hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-03 04:39:29 +02:00
Code Issues Packages Projects Releases Wiki Activity

C++: add comment explaining concatenation logic

Browse Source
This commit is contained in:
Robert Marsh
2021-06-30 18:52:07 +00:00
committed by Robert Marsh
parent 6f408f949c
commit 562c8b97ad
1 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
View File

@@ -31,6 +31,12 @@ Expr sinkAsArgumentIndirection(DataFlow::Node sink) {
.getUnconvertedResultExpression()
}
/**
* Holds if `fst` is a string that is used in a format or concatenation function resulting in `snd`,
* and is *not* placed at the start of the resulting string. This indicates that the author did not
* expect `fst` to control what program is run if the resulting string is eventually interpreted as
* a command line, for example as an argument to `system`.
*/
predicate interestingConcatenation(DataFlow::Node fst, DataFlow::Node snd) {
exists(FormattingFunctionCall call, int index, FormatLiteral literal |
sinkAsArgumentIndirection(fst) = call.getConversionArgument(index) and