C++: No taint between field and struct

To compensate for the lack of field flow, the taint tracking library has
previously considered taint to flow from fields to their containing
structs and back again from the structs to any of their fields. This
leads to false flow between unrelated fields and is not needed now that
we have proper flow through fields.
Jonas Jensen
2019-08-21 11:57:12 +02:00
parent c2d1a52b39
commit 2f4ed45dac
3 changed files with 4 additions and 29 deletions


@@ -86,6 +86,10 @@ private predicate noFlowFromChildExpr(Expr e) {
e instanceof SizeofOperator
or
e instanceof AlignofOperator
or
e instanceof ClassAggregateLiteral
or
e instanceof FieldAccess
}
private predicate exprToDefinitionByReferenceStep(Expr exprIn, Expr argOut) {
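Review bot: The doc comment on `noFlowFromChildExpr` sits above the hunk and, as far as the visible header shows, is not updated to explain the two new exclusions; a maintainer seeing `FieldAccess` listed next to `SizeofOperator` may reinstate the struct-to-field step without knowing why it was dropped. Suggested text for that comment: `// FieldAccess and ClassAggregateLiteral are excluded on purpose: taint between a struct and its fields created false flow between unrelated fields, and flow through fields is now handled by the data-flow library's field flow.` One case worth pinning with a test is an object tainted as a whole (for example by a definition-by-reference source) followed by a read of one of its fields, since after this change that read depends entirely on field flow, and the removed `mc1 -> a` rows in the expected output suggest the old step was what covered it. The enclosing predicate starts outside the hunk.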


@@ -1,25 +1,9 @@
| file://:0:0:0:0 | t | taint.cpp:235:11:239:2 | {...} | TAINT |
| file://:0:0:0:0 | t | taint.cpp:243:11:246:2 | {...} | TAINT |
| file://:0:0:0:0 | this | file://:0:0:0:0 | t | TAINT |
| file://:0:0:0:0 | this | file://:0:0:0:0 | t | TAINT |
| file://:0:0:0:0 | this | file://:0:0:0:0 | t | TAINT |
| file://:0:0:0:0 | this | file://:0:0:0:0 | t | TAINT |
| file://:0:0:0:0 | this | file://:0:0:0:0 | this | |
| file://:0:0:0:0 | this | file://:0:0:0:0 | this | |
| file://:0:0:0:0 | this | file://:0:0:0:0 | this | |
| file://:0:0:0:0 | this | file://:0:0:0:0 | this | |
| file://:0:0:0:0 | this | file://:0:0:0:0 | this | |
| file://:0:0:0:0 | this | file://:0:0:0:0 | this | |
| file://:0:0:0:0 | this | file://:0:0:0:0 | u | TAINT |
| file://:0:0:0:0 | this | file://:0:0:0:0 | u | TAINT |
| file://:0:0:0:0 | this | file://:0:0:0:0 | u | TAINT |
| file://:0:0:0:0 | this | file://:0:0:0:0 | v | TAINT |
| file://:0:0:0:0 | this | taint.cpp:72:3:72:3 | c | TAINT |
| file://:0:0:0:0 | this | taint.cpp:73:3:73:3 | d | TAINT |
| file://:0:0:0:0 | this | taint.cpp:77:3:77:3 | d | TAINT |
| file://:0:0:0:0 | u | taint.cpp:235:11:239:2 | {...} | TAINT |
| file://:0:0:0:0 | u | taint.cpp:243:11:246:2 | {...} | TAINT |
| file://:0:0:0:0 | v | taint.cpp:235:11:239:2 | {...} | TAINT |
| taint.cpp:4:27:4:33 | source1 | taint.cpp:6:13:6:19 | source1 | |
| taint.cpp:4:40:4:45 | clean1 | taint.cpp:5:8:5:13 | clean1 | |
| taint.cpp:4:40:4:45 | clean1 | taint.cpp:6:3:6:8 | clean1 | |
@@ -87,14 +71,6 @@
| taint.cpp:86:2:86:4 | mc1 [post update] | taint.cpp:89:7:89:9 | mc1 | |
| taint.cpp:86:2:86:4 | mc1 [post update] | taint.cpp:90:7:90:9 | mc1 | |
| taint.cpp:86:2:86:4 | mc1 [post update] | taint.cpp:91:7:91:9 | mc1 | |
| taint.cpp:88:7:88:9 | mc1 | taint.cpp:88:11:88:11 | a | TAINT |
| taint.cpp:89:7:89:9 | mc1 | taint.cpp:89:11:89:11 | b | TAINT |
| taint.cpp:90:7:90:9 | mc1 | taint.cpp:90:11:90:11 | c | TAINT |
| taint.cpp:91:7:91:9 | mc1 | taint.cpp:91:11:91:11 | d | TAINT |
| taint.cpp:92:7:92:9 | mc2 | taint.cpp:92:11:92:11 | a | TAINT |
| taint.cpp:93:7:93:9 | mc2 | taint.cpp:93:11:93:11 | b | TAINT |
| taint.cpp:94:7:94:9 | mc2 | taint.cpp:94:11:94:11 | c | TAINT |
| taint.cpp:95:7:95:9 | mc2 | taint.cpp:95:11:95:11 | d | TAINT |
| taint.cpp:100:21:100:21 | i | taint.cpp:106:7:106:7 | i | |
| taint.cpp:100:21:100:21 | i | taint.cpp:110:12:110:12 | i | |
| taint.cpp:100:21:100:21 | i | taint.cpp:112:12:112:12 | i | |
@@ -220,8 +196,6 @@
| taint.cpp:228:11:228:11 | `this` parameter in (constructor) | taint.cpp:243:11:243:11 | constructor init of field t [pre-this] | |
| taint.cpp:228:11:232:2 | [...](...){...} | taint.cpp:233:7:233:7 | a | |
| taint.cpp:228:11:232:2 | {...} | taint.cpp:228:11:232:2 | [...](...){...} | |
| taint.cpp:228:12:228:12 | t | taint.cpp:228:11:232:2 | {...} | TAINT |
| taint.cpp:228:15:228:15 | u | taint.cpp:228:11:232:2 | {...} | TAINT |
| taint.cpp:228:17:228:17 | `this` parameter in operator() | file://:0:0:0:0 | this | |
| taint.cpp:228:17:228:17 | `this` parameter in operator() | file://:0:0:0:0 | this | |
| taint.cpp:235:11:235:11 | Unknown literal | taint.cpp:235:11:235:11 | constructor init of field t | TAINT |


@@ -1,9 +1,6 @@
| file://:0:0:0:0 | t | taint.cpp:223:10:223:15 | call to source |
| file://:0:0:0:0 | t | taint.cpp:223:10:223:15 | call to source |
| file://:0:0:0:0 | t | taint.cpp:223:10:223:15 | call to source |
| file://:0:0:0:0 | u | taint.cpp:223:10:223:15 | call to source |
| file://:0:0:0:0 | u | taint.cpp:223:10:223:15 | call to source |
| file://:0:0:0:0 | u | taint.cpp:223:10:223:15 | call to source |
| taint.cpp:8:8:8:13 | clean1 | taint.cpp:4:27:4:33 | source1 |
| taint.cpp:16:8:16:14 | source1 | taint.cpp:12:22:12:27 | call to source |
| taint.cpp:17:8:17:16 | ++ ... | taint.cpp:12:22:12:27 | call to source |