hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

C++: Don't use dbtypes in TaintTracking.qll

Browse Source
This commit is contained in:
Jonas Jensen
2018-08-28 11:10:32 +02:00
parent 854d0db552
commit 01dc4385cd
1 changed files with 9 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
cpp/ql/src/semmle/code/cpp/security/TaintTracking.qll
View File

@@ -521,16 +521,15 @@ private predicate methodReturningReceiver(MemberFunction method) {
Function resolveCall(Call call) {
result = call.getTarget()
or
result = unresolveElement(call).(DataSensitiveCallExpr).resolve()
result = call.(DataSensitiveCallExpr).resolve()
}
/** A data sensitive call expression. */
library abstract class DataSensitiveCallExpr extends @expr {
DataSensitiveCallExpr() { not unreachable(mkElement(this)) }
library abstract class DataSensitiveCallExpr extends Expr {
DataSensitiveCallExpr() { not unreachable(this) }
abstract Expr getSrc();
cached abstract Function resolve();
abstract string toString();
/**
* Whether `src` can flow to this call expression.
@@ -556,27 +555,21 @@ library abstract class DataSensitiveCallExpr extends @expr {
}
/** Call through a function pointer. */
library class DataSensitiveExprCall extends DataSensitiveCallExpr {
DataSensitiveExprCall() {
mkElement(this) instanceof ExprCall
}
override Expr getSrc() { result = mkElement(this).(ExprCall).getExpr() }
library class DataSensitiveExprCall extends DataSensitiveCallExpr, ExprCall {
override Expr getSrc() { result = getExpr() }
override Function resolve() {
exists(FunctionAccess fa | flowsFrom(fa, true) | result = fa.getTarget())
}
override string toString() { result = mkElement(this).toString() }
}
/** Call to a virtual function. */
library class DataSensitiveOverriddenFunctionCall extends DataSensitiveCallExpr {
library class DataSensitiveOverriddenFunctionCall extends DataSensitiveCallExpr, FunctionCall {
DataSensitiveOverriddenFunctionCall() {
exists(mkElement(this).(FunctionCall).getTarget().(VirtualFunction).getAnOverridingFunction())
exists(getTarget().(VirtualFunction).getAnOverridingFunction())
}
override Expr getSrc() { result = mkElement(this).(FunctionCall).getQualifier() }
override Expr getSrc() { result = getQualifier() }
override MemberFunction resolve() {
exists(NewExpr new |
@@ -584,11 +577,9 @@ library class DataSensitiveOverriddenFunctionCall extends DataSensitiveCallExpr
and
memberFunctionFromNewExpr(new, result)
and
result.overrides*(mkElement(this).(FunctionCall).getTarget().(VirtualFunction))
result.overrides*(getTarget().(VirtualFunction))
)
}
override string toString() { result = mkElement(this).toString() }
}
private predicate memberFunctionFromNewExpr(NewExpr new, MemberFunction f) {