Shared support for alert filtering

cklin · cklin · commit 1c48bd52ade6 · 2024-08-16T11:02:40.000-07:00
diff --git a/shared/dataflow/codeql/dataflow/DataFlow.qll b/shared/dataflow/codeql/dataflow/DataFlow.qll
@@ -437,6 +437,9 @@ module Configs<LocationSig Location, InputSig<Location> Lang> {
      * is not visualized (as it is in a `path-problem` query).
      */
     default predicate includeHiddenNodes() { none() }
+    //
+    // If you add a predicate to ConfigSig, please also add a corresponding
+    // passthrough alias to FilteredConfig below.
   }
 
   /** An input configuration for data flow using flow state. */
@@ -559,6 +562,9 @@ module Configs<LocationSig Location, InputSig<Location> Lang> {
      * is not visualized (as it is in a `path-problem` query).
      */
     default predicate includeHiddenNodes() { none() }
+    //
+    // If you add a predicate to StateConfigSig, please also add a corresponding
+    // passthrough alias to FilteredStateConfig below.
   }
 }
 
@@ -835,4 +841,166 @@ module DataFlowMake<LocationSig Location, InputSig<Location> Lang> {
       }
     }
   }
+
+  /**
+   * This wrapper applies alert filters to an existing `ConfigSig` module. It is intended to be used
+   * in the specific case where both the dataflow sources and the dataflow sinks are presented in
+   * the query result, so we need to apply the alert filter on either the source or the sink (which
+   * is what this wrapper does).
+   */
+  module FilteredConfig<ConfigSig Config> implements ConfigSig {
+    private import codeql.util.AlertFiltering
+
+    private module AlertFiltering = AlertFilteringImpl<Location>;
+
+    pragma[noinline]
+    private predicate hasFilteredSource() {
+      exists(Node n | Config::isSource(n) | AlertFiltering::filterByLocation(n.getLocation()))
+    }
+
+    pragma[noinline]
+    private predicate hasFilteredSink() {
+      exists(Node n | Config::isSink(n) | AlertFiltering::filterByLocation(n.getLocation()))
+    }
+
+    predicate isSource(Node source) {
+      Config::isSource(source) and
+      (
+        // If there are filtered sinks, we need to pass through all sources to preserve all alerts
+        // with filtered sinks. Otherwise the only alerts of interest are those with filtered
+        // sources, so we can perform the source filtering right here.
+        hasFilteredSink() or
+        AlertFiltering::filterByLocation(source.getLocation())
+      )
+    }
+
+    predicate isSink(Node sink) {
+      Config::isSink(sink) and
+      (
+        // If there are filtered sources, we need to pass through all sinks to preserve all alerts
+        // with filtered sources. Otherwise the only alerts of interest are those with filtered
+        // sinks, so we can perform the sink filtering right here.
+        hasFilteredSource() or
+        AlertFiltering::filterByLocation(sink.getLocation())
+      )
+    }
+
+    predicate isBarrier = Config::isBarrier/1;
+
+    predicate isBarrierIn = Config::isBarrierIn/1;
+
+    predicate isBarrierOut = Config::isBarrierOut/1;
+
+    predicate isAdditionalFlowStep = Config::isAdditionalFlowStep/2;
+
+    predicate allowImplicitRead = Config::allowImplicitRead/2;
+
+    predicate neverSkip = Config::neverSkip/1;
+
+    predicate fieldFlowBranchLimit = Config::fieldFlowBranchLimit/0;
+
+    predicate accessPathLimit = Config::accessPathLimit/0;
+
+    predicate getAFeature = Config::getAFeature/0;
+
+    predicate sourceGrouping = Config::sourceGrouping/2;
+
+    predicate sinkGrouping = Config::sinkGrouping/2;
+
+    predicate includeHiddenNodes = Config::includeHiddenNodes/0;
+  }
+
+  /**
+   * This wrapper applies alert filters to an existing `StateConfigSig` module. It is intended to be
+   * used in the specific case where both the dataflow sources and the dataflow sinks are present in
+   * the query result, so we need to apply the alert filter on either the source or the sink (which
+   * is what this wrapper does).
+   */
+  module FilteredStateConfig<StateConfigSig Config> implements StateConfigSig {
+    private import codeql.util.AlertFiltering
+
+    private module AlertFiltering = AlertFilteringImpl<Location>;
+
+    class FlowState = Config::FlowState;
+
+    pragma[noinline]
+    private predicate hasFilteredSource() {
+      exists(Node n | Config::isSource(n, _) | AlertFiltering::filterByLocation(n.getLocation()))
+    }
+
+    pragma[noinline]
+    private predicate hasFilteredSink() {
+      exists(Node n |
+        Config::isSink(n, _) or
+        Config::isSink(n)
+      |
+        AlertFiltering::filterByLocation(n.getLocation())
