temp2

Author: hvitved

csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql

@@ -16,6 +16,8 @@ import csharp
 import semmle.code.csharp.security.dataflow.HardcodedCredentialsQuery
 import HardcodedCredentials::PathGraph
 
+predicate stats = HardcodedCredentials::stageStats/10;
+
 from
   Source source, Sink sink, HardcodedCredentials::PathNode sourcePath,
   HardcodedCredentials::PathNode sinkPath, string value

shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll

@@ -3430,6 +3430,27 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
       private module StoreReadMatchingInput implements StoreReadMatchingInputSig {
         class NodeEx = NodeExAlias;
 
+        predicate nodeRange(NodeEx node, boolean fromArg) {
+          exists(PrevStage::Ap ap |
+            PrevStage::revFlowAp(node, ap) and
+            (
+              ap = true
+              or
+              PrevStage::storeStepCand(node, ap, _, _, _, _)
+              or
+              PrevStage::readStepCand(_, _, node)
+            )
+          |
+            exists(PrevStage::Cc cc | PrevStage::fwdFlow(node, _, cc, _, _, _, _, ap, _) |
+              PrevStage::instanceofCcCall(cc) and
+              fromArg = true
+              or
+              PrevStage::instanceofCcNoCall(cc) and
+              fromArg = false
+            )
+          )
+        }
+
         predicate localValueStep(NodeEx node1, NodeEx node2) {
           exists(FlowState state, PrevStage::ApOption returnAp |
             PrevStage::revFlow(node1, pragma[only_bind_into](state), _,
@@ -3442,12 +3463,23 @@ module MakeImpl<LocationSig Location, InputSig<Location> Lang> {
 
         predicate jumpValueStep = jumpStepEx/2;
 
+        pragma[nomagic]
+        private predicate flowThroughOutOfCall(RetNodeEx ret, NodeEx out) {
+          exists(DataFlowCall call, CcCall ccc, ReturnKindExt kind |
+            PrevStage::callEdgeReturn(call, _, ret, kind, out, true, true) and
+            PrevStage::callMayFlowThroughRev(call) and
+            PrevStage::returnMayFlowThrough(ret, true, true, kind) and
+            matchesCall(ccc, call)
+          )
+        }
+
         predicate callEdgeArgParam(NodeEx arg, NodeEx param) {
-          PrevStage::callEdgeArgParam(_, _, arg, param, true, _)
+          PrevStage::callEdgeArgParam(_, _, arg, param, true, true)
         }
 
-        predicate callEdgeReturn(NodeEx ret, NodeEx out) {
-          PrevStage::callEdgeReturn(_, _, ret, _, out, true, _)
+        predicate callEdgeReturn(NodeEx ret, NodeEx out, boolean mayFlowThrough) {
+          PrevStage::callEdgeReturn(_, _, ret, _, out, true, true) and
+          if flowThroughOutOfCall(ret, out) then mayFlowThrough = true else mayFlowThrough = false
         }
 
         predicate readContentStep = PrevStage::readStepCand/3;

shared/dataflow/codeql/dataflow/internal/DataFlowImplCommon.qll

@@ -2358,13 +2358,15 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
       string toString();
     }
 
+    predicate nodeRange(NodeEx node, boolean fromArg);
+
     predicate localValueStep(NodeEx node1, NodeEx node2);
 
     predicate jumpValueStep(NodeEx node1, NodeEx node2);
 
     predicate callEdgeArgParam(NodeEx arg, NodeEx param);
 
-    predicate callEdgeReturn(NodeEx ret, NodeEx out);
+    predicate callEdgeReturn(NodeEx ret, NodeEx out, boolean mayFlowThrough);
 
     predicate readContentStep(NodeEx node1, Content c, NodeEx node2);
 
@@ -2394,23 +2396,16 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
   module StoreReadMatching<StoreReadMatchingInputSig Input> {
     private import Input
 
-    pragma[nomagic]
-    private predicate valueStep(NodeEx node1, NodeEx node2) {
-      localValueStep(node1, node2)
-      or
-      jumpValueStep(node1, node2)
-      or
-      callEdgeArgParam(node1, node2)
-      or
-      callEdgeReturn(node1, node2)
-    }
-
     private signature module StoreReachesReadInputSig {
       int iteration();
 
