C#: Precise data-flow for System.Threading.Tasks

hvitved · hvitved · commit c0b251ad9ef0 · 2020-10-03T11:13:45.000+02:00
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/LibraryTypeDataFlow.qll b/csharp/ql/src/semmle/code/csharp/dataflow/LibraryTypeDataFlow.qll
@@ -34,6 +34,8 @@ private newtype TAccessPath =
     or
     tail = AccessPath::singleton(_) and
     head instanceof ElementContent
+    or
+    tail = AccessPath::element()
   }
 
 /** An access path. */
@@ -1658,7 +1660,6 @@ class SystemThreadingTasksTaskFlow extends LibraryTypeDataFlow, SystemThreadingT
     (
       m.hasName("ContinueWith") and
       sourceAp = AccessPath::empty() and
-      sinkAp = AccessPath::empty() and
       (
         // flow from supplied state to supplied delegate
         exists(ConstructedDelegateType delegate, int i, int j, int k |
@@ -1670,44 +1671,44 @@ class SystemThreadingTasksTaskFlow extends LibraryTypeDataFlow, SystemThreadingT
           ) and
           delegate.getTypeArgument(k) instanceof ObjectType and
           source = TCallableFlowSourceArg(i) and
-          sink = getDelegateFlowSinkArg(m, j, k)
+          sink = getDelegateFlowSinkArg(m, j, k) and
+          sinkAp = AccessPath::empty()
         )
         or
         // flow out of supplied function
         exists(ConstructedDelegateType func, int i |
           m.getParameter(i).getType() = func and
           func.getUnboundGeneric() instanceof SystemFuncDelegateType and
           source = getDelegateFlowSourceArg(m, i) and
-          sink = TCallableFlowSinkReturn()
+          sink = TCallableFlowSinkReturn() and
+          sinkAp = AccessPath::property(any(SystemThreadingTasksTaskTClass c).getResultProperty())
         )
       )
       or
       m.hasName("FromResult") and
+      source = TCallableFlowSourceArg(0) and
       sourceAp = AccessPath::empty() and
-      sinkAp = AccessPath::empty() and
-      (
-        source = TCallableFlowSourceArg(0) and
-        sink = TCallableFlowSinkReturn()
-      )
+      sink = TCallableFlowSinkReturn() and
+      sinkAp = AccessPath::property(any(SystemThreadingTasksTaskTClass c).getResultProperty())
       or
       m.hasName("Run") and
+      m.getReturnType() = any(SystemThreadingTasksTaskTClass c).getAConstructedGeneric() and
+      m.(UnboundGenericMethod).getNumberOfTypeParameters() = 1 and
+      source = TCallableFlowSourceDelegateArg(0) and
       sourceAp = AccessPath::empty() and
-      sinkAp = AccessPath::empty() and
-      (
-        m.getReturnType() = any(SystemThreadingTasksTaskTClass c).getAConstructedGeneric() and
-        m.(UnboundGenericMethod).getNumberOfTypeParameters() = 1 and
-        source = TCallableFlowSourceDelegateArg(0) and
-        sink = TCallableFlowSinkReturn()
-      )
+      sink = TCallableFlowSinkReturn() and
+      sinkAp = AccessPath::property(any(SystemThreadingTasksTaskTClass c).getResultProperty())
       or
       m.getName().regexpMatch("WhenAll|WhenAny") and
-      sinkAp = AccessPath::empty() and
-      (
-        m.getReturnType() = any(SystemThreadingTasksTaskTClass c).getAConstructedGeneric() and
-        m.(UnboundGenericMethod).getNumberOfTypeParameters() = 1 and
-        source = getFlowSourceArg(m, _, sourceAp) and
-        sink = TCallableFlowSinkReturn()
-      )
+      m.getReturnType() = any(SystemThreadingTasksTaskTClass c).getAConstructedGeneric() and
+      m.(UnboundGenericMethod).getNumberOfTypeParameters() = 1 and
+      source = getFlowSourceArg(m, _, _) and
+      sourceAp = AccessPath::properties(any(SystemThreadingTasksTaskTClass c).getResultProperty()) and
+      sink = TCallableFlowSinkReturn() and
+      sinkAp =
+        AccessPath::cons(any(PropertyContent c |
+            c.getProperty() = any(SystemThreadingTasksTaskTClass tc).getResultProperty()
+          ), AccessPath::element())
     )
   }
 }
@@ -1717,32 +1718,38 @@ class SystemThreadingTasksTaskTFlow extends LibraryTypeDataFlow {
   SystemThreadingTasksTaskTFlow() { this instanceof SystemThreadingTasksTaskTClass }
 
