hohn/codeql-sample-polkit
1
0
Fork 0
mirror of https://github.com/hohn/codeql-sample-polkit.git synced 2025-12-16 13:53:04 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
1e8971afab61073f4b7b36c162ab5c51a61b2c97
codeql-sample-polkit/PrintCFG-false-successor.ql
Michael Hohn 1e8971afab Add a two-color CFG to illustrate the branches following the first for-loop 
This includes the scripts, dgml, and pdf output
2022-03-05 18:07:10 -08:00

35 lines
1.1 KiB
Plaintext
Raw Blame History

/**
* @name Print part of the CFG
* @description Outputs a subset of the control flow graph
* @id cpp/example/polkit/cfg-false-successor
* @kind graph
*/
import cpp
query predicate edges(ControlFlowNode n1, ControlFlowNode n2) {
exists(
RelationalOperation cmp, Parameter argc, ControlFlowNode startFrom, Variable n, ForStmt forloop
|
// minimal restriction: start from comparison
argc.getName() = "argc" and
argc.getAnAccess() = cmp.getAnOperand().getAChild*() and
n.getAnAccess() = cmp.getAnOperand().getAChild*() and
not n instanceof Parameter and
n.getName() = "n" and
forloop.getCondition() = cmp and
forloop.getControlFlowScope().getName() = "main" and
//
startFrom = cmp.getAFalseSuccessor() and
startFrom.getASuccessor*() = n1 and
//
n1.getASuccessor() = n2 and
n1.getControlFlowScope().getName() = "main" and
// polkit has many `main` functions, grab the one from pkexec.c
n1.getLocation().getFile().getBaseName() = "pkexec.c"
)
}
// For reference, see the file
// db/polkit-0.119.db/tmp/polkit/src/programs/pkexec.c
// (after extracting src.zip)
Reference in New Issue View Git Blame Copy Permalink