Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dataflow: Deprecate FlowStateString. #15062

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Dataflow: Deprecate FlowStateString. #15062

wants to merge 4 commits into from
+218 −123

Conversation

aschackmull
Copy link
Contributor

Followup for #14983. I don't think we need a change note for this, as this was effectively part of the old api.

@aschackmull aschackmull added the no-change-note-required This PR does not need a change note label Dec 11, 2023
@aschackmull aschackmull marked this pull request as draft December 11, 2023 10:21
@aschackmull aschackmull force-pushed the dataflow/deprecate-flowstatestring branch from a026252 to edd6583 Compare December 11, 2023 10:28
@aschackmull aschackmull marked this pull request as ready for review December 11, 2023 10:28
@aschackmull aschackmull requested review from a team as code owners December 11, 2023 10:28
@jketema
Copy link
Contributor

jketema commented Dec 11, 2023

Fix for the coding standards tests: github/codeql-coding-standards#473

owen-mc
owen-mc previously approved these changes Dec 11, 2023
View reviewed changes
Copy link
Contributor

@owen-mc owen-mc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Go LGTM

atorralba
atorralba previously approved these changes Dec 12, 2023
View reviewed changes
Copy link
Contributor

@atorralba atorralba left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Java 👍

I don't think we need a change note for this, as this was effectively part of the old api.

Agree, everything affected by this seems to be under the internal directory.

michaelnebel
michaelnebel reviewed Dec 12, 2023
View reviewed changes
Copy link
Contributor

@michaelnebel michaelnebel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

C# LGTM - but there are some tests failing for other languages.

@jketema
Copy link
Contributor

jketema commented Dec 12, 2023

@aschackmull The coding standards tests are now fixed.

geoffw0
geoffw0 reviewed Dec 12, 2023
View reviewed changes
Copy link
Contributor

@geoffw0 geoffw0 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 for Swift.

geoffw0
geoffw0 previously approved these changes Dec 12, 2023
View reviewed changes
@geoffw0
Copy link
Contributor

geoffw0 commented Dec 12, 2023
edited

Oh, one of the test failures is in Swift. There was briefly a version of main with failing Swift tests (that I think looked like what we have here), it's possible this PR has got unlucky with it's base commit?

@aschackmull
Copy link
Contributor Author

Oh, one of the test failures is in Swift. There was briefly a version of main with failing Swift tests (that I think looked like what we have here), it's possible this PR has got unlucky with it's base commit

Yes. I'm aware I need to rebase, and that should fix the swift test. But there's also a Java failure, so I was planning to fix that before rebasing. (No need to rerun CI twice).

yoff
yoff previously approved these changes Dec 13, 2023
View reviewed changes
Copy link
Contributor

@yoff yoff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Python 👍

@aschackmull aschackmull force-pushed the dataflow/deprecate-flowstatestring branch from 7b4c0db to f2dea89 Compare December 14, 2023 14:05
@aschackmull
Copy link
Contributor Author

@atorralba could you take a look at the last commit - I've fixed the 3 java queries that had accidental exposure of FlowStateString in their extension points.

jketema
jketema previously approved these changes Dec 14, 2023
View reviewed changes
@aschackmull aschackmull force-pushed the dataflow/deprecate-flowstatestring branch from f2dea89 to 7623432 Compare December 14, 2023 14:16
atorralba
atorralba reviewed Dec 14, 2023
View reviewed changes
Copy link
Contributor

@atorralba atorralba left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, so the last commit mostly LGTM.

  • ImplictPendingIntents 👍
  • Turns out that we didn't even use FlowStates in TemplateInjection, and I made those extension points "just in case" 😅. Anyway, 👍.
  • I think I followed your changes in InsufficientKeySize. AFAIU there aren't changes in the semantics (and the green tests probably confirm this), so we should be good. Still, I added a few minor comments/questions.

java/ql/lib/semmle/code/java/security/InsufficientKeySize.qll
@@ -3,32 +3,76 @@
private import semmle.code.java.security.Encryption
private import semmle.code.java.dataflow.DataFlow
private import semmle.code.java.security.internal.EncryptionKeySizes
import codeql.util.Either
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Make this private?

Suggested change
import codeql.util.Either
private import codeql.util.Either

java/ql/lib/semmle/code/java/security/InsufficientKeySize.qll
MinimumKeySize() { any() }

/** Gets a textual representation of this element. */
string toString() { result = super.toString() }
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OOC: why do we need this implementation of toString? And same question for AlgorithmKind.

java/ql/lib/semmle/code/java/security/InsufficientKeySize.qll
/** Holds if this sink has the specified `state`. */
predicate hasState(DataFlow::FlowState state) { state instanceof DataFlow::FlowStateEmpty }
/** Holds if this sink accepts the specified `state`. */
final predicate hasState(KeySizeState state) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couldn't this break existing implementations of InsufficientKeySizeSink overriding hasState?

java/ql/lib/semmle/code/java/security/InsufficientKeySize.qll

/** A source for an insufficient key size. */
abstract class InsufficientKeySizeSource extends DataFlow::Node {
/** Holds if this source has the specified `state`. */
predicate hasState(DataFlow::FlowState state) { state instanceof DataFlow::FlowStateEmpty }
abstract predicate hasState(KeySizeState state);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couldn't this break existing implementations of InsufficientKeySizeSource that don't override hasState?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@michaelnebel michaelnebel michaelnebel left review comments

@atorralba atorralba atorralba left review comments

@yoff yoff yoff left review comments

@geoffw0 geoffw0 geoffw0 left review comments

@owen-mc owen-mc owen-mc left review comments

@jketema jketema jketema left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
C# C++ DataFlow Library documentation Go Java no-change-note-required This PR does not need a change note Python Ruby Swift
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
7 participants
@aschackmull @jketema @geoffw0 @yoff @michaelnebel @atorralba @owen-mc