hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-05 05:35:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

CPP: Fix dubious [old] taint library results involving strlen.

Browse Source
This commit is contained in:
Geoffrey White
2019-01-30 15:55:04 +00:00
parent 8c75e730e4
commit 0b85966b31
1 changed files with 5 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
cpp/ql/src/semmle/code/cpp/security/TaintTracking.qll
View File

@@ -247,7 +247,11 @@ predicate insideFunctionValueMoveTo(Element src, Element dest)
// Expressions computed from tainted data are also tainted
or exists(FunctionCall call | dest = call and isPureFunction(call.getTarget().getName()) |
call.getAnArgument() = src and
forall(Expr arg | arg = call.getAnArgument() | arg = src or predictable(arg))
forall(Expr arg | arg = call.getAnArgument() | arg = src or predictable(arg)) and
// flow through `strlen` tends to cause dubious results, if the length is
// bounded.
not call.getTarget().getName() = "strlen"
)
or exists(Element a, Element b |
moveToDependingOnSide(a, b) and