Merge pull request #33 from GitHubSecurityLab/fix_csharp_asPartialModel

Refactor Partial Path Queries

Author: Alvaro Muñoz

cpp/src/audit/templates/BackwardsPartialDataFlow.ql

@@ -1,7 +1,9 @@
 /**
  * @name Backwards Partial Dataflow
  * @description Backwards Partial Dataflow
- * @kind table
+ * @kind path-problem
+ * @precision low
+ * @problem.severity error
  * @id githubsecuritylab/backwards-partial-dataflow
  * @tags template
  */
@@ -27,8 +29,9 @@ private module MyFlow = TaintTracking::Global<MyConfig>; // or DataFlow::Global<
 
 int explorationLimit() { result = 10 }
 
-private module PartialFlow = MyFlow::FlowExploration<explorationLimit/0>;
+private module PartialFlow = MyFlow::FlowExplorationRev<explorationLimit/0>;
 
-from PartialFlow::PartialPathNode n, int dist
-where PartialFlow::partialFlowRev(n, _, dist)
-select dist, n
+from PartialFlow::PartialPathNode source, PartialFlow::PartialPathNode sink
+where PartialFlow::partialFlow(source, sink, _)
+select sink.getNode(), source, sink, "This node receives taint from $@.", source.getNode(),
+  "this source"

cpp/src/audit/templates/ForwardPartialDataflow.ql

@@ -1,7 +1,9 @@
 /**
  * @name Forward Partial Dataflow
  * @description Forward Partial Dataflow
- * @kind table
+ * @kind path-problem
+ * @precision low
+ * @problem.severity error
  * @id githubsecuritylab/forward-partial-dataflow
  * @tags template
  */
@@ -27,8 +29,9 @@ private module MyFlow = TaintTracking::Global<MyConfig>; // or DataFlow::Global<
 
 int explorationLimit() { result = 10 }
 
-private module PartialFlow = MyFlow::FlowExploration<explorationLimit/0>;
+private module PartialFlow = MyFlow::FlowExplorationFwd<explorationLimit/0>;
 
-from PartialFlow::PartialPathNode n, int dist
-where PartialFlow::partialFlow(_, n, dist)
-select dist, n
+from PartialFlow::PartialPathNode source, PartialFlow::PartialPathNode sink
+where PartialFlow::partialFlow(source, sink, _)
+select sink.getNode(), source, sink, "This node receives taint from $@.", source.getNode(),
+  "this source"

cpp/src/audit/templates/HoistSink.ql

@@ -27,10 +27,10 @@ private module MyFlow = TaintTracking::Global<MyConfig>; // or DataFlow::Global<
 
 int explorationLimit() { result = 10 }
 
-private module PartialFlow = MyFlow::FlowExploration<explorationLimit/0>;
+private module PartialFlow = MyFlow::FlowExplorationRev<explorationLimit/0>;
 
 from PartialFlow::PartialPathNode n, int dist
 where
-  PartialFlow::partialFlowRev(n, _, dist) and
+  PartialFlow::partialFlow(n, _, dist) and
   n.getNode() instanceof DataFlow::ParameterNode
 select dist, n

csharp/src/audit/templates/BackwardsPartialDataFlow.ql

@@ -1,7 +1,9 @@
 /**
  * @name Backwards Partial Dataflow
  * @description Backwards Partial Dataflow
- * @kind table
+ * @kind path-problem
+ * @precision low
+ * @problem.severity error
  * @id githubsecuritylab/backwards-partial-dataflow
  * @tags template
  */
@@ -27,8 +29,9 @@ private module MyFlow = TaintTracking::Global<MyConfig>; // or DataFlow::Global<
 
 int explorationLimit() { result = 10 }
 
-private module PartialFlow = MyFlow::FlowExploration<explorationLimit/0>;
+private module PartialFlow = MyFlow::FlowExplorationRev<explorationLimit/0>;
 
-from PartialFlow::PartialPathNode n, int dist
-where PartialFlow::partialFlowRev(n, _, dist)
-select dist, n
+from PartialFlow::PartialPathNode source, PartialFlow::PartialPathNode sink
+where PartialFlow::partialFlow(source, sink, _)
+select sink.getNode(), source, sink, "This node receives taint from $@.", source.getNode(),
+  "this source"

csharp/src/audit/templates/ForwardPartialDataflow.ql

@@ -1,7 +1,9 @@
 /**
  * @name Forward Partial Dataflow
  * @description Forward Partial Dataflow
- * @kind table
+ * @kind path-problem
+ * @precision low
+ * @problem.severity error
  * @id githubsecuritylab/forward-partial-dataflow
  * @tags template
  */
@@ -27,8 +29,9 @@ private module MyFlow = TaintTracking::Global<MyConfig>; // or DataFlow::Global<
 
 int explorationLimit() { result = 10 }
 
-private module PartialFlow = MyFlow::FlowExploration<explorationLimit/0>;
+private module PartialFlow = MyFlow::FlowExplorationFwd<explorationLimit/0>;
 
