Filter result by number of steps in path

[Hug0Vincent]

Is it possible to filter path-based problem query results by the number of steps in the path from the source to the sink? I have numerous results, making it impossible to display them all in VSCode. I want to retain only those paths with a length of 30 steps or fewer. Is this feasible? In VSCode, the number of steps is displayed, but I'm unsure if I can directly filter this in my CodeQL query.

[Hug0Vincent]

I made this but is there a better way to do this ? Because it takes a lot of time on some databases. I tried to pass an integer as a parameter but I got some issues regarding inlining / recursion and constraints.

int pathLengthBetweenNodes(MyFlow::PathNode src, MyFlow::PathNode dst) {
  (result = 0 and src = dst)
  or
  exists(MyFlow::PathNode intermediate |
      intermediate.getASuccessor() = dst and
      result <= 42 and
      result = pathLengthBetweenNodes(src, intermediate) + 1
    )
}

module MyFlow = TaintTracking::Global<MyConfig>; // or DataFlow::Global<..>

from MyFlow::PathNode source, MyFlow::PathNode sink
where MyFlow::flowPath(source, sink)
pathLengthBetweenNodes(source, sink) <= 42
select sink.getNode(), source, sink, "Sample TaintTracking query"

[owen-mc]

The CodeQL query doesn't have any access to the path length. It doesn't actually construct any paths - this is done in a later step, before the results are shown in VS code. The closest thing that I can think of is that when using partial flow (where you specify the source but not the sink, or vice versa) you can specify some kind of length (I think it might be steps into function calls.) But using partial flow generally increases the number of results massively, so probably wouldn't help you.

Note that there are two slightly different things here: you might have lots of results, with one path each, or you might have one result with lots of paths. By default only 4 paths are constructed and shown for each result, though this can be adjusted. So I assume what you are seeing is lots of results. And you say that there are too many to show in VS code? Could you share more about what the query you are running is? Is it possible to apply some heuristic to reduce the number of results, other than path length?

[Hug0Vincent]

Thank you for your response. I've already narrowed it down to one path in VSCode and was hoping for alternative solutions. I'm attempting to construct a query to identify C# deserialization gadget chains. The query is quite complex as it is, so I would completely understand if you're unable to assist due to time constraints.

There are numerous dangerous sinks that could be harmful in this scenario, and for some formatters like Json.NET, there are many sources—almost every setter for each valid type. The query performs well on my test database but doesn't scale effectively with certain real DLLs. If you're interested in taking a look, here:

• sources
• sinks
• query
• additional steps

However, please don't feel obligated; I don't want to take up too much of your time with this.

[owen-mc]

You could try setting the field flow branch limit lower than the default value (which I think is 2). Instructions here (but use 1 or 0, rather than 5000). In some situations this can stop explosions in the number of paths (at the cost of missing some paths).

Update: the default value is 2 for all languages except for cpp, where it is 3.

[Hug0Vincent]

I saw this option and also the accessPathlimit but I don't understand their meaning. Is fieldFlowBranchLimit supposed to limit field access like object.Field1.Field2.Field3 ? And I can't find documentation for accessPathlimit.