C++: Add a TaintFunction model to FormattingFunction.

2026-04-28 02:05:14 +02:00 · 2020-01-24 17:25:09 +00:00
parent 1d46971bb7
commit 30580e97dc
5 changed files with 22 additions and 2 deletions
--- a/cpp/ql/src/semmle/code/cpp/models/interfaces/FormattingFunction.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/interfaces/FormattingFunction.qll
@@ -7,6 +7,7 @@
 */

 import semmle.code.cpp.models.interfaces.ArrayFunction
+import semmle.code.cpp.models.interfaces.Taint

 private Type stripTopLevelSpecifiersOnly(Type t) {
  result = stripTopLevelSpecifiersOnly(t.(SpecifiedType).getBaseType())
@@ -39,7 +40,7 @@ private Type getAFormatterWideTypeOrDefault() {
 /**
 * A standard library function that uses a `printf`-like formatting string.
 */
-abstract class FormattingFunction extends ArrayFunction {
+abstract class FormattingFunction extends ArrayFunction, TaintFunction {
  /** Gets the position at which the format parameter occurs. */
  abstract int getFormatParameterIndex();

@@ -155,4 +156,9 @@ abstract class FormattingFunction extends ArrayFunction {
  predicate hasArrayOutput(int bufParam) {
  	bufParam = getOutputParameterIndex()
  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input.isParameterDeref(getFormatParameterIndex()) and
+    output.isParameterDeref(getOutputParameterIndex())
+  }
 }
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/format.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/format.cpp
@@ -55,7 +55,7 @@ void test1()
 	{
 		char buffer[256] = {0};
 		sink(snprintf(buffer, 256, string::source(), "Hello."));
-		sink(buffer); // tainted [NOT DETECTED]
+		sink(buffer); // tainted
 	}
 	{
 		char buffer[256] = {0};
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -11,50 +11,62 @@
 | format.cpp:46:21:46:24 | {...} | format.cpp:48:8:48:13 | buffer |  |
 | format.cpp:46:23:46:23 | 0 | format.cpp:46:21:46:24 | {...} | TAINT |
 | format.cpp:47:17:47:22 | ref arg buffer | format.cpp:48:8:48:13 | buffer |  |
+| format.cpp:47:30:47:33 | %s | format.cpp:47:17:47:22 | ref arg buffer | TAINT |
 | format.cpp:51:21:51:24 | {...} | format.cpp:52:17:52:22 | buffer |  |
 | format.cpp:51:21:51:24 | {...} | format.cpp:53:8:53:13 | buffer |  |
 | format.cpp:51:23:51:23 | 0 | format.cpp:51:21:51:24 | {...} | TAINT |
 | format.cpp:52:17:52:22 | ref arg buffer | format.cpp:53:8:53:13 | buffer |  |
+| format.cpp:52:30:52:33 | %s | format.cpp:52:17:52:22 | ref arg buffer | TAINT |
 | format.cpp:56:21:56:24 | {...} | format.cpp:57:17:57:22 | buffer |  |
 | format.cpp:56:21:56:24 | {...} | format.cpp:58:8:58:13 | buffer |  |
 | format.cpp:56:23:56:23 | 0 | format.cpp:56:21:56:24 | {...} | TAINT |
 | format.cpp:57:17:57:22 | ref arg buffer | format.cpp:58:8:58:13 | buffer |  |
+| format.cpp:57:30:57:43 | call to source | format.cpp:57:17:57:22 | ref arg buffer | TAINT |
 | format.cpp:61:21:61:24 | {...} | format.cpp:62:17:62:22 | buffer |  |
 | format.cpp:61:21:61:24 | {...} | format.cpp:63:8:63:13 | buffer |  |
 | format.cpp:61:23:61:23 | 0 | format.cpp:61:21:61:24 | {...} | TAINT |
 | format.cpp:62:17:62:22 | ref arg buffer | format.cpp:63:8:63:13 | buffer |  |
+| format.cpp:62:30:62:39 | %s %s %s | format.cpp:62:17:62:22 | ref arg buffer | TAINT |
 | format.cpp:66:21:66:24 | {...} | format.cpp:67:17:67:22 | buffer |  |
 | format.cpp:66:21:66:24 | {...} | format.cpp:68:8:68:13 | buffer |  |
 | format.cpp:66:23:66:23 | 0 | format.cpp:66:21:66:24 | {...} | TAINT |
 | format.cpp:67:17:67:22 | ref arg buffer | format.cpp:68:8:68:13 | buffer |  |
+| format.cpp:67:30:67:35 | %.*s | format.cpp:67:17:67:22 | ref arg buffer | TAINT |
