C++: Add a taint model for 'fopen' and accept test changes.

2026-04-21 15:05:56 +02:00 · 2024-10-09 14:40:26 +01:00
parent 201842d2f9
commit 338e82064e
3 changed files with 19 additions and 3 deletions
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Fopen.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Fopen.qll
@@ -7,7 +7,7 @@ import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.SideEffect

 /** The function `fopen` and friends. */
-private class Fopen extends Function, AliasFunction, SideEffectFunction {
+private class Fopen extends Function, AliasFunction, SideEffectFunction, TaintFunction {
  Fopen() {
    this.hasGlobalOrStdName(["fopen", "fopen_s", "freopen"])
    or
@@ -47,4 +47,19 @@ private class Fopen extends Function, AliasFunction, SideEffectFunction {
    i = 0 and
    buffer = true
  }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    this.hasGlobalOrStdName(["fopen", "freopen", "_wfopen", "_fsopen", "_wfsopen"]) and
+    input.isParameterDeref(0) and
+    output.isReturnValueDeref()
+    or
+    // The out parameter is a pointer to a `FILE*`.
+    this.hasGlobalOrStdName(["fopen_s"]) and
+    input.isParameterDeref(1) and
+    output.isParameterDeref(0, 2)
+    or
+    this.hasGlobalName(["_open", "_wopen"]) and
+    input.isParameterDeref(0) and
+    output.isReturnValue()
+  }
 }
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected
@@ -6588,6 +6588,7 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | taint.cpp:785:23:785:28 | source | taint.cpp:786:18:786:23 | source |  |
 | taint.cpp:785:23:785:28 | source | taint.cpp:790:15:790:20 | source |  |
 | taint.cpp:786:12:786:16 | call to fopen | taint.cpp:787:7:787:7 | f |  |
+| taint.cpp:786:18:786:23 | source | taint.cpp:786:12:786:16 | call to fopen | TAINT |
 | taint.cpp:789:8:789:9 | f2 | taint.cpp:790:11:790:12 | f2 |  |
 | taint.cpp:789:8:789:9 | f2 | taint.cpp:791:7:791:8 | f2 |  |
 | taint.cpp:790:10:790:12 | ref arg & ... | taint.cpp:790:11:790:12 | f2 [inner post update] |  |
--- a/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
+++ b/cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp
@@ -784,9 +784,9 @@ int fopen_s(FILE** pFile, const char *filename, const char *mode);

 void fopen_test(char* source) {
 	FILE* f = fopen(source, "r");
-	sink(f); // $ MISSING: ast,ir
+	sink(f); // $ ast,ir

 	FILE* f2;
 	fopen_s(&f2, source, "r");
-	sink(f2); // $ ast MISSING: ir
+	sink(f2); // $ ast,ir
 }