fix some flowstate bug which Had caused to FP

Author: am0o0

go/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.ql

@@ -27,17 +27,12 @@ module DecompressionBombs implements DataFlow::StateConfigSig {
       //   or
       // exists(Parameter p | p.getARead() = source | p.hasQualifiedName("io", "Reader"))
     ) and
-    state =
-      [
-        "ZstdNewReader", "XzNewReader", "GzipNewReader", "S2NewReader", "SnapyNewReader",
-        "ZlibNewReader", "FlateNewReader", "Bzip2NewReader", "ZipOpenReader", "IOMethods",
-        "ZipKlauspost"
-      ]
+    state = ""
     or
     exists(DataFlow::Function f |
       (
         f.hasQualifiedName("archive/zip", ["OpenReader", "NewReader"]) and
-        state = ""
+        state = "ZipOpenReader"
         or
         f.hasQualifiedName("github.com/klauspost/compress/zip", ["NewReader", "OpenReader"]) and
         state = "ZipKlauspost"
@@ -145,24 +140,6 @@ module DecompressionBombs implements DataFlow::StateConfigSig {
       ]
   }
 
-  predicate isBarrier(DataFlow::Node node, FlowState state) {
-    //here I want to the CopyN return value be compared with < or > but I can't reach the tainted result
-    // exists(DataFlow::Function f | f.hasQualifiedName("io", "CopyN") |
-    //   node = f.getACall().getArgument([0, 1]) and
-    //   TaintTracking::localExprTaint(f.getACall().getResult(_).asExpr(),
-    //     any(RelationalComparisonExpr e).getAChildExpr*())
-    // )
-    // or
-    exists(DataFlow::Function f | f.hasQualifiedName("io", "LimitReader") |
-      node = f.getACall().getArgument(0) and f.getACall().getArgument(1).isConst()
-    ) and
-    state =
-      [
-        "ZstdNewReader", "XzNewReader", "GzipNewReader", "S2NewReader", "SnapyNewReader",
-        "ZlibNewReader", "FlateNewReader", "Bzip2NewReader", "ZipOpenReader", "ZipKlauspost"
-      ]
-  }
-
   predicate isAdditionalFlowStep(DataFlow::Node fromNode, DataFlow::Node toNode) {
     exists(DataFlow::FieldReadNode fi |
       fi.getType().hasQualifiedName("github.com/klauspost/compress/zip", "Reader")
@@ -291,6 +268,25 @@ module DecompressionBombs implements DataFlow::StateConfigSig {
       toState = "S2NewReader"
     )
   }
+
+  predicate isBarrier(DataFlow::Node node, FlowState state) {
+    // //here I want to the CopyN return value be compared with < or > but I can't reach the tainted result
+    // // exists(DataFlow::Function f | f.hasQualifiedName("io", "CopyN") |
+    // //   node = f.getACall().getArgument([0, 1]) and
+    // //   TaintTracking::localExprTaint(f.getACall().getResult(_).asExpr(),
+    // //     any(RelationalComparisonExpr e).getAChildExpr*())
+    // // )
+    // // or
+    // exists(DataFlow::Function f | f.hasQualifiedName("io", "LimitReader") |
+    //   node = f.getACall().getArgument(0) and f.getACall().getArgument(1).isConst()
+    // ) and
+    // state =
+    //   [
+    //     "ZstdNewReader", "XzNewReader", "GzipNewReader", "S2NewReader", "SnapyNewReader",
+    //     "ZlibNewReader", "FlateNewReader", "Bzip2NewReader", "ZipOpenReader", "ZipKlauspost"
+    //   ]
+    none()
+  }
 }
 
 // // here I want to the CopyN return value be compared with < or > but I can't reach the tainted result
@@ -310,5 +306,5 @@ import DecompressionBombsFlow::PathGraph
 
 from DecompressionBombsFlow::PathNode source, DecompressionBombsFlow::PathNode sink
 where DecompressionBombsFlow::flowPath(source, sink)
-select sink.getNode(), source, sink, "This file extraction $@.", source.getNode(),
-  "decompressing data controlling output size"
+select sink.getNode(), source, sink, "This decompression $@.", source.getNode(),
+  "decompressing compressed data without managing output size"