use abstract class for decompression sinks

cpp/ql/src/experimental/query-tests/Security/CWE/CWE-409/Brotli.qll

@@ -6,33 +6,22 @@ import cpp
 import semmle.code.cpp.ir.dataflow.TaintTracking
 import semmle.code.cpp.security.FlowSources
 import semmle.code.cpp.commons.File
+import DecompressionBomb
 
 /**
- * A Pointer Variable is used in Flow source
+ * The `BrotliDecoderDecompress` function is used in flow sink. * Ref: https://www.brotli.org/decode.html#af68
  */
-class PointerVar extends VariableAccess {
-  PointerVar() { this.getType() instanceof PointerType }
-}
-
-/**
- * A Pointer Variable is used in Flow source
- */
-class Uint8Var extends VariableAccess {
-  Uint8Var() { this.getType() instanceof UInt8_t }
-}
-
-/**
- * The `BrotliDecoderDecompress` function is used in Flow sink
- * Ref: https://www.brotli.org/decode.html#af68
- */
-class BrotliDecoderDecompressFunction extends Function {
+class BrotliDecoderDecompressFunction extends DecompressionFunction {
   BrotliDecoderDecompressFunction() { this.hasGlobalName(["BrotliDecoderDecompress"]) }
+
+  override int getArchiveParameterIndex() { result = 1 }
 }
 
 /**
- * The `BrotliDecoderDecompressStream` function is used in Flow sink
- * Ref: https://www.brotli.org/decode.html#a234
+ * The `BrotliDecoderDecompressStream` function is used in flow sink. * Ref: https://www.brotli.org/decode.html#a234
  */
-class BrotliDecoderDecompressStreamFunction extends Function {
+class BrotliDecoderDecompressStreamFunction extends DecompressionFunction {
   BrotliDecoderDecompressStreamFunction() { this.hasGlobalName(["BrotliDecoderDecompressStream"]) }
+
+  override int getArchiveParameterIndex() { result = 2 }
 }

cpp/ql/src/experimental/query-tests/Security/CWE/CWE-409/Bzip2.qll

@@ -6,45 +6,40 @@ import cpp
 import semmle.code.cpp.ir.dataflow.TaintTracking
 import semmle.code.cpp.security.FlowSources
 import semmle.code.cpp.commons.File
-
-/**
- * A `bz_stream` Variable as a Flow source
- */
-class BzStreamVar extends VariableAccess {
-  BzStreamVar() { this.getType().hasName("bz_stream") }
-}
-
-/**
- * A `BZFILE` Variable as a Flow source
- */
-class BzFileVar extends VariableAccess {
-  BzFileVar() { this.getType().hasName("BZFILE") }
-}
+import DecompressionBomb
 
 /**
  * The `BZ2_bzDecompress` function as a Flow source
  */
-class BZ2BzDecompressFunction extends Function {
+class BZ2BzDecompressFunction extends DecompressionFunction {
   BZ2BzDecompressFunction() { this.hasGlobalName(["BZ2_bzDecompress"]) }
+
+  override int getArchiveParameterIndex() { result = 0 }
 }
 
 /**
  * The `BZ2_bzReadOpen` function
  */
-class BZ2BzReadOpenFunction extends Function {
+class BZ2BzReadOpenFunction extends DecompressionFunction {
   BZ2BzReadOpenFunction() { this.hasGlobalName(["BZ2_bzReadOpen"]) }
+
+  override int getArchiveParameterIndex() { result = 0 }
 }
 
 /**
- * The `BZ2_bzRead` function is used in Flow sink
+ * The `BZ2_bzRead` function is used in flow sink.
  */
-class BZ2BzReadFunction extends Function {
+class BZ2BzReadFunction extends DecompressionFunction {
   BZ2BzReadFunction() { this.hasGlobalName("BZ2_bzRead") }
+
+  override int getArchiveParameterIndex() { result = 1 }
 }
 
