mirror of
https://github.com/github/codeql.git
synced 2025-12-21 11:16:30 +01:00
C++: Path explanations in the last two queries
For some reason I thought that these two queries were special because they manipulate `SecurityOptions` to change the taint-tracking sources. It turns out it was just the opposite: the queries used to be special because they invalidated the cache for the `tainted` predicate, but that predicate is no longer used, so these queries are no longer special.
This commit is contained in:
Jonas Jensen
@@ -2,7 +2,7 @@
|
||||
* @name Uncontrolled data in arithmetic expression
|
||||
* @description Arithmetic operations on uncontrolled data that is not
|
||||
* validated can cause overflows.
|
||||
* @kind problem
|
||||
* @kind path-problem
|
||||
* @problem.severity warning
|
||||
* @precision medium
|
||||
* @id cpp/uncontrolled-arithmetic
|
||||
@@ -15,6 +15,7 @@ import cpp
|
||||
import semmle.code.cpp.security.Overflow
|
||||
import semmle.code.cpp.security.Security
|
||||
import semmle.code.cpp.security.TaintTracking
|
||||
import TaintedWithPath
|
||||
|
||||
predicate isRandCall(FunctionCall fc) { fc.getTarget().getName() = "rand" }
|
||||
|
||||
@@ -40,9 +41,22 @@ class SecurityOptionsArith extends SecurityOptions {
|
||||
}
|
||||
}
|
||||
|
||||
predicate taintedVarAccess(Expr origin, VariableAccess va) {
|
||||
isUserInput(origin, _) and
|
||||
tainted(origin, va)
|
||||
predicate isDiv(VariableAccess va) { exists(AssignDivExpr div | div.getLValue() = va) }
|
||||
|
||||
predicate missingGuard(VariableAccess va, string effect) {
|
||||
exists(Operation op | op.getAnOperand() = va |
|
||||
missingGuardAgainstUnderflow(op, va) and effect = "underflow"
|
||||
or
|
||||
missingGuardAgainstOverflow(op, va) and effect = "overflow"
|
||||
)
|
||||
}
|
||||
|
||||
class Configuration extends TaintTrackingConfiguration {
|
||||
override predicate isSink(Element e) {
|
||||
isDiv(e)
|
||||
or
|
||||
missingGuard(e, _)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -50,19 +64,17 @@ predicate taintedVarAccess(Expr origin, VariableAccess va) {
|
||||
* range.
|
||||
*/
|
||||
predicate guardedByAssignDiv(Expr origin) {
|
||||
isUserInput(origin, _) and
|
||||
exists(AssignDivExpr div, VariableAccess va | tainted(origin, va) and div.getLValue() = va)
|
||||
exists(VariableAccess va |
|
||||
taintedWithPath(origin, va, _, _) and
|
||||
isDiv(va)
|
||||
)
|
||||
}
|
||||
|
||||
from Expr origin, Operation op, VariableAccess va, string effect
|
||||
from Expr origin, VariableAccess va, string effect, PathNode sourceNode, PathNode sinkNode
|
||||
where
|
||||
taintedVarAccess(origin, va) and
|
||||
op.getAnOperand() = va and
|
||||
(
|
||||
missingGuardAgainstUnderflow(op, va) and effect = "underflow"
|
||||
or
|
||||
missingGuardAgainstOverflow(op, va) and effect = "overflow"
|
||||
) and
|
||||
taintedWithPath(origin, va, sourceNode, sinkNode) and
|
||||
missingGuard(va, effect) and
|
||||
not guardedByAssignDiv(origin)
|
||||
select va, "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".",
|
||||
origin, "Uncontrolled value"
|
||||
select va, sourceNode, sinkNode,
|
||||
"$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".", origin,
|
||||
"Uncontrolled value"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
* @name Cleartext storage of sensitive information in an SQLite database
|
||||
* @description Storing sensitive information in a non-encrypted
|
||||
* database can expose it to an attacker.