-from PartialFlow::PartialPathNode n, int dist
-where PartialFlow::partialFlow(_, n, dist)
-select dist, n
+from PartialFlow::PartialPathNode source, PartialFlow::PartialPathNode sink
+where PartialFlow::partialFlow(source, sink, _)
+select sink.getNode(), source, sink, "This node receives taint from $@.", source.getNode(),
+  "this source"

csharp/src/audit/templates/HoistSink.ql

@@ -27,10 +27,10 @@ private module MyFlow = TaintTracking::Global<MyConfig>; // or DataFlow::Global<
 
 int explorationLimit() { result = 10 }
 
-private module PartialFlow = MyFlow::FlowExploration<explorationLimit/0>;
+private module PartialFlow = MyFlow::FlowExplorationRev<explorationLimit/0>;
 
 from PartialFlow::PartialPathNode n, int dist
 where
-  PartialFlow::partialFlowRev(n, _, dist) and
+  PartialFlow::partialFlow(n, _, dist) and
   exists(Parameter p | n.getNode().asParameter() = p)
 select dist, n

csharp/src/library_sources/ExternalAPIsQuery.qll

@@ -9,10 +9,10 @@ private import semmle.code.csharp.dataflow.flowsources.Remote
 private import semmle.code.csharp.frameworks.System
 private import semmle.code.csharp.dataflow.FlowSummary
 // SECLAB: Import CSV utils
-private import semmle.code.csharp.dataflow.internal.DataFlowPrivate as DataFlowPrivate
+private import semmle.code.csharp.dataflow.internal.ExternalFlow as ExternalFlow
 
 // SECLAB: Import Csv::asPartialModel
-predicate asPartialModel = DataFlowPrivate::Csv::asPartialModel/1;
+predicate asPartialModel = ExternalFlow::asPartialModel/1;
 
 /**
  * A callable that is considered a "safe" external API from a security perspective.

go/src/audit/templates/BackwardsPartialDataFlow.ql

@@ -1,7 +1,9 @@
 /**
  * @name Backwards Partial Dataflow
  * @description Backwards Partial Dataflow
- * @kind table
+ * @kind path-problem
+ * @precision low
+ * @problem.severity error
  * @id githubsecuritylab/backwards-partial-dataflow
  * @tags template
  */
@@ -27,8 +29,9 @@ private module MyFlow = TaintTracking::Global<MyConfig>; // or DataFlow::Global<
 
 int explorationLimit() { result = 10 }
 
-private module PartialFlow = MyFlow::FlowExploration<explorationLimit/0>;
+private module PartialFlow = MyFlow::FlowExplorationRev<explorationLimit/0>;
 
-from PartialFlow::PartialPathNode n, int dist
-where PartialFlow::partialFlowRev(n, _, dist)
-select dist, n
+from PartialFlow::PartialPathNode source, PartialFlow::PartialPathNode sink
+where PartialFlow::partialFlow(source, sink, _)
+select sink.getNode(), source, sink, "This node receives taint from $@.", source.getNode(),
+  "this source"

go/src/audit/templates/ForwardPartialDataflow.ql

@@ -1,7 +1,9 @@
 /**
  * @name Forward Partial Dataflow
  * @description Forward Partial Dataflow
- * @kind table
+ * @kind path-problem
+ * @precision low
+ * @problem.severity error
  * @id githubsecuritylab/forward-partial-dataflow
  * @tags template
  */
@@ -27,8 +29,9 @@ private module MyFlow = TaintTracking::Global<MyConfig>; // or DataFlow::Global<
 
 int explorationLimit() { result = 10 }
 
-private module PartialFlow = MyFlow::FlowExploration<explorationLimit/0>;
+private module PartialFlow = MyFlow::FlowExplorationFwd<explorationLimit/0>;
 
-from PartialFlow::PartialPathNode n, int dist
-where PartialFlow::partialFlow(_, n, dist)
-select dist, n
+from PartialFlow::PartialPathNode source, PartialFlow::PartialPathNode sink
+where PartialFlow::partialFlow(source, sink, _)
+select sink.getNode(), source, sink, "This node receives taint from $@.", source.getNode(),
+  "this source"

go/src/audit/templates/HoistSink.ql

@@ -27,10 +27,10 @@ private module MyFlow = TaintTracking::Global<MyConfig>; // or DataFlow::Make<..
 