 /**
- * The `BZ2_bzBuffToBuffDecompress` function is used in Flow sink
+ * The `BZ2_bzBuffToBuffDecompress` function is used in flow sink.
  */
-class BZ2BzBuffToBuffDecompressFunction extends Function {
+class BZ2BzBuffToBuffDecompressFunction extends DecompressionFunction {
   BZ2BzBuffToBuffDecompressFunction() { this.hasGlobalName("BZ2_bzBuffToBuffDecompress") }
+
+  override int getArchiveParameterIndex() { result = 2 }
 }

cpp/ql/src/experimental/query-tests/Security/CWE/CWE-409/DecompressionBomb.qll

@@ -0,0 +1,8 @@
+import cpp
+
+/**
+ * The Decompression Sink instances, extend this class to defind new decompression sinks.
+ */
+abstract class DecompressionFunction extends Function {
+  abstract int getArchiveParameterIndex();
+}

cpp/ql/src/experimental/query-tests/Security/CWE/CWE-409/DecompressionBombs.ql

@@ -15,124 +15,16 @@ import cpp
 import semmle.code.cpp.ir.dataflow.TaintTracking
 import semmle.code.cpp.security.FlowSources
 import semmle.code.cpp.commons.File
-import Bzip2
-import Brotli
-import LibArchive
-import LibMiniz
-import ZSTD
 import MiniZip
-import XZ
 import ZlibGzopen
-import ZlibUncompress
-import ZlibInflator
-import Brotli
+import DecompressionBomb
 
 module DecompressionTaintConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof FlowSource }
 
   predicate isSink(DataFlow::Node sink) {
-    exists(FunctionCall fc | fc.getTarget() instanceof BrotliDecoderDecompressStreamFunction |
-      fc.getArgument(2) = sink.asExpr()
-    )
-    or
-    exists(FunctionCall fc | fc.getTarget() instanceof BrotliDecoderDecompressFunction |
-      fc.getArgument(1) = sink.asExpr()
-    )
-    or
-    exists(FunctionCall fc | fc.getTarget() instanceof BZ2BzDecompressFunction |
-      fc.getArgument(0) = sink.asExpr()
-    )
-    or
-    exists(FunctionCall fc | fc.getTarget() instanceof BZ2BzReadFunction |
-      fc.getArgument(1) = sink.asExpr()
-    )
-    or
-    exists(FunctionCall fc | fc.getTarget() instanceof BZ2BzBuffToBuffDecompressFunction |
-      fc.getArgument(2) = sink.asExpr()
-    )
-    or
-    exists(FunctionCall fc | fc.getTarget() instanceof Archive_read_data_block |
-      fc.getArgument(0) = sink.asExpr()
-    )
-    or
-    exists(FunctionCall fc | fc.getTarget() instanceof MzUncompress |
-      fc.getArgument(0) = sink.asExpr()
-    )
-    or
-    exists(FunctionCall fc | fc.getTarget() instanceof MzZipReaderExtract |
-      fc.getArgument(1) = sink.asExpr()
-    )
-    or
-    exists(FunctionCall fc | fc.getTarget() instanceof MzInflate |
-      fc.getArgument(0) = sink.asExpr()
-    )
-    or
-    exists(FunctionCall fc | fc.getTarget() instanceof TinflDecompress |
-      fc.getArgument(1) = sink.asExpr()
-    )
-    or
-    exists(FunctionCall fc | fc.getTarget() instanceof TinflDecompressMem |
-      fc.getArgument(0) = sink.asExpr()
-    )
-    or
-    exists(FunctionCall fc | fc.getTarget() instanceof ZSTDDecompressFunction |
-      fc.getArgument(2) = sink.asExpr()
-    )
-    or
-    exists(FunctionCall fc | fc.getTarget() instanceof ZSTDDecompressDCtxFunction |
-      fc.getArgument(3) = sink.asExpr()
-    )
-    or
-    exists(FunctionCall fc | fc.getTarget() instanceof ZSTDDecompressStreamFunction |
-      fc.getArgument(2) = sink.asExpr()
-    )
-    or
-    exists(FunctionCall fc | fc.getTarget() instanceof ZSTDDecompressUsingDictFunction |
-      fc.getArgument(3) = sink.asExpr()
-    )
-    or
-    exists(FunctionCall fc | fc.getTarget() instanceof ZSTDDecompressUsingDDictFunction |
-      fc.getArgument(3) = sink.asExpr()
-    )
-    or
-    exists(FunctionCall fc | fc.getTarget() instanceof UnzReadCurrentFileFunction |
-      fc.getArgument(0) = sink.asExpr()
-    )
-    or
-    exists(FunctionCall fc | fc.getTarget() instanceof Mz_zip_reader_entry |
-      fc.getArgument(1) = sink.asExpr()
-    )
-    or
-    exists(FunctionCall fc | fc.getTarget() instanceof Mz_zip_entry |
-      fc.getArgument(1) = sink.asExpr()
-    )
-    or
-    exists(FunctionCall fc | fc.getTarget() instanceof LzmaStreamBufferDecodeFunction |
-      fc.getArgument(1) = sink.asExpr()
-    )
-    or
-    exists(FunctionCall fc | fc.getTarget() instanceof LzmaCodeFunction |
-      fc.getArgument(0) = sink.asExpr()
-    )
-    or
-    exists(FunctionCall fc | fc.getTarget() instanceof GzReadFunction |
-      fc.getArgument(0) = sink.asExpr()
-    )
-    or
-    exists(FunctionCall fc | fc.getTarget() instanceof GzFreadFunction |
-      sink.asExpr() = fc.getArgument(3)
-    )
-    or
-    exists(FunctionCall fc | fc.getTarget() instanceof GzGetsFunction |
-      sink.asExpr() = fc.getArgument(0)
-    )
-    or
-    exists(FunctionCall fc | fc.getTarget() instanceof InflateFunction |
-      fc.getArgument(0) = sink.asExpr()
-    )
-    or
-    exists(FunctionCall fc | fc.getTarget() instanceof UncompressFunction |
-      fc.getArgument(0) = sink.asExpr()
+    exists(FunctionCall fc, DecompressionFunction f | fc.getTarget() = f |
+      fc.getArgument(f.getArchiveParameterIndex()) = sink.asExpr()
     )
   }
 