|
||||
* @kind problem
|
||||
* @kind path-problem
|
||||
* @problem.severity warning
|
||||
* @precision medium
|
||||
* @id cpp/cleartext-storage-database
|
||||
@@ -13,6 +13,7 @@
|
||||
import cpp
|
||||
import semmle.code.cpp.security.SensitiveExprs
|
||||
import semmle.code.cpp.security.TaintTracking
|
||||
import TaintedWithPath
|
||||
|
||||
class UserInputIsSensitiveExpr extends SecurityOptions {
|
||||
override predicate isUserInput(Expr expr, string cause) {
|
||||
@@ -32,10 +33,21 @@ predicate sqlite_encryption_used() {
|
||||
any(FunctionCall fc).getTarget().getName().matches("sqlite%\\_key\\_%")
|
||||
}
|
||||
|
||||
from SensitiveExpr taintSource, Expr taintedArg, SqliteFunctionCall sqliteCall
|
||||
class Configuration extends TaintTrackingConfiguration {
|
||||
override predicate isSink(Element taintedArg) {
|
||||
exists(SqliteFunctionCall sqliteCall |
|
||||
taintedArg = sqliteCall.getASource() and
|
||||
not sqlite_encryption_used()
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
from
|
||||
SensitiveExpr taintSource, Expr taintedArg, SqliteFunctionCall sqliteCall, PathNode sourceNode,
|
||||
PathNode sinkNode
|
||||
where
|
||||
tainted(taintSource, taintedArg) and
|
||||
taintedArg = sqliteCall.getASource() and
|
||||
not sqlite_encryption_used()
|
||||
select sqliteCall, "This SQLite call may store $@ in a non-encrypted SQLite database", taintSource,
|
||||
taintedWithPath(taintSource, taintedArg, sourceNode, sinkNode) and
|
||||
taintedArg = sqliteCall.getASource()
|
||||
select sqliteCall, sourceNode, sinkNode,
|
||||
"This SQLite call may store $@ in a non-encrypted SQLite database", taintSource,
|
||||
"sensitive information"
|
||||
|
||||
@@ -1,9 +1,112 @@
|
||||
| test.c:21:17:21:17 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | Uncontrolled value |
|
||||
| test.c:35:5:35:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:34:13:34:18 | call to rand | Uncontrolled value |
|
||||
| test.c:40:5:40:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:39:13:39:21 | ... % ... | Uncontrolled value |
|
||||
| test.c:45:5:45:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:44:13:44:16 | call to rand | Uncontrolled value |
|
||||
| test.c:56:5:56:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:54:13:54:16 | call to rand | Uncontrolled value |
|
||||
| test.c:67:5:67:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:66:13:66:16 | call to rand | Uncontrolled value |
|
||||
| test.c:77:9:77:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:75:13:75:19 | ... ^ ... | Uncontrolled value |
|
||||
| test.c:100:5:100:5 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:99:14:99:19 | call to rand | Uncontrolled value |
|
||||
| test.cpp:25:7:25:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | Uncontrolled value |
|
||||
edges
|
||||
| test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r |
|
||||
| test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r |
|
||||
| test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r |
|
||||
| test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r |
|
||||
| test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
|
||||
| test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
|
||||
| test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
|
||||
| test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
|
||||
| test.c:39:13:39:21 | ... % ... | test.c:40:5:40:5 | r |
|
||||
| test.c:39:13:39:21 | ... % ... | test.c:40:5:40:5 | r |
|
||||
| test.c:39:13:39:21 | ... % ... | test.c:40:5:40:5 | r |
