C++: Rename references.
@@ -54,7 +54,7 @@ module PrivateCleartextWrite {
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
}
|
||||
|
||||
module WriteFlow = TaintTracking::Make<WriteConfig>;
|
||||
module WriteFlow = TaintTracking::Global<WriteConfig>;
|
||||
|
||||
class PrivateDataSource extends Source {
|
||||
PrivateDataSource() { this.getExpr() instanceof PrivateDataExpr }
|
||||
|
||||
@@ -103,7 +103,7 @@ private module DefaultTaintTrackingConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
private module DefaultTaintTrackingFlow = TaintTracking::Make<DefaultTaintTrackingConfig>;
|
||||
private module DefaultTaintTrackingFlow = TaintTracking::Global<DefaultTaintTrackingConfig>;
|
||||
|
||||
private module ToGlobalVarTaintTrackingConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source = getNodeForSource(_) }
|
||||
@@ -121,13 +121,13 @@ private module ToGlobalVarTaintTrackingConfig implements DataFlow::ConfigSig {
|
||||
predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
|
||||
}
|
||||
|
||||
private module ToGlobalVarTaintTrackingFlow = TaintTracking::Make<ToGlobalVarTaintTrackingConfig>;
|
||||
private module ToGlobalVarTaintTrackingFlow = TaintTracking::Global<ToGlobalVarTaintTrackingConfig>;
|
||||
|
||||
private module FromGlobalVarTaintTrackingConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
// This set of sources should be reasonably small, which is good for
|
||||
// performance since the set of sinks is very large.
|
||||
ToGlobalVarTaintTrackingFlow::hasFlowTo(source)
|
||||
ToGlobalVarTaintTrackingFlow::flowTo(source)
|
||||
}
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { exists(adjustedSink(sink)) }
|
||||
@@ -145,7 +145,7 @@ private module FromGlobalVarTaintTrackingConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
|
||||
private module FromGlobalVarTaintTrackingFlow =
|
||||
TaintTracking::Make<FromGlobalVarTaintTrackingConfig>;
|
||||
TaintTracking::Global<FromGlobalVarTaintTrackingConfig>;
|
||||
|
||||
private predicate readsVariable(LoadInstruction load, Variable var) {
|
||||
load.getSourceAddress().(VariableAddressInstruction).getAstVariable() = var
|
||||
@@ -331,7 +331,7 @@ private import Cached
|
||||
cached
|
||||
predicate tainted(Expr source, Element tainted) {
|
||||
exists(DataFlow::Node sink |
|
||||
DefaultTaintTrackingFlow::hasFlow(getNodeForSource(source), sink) and
|
||||
DefaultTaintTrackingFlow::flow(getNodeForSource(source), sink) and
|
||||
tainted = adjustedSink(sink)
|
||||
)
|
||||
}
|
||||
@@ -360,8 +360,8 @@ predicate taintedIncludingGlobalVars(Expr source, Element tainted, string global
|
||||
DataFlow::VariableNode variableNode, GlobalOrNamespaceVariable global, DataFlow::Node sink
|
||||
|
|
||||
global = variableNode.getVariable() and
|
||||
ToGlobalVarTaintTrackingFlow::hasFlow(getNodeForSource(source), variableNode) and
|
||||
FromGlobalVarTaintTrackingFlow::hasFlow(variableNode, sink) and
|
||||
ToGlobalVarTaintTrackingFlow::flow(getNodeForSource(source), variableNode) and
|
||||
FromGlobalVarTaintTrackingFlow::flow(variableNode, sink) and
|
||||
tainted = adjustedSink(sink) and
|
||||
global = globalVarFromId(globalVar)
|
||||
)
|
||||
@@ -450,7 +450,7 @@ module TaintedWithPath {
|
||||
predicate isBarrierIn(DataFlow::Node node) { nodeIsBarrierIn(node) }
|
||||
}
|
||||
|
||||
private module AdjustedFlow = TaintTracking::Make<AdjustedConfig>;
|
||||
private module AdjustedFlow = TaintTracking::Global<AdjustedConfig>;
|
||||
|
||||
/*
|
||||
* A sink `Element` may map to multiple `DataFlowX::PathNode`s via (the
|
||||
@@ -472,7 +472,7 @@ module TaintedWithPath {
|
||||
// that makes it easiest to deal with the case where source = sink.
