hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-29 10:45:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

C++: Wire up models to DefaultTaintTracking

Browse Source 
This adds support for arg-to-arg and arg-to-return taint.
This commit is contained in:
Jonas Jensen
2020-01-21 12:04:45 +01:00
parent fa00e96ba8
commit 6d46e4d946
3 changed files with 68 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/defaulttainttracking.cpp
View File

@@ -13,13 +13,13 @@ int main(int argc, char *argv[]) {
int taintedInt = atoi(getenv("VAR"));
taintedInt++; // BUG: `taintedInt` isn't marked as tainted. Only `++` is.
sink(_strdup(getenv("VAR"))); // BUG: no taint
sink(_strdup(getenv("VAR")));
sink(strdup(getenv("VAR")));
sink(unmodeled_function(getenv("VAR")));
char untainted_buf[100] = "";
char buf[100] = "VAR = ";
sink(strcat(buf, getenv("VAR"))); // BUG: no taint
sink(strcat(buf, getenv("VAR")));
sink(buf); // BUG: no taint
sink(untainted_buf); // the two buffers would be conflated if we added flow through partial chi inputs