|
||||
| test.c:39:13:39:21 | ... % ... | test.c:40:5:40:5 | r |
|
||||
| test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
|
||||
| test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
|
||||
| test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
|
||||
| test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
|
||||
| test.c:54:13:54:16 | call to rand | test.c:56:5:56:5 | r |
|
||||
| test.c:54:13:54:16 | call to rand | test.c:56:5:56:5 | r |
|
||||
| test.c:54:13:54:16 | call to rand | test.c:56:5:56:5 | r |
|
||||
| test.c:54:13:54:16 | call to rand | test.c:56:5:56:5 | r |
|
||||
| test.c:60:13:60:16 | call to rand | test.c:61:5:61:5 | r |
|
||||
| test.c:60:13:60:16 | call to rand | test.c:61:5:61:5 | r |
|
||||
| test.c:60:13:60:16 | call to rand | test.c:61:5:61:5 | r |
|
||||
| test.c:60:13:60:16 | call to rand | test.c:61:5:61:5 | r |
|
||||
| test.c:60:13:60:16 | call to rand | test.c:62:5:62:5 | r |
|
||||
| test.c:60:13:60:16 | call to rand | test.c:62:5:62:5 | r |
|
||||
| test.c:60:13:60:16 | call to rand | test.c:62:5:62:5 | r |
|
||||
| test.c:60:13:60:16 | call to rand | test.c:62:5:62:5 | r |
|
||||
| test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r |
|
||||
| test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r |
|
||||
| test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r |
|
||||
| test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r |
|
||||
| test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
|
||||
| test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
|
||||
| test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
|
||||
| test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r |
|
||||
| test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
|
||||
| test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
|
||||
| test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
|
||||
| test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
|
||||
| test.cpp:8:9:8:12 | Store | test.cpp:24:11:24:18 | call to get_rand |
|
||||
| test.cpp:8:9:8:12 | call to rand | test.cpp:8:9:8:12 | Store |
|
||||
| test.cpp:8:9:8:12 | call to rand | test.cpp:8:9:8:12 | Store |
|
||||
| test.cpp:24:11:24:18 | call to get_rand | test.cpp:25:7:25:7 | r |
|
||||
| test.cpp:24:11:24:18 | call to get_rand | test.cpp:25:7:25:7 | r |
|
||||
nodes
|
||||
| test.c:18:13:18:16 | call to rand | semmle.label | call to rand |
|
||||
| test.c:18:13:18:16 | call to rand | semmle.label | call to rand |
|
||||
| test.c:21:17:21:17 | r | semmle.label | r |
|
||||
| test.c:21:17:21:17 | r | semmle.label | r |
|
||||
| test.c:21:17:21:17 | r | semmle.label | r |
|
||||
| test.c:34:13:34:18 | call to rand | semmle.label | call to rand |
|
||||
| test.c:34:13:34:18 | call to rand | semmle.label | call to rand |
|
||||
| test.c:35:5:35:5 | r | semmle.label | r |
|
||||
| test.c:35:5:35:5 | r | semmle.label | r |
|
||||
| test.c:35:5:35:5 | r | semmle.label | r |
|
||||
| test.c:39:13:39:21 | ... % ... | semmle.label | ... % ... |
|
||||
| test.c:39:13:39:21 | ... % ... | semmle.label | ... % ... |
|
||||
| test.c:40:5:40:5 | r | semmle.label | r |
|
||||
| test.c:40:5:40:5 | r | semmle.label | r |
|
||||
| test.c:40:5:40:5 | r | semmle.label | r |
|
||||
| test.c:44:13:44:16 | call to rand | semmle.label | call to rand |
|
||||
| test.c:44:13:44:16 | call to rand | semmle.label | call to rand |
|
||||
| test.c:45:5:45:5 | r | semmle.label | r |
|
||||
| test.c:45:5:45:5 | r | semmle.label | r |
|
||||
| test.c:45:5:45:5 | r | semmle.label | r |
