There is flow from $@ to the $@.", source.getNode(),
"parameter", sink.getNode(), "return value"
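Review bot: `p` and `returnNodeExt` are declared as plain `DataFlow::Node` in the `from` clause, while `captureThroughFlow0` takes a `DataFlow::ParameterNode` and a `ReturnNodeExt`, so the narrowing to those types happens silently inside `exists(captureThroughFlow0(api, p, returnNodeExt))`. Declaring `DataFlow::ParameterNode p`, or adding a comment like `// captureThroughFlow0 keeps only paths from a parameter of api to one of its return nodes`, would make that filter visible to whoever reads the results. This query is also tagged `@severity warning` while the partial-path query uses `@severity info`; if both are purely debugging aids, the two should probably agree. The Java `CaptureSummaryModelsPath.ql` in this commit has the same shape.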
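--- a/csharp/ql/src/utils/modelgenerator/debug/README.md
+++ b/csharp/ql/src/utils/modelgenerator/debug/README.md
@@ -0,0 +1 @@
+The queries in this directory are purely used for model generator debugging purposes in VS Code.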
23 changes: 16 additions & 7 deletions csharp/ql/src/utils/modelgenerator/internal/CaptureModels.qll
@@ -194,14 +194,13 @@ module PropagateFlowConfig implements DataFlow::StateConfigSig {
}
}

private module PropagateFlow = TaintTracking::GlobalWithState<PropagateFlowConfig>;
module PropagateFlow = TaintTracking::GlobalWithState<PropagateFlowConfig>;

/**
* Gets the summary model(s) of `api`, if there is flow from parameters to return value or parameter.
*/
string captureThroughFlow(DataFlowSummaryTargetApi api) {
exists(DataFlow::ParameterNode p, ReturnNodeExt returnNodeExt, string input, string output |
PropagateFlow::flow(p, returnNodeExt) and
string captureThroughFlow0(
DataFlowSummaryTargetApi api, DataFlow::ParameterNode p, ReturnNodeExt returnNodeExt
) {
exists(string input, string output |
p.getEnclosingCallable() = api and
returnNodeExt.(DataFlow::Node).getEnclosingCallable() = api and
input = parameterNodeAsInput(p) and
output = returnNodeExt.getOutput() and
@@ -210,6 +209,16 @@ string captureThroughFlow(DataFlowSummaryTargetApi api) {
)
}

/**
* Gets the summary model(s) of `api`, if there is flow from parameters to return value or parameter.
*/
string captureThroughFlow(DataFlowSummaryTargetApi api) {
exists(DataFlow::ParameterNode p, ReturnNodeExt returnNodeExt |
PropagateFlow::flow(p, returnNodeExt) and
result = captureThroughFlow0(api, p, returnNodeExt)
)
}

/**
* A dataflow configuration used for finding new sources.
* The sources are the already known existing sources and the sinks are the API return nodes.
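Review bot: `captureThroughFlow0` is introduced as a public predicate without QLDoc, and as far as the visible lines show it no longer requires `PropagateFlow::flow(p, returnNodeExt)` itself; that check now lives only in `captureThroughFlow`. A caller that uses the helper without first establishing flow could get a summary model for a parameter/return pair with no actual flow between them, so the contract should be written down, for example `/** Gets the summary model of api for the pair (p, returnNodeExt); does not itself check that flow exists between them. */`. Dropping `private` from `PropagateFlow` also widens what this internal library exposes, presumably only for the new debug queries, and a one-line QLDoc saying so would help. Part of the body of `captureThroughFlow0` is collapsed on this page, and the same change is repeated in the Java `CaptureModels.qll`.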
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
/**
* @name Capture Summary Models Partial Path
* @description Capture Summary Models Partial Path
* @kind path-problem
* @precision low
* @id java/utils/modelgenerator/summary-models-partial-path
* @severity info
* @tags modelgenerator
*/

import java
import semmle.code.java.dataflow.DataFlow
import utils.modelgenerator.internal.CaptureModels
import PartialFlow::PartialPathGraph

int explorationLimit() { result = 3 }

module PartialFlow = PropagateFlow::FlowExplorationFwd<explorationLimit/0>;

from
PartialFlow::PartialPathNode source, PartialFlow::PartialPathNode sink,
DataFlowSummaryTargetApi api, DataFlow::ParameterNode p
where
PartialFlow::partialFlow(source, sink, _) and
p = source.getNode() and
p.asParameter() = api.getAParameter()
select sink.getNode(), source, sink, "There is flow from a $@ to $@.", source.getNode(),
"parameter", sink.getNode(), "intermediate value"
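--- a/java/ql/src/utils/modelgenerator/debug/CaptureSummaryModelsPath.ql
+++ b/java/ql/src/utils/modelgenerator/debug/CaptureSummaryModelsPath.ql
@@ -0,0 +1,25 @@
+/**
+* @name Capture Summary Models Path
+* @description Capture Summary Models Path
+* @kind path-problem
+* @precision low
+* @id java/utils/modelgenerator/summary-models-path
+* @severity warning
+* @tags modelgenerator
+*/
+
+import java
+import semmle.code.java.dataflow.DataFlow
+import utils.modelgenerator.internal.CaptureModels
+import PropagateFlow::PathGraph
+
+from
+PropagateFlow::PathNode source, PropagateFlow::PathNode sink, DataFlowSummaryTargetApi api,
+DataFlow::Node p, DataFlow::Node returnNodeExt
+where
+PropagateFlow::flowPath(source, sink) and
+p = source.getNode() and
+returnNodeExt = sink.getNode() and
+exists(captureThroughFlow0(api, p, returnNodeExt))
+select sink.getNode(), source, sink, "There is flow from $@ to the $@.", source.getNode(),
+"parameter", sink.getNode(), "return value"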
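--- a/java/ql/src/utils/modelgenerator/debug/README.md
+++ b/java/ql/src/utils/modelgenerator/debug/README.md
@@ -0,0 +1 @@
+The queries in this directory are purely used for model generator debugging purposes in VS Code.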
23 changes: 16 additions & 7 deletions java/ql/src/utils/modelgenerator/internal/CaptureModels.qll
@@ -194,14 +194,13 @@ module PropagateFlowConfig implements DataFlow::StateConfigSig {
}
}

private module PropagateFlow = TaintTracking::GlobalWithState<PropagateFlowConfig>;
module PropagateFlow = TaintTracking::GlobalWithState<PropagateFlowConfig>;

/**
* Gets the summary model(s) of `api`, if there is flow from parameters to return value or parameter.
*/
string captureThroughFlow(DataFlowSummaryTargetApi api) {
exists(DataFlow::ParameterNode p, ReturnNodeExt returnNodeExt, string input, string output |
PropagateFlow::flow(p, returnNodeExt) and
string captureThroughFlow0(
DataFlowSummaryTargetApi api, DataFlow::ParameterNode p, ReturnNodeExt returnNodeExt
) {
exists(string input, string output |
p.getEnclosingCallable() = api and
returnNodeExt.(DataFlow::Node).getEnclosingCallable() = api and
input = parameterNodeAsInput(p) and
output = returnNodeExt.getOutput() and
@@ -210,6 +209,16 @@ string captureThroughFlow(DataFlowSummaryTargetApi api) {
)
}

/**
* Gets the summary model(s) of `api`, if there is flow from parameters to return value or parameter.
*/
string captureThroughFlow(DataFlowSummaryTargetApi api) {
exists(DataFlow::ParameterNode p, ReturnNodeExt returnNodeExt |
PropagateFlow::flow(p, returnNodeExt) and
result = captureThroughFlow0(api, p, returnNodeExt)
)
}

/**
* A dataflow configuration used for finding new sources.
* The sources are the already known existing sources and the sinks are the API return nodes.
