codeql icon indicating copy to clipboard operation
codeql copied to clipboard
verified publisher icon github

Data flow: Synthesize parameter return nodes

Open hvitved opened this issue 1 year ago • 0 comments

This PR adds synthetic return nodes for flow that returns from methods via a parameter. For example, in

class C
{
    public string Field;
}

public void TaintField(C c) // (1)
{
    c.Field = "taint"; // (2)
}

void M(C c)
{
    c.TaintField(); // (3)
    Sink(c.Field);
}

we would previously have a direct flow step from [post] c at (2) to [post] c at (3), whereas now we first have a step from [post] c at (2) to c [Return] at (1), and then from c [Return] at (1) to [post] c at (3).

The motivation for adding the extra node is two-fold: Firstly, it may help with generating fewer subpaths, and secondly it will be easier to follow flow path explanations (especially when the parameter write happens in a large method).

hvitved avatar May 02 '24 08:05 hvitved