
Module flow

Value-flow, taint, constant, value-set, and string-shape models.

Downstream SAST and lineage layers reason about how values propagate, not just whether a name binds. This module defines the shapes those passes share so they all speak the same vocabulary:

  • TaintKind — the family of taint a value carries (user-supplied, dynamic-SQL, db-link, file-system, …).
  • ConstantValue — when a value is provably constant, its wire form (number / string / bool / null).
  • ValueSet — abstract domain summarising the set of values a name might hold (Top / OneOf / Range / Bottom).
  • StringShape — abstract domain for string values (literal / interpolated-with-prefix / fully-opaque).
  • ValueFlow — the per-name aggregate the passes return.

Population happens in the intra- / inter-procedural flow passes. This module ships the types + serde + small helpers so the consumers (SAST, bindings, doc) program against a stable surface today.

/oracle evidence

  • DATABASE-REFERENCE.md PL/SQL Language Reference — the bind-variable + parameter-mode chapters drive how taint enters a routine. DBMS_ASSERT (see LOW-LEVEL-CATALOGS.md supplied-packages) is the sanctioned cleanser.

Structs

Taint
Taint state. kinds lists the live (uncleansed) taint sources that flow into the value — a bound sanitiser (e.g. a DBMS_ASSERT.* call) removes the kinds it cleanses, so a sanitized value carries no live kind. cleansed_by records which sanitisers fired anywhere in the value’s derivation (kept for reporting, not for the alarm). SAST emits a finding iff kinds is non-empty. Tracking live kinds (rather than all-seen kinds gated on an empty cleansed_by) binds cleansing to the sanitized sub-expression, so taint concatenated alongside a sanitized operand still alarms (e.g. DBMS_ASSERT.ENQUOTE_LITERAL('x') || p_user).
ValueFlow
Per-name aggregate flow report.

Enums

ConstantValue
When the value is provably constant, its wire form. Variants use struct-form fields so the serde tag = "kind" adjacent-encoding doesn’t trip on newtypes carrying String / primitive payloads.
StringShape
Abstract domain for string values. Powers SAST rules around dynamic-SQL composition + URL / file-path opening.
TaintCleanser
TaintKind
ValueSet
Abstract domain summarising the set of values a name might hold. The lattice is Bottom < Range / OneOf < Top — passes refine Top toward the more specific variants as they accumulate evidence.
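
The live-kinds rule from the Taint description, sketched as an added Rust example that is not this crate's own code. The field names kinds and cleansed_by come from the page; the variant names, method names and the set of kinds the sanitiser cleanses are assumptions.

```rust
use std::collections::BTreeSet;

// Variant names are assumptions; the page names the families, not the identifiers.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum TaintKind { UserSupplied, DynamicSql }
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum TaintCleanser { EnquoteLiteral } // models DBMS_ASSERT.ENQUOTE_LITERAL

#[derive(Clone, Debug, Default, PartialEq)]
pub struct Taint {
    pub kinds: BTreeSet<TaintKind>,           // live (uncleansed) sources
    pub cleansed_by: BTreeSet<TaintCleanser>, // kept for reporting only
}

impl Taint {
    pub fn source(kind: TaintKind) -> Self {
        Taint { kinds: BTreeSet::from([kind]), ..Default::default() }
    }
    /// A sanitiser bound to this sub-expression removes the kinds it cleanses.
    pub fn cleanse(mut self, by: TaintCleanser, cleanses: &[TaintKind]) -> Self {
        for k in cleanses { self.kinds.remove(k); }
        self.cleansed_by.insert(by);
        self
    }
    /// `a || b`: live kinds and sanitiser history are both unioned.
    pub fn concat(&self, rhs: &Taint) -> Taint {
        Taint {
            kinds: self.kinds.union(&rhs.kinds).copied().collect(),
            cleansed_by: self.cleansed_by.union(&rhs.cleansed_by).copied().collect(),
        }
    }
    /// The rule on the page: a finding iff `kinds` is non-empty.
    pub fn alarms(&self) -> bool { !self.kinds.is_empty() }
    /// The rejected rule: seen kinds gated on an empty `cleansed_by`.
    pub fn gated_alarms(&self) -> bool { !self.kinds.is_empty() && self.cleansed_by.is_empty() }
}

const CLEANSES: &[TaintKind] = &[TaintKind::UserSupplied]; // assumed cleansing set
/// DBMS_ASSERT.ENQUOTE_LITERAL(p_user)
pub fn sanitized() -> Taint {
    Taint::source(TaintKind::UserSupplied).cleanse(TaintCleanser::EnquoteLiteral, CLEANSES)
}
/// DBMS_ASSERT.ENQUOTE_LITERAL('x') || p_user
pub fn mixed() -> Taint {
    let lit = Taint::default().cleanse(TaintCleanser::EnquoteLiteral, CLEANSES);
    lit.concat(&Taint::source(TaintKind::UserSupplied))
}

fn main() {
    println!("sanitized alarms: {}", sanitized().alarms());
    println!("mixed alarms: {} (gated rule: {})", mixed().alarms(), mixed().gated_alarms());
}
```

In the mixed expression the seen kinds and the live kinds coincide, so gated_alarms shows the false negative the page's design avoids: the sanitiser fired somewhere in the derivation, but not on p_user.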