|
||||
TEndpointPathNode(Element e) {
|
||||
exists(DataFlow::Node sourceNode, DataFlow::Node sinkNode |
|
||||
AdjustedFlow::hasFlow(sourceNode, sinkNode)
|
||||
AdjustedFlow::flow(sourceNode, sinkNode)
|
||||
|
|
||||
sourceNode = getNodeForExpr(e) and
|
||||
exists(TaintTrackingConfiguration ttCfg | ttCfg.isSource(e))
|
||||
@@ -634,7 +634,7 @@ module TaintedWithPath {
|
||||
exists(DataFlow::Node flowSource, DataFlow::Node flowSink |
|
||||
source = sourceNode.(InitialPathNode).inner() and
|
||||
flowSource = getNodeForExpr(source) and
|
||||
AdjustedFlow::hasFlow(flowSource, flowSink) and
|
||||
AdjustedFlow::flow(flowSource, flowSink) and
|
||||
tainted = adjustedSink(flowSink) and
|
||||
tainted = sinkNode.(FinalPathNode).inner()
|
||||
)
|
||||
|
||||
@@ -399,7 +399,7 @@ module BoostorgAsio {
|
||||
import Config
|
||||
}
|
||||
|
||||
import DataFlow::Make<C>
|
||||
import DataFlow::Global<C>
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -596,7 +596,7 @@ module BoostorgAsio {
|
||||
}
|
||||
}
|
||||
|
||||
module SslContextFlowsToSetOptionFlow = DataFlow::Make<SslContextFlowsToSetOptionConfig>;
|
||||
module SslContextFlowsToSetOptionFlow = DataFlow::Global<SslContextFlowsToSetOptionConfig>;
|
||||
|
||||
/**
|
||||
* An option value that flows to the first parameter of a call to `SetOptions()`.
|
||||
@@ -640,5 +640,5 @@ module BoostorgAsio {
|
||||
}
|
||||
}
|
||||
|
||||
module SslOptionFlow = DataFlow::Make<SslOptionConfig>;
|
||||
module SslOptionFlow = DataFlow::Global<SslOptionConfig>;
|
||||
}
|
||||
|
||||
@@ -84,11 +84,11 @@ module OverflowDestinationConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module OverflowDestination = TaintTracking::Make<OverflowDestinationConfig>;
|
||||
module OverflowDestination = TaintTracking::Global<OverflowDestinationConfig>;
|
||||
|
||||
from FunctionCall fc, OverflowDestination::PathNode source, OverflowDestination::PathNode sink
|
||||
where
|
||||
OverflowDestination::hasFlowPath(source, sink) and
|
||||
OverflowDestination::flowPath(source, sink) and
|
||||
sourceSized(fc, sink.getNode().asIndirectConvertedExpr())
|
||||
select fc, source, sink,
|
||||
"To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size."
|
||||
|
||||
@@ -80,9 +80,9 @@ predicate introducesNewField(Class derived, Class base) {
|
||||
)
|
||||
}
|
||||
|
||||
module CastToPointerArithFlow = DataFlow::MakeWithState<CastToPointerArithFlowConfig>;
|
||||
module CastToPointerArithFlow = DataFlow::GlobalWithState<CastToPointerArithFlowConfig>;
|
||||
|
||||
from CastToPointerArithFlow::PathNode source, CastToPointerArithFlow::PathNode sink
|
||||
where CastToPointerArithFlow::hasFlowPath(source, sink)
|
||||
where CastToPointerArithFlow::flowPath(source, sink)
|
||||
select sink, source, sink, "This pointer arithmetic may be done with the wrong type because of $@.",
|
||||
source, "this cast"
|
||||
|
||||
@@ -146,13 +146,13 @@ module NonConstFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isBarrier(DataFlow::Node node) { isBarrierNode(node) }
|
||||
}
|
||||
|
||||
module NonConstFlow = TaintTracking::Make<NonConstFlowConfig>;
|
||||
module NonConstFlow = TaintTracking::Global<NonConstFlowConfig>;
|
||||
|
||||
from FormattingFunctionCall call, Expr formatString
|
||||
where
|
||||
call.getArgument(call.getFormatParameterIndex()) = formatString and
|
||||
exists(DataFlow::Node sink |
|
||||
NonConstFlow::hasFlowTo(sink) and
|
||||
NonConstFlow::flowTo(sink) and
|
||||
isSinkImpl(sink, formatString)
|
||||
)
|
||||
select formatString,
|
||||
|
||||
@@ -16,7 +16,7 @@ import LeapYear
|
||||
|
||||
