CodeQl Java to detect flows from some input to a Class member

[yuval-piiano]

Hi,

I am trying to write a codeql flow query to detect if and when some user input is reaching a specific Field in a class.
when tracking calls to the field setter I am getting the expected results -

 override predicate isSink(DataFlow::Node sink) { 
    exists(MethodAccess call, SetterMethod method , Field field |
      
      call.getMethod() = method and
      sink.asExpr() = call.getAnArgument()  and
      method.accesses(field) and 
      field.getName() = "myField"
      
    )

(the calls to setMyField(value) I am interested in)

However it is possible to set fields not via setters and I would like to capture these instances too, I tried using this :

override predicate isSink(DataFlow::Node sink) { 
exists(FieldWrite write | 
    write.getRhs() = sink.asExpr())
}

but it doesn't return anything, what am I doing wrong?
Thanks,
Yuval

[MathiasVP]

Hi @yuval-piiano,

That isSink definition looks right to me. Of course, you still need to restrict the write to be a write to the myField field, but if you're getting 0 results with this definition already it leads me to think something else is wrong.

Have you read the "Checking sources and sinks" section of https://codeql.github.com/docs/writing-codeql-queries/debugging-data-flow-queries-using-partial-flow/#checking-sources-and-sinks?

[yuval-piiano]

Thank you!
this helped me find the problem (which was indeed in another part of the query )