Constrain location overrides to actual sources/sinks

d10c · d10c · commit 4b1adc8d60b3 · 2025-10-16T14:19:05.000+02:00
diff --git a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
@@ -124,6 +124,7 @@ module UncontrolledArithConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
 
   Location getASelectedSourceLocation(DataFlow::Node source) {
+    isSource(source) and
     result = [getExpr(source).getLocation(), source.getLocation()]
   }
 }
diff --git a/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql b/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
@@ -91,6 +91,7 @@ module HttpStringToUrlOpenConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
 
   Location getASelectedSourceLocation(DataFlow::Node source) {
+    isSource(source) and
     result = [source.asIndirectExpr().getLocation(), source.getLocation()]
   }
 }
diff --git a/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll b/java/ql/lib/semmle/code/java/security/ArithmeticTaintedQuery.qll
@@ -19,9 +19,9 @@ module ArithmeticOverflowConfig implements DataFlow::ConfigSig {
   }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    exists(ArithExpr exp | result = exp.getLocation() | overflowSink(exp, sink.asExpr()))
+    exists(ArithExpr exp | result = [exp.getLocation(), sink.getLocation()] |
+      overflowSink(exp, sink.asExpr())
+    )
   }
 }
 
@@ -45,9 +45,9 @@ module ArithmeticUnderflowConfig implements DataFlow::ConfigSig {
   }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    exists(ArithExpr exp | result = exp.getLocation() | underflowSink(exp, sink.asExpr()))
+    exists(ArithExpr exp | result = [exp.getLocation(), sink.getLocation()] |
+      underflowSink(exp, sink.asExpr())
+    )
   }
 }
 
diff --git a/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll b/java/ql/lib/semmle/code/java/security/ArithmeticUncontrolledQuery.qll
@@ -25,9 +25,9 @@ module ArithmeticUncontrolledOverflowConfig implements DataFlow::ConfigSig {
   }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    exists(ArithExpr exp | result = exp.getLocation() | overflowSink(exp, sink.asExpr()))
+    exists(ArithExpr exp | result = [exp.getLocation(), sink.getLocation()] |
+      overflowSink(exp, sink.asExpr())
+    )
   }
 }
 
@@ -48,9 +48,9 @@ module ArithmeticUncontrolledUnderflowConfig implements DataFlow::ConfigSig {
   }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    exists(ArithExpr exp | result = exp.getLocation() | underflowSink(exp, sink.asExpr()))
+    exists(ArithExpr exp | result = [exp.getLocation(), sink.getLocation()] |
+      underflowSink(exp, sink.asExpr())
+    )
   }
 }
 
diff --git a/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll b/java/ql/lib/semmle/code/java/security/BrokenCryptoAlgorithmQuery.qll
@@ -35,9 +35,11 @@ module InsecureCryptoConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    exists(CryptoAlgoSpec c | sink.asExpr() = c.getAlgoSpec() | result = c.getLocation())
+    exists(CryptoAlgoSpec c | sink.asExpr() = c.getAlgoSpec() |
+      result = c.getLocation()
+      or
+      result = sink.getLocation()
+    )
   }
 }
 
diff --git a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
@@ -66,9 +66,11 @@ module InputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {
   // ExecTainted.ql queries use the argument as the primary location;
   // ExecUnescaped.ql does not (used to prevent overlapping results).
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    exists(Expr argument | argumentToExec(argument, sink) | result = argument.getLocation())
+    exists(Expr argument | argumentToExec(argument, sink) |
+      result = argument.getLocation()
+      or
+      result = sink.getLocation()
+    )
   }
 }
 