from Expr source, Expr sink
|
||||
where
|
||||
PossibleYearArithmeticOperationCheckFlow::hasFlow(DataFlow::exprNode(source),
|
||||
PossibleYearArithmeticOperationCheckFlow::flow(DataFlow::exprNode(source),
|
||||
DataFlow::exprNode(sink))
|
||||
select sink,
|
||||
"An arithmetic operation $@ that uses a constant value of 365 ends up modifying this date/time, without considering leap year scenarios.",
|
||||
|
||||
@@ -231,7 +231,7 @@ private module LeapYearCheckConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module LeapYearCheckFlow = DataFlow::Make<LeapYearCheckConfig>;
|
||||
module LeapYearCheckFlow = DataFlow::Global<LeapYearCheckConfig>;
|
||||
|
||||
/**
|
||||
* Data flow configuration for finding an operation with hardcoded 365 that will flow into
|
||||
@@ -284,7 +284,7 @@ private module FiletimeYearArithmeticOperationCheckConfig implements DataFlow::C
|
||||
}
|
||||
|
||||
module FiletimeYearArithmeticOperationCheckFlow =
|
||||
DataFlow::Make<FiletimeYearArithmeticOperationCheckConfig>;
|
||||
DataFlow::Global<FiletimeYearArithmeticOperationCheckConfig>;
|
||||
|
||||
/**
|
||||
* Taint configuration for finding an operation with hardcoded 365 that will flow into any known date/time field.
|
||||
@@ -372,4 +372,4 @@ private module PossibleYearArithmeticOperationCheckConfig implements DataFlow::C
|
||||
}
|
||||
|
||||
module PossibleYearArithmeticOperationCheckFlow =
|
||||
TaintTracking::Make<PossibleYearArithmeticOperationCheckConfig>;
|
||||
TaintTracking::Global<PossibleYearArithmeticOperationCheckConfig>;
|
||||
|
||||
@@ -31,7 +31,7 @@ where
|
||||
// If there is a data flow from the variable that was modified to a function that seems to check for leap year
|
||||
exists(VariableAccess source, ChecksForLeapYearFunctionCall fc |
|
||||
source = var.getAnAccess() and
|
||||
LeapYearCheckFlow::hasFlow(DataFlow::exprNode(source),
|
||||
LeapYearCheckFlow::flow(DataFlow::exprNode(source),
|
||||
DataFlow::exprNode(fc.getAnArgument()))
|
||||
)
|
||||
or
|
||||
@@ -39,7 +39,7 @@ where
|
||||
exists(VariableAccess vacheck, YearFieldAccess yfacheck, ChecksForLeapYearFunctionCall fc |
|
||||
vacheck = var.getAnAccess() and
|
||||
yfacheck.getQualifier() = vacheck and
|
||||
LeapYearCheckFlow::hasFlow(DataFlow::exprNode(yfacheck),
|
||||
LeapYearCheckFlow::flow(DataFlow::exprNode(yfacheck),
|
||||
DataFlow::exprNode(fc.getAnArgument()))
|
||||
)
|
||||
or
|
||||
|
||||
@@ -12,5 +12,5 @@ import cpp
|
||||
import NtohlArrayNoBound
|
||||
|
||||
from DataFlow::Node source, DataFlow::Node sink
|
||||
where NetworkToBufferSizeFlow::hasFlow(source, sink)
|
||||
where NetworkToBufferSizeFlow::flow(source, sink)
|
||||
select sink, "Unchecked use of data from network function $@.", source, source.toString()
|
||||
|
||||
@@ -161,4 +161,4 @@ private module NetworkToBufferSizeConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module NetworkToBufferSizeFlow = DataFlow::Make<NetworkToBufferSizeConfig>;
|
||||
module NetworkToBufferSizeFlow = DataFlow::Global<NetworkToBufferSizeConfig>;
|
||||
|
||||
@@ -25,17 +25,17 @@ module ExistsAnyFlowConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module ExistsAnyFlow = DataFlow::Make<ExistsAnyFlowConfig>;
|
||||
module ExistsAnyFlow = DataFlow::Global<ExistsAnyFlowConfig>;
|
||||
|
||||
bindingset[flag]
|
||||
predicate isOptionSet(ConstructorCall cc, int flag, FunctionCall fcSetOptions) {
|
||||
exists(VariableAccess contextSetOptions |
|
||||
ExistsAnyFlow::hasFlow(DataFlow::exprNode(cc), DataFlow::exprNode(contextSetOptions)) and
|
||||
ExistsAnyFlow::flow(DataFlow::exprNode(cc), DataFlow::exprNode(contextSetOptions)) and
