Merge pull request #2707 from geoffw0/taint-format

C++: Add TaintFunction model to FormattingFunction
2026-05-10 01:10:09 +02:00 · 2020-01-29 08:20:34 +01:00
parent 9504da54d1 fc1816cbd7
commit 27b5902258
9 changed files with 295 additions and 5 deletions
--- a/cpp/ql/src/semmle/code/cpp/Parameter.qll
+++ b/cpp/ql/src/semmle/code/cpp/Parameter.qll
@@ -163,5 +163,8 @@ class Parameter extends LocalScopeVariable, @parameter {
 * An `int` that is a parameter index for some function.  This is needed for binding in certain cases.
 */
 class ParameterIndex extends int {
-  ParameterIndex() { exists(Parameter p | this = p.getIndex()) }
+  ParameterIndex() {
+    exists(Parameter p | this = p.getIndex()) or
+    exists(Call c | exists(c.getArgument(this))) // permit indexing varargs
+  }
 }
--- a/cpp/ql/src/semmle/code/cpp/models/interfaces/FormattingFunction.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/interfaces/FormattingFunction.qll
@@ -6,7 +6,8 @@
 * `FormattingFunction` to match the flow within that function.
 */

-import semmle.code.cpp.Function
+import semmle.code.cpp.models.interfaces.ArrayFunction
+import semmle.code.cpp.models.interfaces.Taint

 private Type stripTopLevelSpecifiersOnly(Type t) {
  result = stripTopLevelSpecifiersOnly(t.(SpecifiedType).getBaseType())
@@ -39,7 +40,7 @@ private Type getAFormatterWideTypeOrDefault() {
 /**
 * A standard library function that uses a `printf`-like formatting string.
 */
-abstract class FormattingFunction extends Function {
+abstract class FormattingFunction extends ArrayFunction, TaintFunction {
  /** Gets the position at which the format parameter occurs. */
  abstract int getFormatParameterIndex();

@@ -133,4 +134,33 @@ abstract class FormattingFunction extends Function {
   * Gets the position of the buffer size argument, if any.
   */
  int getSizeParameterIndex() { none() }
+
+  override predicate hasArrayWithNullTerminator(int bufParam) {
+    bufParam = getFormatParameterIndex()
+  }
+
+  override predicate hasArrayWithVariableSize(int bufParam, int countParam) {
+    bufParam = getOutputParameterIndex() and
+    countParam = getSizeParameterIndex()
+  }
+
+  override predicate hasArrayWithUnknownSize(int bufParam) {
+    bufParam = getOutputParameterIndex() and
+    not exists(getSizeParameterIndex())
+  }
+
+  override predicate hasArrayInput(int bufParam) { bufParam = getFormatParameterIndex() }
+
+  override predicate hasArrayOutput(int bufParam) { bufParam = getOutputParameterIndex() }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    exists(int arg |
+      (
+        arg = getFormatParameterIndex() or
+        arg >= getFirstFormatArgumentIndex()
+      ) and
+      input.isParameterDeref(arg) and
+      output.isParameterDeref(getOutputParameterIndex())
+    )
+  }
 }