diff --git a/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll b/java/ql/lib/semmle/code/java/security/ConditionalBypassQuery.qll
@@ -51,9 +51,7 @@ module ConditionalBypassFlowConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
-    exists(MethodCall m, Expr e | result = [m, e].getLocation() |
+    exists(MethodCall m, Expr e | result = [[m, e].getLocation(), sink.getLocation()] |
       conditionControlsMethod(m, e) and
       sink.asExpr() = e
     )
diff --git a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll
@@ -21,10 +21,11 @@ module BoundedFlowSourceConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
     exists(ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess |
-      result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation() and
+      result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation()
+      or
+      result = sink.getLocation()
+    |
       arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), arrayCreation)
     )
   }
diff --git a/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll b/java/ql/lib/semmle/code/java/security/ImproperValidationOfArrayConstructionQuery.qll
@@ -18,10 +18,11 @@ module ImproperValidationOfArrayConstructionConfig implements DataFlow::ConfigSi
   predicate observeDiffInformedIncrementalMode() { any() }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
     exists(ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess |
-      result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation() and
+      result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation()
+      or
+      result = sink.getLocation()
+    |
       arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), arrayCreation)
     )
   }
diff --git a/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll b/java/ql/lib/semmle/code/java/security/UnsafeDeserializationQuery.qll
@@ -313,7 +313,7 @@ private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {
   predicate observeDiffInformedIncrementalMode() { any() }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
+    result = sink.(UnsafeDeserializationSink).getLocation()
     or
     result = sink.(UnsafeDeserializationSink).getMethodCall().getLocation()
   }
diff --git a/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll b/javascript/ql/lib/semmle/javascript/security/dataflow/ShellCommandInjectionFromEnvironmentQuery.qll
@@ -31,11 +31,9 @@ module ShellCommandInjectionFromEnvironmentConfig implements DataFlow::ConfigSig
   predicate observeDiffInformedIncrementalMode() { any() }
 
   Location getASelectedSinkLocation(DataFlow::Node sink) {
-    result = sink.getLocation()
-    or
     exists(DataFlow::Node node |
       isSinkWithHighlight(sink, node) and
-      result = node.getLocation()
+      result = [node.getLocation(), sink.getLocation()]
     )
   }
 }
diff --git a/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll b/swift/ql/lib/codeql/swift/security/CleartextStorageDatabaseQuery.qll
@@ -54,7 +54,11 @@ module CleartextStorageDatabaseConfig implements DataFlow::ConfigSig {
   Location getASelectedSinkLocation(DataFlow::Node sink) {
     result = sink.(CleartextStorageDatabaseSink).getLocation()
     or
-    result = sink.(DataFlow::PostUpdateNode).getPreUpdateNode().getLocation()
+    result =
+      sink.(CleartextStorageDatabaseSink)
+          .(DataFlow::PostUpdateNode)
+          .getPreUpdateNode()
+          .getLocation()
   }
 }
 
