Skip to content

python: Add provenance column to MaD #15730

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 7 commits into
base: main
Choose a base branch
from
Draft

python: Add provenance column to MaD #15730

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
a8dad1b
python: add provenance column to MaD
yoff Feb 22, 2024
74f6340
python: fix compilation
yoff Mar 22, 2024
448eb1e
ruby/js: add provenance column to MaD
yoff Apr 9, 2024
bff3bd4
js/py: add manual provenance
yoff Apr 10, 2024
e0f2547
ruby: add manual provenance
yoff Apr 10, 2024
c8b7610
python: sync files
yoff Apr 10, 2024
ac0a1e7
ruby: update ModelEditor.qll
yoff Apr 10, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
85 changes: 46 additions & 39 deletions javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -229,75 +229,82 @@ private predicate typeModel(string row) { any(TypeModelCsv s).row(inversePad(row
private predicate typeVariableModel(string row) { any(TypeVariableModelCsv s).row(inversePad(row)) }

/** Holds if a source model exists for the given parameters. */
predicate sourceModel(string type, string path, string kind) {
predicate sourceModel(string type, string path, string kind, string provenance) {
exists(string row |
sourceModel(row) and
row.splitAt(";", 0) = type and
row.splitAt(";", 1) = path and
row.splitAt(";", 2) = kind
row.splitAt(";", 2) = kind and
row.splitAt(";", 3) = provenance
)
or
Extensions::sourceModel(type, path, kind)
Extensions::sourceModel(type, path, kind, provenance)
}

/** Holds if a sink model exists for the given parameters. */
private predicate sinkModel(string type, string path, string kind) {
private predicate sinkModel(string type, string path, string kind, string provenance) {
exists(string row |
sinkModel(row) and
row.splitAt(";", 0) = type and
row.splitAt(";", 1) = path and
row.splitAt(";", 2) = kind
row.splitAt(";", 2) = kind and
row.splitAt(";", 3) = provenance
)
or
Extensions::sinkModel(type, path, kind)
Extensions::sinkModel(type, path, kind, provenance)
}

/** Holds if a summary model `row` exists for the given parameters. */
private predicate summaryModel(string type, string path, string input, string output, string kind) {
private predicate summaryModel(
string type, string path, string input, string output, string kind, string provenance
) {
exists(string row |
summaryModel(row) and
row.splitAt(";", 0) = type and
row.splitAt(";", 1) = path and
row.splitAt(";", 2) = input and
row.splitAt(";", 3) = output and
row.splitAt(";", 4) = kind
row.splitAt(";", 4) = kind and
row.splitAt(";", 5) = provenance
)
or
Extensions::summaryModel(type, path, input, output, kind)
Extensions::summaryModel(type, path, input, output, kind, provenance)
}

/** Holds if a type model exists for the given parameters. */
private predicate typeModel(string type1, string type2, string path) {
private predicate typeModel(string type1, string type2, string path, string provenance) {
exists(string row |
typeModel(row) and
row.splitAt(";", 0) = type1 and
row.splitAt(";", 1) = type2 and
row.splitAt(";", 2) = path
row.splitAt(";", 2) = path and
row.splitAt(";", 3) = provenance
)
or
Extensions::typeModel(type1, type2, path)
Extensions::typeModel(type1, type2, path, provenance)
}

/** Holds if a type variable model exists for the given parameters. */
private predicate typeVariableModel(string name, string path) {
private predicate typeVariableModel(string name, string path, string provenance) {
exists(string row |
typeVariableModel(row) and
row.splitAt(";", 0) = name and
row.splitAt(";", 1) = path
row.splitAt(";", 1) = path and
row.splitAt(";", 2) = provenance
)
or
Extensions::typeVariableModel(name, path)
Extensions::typeVariableModel(name, path, provenance)
}

/**
* Holds if CSV rows involving `type` might be relevant for the analysis of this database.
*/
predicate isRelevantType(string type) {
(
sourceModel(type, _, _) or
sinkModel(type, _, _) or
summaryModel(type, _, _, _, _) or
typeModel(_, type, _)
sourceModel(type, _, _, _) or
sinkModel(type, _, _, _) or
summaryModel(type, _, _, _, _, _) or
typeModel(_, type, _, _)
) and
(
Specific::isTypeUsed(type)
Expand All @@ -306,7 +313,7 @@ predicate isRelevantType(string type) {
)
or
exists(string other | isRelevantType(other) |
typeModel(type, other, _)
typeModel(type, other, _, _)
or
Specific::hasImplicitTypeModel(type, other)
)
Expand All @@ -319,10 +326,10 @@ pragma[nomagic]
predicate isRelevantFullPath(string type, string path) {
isRelevantType(type) and
(
sourceModel(type, path, _) or
sinkModel(type, path, _) or
summaryModel(type, path, _, _, _) or
typeModel(_, type, path)
sourceModel(type, path, _, _) or
sinkModel(type, path, _, _) or
summaryModel(type, path, _, _, _, _) or
typeModel(_, type, path, _)
)
}

Expand All @@ -331,11 +338,11 @@ private predicate accessPathRange(string s) {
isRelevantFullPath(_, s)
or
exists(string type | isRelevantType(type) |
summaryModel(type, _, s, _, _) or
summaryModel(type, _, _, s, _)
summaryModel(type, _, s, _, _, _) or
summaryModel(type, _, _, s, _, _)
)
or
typeVariableModel(_, s)
typeVariableModel(_, s, _)
}

import AccessPath<accessPathRange/1>
Expand Down Expand Up @@ -418,7 +425,7 @@ private class TypeModelDefEntry extends API::EntryPoint {
pragma[nomagic]
private API::Node getNodeFromType(string type) {
exists(string type2, AccessPath path2 |
typeModel(type, type2, path2) and
typeModel(type, type2, path2, _) and
result = getNodeFromPath(type2, path2)
)
or
Expand Down Expand Up @@ -471,7 +478,7 @@ pragma[nomagic]
private AccessPath getSubPathAt(AccessPath path, int n) {
exists(string typeVarName |
path.getToken(n).getAnArgument("TypeVar") = typeVarName and
typeVariableModel(typeVarName, result)
typeVariableModel(typeVarName, result, _)
)
}

