Skip to main content

Module flow_inter

plsql_ir

Module flow_inter 

Source
Expand description

Single-hop inter-procedural parameter/return flow.

FLOW-002 propagates taint within one routine. This pass joins routines: when routine A calls routine B, the taint of A’s actual arguments flows into B’s formal parameters, and B’s return taint flows back to A’s call-site assignment.

Each call edge is resolved once against the callee’s RoutineFlowSummary — a single hop. The pass does NOT follow transitive chains (A→B→C) or iterate a recursive frontier; multi-hop following is a future pass and is intentionally out of scope here. A direct self-call (A→A) and any call whose callee summary is missing (external package, db-link, dynamic dispatch) are recorded as conservative FlowUnknownFacts so R13 reporting never silently drops the boundary.

Routine summaries are supplied by the caller as RoutineFlowSummary records (param taint sensitivity + return taint) so this module stays free of a hard plsql-symbols dependency.

§/oracle evidence

  • DATABASE-REFERENCE.md PL/SQL Language Reference — parameter modes (IN copies in, OUT copies back, IN OUT both) define the flow direction across a call boundary.
  • LOW-LEVEL-CATALOGS.mdALL_ARGUMENTS is the server-side authority for a routine’s formal-parameter list when the source summary is unavailable.

Structs§

CallEdgeFlow
A call site to resolve: caller invokes callee with the taint kinds of each positional actual argument.
FlowUnknownFact
Conservative boundary record (R13). Emitted whenever the pass cannot resolve a call: missing callee summary, or a direct recursion (self-call).
InterFlowResult
Result of an inter-procedural propagation run.
PropagatedReturn
RoutineFlowSummary
Per-routine flow summary the caller supplies. param_taints maps a 0-based parameter index to the taint kinds that param propagates into the body; returns_taint is the taint a caller should attribute to the call’s result.

Enums§

FlowUnknownReason

Functions§

propagate_inter
Propagate taint across call_edges using the supplied summaries. Each edge is resolved one hop against its callee summary; a direct self-call and a missing summary surface as FlowUnknownFact (R13).