|
||||
exists(BoostorgAsio::SslSetOptionsFunction f | f.getACallToThisFunction() = fcSetOptions |
|
||||
contextSetOptions = fcSetOptions.getQualifier() and
|
||||
forall(Expr optionArgument, Expr optionArgumentSource |
|
||||
optionArgument = fcSetOptions.getArgument(0) and
|
||||
BoostorgAsio::SslOptionFlow::hasFlow(DataFlow::exprNode(optionArgumentSource),
|
||||
BoostorgAsio::SslOptionFlow::flow(DataFlow::exprNode(optionArgumentSource),
|
||||
DataFlow::exprNode(optionArgument))
|
||||
|
|
||||
optionArgument.getValue().toInt().bitShiftRight(16).bitAnd(flag) = flag
|
||||
@@ -49,7 +49,7 @@ predicate isOptionNotSet(ConstructorCall cc, int flag) { not isOptionSet(cc, fla
|
||||
|
||||
from Expr protocolSource, Expr protocolSink, ConstructorCall cc, Expr e, string msg
|
||||
where
|
||||
BoostorgAsio::SslContextCallTlsProtocolFlow::hasFlow(DataFlow::exprNode(protocolSource),
|
||||
BoostorgAsio::SslContextCallTlsProtocolFlow::flow(DataFlow::exprNode(protocolSource),
|
||||
DataFlow::exprNode(protocolSink)) and
|
||||
cc.getArgument(0) = protocolSink and
|
||||
(
|
||||
|
||||
@@ -14,12 +14,12 @@ import semmle.code.cpp.security.boostorg.asio.protocols
|
||||
|
||||
from Expr protocolSource, Expr protocolSink, ConstructorCall cc
|
||||
where
|
||||
BoostorgAsio::SslContextCallFlow::hasFlow(DataFlow::exprNode(protocolSource),
|
||||
BoostorgAsio::SslContextCallFlow::flow(DataFlow::exprNode(protocolSource),
|
||||
DataFlow::exprNode(protocolSink)) and
|
||||
not BoostorgAsio::SslContextCallTlsProtocolFlow::hasFlow(DataFlow::exprNode(protocolSource),
|
||||
not BoostorgAsio::SslContextCallTlsProtocolFlow::flow(DataFlow::exprNode(protocolSource),
|
||||
DataFlow::exprNode(protocolSink)) and
|
||||
cc.getArgument(0) = protocolSink and
|
||||
BoostorgAsio::SslContextCallBannedProtocolFlow::hasFlow(DataFlow::exprNode(protocolSource),
|
||||
BoostorgAsio::SslContextCallBannedProtocolFlow::flow(DataFlow::exprNode(protocolSource),
|
||||
DataFlow::exprNode(protocolSink))
|
||||
select protocolSink, "Usage of $@ specifying a deprecated hardcoded protocol $@ in function $@.",
|
||||
cc, "boost::asio::ssl::context::context", protocolSource, protocolSource.toString(),
|
||||
|
||||
@@ -10,10 +10,10 @@ import ExternalAPIsSpecific
|
||||
|
||||
/** A node representing untrusted data being passed to an external API. */
|
||||
class UntrustedExternalApiDataNode extends ExternalApiDataNode {
|
||||
UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::hasFlow(_, this) }
|
||||
UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::flow(_, this) }
|
||||
|
||||
/** Gets a source of untrusted data which is passed to this external API data node. */
|
||||
DataFlow::Node getAnUntrustedSource() { UntrustedDataToExternalApiFlow::hasFlow(result, this) }
|
||||
DataFlow::Node getAnUntrustedSource() { UntrustedDataToExternalApiFlow::flow(result, this) }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for UntrustedExternalApiDataNode */
|
||||
|
||||
@@ -73,4 +73,4 @@ private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
|
||||
}
|
||||
|
||||
module UntrustedDataToExternalApiFlow = TaintTracking::Make<UntrustedDataToExternalApiConfig>;
|
||||
module UntrustedDataToExternalApiFlow = TaintTracking::Global<UntrustedDataToExternalApiConfig>;
|
||||
|
||||
@@ -16,7 +16,7 @@ import semmle.code.cpp.security.FlowSources
|
||||
import UntrustedDataToExternalApiFlow::PathGraph
|
||||
|
||||
from UntrustedDataToExternalApiFlow::PathNode source, UntrustedDataToExternalApiFlow::PathNode sink
|
||||
where UntrustedDataToExternalApiFlow::hasFlowPath(source, sink)