   override predicate callableFlow(
-    CallableFlowSource source, CallableFlowSink sink, SourceDeclarationCallable c,
-    boolean preservesValue
+    CallableFlowSource source, AccessPath sourceAp, CallableFlowSink sink, AccessPath sinkAp,
+    SourceDeclarationCallable c, boolean preservesValue
   ) {
     (
-      constructorFlow(source, sink, c)
+      constructorFlow(source, sourceAp, sink, sinkAp, c)
       or
-      methodFlow(source, sink, c)
-      or
-      exists(Property p |
-        propertyFlow(p) and
-        source = TCallableFlowSourceQualifier() and
-        sink = TCallableFlowSinkReturn() and
-        c = p.getGetter()
-      )
+      methodFlow(source, sourceAp, sink, sinkAp, c)
     ) and
     preservesValue = true
+    or
+    exists(Property p |
+      p = this.(SystemThreadingTasksTaskTClass).getResultProperty() and
+      source = TCallableFlowSourceQualifier() and
+      sourceAp = AccessPath::empty() and
+      sink = TCallableFlowSinkReturn() and
+      sinkAp = AccessPath::empty() and
+      c = p.getGetter() and
+      preservesValue = false
+    )
   }
 
-  private predicate constructorFlow(CallableFlowSource source, CallableFlowSink sink, Constructor c) {
+  private predicate constructorFlow(
+    CallableFlowSource source, AccessPath sourceAp, CallableFlowSink sink, AccessPath sinkAp,
+    Constructor c
+  ) {
     // flow from supplied function into constructed Task
     c.getDeclaringType() = this and
-    (
-      c.getParameter(0).getType() = any(SystemFuncDelegateType t).getAConstructedGeneric() and
-      source = TCallableFlowSourceDelegateArg(0) and
-      sink = TCallableFlowSinkReturn()
-    )
+    c.getParameter(0).getType() = any(SystemFuncDelegateType t).getAConstructedGeneric() and
+    source = TCallableFlowSourceDelegateArg(0) and
+    sourceAp = AccessPath::empty() and
+    sink = TCallableFlowSinkReturn() and
+    sinkAp = AccessPath::property(this.(SystemThreadingTasksTaskTClass).getResultProperty())
     or
     // flow from supplied state to supplied delegate
     c.getDeclaringType() = this and
@@ -1752,12 +1759,15 @@ class SystemThreadingTasksTaskTFlow extends LibraryTypeDataFlow {
       func.getUnboundGeneric().(SystemFuncDelegateType).getNumberOfTypeParameters() = 2 and
       func.getTypeArgument(0) instanceof ObjectType and
       source = TCallableFlowSourceArg(1) and
-      sink = getDelegateFlowSinkArg(c, 0, 0)
+      sourceAp = AccessPath::empty() and
+      sink = getDelegateFlowSinkArg(c, 0, 0) and
+      sinkAp = AccessPath::empty()
     )
   }
 