@@ -158,21 +50,6 @@ module DecompressionTaintConfig implements DataFlow::ConfigSig {
       node1.asExpr() = fc.getArgument(0) and
       node2.asExpr() = fc
     )
-    or
-    exists(FunctionCall fc | fc.getTarget() instanceof GzReadFunction |
-      node1.asExpr() = fc.getArgument(0) and
-      node2.asExpr() = fc.getArgument(1)
-    )
-    or
-    exists(FunctionCall fc | fc.getTarget() instanceof GzFreadFunction |
-      node1.asExpr() = fc.getArgument(3) and
-      node2.asExpr() = fc.getArgument(0)
-    )
-    or
-    exists(FunctionCall fc | fc.getTarget() instanceof GzGetsFunction |
-      node1.asExpr() = fc.getArgument(0) and
-      node1.asExpr() = fc.getArgument(1)
-    )
   }
 }
 

cpp/ql/src/experimental/query-tests/Security/CWE/CWE-409/LibArchive.qll

@@ -5,21 +5,16 @@
 import cpp
 import semmle.code.cpp.ir.dataflow.TaintTracking
 import semmle.code.cpp.security.FlowSources
+import DecompressionBomb
 
 /**
- * The `archive_read_new` function as a Flow source
- * create a `archive` instance
- */
-class Archive_read_new extends Function {
-  Archive_read_new() { this.hasGlobalName("archive_read_new") }
-}
-
-/**
- * The `archive_read_data*` functions are used in Flow Sink
+ * The `archive_read_data*` functions are used in flow sink.
  * [Examples](https://github.com/libarchive/libarchive/wiki/Examples)
  */
-class Archive_read_data_block extends Function {
+class Archive_read_data_block extends DecompressionFunction {
   Archive_read_data_block() {
     this.hasGlobalName(["archive_read_data_block", "archive_read_data", "archive_read_data_into_fd"])
   }
+
+  override int getArchiveParameterIndex() { result = 0 }
 }

cpp/ql/src/experimental/query-tests/Security/CWE/CWE-409/LibMiniz.qll

@@ -5,72 +5,44 @@
 import cpp
 import semmle.code.cpp.ir.dataflow.TaintTracking
 import semmle.code.cpp.security.FlowSources
+import DecompressionBomb
 
