C++: Add localExprFlow and localExprTaint

This is for ODASA-8053.
2026-05-05 05:35:13 +02:00 · 2019-08-23 09:24:09 +02:00
parent 00fe4734ac
commit 63311739a5
4 changed files with 23 additions and 0 deletions
--- a/change-notes/1.23/analysis-cpp.md
+++ b/change-notes/1.23/analysis-cpp.md
@@ -25,3 +25,6 @@ The following changes in version 1.23 affect C/C++ analysis in all applications.
  picture of the partial flow paths from a given source. The feature is
  disabled by default and can be enabled for individual configurations by
  overriding `int explorationLimit()`.
+* There is now a `DataFlow::localExprFlow` predicate and a
+  `TaintTracking::localExprTaint` predicate to make it easy to use the most
+  common case of local data flow and taint: from one `Expr` to another.
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowUtil.qll
@@ -490,6 +490,12 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
 */
 predicate localFlow(Node source, Node sink) { localFlowStep*(source, sink) }

+/**
+ * Holds if data can flow from `e1` to `e2` in zero or more
+ * local (intra-procedural) steps.
+ */
+predicate localExprFlow(Expr e1, Expr e2) { localFlow(exprNode(e1), exprNode(e2)) }
+
 /**
 * Holds if the initial value of `v`, if it is a source, flows to `var`.
 */
--- a/cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/dataflow/internal/TaintTrackingUtil.qll
@@ -80,6 +80,14 @@ predicate localTaint(DataFlow::Node source, DataFlow::Node sink) {
  localTaintStep*(source, sink)
 }

+/**
+ * Holds if taint can flow from `e1` to `e2` in zero or more
+ * local (intra-procedural) steps.
+ */
+predicate localExprTaint(Expr e1, Expr e2) {
+  localTaint(DataFlow::exprNode(e1), DataFlow::exprNode(e2))
+}
+
 /**
 * Holds if we do not propagate taint from `fromExpr` to `toExpr`
 * even though `toExpr` is the AST parent of `fromExpr`.
--- a/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -178,6 +178,12 @@ predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) {
 */
 predicate localFlow(Node source, Node sink) { localFlowStep*(source, sink) }

+/**
+ * Holds if data can flow from `e1` to `e2` in zero or more
+ * local (intra-procedural) steps.
+ */
+predicate localExprFlow(Expr e1, Expr e2) { localFlow(exprNode(e1), exprNode(e2)) }
+
 /**
 * A guard that validates some expression.
 *