   private predicate methodFlow(
-    CallableFlowSource source, CallableFlowSink sink, SourceDeclarationMethod m
+    CallableFlowSource source, AccessPath sourceAp, CallableFlowSink sink, AccessPath sinkAp,
+    SourceDeclarationMethod m
   ) {
     m.getDeclaringType() = this and
     m.hasName("ContinueWith") and
@@ -1774,28 +1784,30 @@ class SystemThreadingTasksTaskTFlow extends LibraryTypeDataFlow {
           delegate.getTypeArgument(j) instanceof ObjectType and
           m.getParameter(k).getType() instanceof ObjectType and
           source = TCallableFlowSourceArg(k) and
-          sink = getDelegateFlowSinkArg(m, i, j)
+          sourceAp = AccessPath::empty() and
+          sink = getDelegateFlowSinkArg(m, i, j) and
+          sinkAp = AccessPath::empty()
         )
         or
         // flow from this task to supplied delegate
         delegate.getTypeArgument(j) = this and
         source = TCallableFlowSourceQualifier() and
-        sink = getDelegateFlowSinkArg(m, i, j)
+        sourceAp = AccessPath::empty() and
+        sink = getDelegateFlowSinkArg(m, i, j) and
+        sinkAp = AccessPath::empty()
       )
       or
       // flow out of supplied function
       exists(ConstructedDelegateType func, int i |
         m.getParameter(i).getType() = func and
         func.getUnboundGeneric() instanceof SystemFuncDelegateType and
         source = getDelegateFlowSourceArg(m, i) and
-        sink = TCallableFlowSinkReturn()
+        sourceAp = AccessPath::empty() and
+        sink = TCallableFlowSinkReturn() and
+        sinkAp = AccessPath::property(this.(SystemThreadingTasksTaskTClass).getResultProperty())
       )
     )
   }
-
-  private predicate propertyFlow(Property p) {
-    p = this.(SystemThreadingTasksTaskTClass).getResultProperty()
-  }
 }
 
 /** Data flow for `System.Threading.Tasks.TaskFactory`(`<TResult>`). */
@@ -1806,15 +1818,16 @@ class SystemThreadingTasksFactoryFlow extends LibraryTypeDataFlow {
   }
 
   override predicate callableFlow(
-    CallableFlowSource source, CallableFlowSink sink, SourceDeclarationCallable c,
-    boolean preservesValue
+    CallableFlowSource source, AccessPath sourceAp, CallableFlowSink sink, AccessPath sinkAp,
+    SourceDeclarationCallable c, boolean preservesValue
   ) {
-    methodFlow(source, sink, c) and
+    methodFlow(source, sourceAp, sink, sinkAp, c) and
     preservesValue = true
   }
 
   private predicate methodFlow(
-    CallableFlowSource source, CallableFlowSink sink, SourceDeclarationMethod m
+    CallableFlowSource source, AccessPath sourceAp, CallableFlowSink sink, AccessPath sinkAp,
+    SourceDeclarationMethod m
   ) {
     m.getDeclaringType() = this and
     (
@@ -1831,15 +1844,19 @@ class SystemThreadingTasksFactoryFlow extends LibraryTypeDataFlow {
             delegate.getUnboundGeneric() instanceof SystemFuncDelegateType
           ) and
           source = TCallableFlowSourceArg(i) and
-          sink = getDelegateFlowSinkArg(m, j, k)
+          sourceAp = AccessPath::empty() and
+          sink = getDelegateFlowSinkArg(m, j, k) and
+          sinkAp = AccessPath::empty()
         )
         or
         // flow out of supplied function
         exists(ConstructedDelegateType func, int i |
           m.getParameter(i).getType() = func and
           func.getUnboundGeneric() instanceof SystemFuncDelegateType and
           source = getDelegateFlowSourceArg(m, i) and
-          sink = TCallableFlowSinkReturn()
+          sourceAp = AccessPath::empty() and
+          sink = TCallableFlowSinkReturn() and
+          sinkAp = AccessPath::property(any(SystemThreadingTasksTaskTClass c).getResultProperty())
         )
       )
       or
@@ -1855,15 +1872,19 @@ class SystemThreadingTasksFactoryFlow extends LibraryTypeDataFlow {
           ) and
           delegate.getTypeArgument(k) instanceof ObjectType and
           source = TCallableFlowSourceArg(i) and
-          sink = getDelegateFlowSinkArg(m, j, k)
+          sourceAp = AccessPath::empty() and
+          sink = getDelegateFlowSinkArg(m, j, k) and
+          sinkAp = AccessPath::empty()
         )
         or
         // flow out of supplied function
         exists(ConstructedDelegateType func, int i |
           m.getParameter(i).getType() = func and
           func.getUnboundGeneric() instanceof SystemFuncDelegateType and
           source = getDelegateFlowSourceArg(m, i) and
-          sink = TCallableFlowSinkReturn()
+          sourceAp = AccessPath::empty() and
+          sink = TCallableFlowSinkReturn() and
+          sinkAp = AccessPath::property(any(SystemThreadingTasksTaskTClass c).getResultProperty())
         )
       )
     )
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
@@ -16,6 +16,7 @@ private import semmle.code.csharp.dispatch.Dispatch
 private import semmle.code.csharp.frameworks.EntityFramework
 private import semmle.code.csharp.frameworks.NHibernate
 private import semmle.code.csharp.frameworks.system.Collections
+private import semmle.code.csharp.frameworks.system.threading.Tasks
 