 /**
- * A unsigned char Variable is used in Flow source
+ * The `mz_uncompress` functions are used in flow sink.
  */
-class UnsignedCharVar extends VariableAccess {
-  UnsignedCharVar() { this.getType().stripType().resolveTypedefs*() instanceof UnsignedCharType }
-}
-
-/**
- * The `mz_streamp`, `z_stream` Variables are used in Flow source
- */
-class MzStreampVar extends VariableAccess {
-  MzStreampVar() { this.getType().hasName(["mz_streamp", "z_stream"]) }
-}
-
-/**
- * A Char Variable is used in Flow source
- */
-class CharVar extends VariableAccess {
-  CharVar() { this.getType().stripType().resolveTypedefs*() instanceof CharType }
-}
-
-/**
- * A `mz_zip_archive` Variable is used in Flow source
- */
-class MzZipArchiveVar extends VariableAccess {
-  MzZipArchiveVar() { this.getType().hasName("mz_zip_archive") }
-}
-
-/**
- * The `mz_uncompress` functions are used in Flow Sink
- */
-class MzUncompress extends Function {
+class MzUncompress extends DecompressionFunction {
   MzUncompress() { this.hasGlobalName(["uncompress", "mz_uncompress", "mz_uncompress2"]) }
+
+  override int getArchiveParameterIndex() { result = 0 }
 }
 
 /**
  * A `zip handle` is used in Flow source
  */
-class MzZip extends Function {
+class MzZip extends DecompressionFunction {
   MzZip() {
     this.hasGlobalName([
         "mz_zip_reader_open", "mz_zip_reader_open_file", "mz_zip_reader_open_file_in_memory",
         "mz_zip_reader_open_buffer", "mz_zip_reader_entry_open"
       ])
   }
+
+  override int getArchiveParameterIndex() { result = 1 }
 }
 
 /**
- * The `mz_inflate` functions are used in Flow Sink
+ * The `mz_inflate` functions are used in flow sink.
  */
-class MzInflate extends Function {
+class MzInflate extends DecompressionFunction {
   MzInflate() { this.hasGlobalName(["mz_inflate", "inflate"]) }
+
+  override int getArchiveParameterIndex() { result = 0 }
 }
 
 /**
- * The `mz_inflateInit` functions are used in Flow Sink
+ * The `mz_zip_reader_extract_*` functions are used in flow sink.
  */
-class MzInflateInit extends Function {
-  MzInflateInit() { this.hasGlobalName(["inflateInit", "mz_inflateInit"]) }
-}
-
-/**
- * The `mz_zip_reader_extract_*` functions are used in Flow Sink
- */
-class MzZipReaderExtract extends Function {
+class MzZipReaderExtract extends DecompressionFunction {
   MzZipReaderExtract() {
     this.hasGlobalName([
         "mz_zip_reader_extract_file_to_heap", "mz_zip_reader_extract_to_heap",
@@ -80,23 +52,29 @@ class MzZipReaderExtract extends Function {
         "mz_zip_reader_extract_file_to_file"
       ])
   }
+
+  override int getArchiveParameterIndex() { result = 1 }
 }
 
 /**
- * The `tinfl_decompress_mem_*` functions are used in Flow Sink
+ * The `tinfl_decompress_mem_*` functions are used in flow sink.
  */
-class TinflDecompressMem extends Function {
+class TinflDecompressMem extends DecompressionFunction {
   TinflDecompressMem() {
     this.hasGlobalName([
         "tinfl_decompress_mem_to_callback", "tinfl_decompress_mem_to_mem",
         "tinfl_decompress_mem_to_heap"
       ])
   }
+
+  override int getArchiveParameterIndex() { result = 0 }
 }
 
 /**
- * The `tinfl_decompress_*` functions are used in Flow Sink
+ * The `tinfl_decompress_*` functions are used in flow sink.
  */
-class TinflDecompress extends Function {
+class TinflDecompress extends DecompressionFunction {
   TinflDecompress() { this.hasGlobalName(["tinfl_decompress"]) }
+
+  override int getArchiveParameterIndex() { result = 1 }
 }

cpp/ql/src/experimental/query-tests/Security/CWE/CWE-409/MiniZip.qll

@@ -5,61 +5,36 @@
 import cpp
 import semmle.code.cpp.ir.dataflow.TaintTracking
 import semmle.code.cpp.security.FlowSources
+import DecompressionBomb
 
