Shared: Provenance-based filtering of flow summaries

hvitved · hvitved · commit 4c7c9c352ea0 · 2025-12-17T20:45:21.000+01:00
diff --git a/shared/dataflow/codeql/dataflow/internal/FlowSummaryImpl.qll b/shared/dataflow/codeql/dataflow/internal/FlowSummaryImpl.qll
@@ -21,6 +21,10 @@ signature module InputSig<LocationSig Location, DF::InputSig<Location> Lang> {
     string toString();
   }
 
+  /** Holds if a generated summary is allowed for `c`. */
+  bindingset[c]
+  default predicate allowGeneratedSummary(SummarizedCallableBase c) { any() }
+
   /**
    * A base class of elements that are candidates for flow source modeling.
    */
@@ -289,55 +293,25 @@ module Make<
        *
        * `preservesValue` indicates whether this is a value-preserving step or a taint-step.
        *
-       * If `model` is non-empty then it indicates the provenance of the model
-       * defining this flow.
+       * `p` indicates the provenance of the flow.
+       *
+       * `isExact` indicates whether there exists a model for which this callable is an exact
+       * match, that is, no overriding was used to identify this callable from the model.
+       *
+       * If `model` is non-empty then it indicates the origin of the model defining this flow.
        */
       pragma[nomagic]
       abstract predicate propagatesFlow(
-        string input, string output, boolean preservesValue, string model
+        string input, string output, boolean preservesValue, Provenance p, boolean isExact,
+        string model
       );
 
-      /**
-       * Holds if there exists a generated summary that applies to this callable.
-       */
-      final predicate hasGeneratedModel() {
-        exists(Provenance p | p.isGenerated() and this.hasProvenance(p))
-      }
-
-      /**
-       * Holds if all the summaries that apply to this callable are auto generated and not manually created.
-       * That is, only apply generated models, when there are no manual models.
-       */
-      final predicate applyGeneratedModel() {
-        this.hasGeneratedModel() and
-        not this.hasManualModel()
-      }
-
       /**
        * Holds if there exists a manual summary that applies to this callable.
        */
       final predicate hasManualModel() {
-        exists(Provenance p | p.isManual() and this.hasProvenance(p))
+        any(Provenance p | this.propagatesFlow(_, _, _, p, _, _)).isManual()
       }
-
-      /**
-       * Holds if there exists a manual summary that applies to this callable.
-       * Always apply manual models if they exist.
-       */
-      final predicate applyManualModel() { this.hasManualModel() }
-
-      /**
-       * Holds if there exists a summary that applies to this callable
-       * that has provenance `provenance`.
-       */
-      predicate hasProvenance(Provenance provenance) { provenance = "manual" }
-
-      /**
-       * Holds if there exists a model for which this callable is an exact
-       * match, that is, no overriding was used to identify this callable from
-       * the model.
-       */
-      predicate hasExactModel() { none() }
     }
 
     /** A source element. */
@@ -647,7 +621,7 @@ module Make<
       SummarizedCallableImpl callable, SummaryComponentStack input, SummaryComponentStack output,
       string whichOne
     ) {
-      callable.propagatesFlow(input, output, _, _) and
+      callable.propagatesFlow(input, output, _, _, _, _) and
       (
         not isSupportedInputStack(input) and whichOne = "input"
         or
@@ -688,9 +662,9 @@ module Make<
 
     private predicate summarySpec(string spec) {
       exists(SummarizedCallable c |
-        c.propagatesFlow(spec, _, _, _)
+        c.propagatesFlow(spec, _, _, _, _, _)
         or
-        c.propagatesFlow(_, spec, _, _)
+        c.propagatesFlow(_, spec, _, _, _, _)
       )
       or
       isRelevantSource(_, spec, _, _, _)
@@ -857,13 +831,9 @@ module Make<
      *
      * ```ql
      * private class CAdapter extends SummarizedCallable instanceof C {
-     *   override predicate propagatesFlow(string input, string output, boolean preservesValue, string model) {
+     *   override predicate propagatesFlow(string input, string output, boolean preservesValue, Provenance p, string model) {
      *     none()
      *   }
-     *
-     *   override predicate hasProvenance(Provenance provenance) {
-     *     C.super.hasProvenance(provenance)
-     *   }
      * }
      * ```
      */
@@ -897,32 +867,26 @@ module Make<
       pragma[nomagic]
       abstract predicate propagatesFlow(
         SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue,
-        string model
+        Provenance p, boolean isExact, string model
       );
-
-      /**
-       * Holds if there exists a summary that applies to this callable
-       * that has provenance `provenance`.
-       */
-      abstract predicate hasProvenance(Provenance provenance);
     }
 
