hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-22 11:46:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

C++: Use asExpr, not getConvertedResultExpression

Browse Source 
We designed the IR's `DataFlow::Node.asExpr` very carefully so that it's
suitable for taint tracking, but then we didn't use it in
`DefaultTaintTracking.qll`. This meant that the sources in
`ArithmeticWithExtremeValues.ql` didn't get associated with any
`Instruction` and thus didn't propagate anywhere.

With this commit, the mapping of `Expr`-based sources to IR data-flow
nodes uses `asExpr`.
This commit is contained in:
Jonas Jensen
2020-01-23 15:28:42 +01:00
parent ceeb9ab718
commit 5eeb5c6e67
1 changed files with 19 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
cpp/ql/src/semmle/code/cpp/ir/dataflow/DefaultTaintTracking.qll
View File

@@ -19,33 +19,29 @@ private predicate predictableInstruction(Instruction instr) {
predictableInstruction(instr.(UnaryInstruction).getUnary()) predictableInstruction(instr.(UnaryInstruction).getUnary())
} }
private predicate userInputInstruction(Instruction instr) { private class DefaultTaintTrackingCfg extends DataFlow::Configuration {
DefaultTaintTrackingCfg() { this = "DefaultTaintTrackingCfg" }
override predicate isSource(DataFlow::Node source) {
exists(CallInstruction ci, WriteSideEffectInstruction wsei | exists(CallInstruction ci, WriteSideEffectInstruction wsei |
userInputArgument(ci.getConvertedResultExpression(), wsei.getIndex()) and userInputArgument(ci.getConvertedResultExpression(), wsei.getIndex()) and
instr = wsei and source.asInstruction() = wsei and
wsei.getPrimaryInstruction() = ci wsei.getPrimaryInstruction() = ci
) )
or or
userInputReturned(instr.getConvertedResultExpression()) userInputReturned(source.asExpr())
or or
isUserInput(instr.getConvertedResultExpression(), _) isUserInput(source.asExpr(), _)
or or
instr.getConvertedResultExpression() instanceof EnvironmentRead source.asExpr() instanceof EnvironmentRead
or or
instr source.asInstruction()
.(LoadInstruction) .(LoadInstruction)
.getSourceAddress() .getSourceAddress()
.(VariableAddressInstruction) .(VariableAddressInstruction)
.getASTVariable() .getASTVariable()
.hasName("argv") and .hasName("argv") and
instr.getEnclosingFunction().hasGlobalName("main") source.asInstruction().getEnclosingFunction().hasGlobalName("main")
}
private class DefaultTaintTrackingCfg extends DataFlow::Configuration {
DefaultTaintTrackingCfg() { this = "DefaultTaintTrackingCfg" }
override predicate isSource(DataFlow::Node source) {
userInputInstruction(source.asInstruction())
} }
override predicate isSink(DataFlow::Node sink) { any() } override predicate isSink(DataFlow::Node sink) { any() }