Diff-informed queries via primary/secondary abstractions #19586

jbj · 2025-05-27T07:28:17Z

This PR is a proof of concept for how diff-informed queries could be made more high level, reducing hard-to-remember design patterns and simultaneously reducing reverse dependencies and the "module soup" I proposed in #17846.

I've only implemented what's necessary for XSS.ql so far since I expect a lot of changes to names and APIs.

I haven't figured out how to avoid the redundancy between `getASelected{Source,Sink}Location` in the module and the class. Maybe we need a strong notion of primary and secondary data-flow configurations.

For now I've only implemented what XSS.qll needs

java/ql/src/Security/CWE/CWE-079/XSS.ql

@@ -15,6 +15,16 @@
 import semmle.code.java.security.XssQuery
 import XssFlow::PathGraph

+class IsDiffInformed extends DataFlow::DiffInformedQuery {
+  // This predicate is overridden to be more precise than the default
+  // implementation in order to support secondary secondary data-flow


shared/dataflow/codeql/dataflow/DataFlow.qll

@@ -742,6 +746,33 @@
    import Flow
  }

+  module Primary<ConfigSig Config> implements GlobalFlowSig {
+    private module Config0 implements FullStateConfigSig {


shared/dataflow/codeql/dataflow/DataFlow.qll

+      }
+    }
+
+    private module C implements FullStateConfigSig {


shared/dataflow/codeql/dataflow/TaintTracking.qll

+      }
+    }
+
+    private module C implements DataFlowInternal::FullStateConfigSig {


shared/dataflow/codeql/dataflow/TaintTracking.qll

+  module FindSinks<DataFlow::ConfigSig Config, DataFlow::SecondaryConfig SC> implements
+    DataFlow::GlobalFlowSig
+  {
+    private module Config0 implements DataFlowInternal::FullStateConfigSig {


shared/dataflow/codeql/dataflow/TaintTracking.qll

+      }
+    }
+
+    private module C implements DataFlowInternal::FullStateConfigSig {


jbj added 4 commits May 27, 2025 08:44

DataFlow: Single-inheritance activation

7c7d639

Java: XSS with abstract class (some duplication)

f8922f1

I haven't figured out how to avoid the redundancy between `getASelected{Source,Sink}Location` in the module and the class. Maybe we need a strong notion of primary and secondary data-flow configurations.

DataFlow: primary and secondary configurations

7600a73

For now I've only implemented what XSS.qll needs

Java: avoid some duplication in XSS.qll

be3bd4a

jbj requested review from asgerf and aschackmull May 27, 2025 07:28

github-actions bot added Java DataFlow Library labels May 27, 2025

github-advanced-security bot found potential problems May 27, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Diff-informed queries via primary/secondary abstractions #19586

Diff-informed queries via primary/secondary abstractions #19586

Uh oh!

jbj commented May 27, 2025

Uh oh!

Check warning

Check warning

Check warning

Check warning

Check warning

Check warning

Uh oh!

Diff-informed queries via primary/secondary abstractions #19586

Are you sure you want to change the base?

Diff-informed queries via primary/secondary abstractions #19586

Uh oh!

Conversation

jbj commented May 27, 2025

Uh oh!

Check warning

Check warning

Check warning

Check warning

Check warning

Check warning

Uh oh!