hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-27 17:55:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

C++: Add a taint model for 'fopen' and accept test changes.

Browse Source
This commit is contained in:
Mathias Vorreiter Pedersen
2024-10-09 14:40:26 +01:00
parent 201842d2f9
commit 338e82064e
3 changed files with 19 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
cpp/ql/lib/semmle/code/cpp/models/implementations/Fopen.qll
View File

@@ -7,7 +7,7 @@ import semmle.code.cpp.models.interfaces.Alias
import semmle.code.cpp.models.interfaces.SideEffect
/** The function `fopen` and friends. */
private class Fopen extends Function, AliasFunction, SideEffectFunction {
private class Fopen extends Function, AliasFunction, SideEffectFunction, TaintFunction {
Fopen() {
this.hasGlobalOrStdName(["fopen", "fopen_s", "freopen"])
or
@@ -47,4 +47,19 @@ private class Fopen extends Function, AliasFunction, SideEffectFunction {
i = 0 and
buffer = true
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
this.hasGlobalOrStdName(["fopen", "freopen", "_wfopen", "_fsopen", "_wfsopen"]) and
input.isParameterDeref(0) and
output.isReturnValueDeref()
or
// The out parameter is a pointer to a `FILE*`.
this.hasGlobalOrStdName(["fopen_s"]) and
input.isParameterDeref(1) and
output.isParameterDeref(0, 2)
or
this.hasGlobalName(["_open", "_wopen"]) and
input.isParameterDeref(0) and
output.isReturnValue()
}
}