debug

hvitved · hvitved · commit 6508ccc06ab1 · 2024-02-07T13:50:25.000+01:00
diff --git a/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll b/java/ql/lib/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
@@ -408,6 +408,12 @@ private predicate compatibleTypes0(DataFlowType t1, DataFlowType t2) {
   erasedHaveIntersection(t1, t2)
 }
 
+private predicate sdef(DataFlowType t1, DataFlowType t2) {
+  t1.toString() = "String" and
+  t2.toString() = "ArrayList" and
+  compatibleTypes(t1, t2)
+}
+
 /**
  * Holds if `t1` and `t2` are compatible, that is, whether data can flow from
  * a node of type `t1` to a node of type `t2`.
diff --git a/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll b/java/ql/lib/semmle/code/java/security/TaintedPathQuery.qll
@@ -60,7 +60,8 @@ module TaintedPathConfig implements DataFlow::ConfigSig {
   predicate isBarrier(DataFlow::Node sanitizer) {
     sanitizer instanceof SimpleTypeSanitizer or
     sanitizer instanceof PathInjectionSanitizer or
-    sanitizer.getLocation().getFile().getBaseName() = "BaseObject.java"
+    sanitizer.getLocation().getFile().getBaseName() =
+      ["BaseObject.java", "SimpleNode.java", "Context.java"]
   }
 
   predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {
diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImpl.qll
@@ -3202,20 +3202,32 @@ module MakeImpl<InputSig Lang> {
       NodeEx node, DataFlowType t0, DataFlowType t, boolean inSummaryCtx
     ) {
       exists(inSummaryCtx) and
-      if node instanceof RetNodeEx and inSummaryCtx = true
-      then t = node.getDataFlowType() and compatibleTypes(t, t0)
-      else
-        if castingNodeEx(node)
-        then
-          exists(DataFlowType nt | nt = node.getDataFlowType() |
-            if inSummaryCtx = false and typeStrongerThan(nt, t0)
-            then t = nt
-            else (
-              compatibleTypes(nt, t0) and
-              if inSummaryCtx = true and node instanceof ParamNodeEx then t = nt else t = t0
-            )
+      // if node instanceof RetNodeEx and inSummaryCtx = true
+      // then t = node.getDataFlowType() and compatibleTypes(t, t0)
+      // else
+      //   if castingNodeEx(node)
+      //   then
+      //     exists(DataFlowType nt | nt = node.getDataFlowType() |
+      //       if inSummaryCtx = false and typeStrongerThan(nt, t0)
+      //       then t = nt
+      //       else (
+      //         compatibleTypes(nt, t0) and
+      //         if inSummaryCtx = true and node instanceof ParamNodeEx then t = nt else t = t0
+      //       )
+      //     )
+      //   else t = t0
+      if castingNodeEx(node)
+      then
+        exists(DataFlowType nt | nt = node.getDataFlowType() |
+          if inSummaryCtx = false and typeStrongerThan(nt, t0)
+          then t = nt
+          else (
+            compatibleTypes(nt, t0) and
+            // t = t0
+            if inSummaryCtx = true and node instanceof ParamNodeEx then t = nt else t = t0
           )
-        else t = t0
+        )
+      else t = t0
     }
 
     private module Stage3_5Param implements MkStage<Stage3>::StageParam {

Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,8 @@ module TaintedPathConfig implements DataFlow::ConfigSig {`
`60`	`60`	`predicate isBarrier(DataFlow::Node sanitizer) {`
`61`	`61`	`sanitizer instanceof SimpleTypeSanitizer or`
`62`	`62`	`sanitizer instanceof PathInjectionSanitizer or`
`63`		`- sanitizer.getLocation().getFile().getBaseName() = "BaseObject.java"`
	`63`	`+ sanitizer.getLocation().getFile().getBaseName() =`
	`64`	`+ ["BaseObject.java", "SimpleNode.java", "Context.java"]`
`64`	`65`	`}`
`65`	`66`
`66`	`67`	`predicate isAdditionalFlowStep(DataFlow::Node n1, DataFlow::Node n2) {`