-      predicate storeMayReachReadDelta(NodeEx storeSource, Content c, NodeEx readTarget);
+      predicate storeMayReachReadDelta(
+        NodeEx storeSource, Content c, NodeEx readTarget, boolean fromArg1, boolean fromArg2
+      );
 
-      predicate storeMayReachReadPrev(NodeEx storeSource, Content c, NodeEx readTarget);
+      predicate storeMayReachReadPrev(
+        NodeEx storeSource, Content c, NodeEx readTarget, boolean fromArg1, boolean fromArg2
+      );
     }
 
     private signature class UsesPrevDeltaInfoSig {
@@ -2428,13 +2423,15 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
       private predicate enabled() { accessPathConfigLimit() > Prev::iteration() }
 
       private newtype TNodeOrContent =
-        TNodeOrContentNode(NodeEx n, UsesPrevDeltaInfo usesPrevDelta) { enabled() } or
+        TNodeOrContentNode(NodeEx n, UsesPrevDeltaInfo usesPrevDelta, boolean fromArg) {
+          enabled() and nodeRange(n, fromArg)
+        } or
         TNodeOrContentStoreContent(Content c) { enabled() and storeContentStep(_, c, _) } or
         TNodeOrContentReadContent(Content c) { enabled() and readContentStep(_, c, _) }
 
       private class NodeOrContent extends TNodeOrContent {
-        NodeEx asNodeEx(UsesPrevDeltaInfo usesPrevDelta) {
-          this = TNodeOrContentNode(result, usesPrevDelta)
+        NodeEx asNodeEx(UsesPrevDeltaInfo usesPrevDelta, boolean fromArg) {
+          this = TNodeOrContentNode(result, usesPrevDelta, fromArg)
         }
 
         Content asStoreContent() { this = TNodeOrContentStoreContent(result) }
@@ -2446,41 +2443,68 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
           or
           result = this.asReadContent().toString()
           or
-          result = this.asNodeEx(_).toString()
+          result = this.asNodeEx(_, _).toString()
         }
       }
 
+      bindingset[usesPrevDelta]
+      pragma[inline_late]
+      private predicate usesPrevDelta(UsesPrevDeltaInfo usesPrevDelta, boolean b) {
+        usesPrevDelta.toBoolean() = b
+      }
+
+      pragma[nomagic]
+      private predicate stepNode(
+        NodeOrContent node1, NodeEx n2, UsesPrevDeltaInfo usesPrevDelta1,
+        UsesPrevDeltaInfo usesPrevDelta2, Boolean fromArg1, Boolean fromArg2
+      ) {
+        exists(NodeEx n1 | n1 = node1.asNodeEx(usesPrevDelta1, fromArg1) |
+          usesPrevDelta1 = usesPrevDelta2 and
+          (
+            localValueStep(n1, n2) and
+            fromArg1 = fromArg2
+            or
+            jumpValueStep(n1, n2) and
+            fromArg2 = false
+            or
+            callEdgeArgParam(n1, n2) and
+            fromArg2 = true
+            or
+            exists(boolean mayFlowThrough | callEdgeReturn(n1, n2, mayFlowThrough) |
+              fromArg1 = false or mayFlowThrough = true
+            )
+          )
+          or
+          Prev::storeMayReachReadDelta(n1, _, n2, fromArg1, fromArg2) and
+          usesPrevDelta(usesPrevDelta2, true)
+          or
+          Prev::storeMayReachReadPrev(n1, _, n2, fromArg1, fromArg2) and
+          usesPrevDelta1 = usesPrevDelta2
+        )
+      }
+
       pragma[nomagic]
       private predicate step(NodeOrContent node1, NodeOrContent node2) {
         exists(
-          NodeEx n1, NodeEx n2, UsesPrevDeltaInfo usesPrevDelta1, UsesPrevDeltaInfo usesPrevDelta2
+          NodeEx n2, UsesPrevDeltaInfo usesPrevDelta1, UsesPrevDeltaInfo usesPrevDelta2,
+          boolean fromArg1, boolean fromArg2
         |
-          n1 = node1.asNodeEx(usesPrevDelta1) and
-          n2 = node2.asNodeEx(usesPrevDelta2)
-        |
-          valueStep(n1, n2) and
-          pragma[only_bind_into](pragma[only_bind_out](usesPrevDelta2)) =
-            pragma[only_bind_into](pragma[only_bind_out](usesPrevDelta1))
-          or
-          Prev::storeMayReachReadDelta(n1, _, n2) and usesPrevDelta2.toBoolean() = true
-          or
-          Prev::storeMayReachReadPrev(n1, _, n2) and
-          pragma[only_bind_into](pragma[only_bind_out](usesPrevDelta2)) =
-            pragma[only_bind_into](pragma[only_bind_out](usesPrevDelta1))
+          n2 = node2.asNodeEx(usesPrevDelta2, fromArg2) and
+          stepNode(node1, n2, usesPrevDelta1, usesPrevDelta2, fromArg1, fromArg2)
         )
         or
         exists(NodeEx n2, Content c, UsesPrevDeltaInfo usesPrevDelta2 |
-          n2 = node2.asNodeEx(usesPrevDelta2) and
+          n2 = node2.asNodeEx(usesPrevDelta2, _) and
           c = node1.asStoreContent() and
           storeContentStep(_, c, n2) and
-          usesPrevDelta2.toBoolean() = false
+          usesPrevDelta(usesPrevDelta2, false)
         )
         or
         exists(NodeEx n1, Content c, UsesPrevDeltaInfo usesPrevDelta1 |
-          n1 = node1.asNodeEx(usesPrevDelta1) and
+          n1 = node1.asNodeEx(usesPrevDelta1, _) and
           c = node2.asReadContent() and
           readContentStep(n1, c, _) and
-          usesPrevDelta1.toBoolean() = true
+          usesPrevDelta(usesPrevDelta1, true)
         )
       }
 