 int explorationLimit() { result = 10 }
 
-private module PartialFlow = MyFlow::FlowExploration<explorationLimit/0>;
+private module PartialFlow = MyFlow::FlowExplorationRev<explorationLimit/0>;
 
 from PartialFlow::PartialPathNode n, int dist
 where
-  PartialFlow::partialFlowRev(n, _, dist) and
+  PartialFlow::partialFlow(n, _, dist) and
   n.getNode() instanceof DataFlow::ParameterNode
 select dist, n

java/src/audit/templates/BackwardsPartialDataFlow.ql

@@ -1,7 +1,9 @@
 /**
  * @name Backwards Partial Dataflow
  * @description Backwards Partial Dataflow
- * @kind table
+ * @kind path-problem
+ * @precision low
+ * @problem.severity error
  * @id githubsecuritylab/backwards-partial-dataflow
  * @tags template
  */
@@ -28,8 +30,9 @@ private module MyFlow = TaintTracking::Global<MyConfig>; // or DataFlow::Global<
 
 int explorationLimit() { result = 10 }
 
-private module PartialFlow = MyFlow::FlowExploration<explorationLimit/0>;
+private module PartialFlow = MyFlow::FlowExplorationRev<explorationLimit/0>;
 
-from PartialFlow::PartialPathNode n, int dist
-where PartialFlow::partialFlowRev(n, _, dist)
-select dist, n
+from PartialFlow::PartialPathNode source, PartialFlow::PartialPathNode sink
+where PartialFlow::partialFlow(source, sink, _)
+select sink.getNode(), source, sink, "This node receives taint from $@.", source.getNode(),
+  "this source"

java/src/audit/templates/ForwardPartialDataflow.ql

@@ -1,7 +1,9 @@
 /**
  * @name Forward Partial Dataflow
  * @description Forward Partial Dataflow
- * @kind table
+ * @kind path-problem
+ * @precision low
+ * @problem.severity error
  * @id githubsecuritylab/forward-partial-dataflow
  * @tags template
  */
@@ -28,8 +30,9 @@ private module MyFlow = TaintTracking::Global<MyConfig>; // or DataFlow::Global<
 
 int explorationLimit() { result = 10 }
 
-private module PartialFlow = MyFlow::FlowExploration<explorationLimit/0>;
+private module PartialFlow = MyFlow::FlowExplorationFwd<explorationLimit/0>;
 
-from PartialFlow::PartialPathNode n, int dist
-where PartialFlow::partialFlow(_, n, dist)
-select dist, n
+from PartialFlow::PartialPathNode source, PartialFlow::PartialPathNode sink
+where PartialFlow::partialFlow(source, sink, _)
+select sink.getNode(), source, sink, "This node receives taint from $@.", source.getNode(),
+  "this source"

java/src/audit/templates/HoistSink.ql

@@ -28,10 +28,10 @@ private module MyFlow = TaintTracking::Global<MyConfig>; // or DataFlow::Global<
 
 int explorationLimit() { result = 10 }
 
-private module PartialFlow = MyFlow::FlowExploration<explorationLimit/0>;
+private module PartialFlow = MyFlow::FlowExplorationRev<explorationLimit/0>;
 
 from PartialFlow::PartialPathNode n, int dist
 where
-  PartialFlow::partialFlowRev(n, _, dist) and
+  PartialFlow::partialFlow(n, _, dist) and
   n.getNode() instanceof DataFlow::ExplicitParameterNode
 select dist, n

python/src/audit/templates/BackwardsPartialDataFlow.ql

@@ -1,7 +1,9 @@
 /**
  * @name Backwards Partial Dataflow
  * @description Backwards Partial Dataflow
- * @kind table
+ * @kind path-problem
+ * @precision low
+ * @problem.severity error
  * @id githubsecuritylab/backwards-partial-dataflow
  * @tags template
  */
@@ -32,8 +34,9 @@ private module MyFlow = TaintTracking::Global<MyConfig>; // or DataFlow::Global<
 
 int explorationLimit() { result = 10 }
 
-private module PartialFlow = MyFlow::FlowExploration<explorationLimit/0>;
+private module PartialFlow = MyFlow::FlowExplorationRev<explorationLimit/0>;
 
