Java: Refactor more dataflow queries to the new API #12476
| "Local information disclosure vulnerability due to use of " + | ||
| source.getNode().asExpr().(MethodAccessInsecureFileCreation).getFileSystemEntityType() + | ||
| " readable by other local users." | ||
| source.asPathNode2().getFileSystemEntityType() + " readable by other local users." |
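Review bot: On the added line, the message is built from `source.asPathNode2().getFileSystemEntityType()`, which drops the explicit cast to `MethodAccessInsecureFileCreation` that the removed lines carried, so the reader can no longer see which type supplies `getFileSystemEntityType()`. A short comment above the message naming the type behind `asPathNode2()` would keep that visible.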
Check warning
Code scanning / CodeQL
QL-for-QL encountered an internal consistency error
This seems to be a problem of QL-for-QL not being able to resolve the concrete type of PathNode2, right?
That sounds plausible.
2b3fdfa to d694a5a
Query result changes in dca look good: the new results are precisely the expected ones - they were lost when the API changed and the queries used the compatibility wrapper. The lost result for
d694a5a to 7c0e89f
Looks plausible to me.
atorralba left a comment
LGTM! I added a couple of questions for my own learning :)
| */ | ||
| abstract string getFileSystemEntityType(); | ||
|
|
||
| DataFlow::Node getNode() { result.asExpr() = this } |
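Review bot: The added member `DataFlow::Node getNode() { result.asExpr() = this }` has no documentation comment, while `getFileSystemEntityType()` just above it is preceded by one (the closing `*/` is visible). Add a short QLDoc comment saying which data-flow node it returns and why the class needs it.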
Is this needed because MethodAccessInsecureFileCreation is used as the type parameter of PathGraphSig? I suppose we can't make MethodAccessInsecureFileCreation implement PathNodeSig in some way to enforce that, can we?
Correct.
| "Local information disclosure vulnerability due to use of " + | ||
| source.getNode().asExpr().(MethodAccessInsecureFileCreation).getFileSystemEntityType() + | ||
| " readable by other local users." | ||
| source.asPathNode2().getFileSystemEntityType() + " readable by other local users." |
This seems to be a problem of QL-for-QL not being able to resolve the concrete type of PathNode2, right?
This builds on top of #12475. (Now rebased post merge). This refactors the remaining Java queries that showed result differences in the API refactor PR in order to restore the lost results.