|
||||
| test.c:54:13:54:16 | call to rand | semmle.label | call to rand |
|
||||
| test.c:54:13:54:16 | call to rand | semmle.label | call to rand |
|
||||
| test.c:56:5:56:5 | r | semmle.label | r |
|
||||
| test.c:56:5:56:5 | r | semmle.label | r |
|
||||
| test.c:56:5:56:5 | r | semmle.label | r |
|
||||
| test.c:60:13:60:16 | call to rand | semmle.label | call to rand |
|
||||
| test.c:60:13:60:16 | call to rand | semmle.label | call to rand |
|
||||
| test.c:61:5:61:5 | r | semmle.label | r |
|
||||
| test.c:61:5:61:5 | r | semmle.label | r |
|
||||
| test.c:61:5:61:5 | r | semmle.label | r |
|
||||
| test.c:62:5:62:5 | r | semmle.label | r |
|
||||
| test.c:62:5:62:5 | r | semmle.label | r |
|
||||
| test.c:62:5:62:5 | r | semmle.label | r |
|
||||
| test.c:66:13:66:16 | call to rand | semmle.label | call to rand |
|
||||
| test.c:66:13:66:16 | call to rand | semmle.label | call to rand |
|
||||
| test.c:67:5:67:5 | r | semmle.label | r |
|
||||
| test.c:67:5:67:5 | r | semmle.label | r |
|
||||
| test.c:67:5:67:5 | r | semmle.label | r |
|
||||
| test.c:75:13:75:19 | ... ^ ... | semmle.label | ... ^ ... |
|
||||
| test.c:75:13:75:19 | ... ^ ... | semmle.label | ... ^ ... |
|
||||
| test.c:77:9:77:9 | r | semmle.label | r |
|
||||
| test.c:77:9:77:9 | r | semmle.label | r |
|
||||
| test.c:77:9:77:9 | r | semmle.label | r |
|
||||
| test.c:99:14:99:19 | call to rand | semmle.label | call to rand |
|
||||
| test.c:99:14:99:19 | call to rand | semmle.label | call to rand |
|
||||
| test.c:100:5:100:5 | r | semmle.label | r |
|
||||
| test.c:100:5:100:5 | r | semmle.label | r |
|
||||
| test.c:100:5:100:5 | r | semmle.label | r |
|
||||
| test.cpp:8:9:8:12 | Store | semmle.label | Store |
|
||||
| test.cpp:8:9:8:12 | call to rand | semmle.label | call to rand |
|
||||
| test.cpp:8:9:8:12 | call to rand | semmle.label | call to rand |
|
||||
| test.cpp:24:11:24:18 | call to get_rand | semmle.label | call to get_rand |
|
||||
| test.cpp:25:7:25:7 | r | semmle.label | r |
|
||||
| test.cpp:25:7:25:7 | r | semmle.label | r |
|
||||
| test.cpp:25:7:25:7 | r | semmle.label | r |
|
||||
#select
|
||||
| test.c:21:17:21:17 | r | test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | Uncontrolled value |
|
||||
| test.c:35:5:35:5 | r | test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:34:13:34:18 | call to rand | Uncontrolled value |
|
||||
| test.c:40:5:40:5 | r | test.c:39:13:39:21 | ... % ... | test.c:40:5:40:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:39:13:39:21 | ... % ... | Uncontrolled value |
|
||||
| test.c:45:5:45:5 | r | test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:44:13:44:16 | call to rand | Uncontrolled value |
|
||||
| test.c:56:5:56:5 | r | test.c:54:13:54:16 | call to rand | test.c:56:5:56:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:54:13:54:16 | call to rand | Uncontrolled value |
|
||||
| test.c:67:5:67:5 | r | test.c:66:13:66:16 | call to rand | test.c:67:5:67:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:66:13:66:16 | call to rand | Uncontrolled value |
|
||||
| test.c:77:9:77:9 | r | test.c:75:13:75:19 | ... ^ ... | test.c:77:9:77:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:75:13:75:19 | ... ^ ... | Uncontrolled value |
|
||||
| test.c:100:5:100:5 | r | test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:99:14:99:19 | call to rand | Uncontrolled value |
|
||||
| test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | Uncontrolled value |
|
||||
|
||||
Reference in New Issue
Block a user