Python: Fix hasFlowPath default implementation of isSink/2

RasmusWL · RasmusWL · commit 36bb5f54cebe · 2019-10-10T15:34:54.000+02:00
If hasFlowPath was used, and isSink/2 was not overridden, hasFlowPath(src, sink) would not use isSink/1 to restrict the allowed TaintSink. This resulted in false-positives when we had flows with unrelated TaintSinks. FP: https://lgtm.com/projects/g/graphite-project/graphite-web/snapshot/1a8e7ffc2eab2210a73f30b03e9cdeb520a02057/files/webapp/graphite/dashboard/views.py#x2d486922081db956:1 Fixes #2081
diff --git a/python/ql/src/semmle/python/dataflow/Configuration.qll b/python/ql/src/semmle/python/dataflow/Configuration.qll
@@ -51,6 +51,7 @@ module TaintTracking {
          */
         predicate isSink(DataFlow::Node node, TaintKind kind) {
             exists(TaintSink sink |
+                this.isSink(sink) and
                 node.asCfgNode() = sink and
                 sink.sinks(kind)
             )

Original file line number	Diff line number	Diff line change
`@@ -51,6 +51,7 @@ module TaintTracking {`
`51`	`51`	`*/`
`52`	`52`	`predicate isSink(DataFlow::Node node, TaintKind kind) {`
`53`	`53`	`exists(TaintSink sink \|`
	`54`	`+ this.isSink(sink) and`
`54`	`55`	`node.asCfgNode() = sink and`
`55`	`56`	`sink.sinks(kind)`
`56`	`57`	`)`