diff --git a/swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll b/swift/ql/lib/codeql/swift/security/CleartextStoragePreferencesQuery.qll
@@ -36,7 +36,11 @@ module CleartextStoragePreferencesConfig implements DataFlow::ConfigSig {
   Location getASelectedSinkLocation(DataFlow::Node sink) {
     result = sink.(CleartextStoragePreferencesSink).getLocation()
     or
-    result = sink.(DataFlow::PostUpdateNode).getPreUpdateNode().getLocation()
+    result =
+      sink.(CleartextStoragePreferencesSink)
+          .(DataFlow::PostUpdateNode)
+          .getPreUpdateNode()
+          .getLocation()
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -124,6 +124,7 @@ module UncontrolledArithConfig implements DataFlow::ConfigSig {`
`124`	`124`	`predicate observeDiffInformedIncrementalMode() { any() }`
`125`	`125`
`126`	`126`	`Location getASelectedSourceLocation(DataFlow::Node source) {`
	`127`	`+ isSource(source) and`
`127`	`128`	`result = [getExpr(source).getLocation(), source.getLocation()]`
`128`	`129`	`}`
`129`	`130`	`}`
Original file line number	Diff line number	Diff line change
`@@ -91,6 +91,7 @@ module HttpStringToUrlOpenConfig implements DataFlow::ConfigSig {`
`91`	`91`	`predicate observeDiffInformedIncrementalMode() { any() }`
`92`	`92`
`93`	`93`	`Location getASelectedSourceLocation(DataFlow::Node source) {`
	`94`	`+ isSource(source) and`
`94`	`95`	`result = [source.asIndirectExpr().getLocation(), source.getLocation()]`
`95`	`96`	`}`
`96`	`97`	`}`
Original file line number	Diff line number	Diff line change
`@@ -19,9 +19,9 @@ module ArithmeticOverflowConfig implements DataFlow::ConfigSig {`
`19`	`19`	`}`
`20`	`20`
`21`	`21`	`Location getASelectedSinkLocation(DataFlow::Node sink) {`
`22`		`- result = sink.getLocation()`
`23`		`- or`
`24`		`- exists(ArithExpr exp \| result = exp.getLocation() \| overflowSink(exp, sink.asExpr()))`
	`22`	`+ exists(ArithExpr exp \| result = [exp.getLocation(), sink.getLocation()] \|`
	`23`	`+ overflowSink(exp, sink.asExpr())`
	`24`	`+ )`
`25`	`25`	`}`
`26`	`26`	`}`
`27`	`27`
`@@ -45,9 +45,9 @@ module ArithmeticUnderflowConfig implements DataFlow::ConfigSig {`
`45`	`45`	`}`
`46`	`46`
`47`	`47`	`Location getASelectedSinkLocation(DataFlow::Node sink) {`
`48`		`- result = sink.getLocation()`
`49`		`- or`
`50`		`- exists(ArithExpr exp \| result = exp.getLocation() \| underflowSink(exp, sink.asExpr()))`
	`48`	`+ exists(ArithExpr exp \| result = [exp.getLocation(), sink.getLocation()] \|`
	`49`	`+ underflowSink(exp, sink.asExpr())`
	`50`	`+ )`
`51`	`51`	`}`
`52`	`52`	`}`
`53`	`53`
Original file line number	Diff line number	Diff line change
`@@ -25,9 +25,9 @@ module ArithmeticUncontrolledOverflowConfig implements DataFlow::ConfigSig {`
`25`	`25`	`}`
`26`	`26`
`27`	`27`	`Location getASelectedSinkLocation(DataFlow::Node sink) {`
`28`		`- result = sink.getLocation()`
`29`		`- or`
`30`		`- exists(ArithExpr exp \| result = exp.getLocation() \| overflowSink(exp, sink.asExpr()))`
	`28`	`+ exists(ArithExpr exp \| result = [exp.getLocation(), sink.getLocation()] \|`
	`29`	`+ overflowSink(exp, sink.asExpr())`
	`30`	`+ )`
`31`	`31`	`}`
`32`	`32`	`}`
`33`	`33`
`@@ -48,9 +48,9 @@ module ArithmeticUncontrolledUnderflowConfig implements DataFlow::ConfigSig {`
`48`	`48`	`}`
`49`	`49`
`50`	`50`	`Location getASelectedSinkLocation(DataFlow::Node sink) {`
`51`		`- result = sink.getLocation()`
`52`		`- or`
`53`		`- exists(ArithExpr exp \| result = exp.getLocation() \| underflowSink(exp, sink.asExpr()))`
	`51`	`+ exists(ArithExpr exp \| result = [exp.getLocation(), sink.getLocation()] \|`