 /**
- * The `mz_zip_reader_create` function as a Flow source
- * create a `mz_zip_reader` instance
- */
-class Mz_zip_reader_create extends Function {
-  Mz_zip_reader_create() { this.hasGlobalName("mz_zip_reader_create") }
-}
-
-/**
- * The `mz_zip_create` function as a Flow source
- * create a `mz_zip` instance
- */
-class Mz_zip_create extends Function {
-  Mz_zip_create() { this.hasGlobalName("mz_zip_create") }
-}
-
-/**
- * The `mz_zip_entry` function is used in Flow source
+ * The `mz_zip_entry` function is used in flow source.
  * [docuemnt](https://github.com/zlib-ng/minizip-ng/blob/master/doc/mz_zip.md)
  */
-class Mz_zip_entry extends Function {
+class Mz_zip_entry extends DecompressionFunction {
   Mz_zip_entry() { this.hasGlobalName("mz_zip_entry_read") }
+
+  override int getArchiveParameterIndex() { result = 1 }
 }
 
 /**
- * The `mz_zip_reader_entry_*` and `mz_zip_reader_save_all` functions are used in Flow source
+ * The `mz_zip_reader_entry_*` and `mz_zip_reader_save_all` functions are used in flow source.
  * [docuemnt](https://github.com/zlib-ng/minizip-ng/blob/master/doc/mz_zip_rw.md)
  */
-class Mz_zip_reader_entry extends Function {
+class Mz_zip_reader_entry extends DecompressionFunction {
   Mz_zip_reader_entry() {
     this.hasGlobalName([
         "mz_zip_reader_entry_save", "mz_zip_reader_entry_read", "mz_zip_reader_entry_save_process",
         "mz_zip_reader_entry_save_file", "mz_zip_reader_entry_save_buffer", "mz_zip_reader_save_all"
       ])
   }
+
+  override int getArchiveParameterIndex() { result = 1 }
 }
 
 /**
- * A `unzFile` Variable as a Flow source
- */
-class UnzFileVar extends VariableAccess {
-  UnzFileVar() { this.getType().hasName("unzFile") }
-}
-
-/**
- * The `UnzOpen` function as a Flow source
+ * The `UnzOpen` function as a flow source.
  */
 class UnzOpenFunction extends Function {
   UnzOpenFunction() { this.hasGlobalName(["UnzOpen", "unzOpen64", "unzOpen2", "unzOpen2_64"]) }
 }
-
-/**
- * The `unzReadCurrentFile` function is used in Flow sink
- */
-class UnzReadCurrentFileFunction extends Function {
-  UnzReadCurrentFileFunction() { this.hasGlobalName(["unzReadCurrentFile"]) }
-}

cpp/ql/src/experimental/query-tests/Security/CWE/CWE-409/XZ.qll

@@ -5,25 +5,22 @@
 import cpp
 import semmle.code.cpp.ir.dataflow.TaintTracking
 import semmle.code.cpp.security.FlowSources
+import DecompressionBomb
 
 /**
- * A `lzma_stream` Variable as a Flow source
+ * The `lzma_code` function is used in flow sink.
  */
-class LzmaStreamVar extends VariableAccess {
-  LzmaStreamVar() { this.getType().hasName("lzma_stream") }
-}
-
-
-/**
- * The `lzma_code` function is used in Flow sink
- */
-class LzmaCodeFunction extends Function {
+class LzmaCodeFunction extends DecompressionFunction {
   LzmaCodeFunction() { this.hasGlobalName(["lzma_code"]) }
+
+  override int getArchiveParameterIndex() { result = 0 }
 }
 
 /**
- * The `lzma_stream_buffer_decode` function is used in Flow sink
+ * The `lzma_stream_buffer_decode` function is used in flow sink.
  */
-class LzmaStreamBufferDecodeFunction extends Function {
+class LzmaStreamBufferDecodeFunction extends DecompressionFunction {
   LzmaStreamBufferDecodeFunction() { this.hasGlobalName(["lzma_stream_buffer_decode"]) }
+
+  override int getArchiveParameterIndex() { result = 1 }
 }

cpp/ql/src/experimental/query-tests/Security/CWE/CWE-409/ZSTD.qll

@@ -6,52 +6,49 @@ import cpp
 import semmle.code.cpp.ir.dataflow.TaintTracking
 import semmle.code.cpp.security.FlowSources
 import semmle.code.cpp.commons.File
+import DecompressionBomb
 