 abstract class NodeImpl extends Node {
   /** Do not call: use `getEnclosingCallable()` instead. */
@@ -154,10 +155,6 @@ module LocalFlow {
         scope = e2 and
         isSuccessor = true
         or
-        e1 = e2.(AwaitExpr).getExpr() and
-        scope = e2 and
-        isSuccessor = true
-        or
         // An `=` expression, where the result of the expression is used
         e2 =
           any(AssignExpr ae |
@@ -679,6 +676,11 @@ private module Cached {
     storeStepLibrary(node1, c, node2)
   }
 
+  pragma[nomagic]
+  private PropertyContent getResultContent() {
+    result.getProperty() = any(SystemThreadingTasksTaskTClass c_).getResultProperty()
+  }
+
   /**
    * Holds if data can flow from `node1` to `node2` via a read of content `c`.
    */
@@ -699,6 +701,10 @@ private module Cached {
         node2.(SsaDefinitionNode).getDefinition() = def and
         c instanceof ElementContent
       )
+      or
+      x.hasNodePath(node1, node2) and
+      node2.asExpr().(AwaitExpr).getExpr() = node1.asExpr() and
+      c = getResultContent()
     )
     or
     readStepLibrary(node1, c, node2)
@@ -2180,6 +2186,11 @@ private class ReadStepConfiguration extends ControlFlowReachabilityConfiguration
     isSuccessor = true and
     arrayRead(e1, e2) and
     scope = e2
+    or
+    exactScope = false and
+    e1 = e2.(AwaitExpr).getExpr() and
+    scope = e2 and
+    isSuccessor = true
   }
 