 | format.cpp:72:21:72:24 | {...} | format.cpp:73:17:73:22 | buffer |  |
 | format.cpp:72:21:72:24 | {...} | format.cpp:74:8:74:13 | buffer |  |
 | format.cpp:72:23:72:23 | 0 | format.cpp:72:21:72:24 | {...} | TAINT |
 | format.cpp:73:17:73:22 | ref arg buffer | format.cpp:74:8:74:13 | buffer |  |
+| format.cpp:73:30:73:33 | %i | format.cpp:73:17:73:22 | ref arg buffer | TAINT |
 | format.cpp:77:21:77:24 | {...} | format.cpp:78:17:78:22 | buffer |  |
 | format.cpp:77:21:77:24 | {...} | format.cpp:79:8:79:13 | buffer |  |
 | format.cpp:77:23:77:23 | 0 | format.cpp:77:21:77:24 | {...} | TAINT |
 | format.cpp:78:17:78:22 | ref arg buffer | format.cpp:79:8:79:13 | buffer |  |
+| format.cpp:78:30:78:33 | %i | format.cpp:78:17:78:22 | ref arg buffer | TAINT |
 | format.cpp:82:21:82:24 | {...} | format.cpp:83:17:83:22 | buffer |  |
 | format.cpp:82:21:82:24 | {...} | format.cpp:84:8:84:13 | buffer |  |
 | format.cpp:82:23:82:23 | 0 | format.cpp:82:21:82:24 | {...} | TAINT |
 | format.cpp:83:17:83:22 | ref arg buffer | format.cpp:84:8:84:13 | buffer |  |
+| format.cpp:83:30:83:35 | %.*s | format.cpp:83:17:83:22 | ref arg buffer | TAINT |
 | format.cpp:88:21:88:24 | {...} | format.cpp:89:17:89:22 | buffer |  |
 | format.cpp:88:21:88:24 | {...} | format.cpp:90:8:90:13 | buffer |  |
 | format.cpp:88:23:88:23 | 0 | format.cpp:88:21:88:24 | {...} | TAINT |
 | format.cpp:89:17:89:22 | ref arg buffer | format.cpp:90:8:90:13 | buffer |  |
+| format.cpp:89:30:89:33 | %p | format.cpp:89:17:89:22 | ref arg buffer | TAINT |
 | format.cpp:94:21:94:24 | {...} | format.cpp:95:16:95:21 | buffer |  |
 | format.cpp:94:21:94:24 | {...} | format.cpp:96:8:96:13 | buffer |  |
 | format.cpp:94:23:94:23 | 0 | format.cpp:94:21:94:24 | {...} | TAINT |
 | format.cpp:95:16:95:21 | ref arg buffer | format.cpp:96:8:96:13 | buffer |  |
+| format.cpp:95:24:95:27 | %s | format.cpp:95:16:95:21 | ref arg buffer | TAINT |
 | format.cpp:99:21:99:24 | {...} | format.cpp:100:16:100:21 | buffer |  |
 | format.cpp:99:21:99:24 | {...} | format.cpp:101:8:101:13 | buffer |  |
 | format.cpp:99:23:99:23 | 0 | format.cpp:99:21:99:24 | {...} | TAINT |
 | format.cpp:100:16:100:21 | ref arg buffer | format.cpp:101:8:101:13 | buffer |  |
+| format.cpp:100:24:100:28 | %ls | format.cpp:100:16:100:21 | ref arg buffer | TAINT |
 | format.cpp:104:25:104:28 | {...} | format.cpp:105:17:105:23 | wbuffer |  |
 | format.cpp:104:25:104:28 | {...} | format.cpp:106:8:106:14 | wbuffer |  |
 | format.cpp:104:27:104:27 | 0 | format.cpp:104:25:104:28 | {...} | TAINT |
 | format.cpp:105:17:105:23 | ref arg wbuffer | format.cpp:106:8:106:14 | wbuffer |  |
+| format.cpp:105:31:105:35 | %s | format.cpp:105:17:105:23 | ref arg wbuffer | TAINT |
 | format.cpp:109:21:109:24 | {...} | format.cpp:110:18:110:23 | buffer |  |
 | format.cpp:109:21:109:24 | {...} | format.cpp:111:8:111:13 | buffer |  |
 | format.cpp:109:23:109:23 | 0 | format.cpp:109:21:109:24 | {...} | TAINT |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected
@@ -1,3 +1,4 @@
+| format.cpp:58:8:58:13 | buffer | format.cpp:57:30:57:43 | call to source |
 | taint.cpp:8:8:8:13 | clean1 | taint.cpp:4:27:4:33 | source1 |
 | taint.cpp:16:8:16:14 | source1 | taint.cpp:12:22:12:27 | call to source |
 | taint.cpp:17:8:17:16 | ++ ... | taint.cpp:12:22:12:27 | call to source |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected
@@ -1,3 +1,4 @@
+| format.cpp:58:8:58:13 | format.cpp:57:30:57:43 | AST only |
 | taint.cpp:41:7:41:13 | taint.cpp:35:12:35:17 | AST only |
 | taint.cpp:42:7:42:13 | taint.cpp:35:12:35:17 | AST only |
 | taint.cpp:43:7:43:13 | taint.cpp:37:22:37:27 | AST only |