@@ -2508,8 +2532,8 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
       private predicate isStoreTarget0(NodeOrContent node, Content c) {
         exists(UsesPrevDeltaInfo usesPrevDelta |
           contentIsReadAndStored(c) and
-          storeContentStep(_, c, node.asNodeEx(usesPrevDelta)) and
-          usesPrevDelta.toBoolean() = false
+          storeContentStep(_, c, node.asNodeEx(usesPrevDelta, _)) and
+          usesPrevDelta(usesPrevDelta, false)
         )
       }
 
@@ -2519,8 +2543,8 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
       private predicate isReadSource0(NodeOrContent node, Content c) {
         exists(UsesPrevDeltaInfo usesPrevDelta |
           contentIsReadAndStored(c) and
-          readContentStep(node.asNodeEx(usesPrevDelta), c, _) and
-          usesPrevDelta.toBoolean() = true
+          readContentStep(node.asNodeEx(usesPrevDelta, _), c, _) and
+          usesPrevDelta(usesPrevDelta, true)
         )
       }
 
@@ -2566,47 +2590,63 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
         doublyBoundedFastTC(step/2, isStoreTargetPruned/1, isReadSourcePruned/1)(node1, node2)
 
       pragma[nomagic]
-      private predicate storeMayReachReadDeltaJoinLeft(NodeEx node1, Content c, NodeOrContent node2) {
+      private predicate storeMayReachReadDeltaJoinLeft(
+        NodeEx node1, Content c, NodeOrContent node2, boolean fromArg
+      ) {
         exists(UsesPrevDeltaInfo usesPrevDelta |
-          storeMayReachARead(node2, c) and
-          storeContentStep(node1, c, node2.asNodeEx(usesPrevDelta)) and
-          usesPrevDelta.toBoolean() = false
+          storeMayReachARead(pragma[only_bind_into](node2), pragma[only_bind_into](c)) and
+          storeContentStep(node1, c, node2.asNodeEx(usesPrevDelta, fromArg)) and
+          usesPrevDelta(usesPrevDelta, false)
         )
       }
 
       pragma[nomagic]
-      private predicate storeMayReachReadDeltaJoinRight(NodeOrContent node1, Content c, NodeEx node2) {
+      private predicate storeMayReachReadDeltaJoinRight(
+        NodeOrContent node1, Content c, NodeEx node2, boolean fromArg
+      ) {
         exists(UsesPrevDeltaInfo usesPrevDelta |
-          aStoreMayReachRead(node1, c) and
-          readContentStep(node1.asNodeEx(usesPrevDelta), c, node2) and
-          usesPrevDelta.toBoolean() = true
+          aStoreMayReachRead(pragma[only_bind_into](node1), pragma[only_bind_into](c)) and
+          readContentStep(node1.asNodeEx(usesPrevDelta, fromArg), c, node2) and
+          usesPrevDelta(usesPrevDelta, true)
         )
       }
 