-from PartialFlow::PartialPathNode n, int dist
-where PartialFlow::partialFlowRev(n, _, dist)
-select dist, n
+from PartialFlow::PartialPathNode source, PartialFlow::PartialPathNode sink
+where PartialFlow::partialFlow(source, sink, _)
+select sink.getNode(), source, sink, "This node receives taint from $@.", source.getNode(),
+  "this source"

python/src/audit/templates/ForwardPartialDataflow.ql

@@ -1,7 +1,9 @@
 /**
  * @name Forward Partial Dataflow
  * @description Forward Partial Dataflow
- * @kind table
+ * @kind path-problem
+ * @precision low
+ * @problem.severity error
  * @id githubsecuritylab/forward-partial-dataflow
  * @tags template
  */
@@ -29,8 +31,9 @@ private module MyFlow = TaintTracking::Global<MyConfig>; // or DataFlow::Global<
 
 int explorationLimit() { result = 10 }
 
-private module PartialFlow = MyFlow::FlowExploration<explorationLimit/0>;
+private module PartialFlow = MyFlow::FlowExplorationFwd<explorationLimit/0>;
 
-from PartialFlow::PartialPathNode n, int dist
-where PartialFlow::partialFlow(_, n, dist)
-select dist, n
+from PartialFlow::PartialPathNode source, PartialFlow::PartialPathNode sink
+where PartialFlow::partialFlow(source, sink, _)
+select sink.getNode(), source, sink, "This node receives taint from $@.", source.getNode(),
+  "this source"

python/src/audit/templates/HoistSink.ql

@@ -28,10 +28,10 @@ private module MyFlow = TaintTracking::Global<MyConfig>; // or DataFlow::Global<
 
 int explorationLimit() { result = 10 }
 
-private module PartialFlow = MyFlow::FlowExploration<explorationLimit/0>;
+private module PartialFlow = MyFlow::FlowExplorationRev<explorationLimit/0>;
 
 from PartialFlow::PartialPathNode n, int dist
 where
-  PartialFlow::partialFlowRev(n, _, dist) and
+  PartialFlow::partialFlow(n, _, dist) and
   n.getNode() instanceof DataFlow::ParameterNode
 select dist, n

ruby/src/audit/templates/BackwardsPartialDataFlow.ql

@@ -1,7 +1,9 @@
 /**
  * @name Backwards Partial Dataflow
  * @description Backwards Partial Dataflow
- * @kind table
+ * @kind path-problem
+ * @precision low
+ * @problem.severity error
  * @id githubsecuritylab/backwards-partial-dataflow
  * @tags template
  */
@@ -27,8 +29,9 @@ private module MyFlow = TaintTracking::Global<MyConfig>; // or DataFlow::Global<
 
 int explorationLimit() { result = 10 }
 
-private module PartialFlow = MyFlow::FlowExploration<explorationLimit/0>;
+private module PartialFlow = MyFlow::FlowExplorationRev<explorationLimit/0>;
 
-from PartialFlow::PartialPathNode n, int dist
-where PartialFlow::partialFlowRev(n, _, dist)
-select dist, n
+from PartialFlow::PartialPathNode source, PartialFlow::PartialPathNode sink
+where PartialFlow::partialFlow(source, sink, _)
+select sink.getNode(), source, sink, "This node receives taint from $@.", source.getNode(),
+  "this source"

ruby/src/audit/templates/ForwardPartialDataflow.ql

@@ -1,7 +1,9 @@
 /**
  * @name Forward Partial Dataflow
  * @description Forward Partial Dataflow
- * @kind table
+ * @kind path-problem
+ * @precision low
+ * @problem.severity error
  * @id githubsecuritylab/forward-partial-dataflow
  * @tags template
  */
@@ -27,8 +29,9 @@ private module MyFlow = TaintTracking::Global<MyConfig>; // or DataFlow::Global<
 
 int explorationLimit() { result = 10 }
 
-private module PartialFlow = MyFlow::FlowExploration<explorationLimit/0>;
+private module PartialFlow = MyFlow::FlowExplorationFwd<explorationLimit/0>;
 
-from PartialFlow::PartialPathNode n, int dist
-where PartialFlow::partialFlow(_, n, dist)
-select dist, n
+from PartialFlow::PartialPathNode source, PartialFlow::PartialPathNode sink
+where PartialFlow::partialFlow(source, sink, _)
+select sink.getNode(), source, sink, "This node receives taint from $@.", source.getNode(),
+  "this source"

ruby/src/audit/templates/HoistSink.ql

@@ -27,10 +27,10 @@ private module MyFlow = TaintTracking::Global<MyConfig>; // or DataFlow::Global<
 
 int explorationLimit() { result = 10 }
 
-private module PartialFlow = MyFlow::FlowExploration<explorationLimit/0>;
+private module PartialFlow = MyFlow::FlowExplorationRev<explorationLimit/0>;
 
 from PartialFlow::PartialPathNode n, int dist
 where
-  PartialFlow::partialFlowRev(n, _, dist) and
+  PartialFlow::partialFlow(n, _, dist) and
   n.getNode() instanceof DataFlow::ParameterNode
 select dist, n