DataFlow: Add a predicate for modifying which dataflow steps participate in flow-through summaries.

MathiasVP · MathiasVP · commit 748625c7e5e5 · 2023-11-15T14:30:13.000Z
diff --git a/shared/dataflow/codeql/dataflow/DataFlow.qll b/shared/dataflow/codeql/dataflow/DataFlow.qll
@@ -170,6 +170,13 @@ signature module InputSig {
 
   predicate simpleLocalFlowStep(Node node1, Node node2);
 
+  /**
+   * Holds if the data flow step from `node1` to `node2` can be used when
+   * computing flow-through summaries.
+   */
+  bindingset[node1, node2]
+  default predicate flowThroughStepAllowed(Node node1, Node node2) { any() }
+
   /**
    * Holds if data can flow from `node1` to `node2` through a non-local step
    * that does not follow a call edge. For example, a step through a global
diff --git a/shared/dataflow/codeql/dataflow/internal/DataFlowImplCommon.qll b/shared/dataflow/codeql/dataflow/internal/DataFlowImplCommon.qll
@@ -551,7 +551,8 @@ module MakeImplCommon<InputSig Lang> {
           // local flow
           exists(Node mid |
             parameterValueFlowCand(p, mid, read) and
-            simpleLocalFlowStep(mid, node)
+            simpleLocalFlowStep(mid, node) and
+            flowThroughStepAllowed(mid, node)
           )
           or
           // read
@@ -670,7 +671,8 @@ module MakeImplCommon<InputSig Lang> {
           // local flow
           exists(Node mid |
             parameterValueFlow(p, mid, read) and
-            simpleLocalFlowStep(mid, node)
+            simpleLocalFlowStep(mid, node) and
+            flowThroughStepAllowed(mid, node)
           )
           or
           // read
