C++: Block flow through all bitwise 'and' and 'or' operations. This seems to be a common source of false positives on LGTM.

2026-04-30 11:15:13 +02:00 · 2021-06-24 15:44:14 +02:00
parent e8bba78825
commit 5bfb78b583
3 changed files with 11 additions and 17 deletions
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
@@ -97,7 +97,15 @@ class UncontrolledArithConfiguration extends TaintTracking::Configuration {

  override predicate isSink(DataFlow::Node sink) { missingGuard(sink.asExpr(), _) }

-  override predicate isSanitizer(DataFlow::Node barrier) { bounded(barrier.asExpr()) }
+  override predicate isSanitizer(DataFlow::Node node) {
+    bounded(node.asExpr())
+    or
+    // If this expression is part of bitwise 'and' or 'or' operation it's likely that the value is
+    // only used as a bit pattern.
+    node.asExpr() =
+      any(BinaryBitwiseOperation op | op instanceof BitwiseOrExpr or op instanceof BitwiseAndExpr)
+          .getAnOperand*()
+  }
 }

 Expr getExpr(DataFlow::Node node) { result = [node.asExpr(), node.asDefiningArgument()] }
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/ArithmeticUncontrolled.expected
@@ -2,10 +2,6 @@ edges
 | test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r |
 | test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r |
 | test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r |
-| test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r |
-| test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r |
-| test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r |
-| test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r |
 | test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r |
 | test.cpp:8:9:8:12 | Store | test.cpp:24:11:24:18 | call to get_rand |
 | test.cpp:8:9:8:12 | call to rand | test.cpp:8:9:8:12 | Store |
@@ -25,12 +21,6 @@ nodes
 | test.c:35:5:35:5 | r | semmle.label | r |
 | test.c:44:13:44:16 | call to rand | semmle.label | call to rand |
 | test.c:45:5:45:5 | r | semmle.label | r |
-| test.c:75:13:75:19 | call to rand | semmle.label | call to rand |
-| test.c:75:13:75:19 | call to rand | semmle.label | call to rand |
-| test.c:77:9:77:9 | r | semmle.label | r |
-| test.c:81:14:81:17 | call to rand | semmle.label | call to rand |
-| test.c:81:23:81:26 | call to rand | semmle.label | call to rand |
-| test.c:83:9:83:9 | r | semmle.label | r |
 | test.c:99:14:99:19 | call to rand | semmle.label | call to rand |
 | test.c:100:5:100:5 | r | semmle.label | r |
 | test.cpp:8:9:8:12 | Store | semmle.label | Store |
@@ -51,10 +41,6 @@ nodes
 | test.c:21:17:21:17 | r | test.c:18:13:18:16 | call to rand | test.c:21:17:21:17 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:18:13:18:16 | call to rand | Uncontrolled value |
 | test.c:35:5:35:5 | r | test.c:34:13:34:18 | call to rand | test.c:35:5:35:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:34:13:34:18 | call to rand | Uncontrolled value |
 | test.c:45:5:45:5 | r | test.c:44:13:44:16 | call to rand | test.c:45:5:45:5 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.c:44:13:44:16 | call to rand | Uncontrolled value |
-| test.c:77:9:77:9 | r | test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:75:13:75:19 | call to rand | Uncontrolled value |
-| test.c:77:9:77:9 | r | test.c:75:13:75:19 | call to rand | test.c:77:9:77:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:75:13:75:19 | call to rand | Uncontrolled value |
-| test.c:83:9:83:9 | r | test.c:81:14:81:17 | call to rand | test.c:83:9:83:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:81:14:81:17 | call to rand | Uncontrolled value |
-| test.c:83:9:83:9 | r | test.c:81:23:81:26 | call to rand | test.c:83:9:83:9 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:81:23:81:26 | call to rand | Uncontrolled value |
 | test.c:100:5:100:5 | r | test.c:99:14:99:19 | call to rand | test.c:100:5:100:5 | r | $@ flows to here and is used in arithmetic, potentially causing an underflow. | test.c:99:14:99:19 | call to rand | Uncontrolled value |
 | test.cpp:25:7:25:7 | r | test.cpp:8:9:8:12 | call to rand | test.cpp:25:7:25:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:8:9:8:12 | call to rand | Uncontrolled value |
 | test.cpp:31:7:31:7 | r | test.cpp:13:10:13:13 | call to rand | test.cpp:31:7:31:7 | r | $@ flows to here and is used in arithmetic, potentially causing an overflow. | test.cpp:13:10:13:13 | call to rand | Uncontrolled value |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.c
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/uncontrolled/test.c
@@ -74,13 +74,13 @@ void randomTester() {
  {
    int r = RAND2();

-    r = r - 100; // BAD
+    r = r - 100; // BAD [NOT DETECTED]
  }

  {
    int r = (rand() ^ rand());

-    r = r - 100; // BAD
+    r = r - 100; // BAD [NOT DETECTED]
  }

  {