From 61ce7252e659bc346965a28581c6042b2c3f6daa Mon Sep 17 00:00:00 2001
From: Mathias Vorreiter Pedersen
Date: Tue, 30 Apr 2024 16:12:54 +0100
Subject: [PATCH] C++: Update the alert message in 'cpp/iterator-to-expired-container'.
---
 .../CWE/CWE-416/IteratorToExpiredContainer.ql | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql b/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
index 51dfd3478ac..139555cfa1d 100644
--- a/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
+++ b/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
@@ -62,10 +62,9 @@ DataFlow::Node getADestroyedNode(DataFlow::Node n) {
 )
 }
-predicate destroyedToBeginSink(DataFlow::Node sink, FunctionCall fc) {
+predicate destroyedToBeginSink(DataFlow::Node sink) {
 exists(CallInstruction call |
 call = sink.asOperand().(ThisArgumentOperand).getCall() and
- fc = call.getUnconvertedResultExpression() and
 call.getStaticCallTarget() instanceof BeginOrEndFunction
 )
 }
@@ -90,7 +89,7 @@ private predicate qualifierToDestroyed(DataFlow::Node node1, DataFlow::Node node
 module Config0 implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) { qualifierToDestroyed(_, source) }
- predicate isSink(DataFlow::Node sink) { destroyedToBeginSink(sink, _) }
+ predicate isSink(DataFlow::Node sink) { destroyedToBeginSink(sink) }
 }
 module Flow0 = DataFlow::Global;
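Review bot: `destroyedToBeginSink` in the first hunk has no QLDoc, and now that it takes a single argument its name is the only description a reader gets. The body accepts the `this` argument of any call whose static target is a `BeginOrEndFunction`, so going by that class name, qualifiers of `end` calls are sinks as well as `begin` ones. I would add `/** Holds if sink is the qualifier of a call to a begin or end member function. */` directly above the predicate. The predicate is fully visible in the hunk, and the `isSink` call site in `Config0` in the second hunk needs nothing beyond the argument removal it already has.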
@@ -150,9 +149,9 @@ module Config implements DataFlow::StateConfigSig {
 module Flow = DataFlow::GlobalWithState;
-from Flow::PathNode source, Flow::PathNode sink, FunctionCall beginOrEnd, DataFlow::Node mid
+from Flow::PathNode source, Flow::PathNode sink, DataFlow::Node mid
 where
 Flow::flowPath(source, sink) and
- destroyedToBeginSink(sink.getNode(), beginOrEnd) and
+ destroyedToBeginSink(sink.getNode()) and
 sink.getState() = Config::DestroyedToBegin(mid)
-select mid, "This object is destroyed before $@ is called.", beginOrEnd, beginOrEnd.toString()
+select mid, "This object is destroyed at the end of the full-expression."
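Review bot: The new `select` message states only that the object is destroyed and no longer says why that matters for a CWE-416 query. A triager now has to open the query help to learn that the finding concerns a `begin`/`end` call reached by the destroyed object. If the old wording was dropped only to remove the `$@` link, I would keep the hazard in the text, e.g. `select mid, "This object is destroyed at the end of the full-expression, before 'begin' or 'end' is called on it."`; if it was dropped because it was inaccurate, the help file should carry the explanation instead. Separately, the diffstat shows one file changed although the result columns and message text both change, so any expected-output files for this query's tests presumably need regenerating, unless that is done in a separate commit.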