updated

2026-01-30 06:42:57 +01:00 · 2021-01-18 02:37:53 +03:00
parent de566da91c
commit 3251fb5c07
1 changed files with 30 additions and 20 deletions
--- a/ql/src/experimental/CWE-369/DivideByZero.ql
+++ b/ql/src/experimental/CWE-369/DivideByZero.ql
@@ -12,13 +12,23 @@

 import go
 import DataFlow::PathGraph
+import semmle.go.dataflow.internal.TaintTrackingUtil

-class DivideByZeroSanitizeGuard extends DataFlow::BarrierGuard, DataFlow::EqualityTestNode {
+class DivideByZeroSanitizeGuard extends DataFlow::BarrierGuard {
  override predicate checks(Expr e, boolean branch) {
-    exists(DataFlow::Node zero, DataFlow::Node sink |
+    exists(
+      DataFlow::Node zero, DataFlow::Node sink, DataFlow::EqualityTestNode eqNode,
+      DataFlow::RelationalComparisonNode compNode
+    |
      zero.getNumericValue() = 0 and
-      sink.getType().getUnderlyingType() instanceof SignedIntegerType and
-      this.eq(branch.booleanNot(), sink, zero) and
+      (
+        sink.getType().getUnderlyingType() instanceof SignedIntegerType or
+        sink.getType().getUnderlyingType() instanceof UnsignedIntegerType
+      ) and
+      (
+        eqNode.eq(branch.booleanNot(), sink, zero) or
+        compNode.leq(branch.booleanNot(), sink, zero, 0)
+      ) and
      globalValueNumber(DataFlow::exprNode(e)) = globalValueNumber(sink)
    )
  }
@@ -27,31 +37,31 @@ class DivideByZeroSanitizeGuard extends DataFlow::BarrierGuard, DataFlow::Equali
 class DivideByZeroCheckConfig extends TaintTracking::Configuration {
  DivideByZeroCheckConfig() { this = "DivideByZeroCheckConfig" }

-  override predicate isSource(DataFlow::Node source) {
-    exists(DataFlow::CallNode c, IntegerParser::Range ip |
-      c.getTarget() = ip and source = c.getResult(0)
-    )
-    or
-    exists(IntegerType integerType | source.getType().getUnderlyingType() = integerType)
-  }
+  override predicate isSource(DataFlow::Node source) { source instanceof UntrustedFlowSource }

-  override predicate isSink(DataFlow::Node sink) {
-    exists(IntegerType integerType, QuoExpr e |
-      sink.asExpr().getParent().(QuoExpr).getRightOperand() = e.getAnOperand() and
-      not sink.asExpr().getParent().(QuoExpr).getRightOperand().isConst() and
-      sink.getType().getUnderlyingType() = integerType
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(Function f |
+      (
+        f.getName() = "Atoi" or
+        f.getName() = "ParseInt" or
+        f.getName() = "ParseUint"
+      ) and
+      node1 = f.getACall().getArgument(0) and
+      node2 = f.getACall().getResult(0)
    )
  }

  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
    guard instanceof DivideByZeroSanitizeGuard
  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(QuoExpr e | sink.asExpr().getParent().(QuoExpr).getRightOperand() = e.getAnOperand())
+  }
 }

-from
-  DataFlow::PathNode source, DataFlow::PathNode sink, DivideByZeroCheckConfig cfg,
-  DataFlow::CallNode call
-where cfg.hasFlowPath(source, sink) and call.getResult(0) = source.getNode()
+from DataFlow::PathNode source, DataFlow::PathNode sink, DivideByZeroCheckConfig cfg
+where cfg.hasFlowPath(source, sink)
 select sink, source, sink,
  "Variable $@, which is used at division statement might be zero and leads to division by zero exception.",
  sink, sink.getNode().toString()