C++: Refactor dataflow examples to use DataFlow::ConfigSig
@@ -1,14 +1,10 @@
|
||||
import cpp
|
||||
import semmle.code.cpp.dataflow.new.DataFlow
|
||||
|
||||
class LiteralToGethostbynameConfiguration extends DataFlow::Configuration {
|
||||
LiteralToGethostbynameConfiguration() { this = "LiteralToGethostbynameConfiguration" }
|
||||
module LiteralToGethostbynameConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source.asIndirectExpr(1) instanceof StringLiteral }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) {
|
||||
source.asIndirectExpr(1) instanceof StringLiteral
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) {
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(FunctionCall fc |
|
||||
sink.asIndirectExpr(1) = fc.getArgument(0) and
|
||||
fc.getTarget().hasName("gethostbyname")
|
||||
@@ -16,11 +12,11 @@ class LiteralToGethostbynameConfiguration extends DataFlow::Configuration {
|
||||
}
|
||||
}
|
||||
|
||||
from
|
||||
StringLiteral sl, FunctionCall fc, LiteralToGethostbynameConfiguration cfg, DataFlow::Node source,
|
||||
DataFlow::Node sink
|
||||
module LiteralToGethostbynameFlow = DataFlow::Make<LiteralToGethostbynameConfig>;
|
||||
|
||||
from StringLiteral sl, FunctionCall fc, DataFlow::Node source, DataFlow::Node sink
|
||||
where
|
||||
source.asIndirectExpr(1) = sl and
|
||||
sink.asIndirectExpr(1) = fc.getArgument(0) and
|
||||
cfg.hasFlow(source, sink)
|
||||
LiteralToGethostbynameFlow::hasFlow(source, sink)
|
||||
select sl, fc
|
||||
|
||||
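Review bot: The sink still matches on `fc.getTarget().hasName("gethostbyname")` (the context line right after the new `predicate isSink` declaration), which also accepts member or namespaced functions of that name, whereas `GetenvSource` and the fopen example in this same commit use `hasGlobalName`; the identical line appears in the getenv-to-gethostbyname file's first hunk. Since the refactor already rewrites the enclosing predicate (its closing `)` and `}` are in the second hunk), it is a good moment to make it `fc.getTarget().hasGlobalName("gethostbyname")` so the example only reports the libc call. The new `LiteralToGethostbynameConfig` module also carries no QLDoc; a one-liner such as `/** Tracks string literals into the first argument of gethostbyname. */` above it would state what the example demonstrates, and the `...Config` modules introduced in the other three files of this commit would benefit from the same treatment.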
@@ -5,12 +5,10 @@ class GetenvSource extends DataFlow::Node {
|
||||
GetenvSource() { this.asIndirectExpr(1).(FunctionCall).getTarget().hasGlobalName("getenv") }
|
||||
}
|
||||
|
||||
class GetenvToGethostbynameConfiguration extends DataFlow::Configuration {
|
||||
GetenvToGethostbynameConfiguration() { this = "GetenvToGethostbynameConfiguration" }
|
||||
module GetenvToGethostbynameConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof GetenvSource }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof GetenvSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) {
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(FunctionCall fc |
|
||||
sink.asIndirectExpr(1) = fc.getArgument(0) and
|
||||
fc.getTarget().hasName("gethostbyname")
|
||||
@@ -18,11 +16,11 @@ class GetenvToGethostbynameConfiguration extends DataFlow::Configuration {
|
||||
}
|
||||
}
|
||||
|
||||
from
|
||||
Expr getenv, FunctionCall fc, GetenvToGethostbynameConfiguration cfg, DataFlow::Node source,
|
||||
DataFlow::Node sink
|
||||
module GetenvToGethostbynameFlow = DataFlow::Make<GetenvToGethostbynameConfig>;
|
||||
|
||||
from Expr getenv, FunctionCall fc, DataFlow::Node source, DataFlow::Node sink
|
||||
where
|
||||
source.asIndirectExpr(1) = getenv and
|
||||
sink.asIndirectExpr(1) = fc.getArgument(0) and
|
||||
cfg.hasFlow(source, sink)
|
||||
GetenvToGethostbynameFlow::hasFlow(source, sink)
|
||||
select getenv, fc
|
||||
|
||||
@@ -1,17 +1,15 @@
|
||||
import cpp
|
||||
import semmle.code.cpp.dataflow.new.DataFlow
|
||||
|
||||
class EnvironmentToFileConfiguration extends DataFlow::Configuration {
|
||||
EnvironmentToFileConfiguration() { this = "EnvironmentToFileConfiguration" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) {
|
||||
module EnvironmentToFileConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
exists(Function getenv |
|
||||
source.asIndirectExpr(1).(FunctionCall).getTarget() = getenv and
|
||||
getenv.hasGlobalName("getenv")
|
||||
)
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) {
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(FunctionCall fc |
|
||||
sink.asIndirectExpr(1) = fc.getArgument(0) and
|
||||
fc.getTarget().hasGlobalName("fopen")
|
||||
@@ -19,11 +17,11 @@ class EnvironmentToFileConfiguration extends DataFlow::Configuration {
|
||||
}
|
||||
}
|
||||
|
||||
from
|
||||
Expr getenv, Expr fopen, EnvironmentToFileConfiguration config, DataFlow::Node source,
|
||||
DataFlow::Node sink
|
||||
module EnvironmentToFileFlow = DataFlow::Make<EnvironmentToFileConfig>;
|
||||
|
||||
from Expr getenv, Expr fopen, DataFlow::Node source, DataFlow::Node sink
|
||||
where
|
||||
source.asIndirectExpr(1) = getenv and
|
||||
sink.asIndirectExpr(1) = fopen and
|
||||
config.hasFlow(source, sink)
|
||||
EnvironmentToFileFlow::hasFlow(source, sink)
|
||||
select fopen, "This 'fopen' uses data from $@.", getenv, "call to 'getenv'"
|
||||
|
||||
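Review bot: The new `isSource` in `EnvironmentToFileConfig` introduces `exists(Function getenv | ...)` only to test `getenv.hasGlobalName("getenv")`, while the sibling `GetenvSource` class in the getenv-to-gethostbyname file expresses the same thing as one chain; for consistency the body can simply be `source.asIndirectExpr(1).(FunctionCall).getTarget().hasGlobalName("getenv")` with the `exists` dropped. Separately, in the second hunk `fopen` is bound by `sink.asIndirectExpr(1) = fopen`, and `isSink` equates that node with `fc.getArgument(0)`, so the alert from `select fopen, "This 'fopen' uses data from $@."` lands on the path argument rather than on the `fopen` call itself; if the call is the intended location, bind a `FunctionCall` in the `from` clause as the two gethostbyname examples do, otherwise the message wording could say "argument".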
@@ -2,18 +2,16 @@ import cpp
|
||||
import semmle.code.cpp.controlflow.Guards
|
||||
import semmle.code.cpp.dataflow.new.TaintTracking
|
||||
|
||||
class NetworkToBufferSizeConfiguration extends TaintTracking::Configuration {
|
||||
NetworkToBufferSizeConfiguration() { this = "NetworkToBufferSizeConfiguration" }
|
||||
|
||||
override predicate isSource(DataFlow::Node node) {
|
||||
module NetworkToBufferSizeConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node node) {
|
||||
node.asExpr().(FunctionCall).getTarget().hasGlobalName("ntohl")
|
||||
}
|
||||
|
||||
override predicate isSink(DataFlow::Node node) {
|
||||
predicate isSink(DataFlow::Node node) {
|
||||
exists(ArrayExpr ae | node.asExpr() = ae.getArrayOffset())
|
||||
}
|
||||
|
||||
override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
exists(Loop loop, LoopCounter lc |
|
||||
loop = lc.getALoop() and
|
||||
loop.getControllingExpr().(RelationalOperation).getGreaterOperand() = pred.asExpr()
|
||||
@@ -22,7 +20,7 @@ class NetworkToBufferSizeConfiguration extends TaintTracking::Configuration {
|
||||
)
|
||||
}
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
predicate isBarrier(DataFlow::Node node) {
|
||||
exists(GuardCondition gc, Variable v |
|
||||
gc.getAChild*() = v.getAnAccess() and
|
||||
node.asExpr() = v.getAnAccess() and
|
||||
@@ -32,7 +30,9 @@ class NetworkToBufferSizeConfiguration extends TaintTracking::Configuration {
|
||||
}
|
||||
}
|
||||
|
||||
from DataFlow::Node ntohl, DataFlow::Node offset, NetworkToBufferSizeConfiguration conf
|
||||
where conf.hasFlow(ntohl, offset)
|
||||
module NetworkToBufferSizeFlow = TaintTracking::Make<NetworkToBufferSizeConfig>;
|
||||
|
||||
from DataFlow::Node ntohl, DataFlow::Node offset
|
||||
where NetworkToBufferSizeFlow::hasFlow(ntohl, offset)
|
||||
select offset, "This array offset may be influenced by $@.", ntohl,
|
||||
"converted data from the network"
|
||||
|
||||
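Review bot: The new `isBarrier` (replacing `isSanitizer`) treats an access of `v` as sanitised whenever some `GuardCondition` contains an access of `v` anywhere beneath it (`gc.getAChild*() = v.getAnAccess()` and `node.asExpr() = v.getAnAccess()`), and nothing in the visible lines requires that guard to bound `v`; the predicate body continues past the hunk, so if the remainder does not restrict `gc` (for instance through `GuardCondition.ensuresLt`), a null or equality test on the variable would also cut the flow and the query would miss network-controlled offsets that are never range-checked. Either constrain the guard or add a comment on `isBarrier` stating that any guard mentioning the variable is treated as a sanitiser, since this example is meant to be copied. On the source side `hasGlobalName("ntohl")` is the sole source while the alert text says "converted data from the network"; `hasGlobalName(["ntohl", "ntohs"])` would cover the 16-bit conversion with no other change. `isAdditionalFlowStep` likewise ends outside its hunk, so its remaining conjuncts were not reviewed here.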