   override predicate candidateDef(
diff --git a/csharp/ql/src/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll b/csharp/ql/src/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll
@@ -95,6 +95,10 @@ private class LocalTaintExprStepConfiguration extends ControlFlowReachabilityCon
           scope = e2 and
           isSuccessor = true
         )
+      or
+      e1 = e2.(AwaitExpr).getExpr() and
+      scope = e2 and
+      isSuccessor = true
     )
   }
 }
diff --git a/csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected b/csharp/ql/test/library-tests/dataflow/global/DataFlowPath.expected
@@ -180,8 +180,13 @@ edges
 | GlobalDataFlow.cs:217:22:217:28 | access to local variable tainted [[]] : String | GlobalDataFlow.cs:324:32:324:42 | sinkParam11 : String |
 | GlobalDataFlow.cs:217:22:217:49 | call to method Select [[]] : String | GlobalDataFlow.cs:217:22:217:57 | call to method First : String |
 | GlobalDataFlow.cs:217:22:217:57 | call to method First : String | GlobalDataFlow.cs:218:15:218:20 | access to local variable sink26 |
-| GlobalDataFlow.cs:238:35:238:48 | "taint source" : String | GlobalDataFlow.cs:240:15:240:20 | access to local variable sink41 |
-| GlobalDataFlow.cs:238:35:238:48 | "taint source" : String | GlobalDataFlow.cs:242:15:242:20 | access to local variable sink42 |
+| GlobalDataFlow.cs:238:20:238:49 | call to method Run [Result] : String | GlobalDataFlow.cs:239:22:239:25 | access to local variable task [Result] : String |
+| GlobalDataFlow.cs:238:20:238:49 | call to method Run [Result] : String | GlobalDataFlow.cs:241:28:241:31 | access to local variable task [Result] : String |
+| GlobalDataFlow.cs:238:35:238:48 | "taint source" : String | GlobalDataFlow.cs:238:20:238:49 | call to method Run [Result] : String |
+| GlobalDataFlow.cs:239:22:239:25 | access to local variable task [Result] : String | GlobalDataFlow.cs:239:22:239:32 | access to property Result : String |
+| GlobalDataFlow.cs:239:22:239:32 | access to property Result : String | GlobalDataFlow.cs:240:15:240:20 | access to local variable sink41 |
+| GlobalDataFlow.cs:241:22:241:31 | await ... : String | GlobalDataFlow.cs:242:15:242:20 | access to local variable sink42 |
+| GlobalDataFlow.cs:241:28:241:31 | access to local variable task [Result] : String | GlobalDataFlow.cs:241:22:241:31 | await ... : String |
 | GlobalDataFlow.cs:254:26:254:35 | sinkParam0 : String | GlobalDataFlow.cs:256:16:256:25 | access to parameter sinkParam0 : String |
 | GlobalDataFlow.cs:254:26:254:35 | sinkParam0 : String | GlobalDataFlow.cs:257:15:257:24 | access to parameter sinkParam0 |
 | GlobalDataFlow.cs:256:16:256:25 | access to parameter sinkParam0 : String | GlobalDataFlow.cs:254:26:254:35 | sinkParam0 : String |
@@ -367,8 +372,13 @@ nodes
 | GlobalDataFlow.cs:217:22:217:49 | call to method Select [[]] : String | semmle.label | call to method Select [[]] : String |
 | GlobalDataFlow.cs:217:22:217:57 | call to method First : String | semmle.label | call to method First : String |
 | GlobalDataFlow.cs:218:15:218:20 | access to local variable sink26 | semmle.label | access to local variable sink26 |
+| GlobalDataFlow.cs:238:20:238:49 | call to method Run [Result] : String | semmle.label | call to method Run [Result] : String |
 | GlobalDataFlow.cs:238:35:238:48 | "taint source" : String | semmle.label | "taint source" : String |
+| GlobalDataFlow.cs:239:22:239:25 | access to local variable task [Result] : String | semmle.label | access to local variable task [Result] : String |
+| GlobalDataFlow.cs:239:22:239:32 | access to property Result : String | semmle.label | access to property Result : String |
 | GlobalDataFlow.cs:240:15:240:20 | access to local variable sink41 | semmle.label | access to local variable sink41 |
+| GlobalDataFlow.cs:241:22:241:31 | await ... : String | semmle.label | await ... : String |
+| GlobalDataFlow.cs:241:28:241:31 | access to local variable task [Result] : String | semmle.label | access to local variable task [Result] : String |
 | GlobalDataFlow.cs:242:15:242:20 | access to local variable sink42 | semmle.label | access to local variable sink42 |
 | GlobalDataFlow.cs:254:26:254:35 | sinkParam0 : String | semmle.label | sinkParam0 : String |
 | GlobalDataFlow.cs:256:16:256:25 | access to parameter sinkParam0 : String | semmle.label | access to parameter sinkParam0 : String |
diff --git a/csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected b/csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.expected
diff --git a/csharp/ql/test/library-tests/dataflow/library/LibraryTypeDataFlow.expected b/csharp/ql/test/library-tests/dataflow/library/LibraryTypeDataFlow.expected

Original file line number	Diff line number	Diff line change
`@@ -95,6 +95,10 @@ private class LocalTaintExprStepConfiguration extends ControlFlowReachabilityCon`
`95`	`95`	`scope = e2 and`
`96`	`96`	`isSuccessor = true`
`97`	`97`	`)`
	`98`	`+ or`
	`99`	`+ e1 = e2.(AwaitExpr).getExpr() and`
	`100`	`+ scope = e2 and`
	`101`	`+ isSuccessor = true`
`98`	`102`	`)`
`99`	`103`	`}`
`100`	`104`	`}`