       pragma[nomagic]
-      predicate storeMayReachReadDelta(NodeEx storeSource, Content c, NodeEx readTarget) {
+      predicate storeMayReachReadDelta(
+        NodeEx storeSource, Content c, NodeEx readTarget, boolean fromArg1, boolean fromArg2
+      ) {
         exists(NodeOrContent storeTarget, NodeOrContent readSource |
           storeMayReachReadTc(storeTarget, readSource) and
-          storeMayReachReadDeltaJoinLeft(storeSource, c, storeTarget) and
-          storeMayReachReadDeltaJoinRight(readSource, c, readTarget)
+          storeMayReachReadDeltaJoinLeft(storeSource, c, storeTarget, fromArg1) and
+          storeMayReachReadDeltaJoinRight(readSource, c, readTarget, fromArg2)
         ) and
-        not Prev::storeMayReachReadPrev(storeSource, c, readTarget)
+        not Prev::storeMayReachReadPrev(storeSource, c, readTarget, fromArg1, fromArg2)
       }
 
       pragma[nomagic]
-      predicate storeMayReachReadPrev(NodeEx storeSource, Content c, NodeEx readTarget) {
-        Prev::storeMayReachReadPrev(storeSource, c, readTarget)
+      predicate storeMayReachReadPrev(
+        NodeEx storeSource, Content c, NodeEx readTarget, boolean fromArg1, boolean fromArg2
+      ) {
+        Prev::storeMayReachReadPrev(storeSource, c, readTarget, fromArg1, fromArg2)
         or
-        Prev::storeMayReachReadDelta(storeSource, c, readTarget)
+        Prev::storeMayReachReadDelta(storeSource, c, readTarget, fromArg1, fromArg2)
       }
     }
 
     module Iteration0 implements StoreReachesReadInputSig {
       int iteration() { result = 0 }
 
-      predicate storeMayReachReadDelta(NodeEx node1, Content c, NodeEx node2) { none() }
+      predicate storeMayReachReadDelta(
+        NodeEx node1, Content c, NodeEx node2, boolean fromArg1, boolean fromArg2
+      ) {
+        none()
+      }
 
-      predicate storeMayReachReadPrev(NodeEx node1, Content c, NodeEx node2) { none() }
+      predicate storeMayReachReadPrev(
+        NodeEx node1, Content c, NodeEx node2, boolean fromArg1, boolean fromArg2
+      ) {
+        none()
+      }
     }
 
     // in the first iteration there is no previous delta to use
@@ -2619,15 +2659,20 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
 
       import M
 
-      predicate storeMayReachReadDelta(NodeEx storeSource, Content c, NodeEx readTarget) {
-        M::storeMayReachReadDelta(storeSource, c, readTarget)
+      predicate storeMayReachReadDelta(
+        NodeEx storeSource, Content c, NodeEx readTarget, boolean fromArg1, boolean fromArg2
+      ) {
+        M::storeMayReachReadDelta(storeSource, c, readTarget, fromArg1, fromArg2)
         or
         // special case only needed for the first iteration: a store immediately followed by a read
         exists(NodeEx storeTargetReadSource |
           StoreReachesRead1::contentIsReadAndStored(c) and
           storeContentStep(storeSource, c, storeTargetReadSource) and
           readContentStep(storeTargetReadSource, c, readTarget)
-        )
+        ) and
+        nodeRange(storeSource, fromArg1) and
+        nodeRange(readTarget, fromArg2) and
+        fromArg1 = fromArg2
       }
     }
 
@@ -2650,9 +2695,9 @@ module MakeImplCommon<LocationSig Location, InputSig<Location> Lang> {
       StoreReachesRead<StoreReachesRead4, UsesPrevDeltaInfoBoolean>;
 
     predicate storeMayReachRead(NodeEx storeSource, Content c, NodeEx readTarget) {
-      StoreReachesRead5::storeMayReachReadDelta(storeSource, c, readTarget)
+      StoreReachesRead5::storeMayReachReadDelta(storeSource, c, readTarget, _, _)
       or
-      StoreReachesRead5::storeMayReachReadPrev(storeSource, c, readTarget)
+      StoreReachesRead5::storeMayReachReadPrev(storeSource, c, readTarget, _, _)
     }
   }
 }