hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-06-02 20:30:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Docs: Update data flow documentation to the new API.

Browse Source
This commit is contained in:
Anders Schack-Mulligen
2023-07-13 09:21:12 +02:00
parent a0e96594d8
commit 2947f176ef
18 changed files with 352 additions and 431 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
docs/codeql/ql-training/cpp/global-data-flow-cpp.rst
View File

@@ -62,8 +62,8 @@ The library class ``SecurityOptions`` provides a (configurable) model of what co
import semmle.code.cpp.security.Security
class TaintedFormatConfig extends TaintTracking::Configuration {
override predicate isSource(DataFlow::Node source) {
module TaintedFormatConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
exists (SecurityOptions opts |
opts.isUserInput(source.asExpr(), _)
)
@@ -85,8 +85,8 @@ Use the ``FormattingFunction`` class to fill in the definition of ``isSink``.
import semmle.code.cpp.security.Security
class TaintedFormatConfig extends TaintTracking::Configuration {
override predicate isSink(DataFlow::Node sink) {
module TaintedFormatConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) {
/* Fill me in */
}
...
@@ -105,8 +105,8 @@ Use the ``FormattingFunction`` class, we can write the sink as:
import semmle.code.cpp.security.Security
class TaintedFormatConfig extends TaintTracking::Configuration {
override predicate isSink(DataFlow::Node sink) {
module TaintedFormatConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) {
exists (FormattingFunction ff, Call c |
c.getTarget() = ff and
c.getArgument(ff.getFormatParameterIndex()) = sink.asExpr()
@@ -132,9 +132,8 @@ Add an additional taint step that (heuristically) taints a local variable if it
.. code-block:: ql
class TaintedFormatConfig extends TaintTracking::Configuration {
override predicate isAdditionalTaintStep(DataFlow::Node pred,
DataFlow::Node succ) {
module TaintedFormatConfig implements DataFlow::ConfigSig {
predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
exists (Call c, Expr arg, LocalVariable lv |
arg = c.getAnArgument() and
arg = pred.asExpr() and
@@ -153,8 +152,8 @@ Add a sanitizer, stopping propagation at parameters of formatting functions, to
.. code-block:: ql
class TaintedFormatConfig extends TaintTracking::Configuration {
override predicate isSanitizer(DataFlow::Node nd) {
module TaintedFormatConfig implements DataFlow::ConfigSig {
predicate isBarrier(DataFlow::Node nd) {
exists (FormattingFunction ff, int idx |
idx = ff.getFormatParameterIndex() and
nd = DataFlow::parameterNode(ff.getParameter(idx))