Expand Down Expand Up @@ -543,7 +550,7 @@ private API::Node getNodeFromPath(string type, AccessPath path) {

pragma[nomagic]
private predicate typeStepModel(string type, AccessPath basePath, AccessPath output) {
summaryModel(type, basePath, "", output, "type")
summaryModel(type, basePath, "", output, "type", _)
}

pragma[nomagic]
Expand Down Expand Up @@ -623,7 +630,7 @@ module ModelOutput {
cached
API::Node getASourceNode(string kind) {
exists(string type, string path |
sourceModel(type, path, kind) and
sourceModel(type, path, kind, _) and
result = getNodeFromPath(type, path)
)
}
Expand All @@ -634,7 +641,7 @@ module ModelOutput {
cached
API::Node getASinkNode(string kind) {
exists(string type, string path |
sinkModel(type, path, kind) and
sinkModel(type, path, kind, _) and
result = getNodeFromPath(type, path)
)
}
Expand All @@ -647,15 +654,15 @@ module ModelOutput {
string type, string path, string input, string output, string kind
) {
isRelevantType(type) and
summaryModel(type, path, input, output, kind)
summaryModel(type, path, input, output, kind, _)
}

/**
* Holds if a `baseNode` is an invocation identified by the `type,path` part of a summary row.
*/
cached
predicate resolvedSummaryBase(string type, string path, Specific::InvokeNode baseNode) {
summaryModel(type, path, _, _, _) and
summaryModel(type, path, _, _, _, _) and
baseNode = getInvocationFromPath(type, path)
}

Expand All @@ -664,7 +671,7 @@ module ModelOutput {
*/
cached
predicate resolvedSummaryRefBase(string type, string path, API::Node baseNode) {
summaryModel(type, path, _, _, _) and
summaryModel(type, path, _, _, _, _) and
baseNode = getNodeFromPath(type, path)
}

Expand All @@ -681,11 +688,11 @@ module ModelOutput {
private import codeql.mad.ModelValidation as SharedModelVal

private module KindValConfig implements SharedModelVal::KindValidationConfigSig {
predicate summaryKind(string kind) { summaryModel(_, _, _, _, kind) }
predicate summaryKind(string kind) { summaryModel(_, _, _, _, kind, _) }

predicate sinkKind(string kind) { sinkModel(_, _, kind) }
predicate sinkKind(string kind) { sinkModel(_, _, kind, _) }

predicate sourceKind(string kind) { sourceModel(_, _, kind) }
predicate sourceKind(string kind) { sourceModel(_, _, kind, _) }
}

private module KindVal = SharedModelVal::KindValidation<KindValConfig>;
Expand Down Expand Up @@ -715,7 +722,7 @@ module ModelOutput {
or
// Check names and arguments of access path tokens
exists(AccessPath path, AccessPathToken token |
(isRelevantFullPath(_, path) or typeVariableModel(_, path)) and
(isRelevantFullPath(_, path) or typeVariableModel(_, path, _)) and
token = path.getToken(_)
|
not isValidTokenNameInIdentifyingAccessPath(token.getName()) and
Expand Down
14 changes: 8 additions & 6 deletions javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModelsExtensions.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,13 +8,13 @@
*
* The kind `remote` represents a general remote flow source.
*/
extensible predicate sourceModel(string type, string path, string kind);
extensible predicate sourceModel(string type, string path, string kind, string provenance);

Check warning

Code scanning / CodeQL

Missing QLDoc for parameter Warning

The QLDoc has no documentation for provenance, but the QLDoc mentions remote

/**
* Holds if the value at `(type, path)` should be seen as a sink
* of the given `kind`.
*/
extensible predicate sinkModel(string type, string path, string kind);
extensible predicate sinkModel(string type, string path, string kind, string provenance);

/**
* Holds if in calls to `(type, path)`, the value referred to by `input`
Expand All @@ -23,21 +23,23 @@
* `kind` should be either `value` or `taint`, for value-preserving or taint-preserving steps,
* respectively.
*/
extensible predicate summaryModel(string type, string path, string input, string output, string kind);
extensible predicate summaryModel(

Check warning

Code scanning / CodeQL

Missing QLDoc for parameter Warning

The QLDoc has no documentation for provenance, but the QLDoc mentions taint
string type, string path, string input, string output, string kind, string provenance
);

/**
* Holds if calls to `(type, path)` should be considered neutral. The meaning of this depends on the `kind`.
* If `kind` is `summary`, the call does not propagate data flow. If `kind` is `source`, the call is not a source.
* If `kind` is `sink`, the call is not a sink.
*/
extensible predicate neutralModel(string type, string path, string kind);
extensible predicate neutralModel(string type, string path, string kind, string provenance);

/**
* Holds if `(type2, path)` should be seen as an instance of `type1`.
*/
extensible predicate typeModel(string type1, string type2, string path);
extensible predicate typeModel(string type1, string type2, string path, string provenance);

/**
* Holds if `path` can be substituted for a token `TypeVar[name]`.
*/
extensible predicate typeVariableModel(string name, string path);
extensible predicate typeVariableModel(string name, string path, string provenance);
Loading
Loading