 /**
- * A ZSTD_inBuffer Variable as a Flow source
+ * The `ZSTD_decompress`  function is used in flow sink.
  */
-class ZSTDinBufferVar extends VariableAccess {
-  ZSTDinBufferVar() { this.getType().hasName("ZSTD_inBuffer") }
-}
-
-/**
- * A ZSTD_inBuffer_s Variable as a Flow source
- */
-class ZSTDinBufferSVar extends VariableAccess {
-  ZSTDinBufferSVar() { this.getType().hasName("ZSTD_inBuffer_s") }
-}
-
-/**
- * The `ZSTD_decompress`  function is used in Flow sink
- */
-class ZSTDDecompressFunction extends Function {
+class ZSTDDecompressFunction extends DecompressionFunction {
   ZSTDDecompressFunction() { this.hasGlobalName(["ZSTD_decompress"]) }
+
+  override int getArchiveParameterIndex() { result = 2 }
 }
 
 /**
- * The `ZSTD_decompressDCtx` function is used in Flow sink
+ * The `ZSTD_decompressDCtx` function is used in flow sink.
  */
-class ZSTDDecompressDCtxFunction extends Function {
+class ZSTDDecompressDCtxFunction extends DecompressionFunction {
   ZSTDDecompressDCtxFunction() { this.hasGlobalName(["ZSTD_decompressDCtx"]) }
+
+  override int getArchiveParameterIndex() { result = 3 }
 }
 
 /**
- * The `ZSTD_decompressStream` function is used in Flow sink
+ * The `ZSTD_decompressStream` function is used in flow sink.
  */
-class ZSTDDecompressStreamFunction extends Function {
+class ZSTDDecompressStreamFunction extends DecompressionFunction {
   ZSTDDecompressStreamFunction() { this.hasGlobalName(["ZSTD_decompressStream"]) }
+
+  override int getArchiveParameterIndex() { result = 2 }
 }
 
 /**
- * The `ZSTD_decompress_usingDDict` function is used in Flow sink
+ * The `ZSTD_decompress_usingDDict` function is used in flow sink.
  */
-class ZSTDDecompressUsingDictFunction extends Function {
+class ZSTDDecompressUsingDictFunction extends DecompressionFunction {
   ZSTDDecompressUsingDictFunction() { this.hasGlobalName(["ZSTD_decompress_usingDDict"]) }
+
+  override int getArchiveParameterIndex() { result = 3 }
 }
 
 /**
- * The `ZSTD_decompress_usingDDict` function is used in Flow sink
+ * The `ZSTD_decompress_usingDDict` function is used in flow sink.
  */
-class ZSTDDecompressUsingDDictFunction extends Function {
+class ZSTDDecompressUsingDDictFunction extends DecompressionFunction {
   ZSTDDecompressUsingDDictFunction() { this.hasGlobalName(["ZSTD_decompress_usingDDict"]) }
+
+  override int getArchiveParameterIndex() { result = 3 }
 }

cpp/ql/src/experimental/query-tests/Security/CWE/CWE-409/ZlibGzopen.qll

@@ -5,25 +5,43 @@
 import cpp
 import semmle.code.cpp.ir.dataflow.TaintTracking
 import semmle.code.cpp.security.FlowSources
+import DecompressionBomb
 
 /**
- * A `gzFile` Variable as a Flow source
- */
-class GzFileVar extends VariableAccess {
-  GzFileVar() { this.getType().hasName("gzFile") }
-}
-
-/**
- * The `gzopen` function as a Flow source
+ * The `gzfread` function is used in flow sink.
  *
- * `gzopen(const char *path, const char *mode)`
+ * `gzfread(voidp buf, z_size_t size, z_size_t nitems, gzFile file)`
  */
-class GzopenFunction extends Function {
-  GzopenFunction() { this.hasGlobalName("gzopen") }
+class GzFreadFunction extends DecompressionFunction {
+  GzFreadFunction() { this.hasGlobalName("gzfread") }
+
+  override int getArchiveParameterIndex() { result = 3 }
 }
 