	`52`	`+ underflowSink(exp, sink.asExpr())`
	`53`	`+ )`
`54`	`54`	`}`
`55`	`55`	`}`
`56`	`56`
Original file line number	Diff line number	Diff line change
`@@ -35,9 +35,11 @@ module InsecureCryptoConfig implements DataFlow::ConfigSig {`
`35`	`35`	`predicate observeDiffInformedIncrementalMode() { any() }`
`36`	`36`
`37`	`37`	`Location getASelectedSinkLocation(DataFlow::Node sink) {`
`38`		`- result = sink.getLocation()`
`39`		`- or`
`40`		`- exists(CryptoAlgoSpec c \| sink.asExpr() = c.getAlgoSpec() \| result = c.getLocation())`
	`38`	`+ exists(CryptoAlgoSpec c \| sink.asExpr() = c.getAlgoSpec() \|`
	`39`	`+ result = c.getLocation()`
	`40`	`+ or`
	`41`	`+ result = sink.getLocation()`
	`42`	`+ )`
`41`	`43`	`}`
`42`	`44`	`}`
`43`	`45`
Original file line number	Diff line number	Diff line change
`@@ -66,9 +66,11 @@ module InputToArgumentToExecFlowConfig implements DataFlow::ConfigSig {`
`66`	`66`	`// ExecTainted.ql queries use the argument as the primary location;`
`67`	`67`	`// ExecUnescaped.ql does not (used to prevent overlapping results).`
`68`	`68`	`Location getASelectedSinkLocation(DataFlow::Node sink) {`
`69`		`- result = sink.getLocation()`
`70`		`- or`
`71`		`- exists(Expr argument \| argumentToExec(argument, sink) \| result = argument.getLocation())`
	`69`	`+ exists(Expr argument \| argumentToExec(argument, sink) \|`
	`70`	`+ result = argument.getLocation()`
	`71`	`+ or`
	`72`	`+ result = sink.getLocation()`
	`73`	`+ )`
`72`	`74`	`}`
`73`	`75`	`}`
`74`	`76`
Original file line number	Diff line number	Diff line change
`@@ -21,10 +21,11 @@ module BoundedFlowSourceConfig implements DataFlow::ConfigSig {`
`21`	`21`	`predicate observeDiffInformedIncrementalMode() { any() }`
`22`	`22`
`23`	`23`	`Location getASelectedSinkLocation(DataFlow::Node sink) {`
`24`		`- result = sink.getLocation()`
`25`		`- or`
`26`	`24`	`exists(ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess \|`
`27`		`- result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation() and`
	`25`	`+ result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation()`
	`26`	`+ or`
	`27`	`+ result = sink.getLocation()`
	`28`	`+ \|`
`28`	`29`	`arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), arrayCreation)`
`29`	`30`	`)`
`30`	`31`	`}`
Original file line number	Diff line number	Diff line change
`@@ -18,10 +18,11 @@ module ImproperValidationOfArrayConstructionConfig implements DataFlow::ConfigSi`
`18`	`18`	`predicate observeDiffInformedIncrementalMode() { any() }`
`19`	`19`
`20`	`20`	`Location getASelectedSinkLocation(DataFlow::Node sink) {`
`21`		`- result = sink.getLocation()`
`22`		`- or`
`23`	`21`	`exists(ArrayCreationExpr arrayCreation, CheckableArrayAccess arrayAccess \|`
`24`		`- result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation() and`
	`22`	`+ result = [arrayCreation, arrayAccess.getIndexExpr()].getLocation()`
	`23`	`+ or`
	`24`	`+ result = sink.getLocation()`
	`25`	`+ \|`
`25`	`26`	`arrayAccess.canThrowOutOfBoundsDueToEmptyArray(sink.asExpr(), arrayCreation)`
`26`	`27`	`)`
`27`	`28`	`}`
Original file line number	Diff line number	Diff line change
`@@ -313,7 +313,7 @@ private module UnsafeDeserializationConfig implements DataFlow::ConfigSig {`
`313`	`313`	`predicate observeDiffInformedIncrementalMode() { any() }`
`314`	`314`
`315`	`315`	`Location getASelectedSinkLocation(DataFlow::Node sink) {`
`316`		`- result = sink.getLocation()`
	`316`	`+ result = sink.(UnsafeDeserializationSink).getLocation()`
`317`	`317`	`or`
`318`	`318`	`result = sink.(UnsafeDeserializationSink).getMethodCall().getLocation()`
`319`	`319`	`}`