|
||||
where UntrustedDataToExternalApiFlow::flowPath(source, sink)
|
||||
select sink, source, sink,
|
||||
"Call to " + sink.getNode().(ExternalApiDataNode).getExternalFunction().toString() +
|
||||
" with untrusted data from $@.", source, source.getNode().(RemoteFlowSource).getSourceType()
|
||||
|
||||
@@ -15,7 +15,7 @@ import ExternalAPIs
|
||||
import UntrustedDataToExternalApiFlow::PathGraph
|
||||
|
||||
from UntrustedDataToExternalApiFlow::PathNode source, UntrustedDataToExternalApiFlow::PathNode sink
|
||||
where UntrustedDataToExternalApiFlow::hasFlowPath(source, sink)
|
||||
where UntrustedDataToExternalApiFlow::flowPath(source, sink)
|
||||
select sink, source, sink,
|
||||
"Call to " + sink.getNode().(ExternalApiDataNode).getExternalFunction().toString() +
|
||||
" with untrusted data from $@.", source, source.toString()
|
||||
|
||||
@@ -10,10 +10,10 @@ import ExternalAPIsSpecific
|
||||
|
||||
/** A node representing untrusted data being passed to an external API. */
|
||||
class UntrustedExternalApiDataNode extends ExternalApiDataNode {
|
||||
UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::hasFlow(_, this) }
|
||||
UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::flow(_, this) }
|
||||
|
||||
/** Gets a source of untrusted data which is passed to this external API data node. */
|
||||
DataFlow::Node getAnUntrustedSource() { UntrustedDataToExternalApiFlow::hasFlow(result, this) }
|
||||
DataFlow::Node getAnUntrustedSource() { UntrustedDataToExternalApiFlow::flow(result, this) }
|
||||
}
|
||||
|
||||
/** DEPRECATED: Alias for UntrustedExternalApiDataNode */
|
||||
|
||||
@@ -63,4 +63,4 @@ private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
|
||||
}
|
||||
|
||||
module UntrustedDataToExternalApiFlow = TaintTracking::Make<UntrustedDataToExternalApiConfig>;
|
||||
module UntrustedDataToExternalApiFlow = TaintTracking::Global<UntrustedDataToExternalApiConfig>;
|
||||
|
||||
@@ -90,7 +90,7 @@ module TaintedPathConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module TaintedPath = TaintTracking::Make<TaintedPathConfig>;
|
||||
module TaintedPath = TaintTracking::Global<TaintedPathConfig>;
|
||||
|
||||
from
|
||||
FileFunction fileFunction, Expr taintedArg, FlowSource taintSource,
|
||||
@@ -98,7 +98,7 @@ from
|
||||
where
|
||||
taintedArg = sinkNode.getNode().asIndirectArgument() and
|
||||
fileFunction.outermostWrapperFunctionCall(taintedArg, callChain) and
|
||||
TaintedPath::hasFlowPath(sourceNode, sinkNode) and
|
||||
TaintedPath::flowPath(sourceNode, sinkNode) and
|
||||
taintSource = sourceNode.getNode()
|
||||
select taintedArg, sourceNode, sinkNode,
|
||||
"This argument to a file access function is derived from $@ and then passed to " + callChain + ".",
|
||||
|
||||
@@ -76,7 +76,7 @@ class ExecState extends TExecState {
|
||||
DataFlow::Node getOutgoingNode() { result = outgoing }
|
||||
|
||||
/** Holds if this is a possible `ExecState` for `sink`. */
|
||||
predicate isFeasibleForSink(DataFlow::Node sink) { ExecState::hasFlow(outgoing, sink) }
|
||||
predicate isFeasibleForSink(DataFlow::Node sink) { ExecState::flow(outgoing, sink) }
|
||||
|
||||
string toString() { result = "ExecState" }
|
||||
}
|
||||
@@ -109,7 +109,7 @@ module ExecStateConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module ExecState = TaintTracking::Make<ExecStateConfig>;
|
||||
module ExecState = TaintTracking::Global<ExecStateConfig>;
|
||||
|
||||
module ExecTaintConfig implements DataFlow::StateConfigSig {
|
||||
class FlowState = TState;
|
||||