+      )
+    }
+
+    predicate isSource(Node source, FlowState state) {
+      Config::isSource(source, state) and
+      (
+        // If there are filtered sinks, we need to pass through all sources to preserve all alerts
+        // with filtered sinks. Otherwise the only alerts of interest are those with filtered
+        // sources, so we can perform the source filtering right here.
+        hasFilteredSink() or
+        AlertFiltering::filterByLocation(source.getLocation())
+      )
+    }
+
+    predicate isSink(Node sink, FlowState state) {
+      Config::isSink(sink, state) and
+      (
+        // If there are filtered sources, we need to pass through all sinks to preserve all alerts
+        // with filtered sources. Otherwise the only alerts of interest are those with filtered
+        // sinks, so we can perform the sink filtering right here.
+        hasFilteredSource() or
+        AlertFiltering::filterByLocation(sink.getLocation())
+      )
+    }
+
+    predicate isSink(Node sink) {
+      Config::isSink(sink) and
+      (
+        // If there are filtered sources, we need to pass through all sinks to preserve all alerts
+        // with filtered sources. Otherwise the only alerts of interest are those with filtered
+        // sinks, so we can perform the sink filtering right here.
+        hasFilteredSource() or
+        AlertFiltering::filterByLocation(sink.getLocation())
+      )
+    }
+
+    predicate isBarrier = Config::isBarrier/1;
+
+    predicate isBarrier = Config::isBarrier/2;
+
+    predicate isBarrierIn = Config::isBarrierIn/1;
+
+    predicate isBarrierIn = Config::isBarrierIn/2;
+
+    predicate isBarrierOut = Config::isBarrierOut/1;
+
+    predicate isBarrierOut = Config::isBarrierOut/2;
+
+    predicate isAdditionalFlowStep = Config::isAdditionalFlowStep/2;
+
+    predicate isAdditionalFlowStep = Config::isAdditionalFlowStep/4;
+
+    predicate allowImplicitRead = Config::allowImplicitRead/2;
+
+    predicate neverSkip = Config::neverSkip/1;
+
+    predicate fieldFlowBranchLimit = Config::fieldFlowBranchLimit/0;
+
+    predicate accessPathLimit = Config::accessPathLimit/0;
+
+    predicate getAFeature = Config::getAFeature/0;
+
+    predicate sourceGrouping = Config::sourceGrouping/2;
+
+    predicate sinkGrouping = Config::sinkGrouping/2;
+
+    predicate includeHiddenNodes = Config::includeHiddenNodes/0;
+  }
 }
diff --git a/shared/util/codeql/util/AlertFiltering.qll b/shared/util/codeql/util/AlertFiltering.qll
@@ -0,0 +1,40 @@
+/**
+ * Provides the `restrictAlertsTo` extensible predicate to restrict alerts to specific source
+ * locations, and the `AlertFilteringImpl` parameterized module to apply the filtering.
+ */
+
+private import codeql.util.Location
+
+/**
+ * Restricts alerts to a specific location in specific files.
+ *
+ * If this predicate is empty, accept all alerts. Otherwise, accept alerts only at the specified
+ * locations. Note that alert restrictions apply only to the start line of an alert (even if the
+ * alert location spans multiple lines) because alerts are displayed on their start lines.
+ *
+ * - filePath: Absolute path of the file to restrict alerts to.
+ * - startLine: Start line number (starting with 1, inclusive) to restrict alerts to.
+ * - endLine: End line number (starting with 1, inclusive) to restrict alerts to.
+ *
+ * If startLine and endLine are both 0, accept alerts anywhere in the file.
+ */
+extensible predicate restrictAlertsTo(string filePath, int startLine, int endLine);
+
+/** Module for applying alert location filtering. */
+module AlertFilteringImpl<LocationSig Location> {
+  /** Applies alert filtering to the given location. */
+  bindingset[location]
+  predicate filterByLocation(Location location) {
+    not restrictAlertsTo(_, _, _)
+    or
+    exists(string filePath, int startLine, int endLine |
+      restrictAlertsTo(filePath, startLine, endLine)
+    |
+      startLine = 0 and
+      endLine = 0 and
+      location.hasLocationInfo(filePath, _, _, _, _)
+      or
+      location.hasLocationInfo(filePath, [startLine .. endLine], _, _, _)
+    )
+  }
+}
diff --git a/shared/util/ext/default-alert-filter.yml b/shared/util/ext/default-alert-filter.yml
@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/util
+      extensible: restrictAlertsTo
+    # Empty predicate means no restrictions on alert locations
+    data: []
diff --git a/shared/util/qlpack.yml b/shared/util/qlpack.yml
@@ -3,4 +3,6 @@ version: 1.0.6-dev
 groups: shared
 library: true
 dependencies: null
+dataExtensions:
+  - ext/*.yml
 warnOnImplicitThis: true
