Add implicit reads for FlowState sinks and steps

atorralba · atorralba · commit 1b87167d966f · 2022-09-08T17:26:59.000+02:00
diff --git a/java/ql/lib/change-notes/2022-09-08-implicit-read-flowstates.md b/java/ql/lib/change-notes/2022-09-08-implicit-read-flowstates.md
@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll b/java/ql/lib/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll
@@ -172,7 +172,12 @@ abstract class Configuration extends DataFlow::Configuration {
   }
 
   override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
-    (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and
+    (
+      this.isSink(node) or
+      this.isSink(node, _) or
+      this.isAdditionalTaintStep(node, _) or
+      this.isAdditionalTaintStep(node, _, _, _)
+    ) and
     defaultImplicitTaintRead(node, c)
   }
 

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: fix
 +---
 +* Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
Original file line number	Diff line number	Diff line change
`@@ -172,7 +172,12 @@ abstract class Configuration extends DataFlow::Configuration {`
`172`	`172`	`}`
`173`	`173`
`174`	`174`	`override predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {`
`175`		`- (this.isSink(node) or this.isAdditionalTaintStep(node, _)) and`
	`175`	`+ (`
	`176`	`+ this.isSink(node) or`
	`177`	`+ this.isSink(node, _) or`
	`178`	`+ this.isAdditionalTaintStep(node, _) or`
	`179`	`+ this.isAdditionalTaintStep(node, _, _, _)`
	`180`	`+ ) and`
`176`	`181`	`defaultImplicitTaintRead(node, c)`
`177`	`182`	`}`
`178`	`183`