hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-05 13:45:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

C++: Repair the 'FlowSources' library in preparation for IR-based use-use dataflow.

Browse Source
This commit is contained in:
Mathias Vorreiter Pedersen
2022-10-14 14:52:29 +02:00
parent d62ae96763
commit 01a81a9c56
1 changed files with 15 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files

77
cpp/ql/lib/semmle/code/cpp/security/FlowSources.qll
View File

@@ -6,6 +6,7 @@ import cpp
import semmle.code.cpp.ir.dataflow.DataFlow
private import semmle.code.cpp.ir.IR
import semmle.code.cpp.models.interfaces.FlowSource
private import semmle.code.cpp.ir.dataflow.internal.ModelUtil
/** A data flow source of user input, whether local or remote. */
abstract class FlowSource extends DataFlow::Node {
@@ -19,68 +20,28 @@ abstract class RemoteFlowSource extends FlowSource { }
/** A data flow source of local user input. */
abstract class LocalFlowSource extends FlowSource { }
private class RemoteReturnSource extends RemoteFlowSource {
private class RemoteModelSource extends RemoteFlowSource {
string sourceType;
RemoteReturnSource() {
exists(RemoteFlowSourceFunction func, CallInstruction instr, FunctionOutput output |
this.asInstruction() = instr and
instr.getStaticCallTarget() = func and
RemoteModelSource() {
exists(CallInstruction call, RemoteFlowSourceFunction func, FunctionOutput output |
call.getStaticCallTarget() = func and
func.hasRemoteFlowSource(output, sourceType) and
(
output.isReturnValue()
or
output.isReturnValueDeref()
)
this = callOutput(call, output)
)
}
override string getSourceType() { result = sourceType }
}
private class RemoteParameterSource extends RemoteFlowSource {
private class LocalModelSource extends LocalFlowSource {
string sourceType;
RemoteParameterSource() {
exists(RemoteFlowSourceFunction func, WriteSideEffectInstruction instr, FunctionOutput output |
this.asInstruction() = instr and
instr.getPrimaryInstruction().(CallInstruction).getStaticCallTarget() = func and
func.hasRemoteFlowSource(output, sourceType) and
output.isParameterDerefOrQualifierObject(instr.getIndex())
)
}
override string getSourceType() { result = sourceType }
}
private class LocalReturnSource extends LocalFlowSource {
string sourceType;
LocalReturnSource() {
exists(LocalFlowSourceFunction func, CallInstruction instr, FunctionOutput output |
this.asInstruction() = instr and
instr.getStaticCallTarget() = func and
LocalModelSource() {
exists(CallInstruction call, LocalFlowSourceFunction func, FunctionOutput output |
call.getStaticCallTarget() = func and
func.hasLocalFlowSource(output, sourceType) and
(
output.isReturnValue()
or
output.isReturnValueDeref()
)
)
}
override string getSourceType() { result = sourceType }
}
private class LocalParameterSource extends LocalFlowSource {
string sourceType;
LocalParameterSource() {
exists(LocalFlowSourceFunction func, WriteSideEffectInstruction instr, FunctionOutput output |
this.asInstruction() = instr and
instr.getPrimaryInstruction().(CallInstruction).getStaticCallTarget() = func and
func.hasLocalFlowSource(output, sourceType) and
output.isParameterDerefOrQualifierObject(instr.getIndex())
this = callOutput(call, output)
)
}
@@ -109,18 +70,10 @@ private class RemoteParameterSink extends RemoteFlowSink {
string sourceType;
RemoteParameterSink() {
exists(RemoteFlowSinkFunction func, FunctionInput input, CallInstruction call, int index |
func.hasRemoteFlowSink(input, sourceType) and call.getStaticCallTarget() = func
|
exists(ReadSideEffectInstruction read |
call = read.getPrimaryInstruction() and
read.getIndex() = index and
this.asOperand() = read.getSideEffectOperand() and
input.isParameterDerefOrQualifierObject(index)
)
or
input.isParameterOrQualifierAddress(index) and
this.asOperand() = call.getArgumentOperand(index)
exists(CallInstruction call, RemoteFlowSinkFunction func, FunctionInput input |
call.getStaticCallTarget() = func and
func.hasRemoteFlowSink(input, sourceType) and
this = callInput(call, input)
)
}