mirror of
https://github.com/hohn/codeql-workshop-dataflow-c.git
synced 2025-12-16 10:33:04 +01:00
1c70a42041
GuardCondition::ensuresEq is sufficient. Update test-cases and expected results + removed a QL warning
37 lines
1.0 KiB
Plaintext
37 lines
1.0 KiB
Plaintext
import cpp
|
|
import semmle.code.cpp.dataflow.new.DataFlow
|
|
import semmle.code.cpp.controlflow.Guards
|
|
|
|
/**
|
|
* An access of a dynamic input array (of type `dyn_input_t`)
|
|
*/
|
|
class DynamicInputAccess extends ArrayExpr {
|
|
DynamicInputAccess() {
|
|
this.getArrayBase().getType().(DerivedType).getBaseType().getName() = "dyn_input_t"
|
|
}
|
|
}
|
|
|
|
/**
|
|
* A call to `DYN_INPUT_TYPE`
|
|
*/
|
|
class TypeValidationCall extends FunctionCall {
|
|
TypeValidationCall() { this.getTarget().hasName("DYN_INPUT_TYPE") }
|
|
}
|
|
|
|
/**
|
|
* Relates a `call` to a `guard`, which uses the result of the call to validate
|
|
* equality of the result of `call` against `other` to guard `block`.
|
|
*/
|
|
predicate typeValidationGuard(
|
|
GuardCondition guard, TypeValidationCall call, Expr other, BasicBlock block
|
|
) {
|
|
exists(Expr dest |
|
|
DataFlow::localExprFlow(call, dest) and
|
|
guard.ensuresEq(dest, other, 0, block, true)
|
|
)
|
|
}
|
|
|
|
from DynamicInputAccess access
|
|
where not typeValidationGuard(_, _, _, access.getBasicBlock())
|
|
select access, "Access to dynamic input array without type validation."
|