 /**
- * The `gzdopen` function as a Flow source
+ * The `gzgets` function is used in flow sink.
+ *
+ * `gzgets(gzFile file, char *buf, int len)`
+ */
+class GzGetsFunction extends DecompressionFunction {
+  GzGetsFunction() { this.hasGlobalName("gzgets") }
+
+  override int getArchiveParameterIndex() { result = 0 }
+}
+
+/**
+ * The `gzread` function is used in flow sink.
+ *
+ * `gzread(gzFile file, voidp buf, unsigned len)`
+ */
+class GzReadFunction extends DecompressionFunction {
+  GzReadFunction() { this.hasGlobalName("gzread") }
+
+  override int getArchiveParameterIndex() { result = 1 }
+}
+
+/**
+ * The `gzdopen` function.
  *
  * `gzdopen(int fd, const char *mode)`
  */
@@ -32,44 +50,10 @@ class GzdopenFunction extends Function {
 }
 
 /**
- * The `gzfread` function is used in Flow sink
+ * The `gzopen` function.
  *
- * `gzfread(voidp buf, z_size_t size, z_size_t nitems, gzFile file)`
+ * `gzopen(const char *path, const char *mode)`
  */
-class GzFreadFunction extends Function {
-  GzFreadFunction() { this.hasGlobalName("gzfread") }
-}
-
-/**
- * The `gzgets` function is used in Flow sink.
- *
- * `gzgets(gzFile file, char *buf, int len)`
- */
-class GzGetsFunction extends Function {
-  GzGetsFunction() { this.hasGlobalName("gzgets") }
-}
-
-/**
- * The `gzread` function is used in Flow sink
- *
- * `gzread(gzFile file, voidp buf, unsigned len)`
- */
-class GzReadFunction extends Function {
-  GzReadFunction() { this.hasGlobalName("gzread") }
-}
-
-predicate isSource(DataFlow::Node source) {
-  exists(FunctionCall fc | fc.getTarget() instanceof GzopenFunction |
-    fc.getArgument(0) = source.asExpr() and
-    // arg 0 can be a path string whichwe must do following check
-    not fc.getArgument(0).isConstant()
-  )
-  or
-  // IDK whether it is good to use all file decriptors function returns as source or not
-  // because we can do more sanitization from fd function sources
-  exists(FunctionCall fc | fc.getTarget() instanceof GzdopenFunction |
-    fc.getArgument(0) = source.asExpr()
-  )
-  or
-  source.asExpr() instanceof GzFileVar
+class GzopenFunction extends Function {
+  GzopenFunction() { this.hasGlobalName("gzopen") }
 }

cpp/ql/src/experimental/query-tests/Security/CWE/CWE-409/ZlibInflator.qll

@@ -5,21 +5,17 @@
 import cpp
 import semmle.code.cpp.ir.dataflow.TaintTracking
 import semmle.code.cpp.security.FlowSources
+import DecompressionBomb
 
 /**
- * A `z_stream` Variable as a Flow source
- */
-class ZStreamVar extends VariableAccess {
-  ZStreamVar() { this.getType().hasName("z_stream") }
-}
-
-/**
- * The `inflate`/`inflateSync` functions are used in Flow sink
+ * The `inflate` and `inflateSync` functions are used in flow sink.
  *
  * `inflate(z_streamp strm, int flush)`
  *
  * `inflateSync(z_streamp strm)`
  */
-class InflateFunction extends Function {
+class InflateFunction extends DecompressionFunction {
   InflateFunction() { this.hasGlobalName(["inflate", "inflateSync"]) }
+
+  override int getArchiveParameterIndex() { result = 0 }
 }

cpp/ql/src/experimental/query-tests/Security/CWE/CWE-409/ZlibUncompress.qll

@@ -5,17 +5,13 @@
 import cpp
 import semmle.code.cpp.ir.dataflow.TaintTracking
 import semmle.code.cpp.security.FlowSources
+import DecompressionBomb
 
 /**
- * A Bytef Variable as a Flow source
+ * The `uncompress`/`uncompress2` function is used in flow sink.
  */
-class BytefVar extends VariableAccess {
-  BytefVar() { this.getType().hasName("Bytef") }
-}
-
-/**
- * The `uncompress`/`uncompress2` function is used in Flow sink
- */
-class UncompressFunction extends Function {
+class UncompressFunction extends DecompressionFunction {
   UncompressFunction() { this.hasGlobalName(["uncompress", "uncompress2"]) }
+
+  override int getArchiveParameterIndex() { result = 0 }
 }