     pragma[nomagic]
     private predicate summary(
       SummarizedCallableImpl c, SummaryComponentStack input, SummaryComponentStack output,
       boolean preservesValue, string model
     ) {
-      c.propagatesFlow(input, output, preservesValue, model)
+      c.propagatesFlow(input, output, preservesValue, _, _, model)
       or
       // observe side effects of callbacks on input arguments
-      c.propagatesFlow(output, input, preservesValue, model) and
+      c.propagatesFlow(output, input, preservesValue, _, _, model) and
       preservesValue = true and
       isCallbackParameter(input) and
       isContentOfArgument(output, _)
       or
       // flow from the receiver of a callback into the instance-parameter
       exists(SummaryComponentStack s, SummaryComponentStack callbackRef |
-        c.propagatesFlow(s, _, _, model) or c.propagatesFlow(_, s, _, model)
+        c.propagatesFlow(s, _, _, _, _, model) or c.propagatesFlow(_, s, _, _, _, model)
       |
         callbackRef = s.drop(_) and
         (isCallbackParameter(callbackRef) or callbackRef.head() = TReturnSummaryComponent(_)) and
@@ -948,8 +912,8 @@ module Make<
         SummaryComponentStack mid, boolean preservesValue1, boolean preservesValue2, string model1,
         string model2
       |
-        c.propagatesFlow(input, mid, preservesValue1, model1) and
-        c.propagatesFlow(mid, output, preservesValue2, model2) and
+        c.propagatesFlow(input, mid, preservesValue1, _, _, model1) and
+        c.propagatesFlow(mid, output, preservesValue2, _, _, model2) and
         mid.drop(mid.length() - 2) =
           SummaryComponentStack::push(TParameterSummaryComponent(_),
             SummaryComponentStack::singleton(TArgumentSummaryComponent(_))) and
@@ -2048,18 +2012,25 @@ module Make<
       {
         override predicate propagatesFlow(
           SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue,
-          string model
+          Provenance p, boolean isExact, string model
         ) {
           exists(AccessPath inSpec, AccessPath outSpec |
-            SummarizedCallable.super.propagatesFlow(inSpec, outSpec, preservesValue, model) and
+            SummarizedCallable.super
+                .propagatesFlow(inSpec, outSpec, preservesValue, p, isExact, model) and
             interpretSpec(inSpec, input) and
             interpretSpec(outSpec, output)
+          |
+            p.isManual()
+            or
+            p.isGenerated() and
+            not exists(Provenance manual | manual.isManual() |
+              SummarizedCallable.super.propagatesFlow(_, _, _, manual, _, _)
+              or
+              neutralElement(this, "summary", manual, _)
+            ) and
+            allowGeneratedSummary(this)
           )
         }
-
-        override predicate hasProvenance(Provenance provenance) {
-          SummarizedCallable.super.hasProvenance(provenance)
-        }
       }
 
       /** Holds if component `c` of specification `spec` cannot be parsed. */
@@ -2492,7 +2463,8 @@ module Make<
       string getCallableCsv();
 
       predicate relevantSummary(
-        SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue
+        SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue,
+        Provenance p
       );
     }
 
@@ -2505,13 +2477,6 @@ module Make<
         preservesValue = false and result = "taint"
       }
 
-      private string renderProvenance(SummarizedCallable c) {
-        exists(Provenance p | p.isManual() and c.hasProvenance(p) and result = p.toString())
-        or
-        not c.applyManualModel() and
-        c.hasProvenance(result)
-      }
-
       /**
        * Holds if there exists a relevant summary callable with information roughly corresponding to `csv`.
        * Used for testing.
@@ -2521,15 +2486,15 @@ module Make<
       query predicate summary(string csv) {
         exists(
           RelevantSummarizedCallable c, SummaryComponentStack input, SummaryComponentStack output,
-          boolean preservesValue
+          boolean preservesValue, Provenance p
         |
-          c.relevantSummary(input, output, preservesValue) and
+          c.relevantSummary(input, output, preservesValue, p) and
           csv =
             c.getCallableCsv() // Callable information
               + input.getMadRepresentation() + ";" // input
               + output.getMadRepresentation() + ";" // output
               + renderKind(preservesValue) + ";" // kind
-              + renderProvenance(c) // provenance
+              + p // provenance
         )
       }
     }
