C++: This commit does two things:

1. It fixes a logic error in the cannotContainString predicate.
2. It reverts the changes to the `isSource` predicate that required the external
function to be within the source root.

The change to `isSource` was meant to fix a performance problem that occurred
because of the logic error in the cannotContainString predicate. However, now that
the logic error is fixed, this is no longer necessary 🎉
This commit is contained in:
Mathias Vorreiter Pedersen
2024-03-13 22:37:03 +00:00
parent ab6e2f9364
commit 61597f5ac7


@@ -37,6 +37,11 @@ class UncalledFunction extends Function {
}
}
/** The `unsigned short` type. */
class UnsignedShort extends ShortType {
UnsignedShort() { this.isUnsigned() }
}
/**
* Holds if `t` cannot refer to a string. That is, it's a built-in
* or arithmetic type that is not a "`char` like" type.
@@ -51,7 +56,7 @@ predicate cannotContainString(Type t) {
not unspecified instanceof Char16Type and
not unspecified instanceof Char32Type and
// C often defines `wchar_t` as `unsigned short`
unspecified = any(ShortType short | not short.isUnsigned())
not unspecified instanceof UnsignedShort
|
unspecified instanceof ArithmeticType or
unspecified instanceof BuiltInType
@@ -63,14 +68,6 @@ predicate dataFlowOrTaintFlowFunction(Function func, FunctionOutput output) {
func.(TaintFunction).hasTaintFlow(_, output)
}
/** Holds if `func` is declared inside the source root. */
predicate isInsideSourceRoot(Function func) {
exists(File f |
f = func.getFile() and
exists(f.getRelativePath())
)
}
/**
* Holds if `node` is a non-constant source of data flow for non-const format string detection.
* This is defined as either:
@@ -119,8 +116,7 @@ predicate isNonConst(DataFlow::Node node) {
// The function's output must also not be const to be considered a non-const source
exists(Function func, CallInstruction call |
not func.hasDefinition() and
func = call.getStaticCallTarget() and
isInsideSourceRoot(func)
func = call.getStaticCallTarget()
|
// Case 1: It's a known dataflow or taintflow function with flow to the return value
call.getUnconvertedResultExpression() = node.asIndirectExpr() and