@@ -141,13 +141,13 @@ module ExecTaintConfig implements DataFlow::StateConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module ExecTaint = TaintTracking::MakeWithState<ExecTaintConfig>;
|
||||
module ExecTaint = TaintTracking::GlobalWithState<ExecTaintConfig>;
|
||||
|
||||
from
|
||||
ExecTaint::PathNode sourceNode, ExecTaint::PathNode sinkNode, string taintCause, string callChain,
|
||||
DataFlow::Node concatResult, Expr command
|
||||
where
|
||||
ExecTaint::hasFlowPath(sourceNode, sinkNode) and
|
||||
ExecTaint::flowPath(sourceNode, sinkNode) and
|
||||
taintCause = sourceNode.getNode().(FlowSource).getSourceType() and
|
||||
isSinkImpl(sinkNode.getNode(), command, callChain) and
|
||||
concatResult = sinkNode.getState().(ExecState).getOutgoingNode()
|
||||
|
||||
@@ -114,13 +114,13 @@ module ImproperArrayIndexValidationConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module ImproperArrayIndexValidation = TaintTracking::Make<ImproperArrayIndexValidationConfig>;
|
||||
module ImproperArrayIndexValidation = TaintTracking::Global<ImproperArrayIndexValidationConfig>;
|
||||
|
||||
from
|
||||
ImproperArrayIndexValidation::PathNode source, ImproperArrayIndexValidation::PathNode sink,
|
||||
string sourceType
|
||||
where
|
||||
ImproperArrayIndexValidation::hasFlowPath(source, sink) and
|
||||
ImproperArrayIndexValidation::flowPath(source, sink) and
|
||||
isFlowSource(source.getNode(), sourceType)
|
||||
select sink.getNode(), source, sink,
|
||||
"An array indexing expression depends on $@ that might be outside the bounds of the array.",
|
||||
|
||||
@@ -122,7 +122,7 @@ module UncontrolledArithConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module UncontrolledArith = TaintTracking::Make<UncontrolledArithConfig>;
|
||||
module UncontrolledArith = TaintTracking::Global<UncontrolledArithConfig>;
|
||||
|
||||
/** Gets the expression that corresponds to `node`, if any. */
|
||||
Expr getExpr(DataFlow::Node node) { result = [node.asExpr(), node.asDefiningArgument()] }
|
||||
@@ -131,7 +131,7 @@ from
|
||||
UncontrolledArith::PathNode source, UncontrolledArith::PathNode sink, VariableAccess va,
|
||||
string effect
|
||||
where
|
||||
UncontrolledArith::hasFlowPath(source, sink) and
|
||||
UncontrolledArith::flowPath(source, sink) and
|
||||
sink.getNode().asExpr() = va and
|
||||
missingGuard(va, effect)
|
||||
select sink.getNode(), source, sink,
|
||||
|
||||
@@ -95,14 +95,14 @@ module TaintedAllocationSizeConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module TaintedAllocationSize = TaintTracking::Make<TaintedAllocationSizeConfig>;
|
||||
module TaintedAllocationSize = TaintTracking::Global<TaintedAllocationSizeConfig>;
|
||||
|
||||
from
|
||||
Expr alloc, TaintedAllocationSize::PathNode source, TaintedAllocationSize::PathNode sink,
|
||||
string taintCause
|
||||
where
|
||||
isFlowSource(source.getNode(), taintCause) and
|
||||
TaintedAllocationSize::hasFlowPath(source, sink) and
|
||||
TaintedAllocationSize::flowPath(source, sink) and
|
||||
allocSink(alloc, sink.getNode())
|
||||
select alloc, source, sink, "This allocation size is derived from $@ and might overflow.",
|
||||
source.getNode(), "user input (" + taintCause + ")"
|
||||
|
||||
@@ -33,14 +33,14 @@ module VerifyResultConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module VerifyResult = DataFlow::Make<VerifyResultConfig>;
|
||||
module VerifyResult = DataFlow::Global<VerifyResultConfig>;
|
||||
|
||||
from
|
||||
DataFlow::Node source, DataFlow::Node sink1, DataFlow::Node sink2, GuardCondition guard, Expr c1,
|
||||
Expr c2, boolean testIsTrue
|
||||
where
|
||||
VerifyResult::hasFlow(source, sink1) and
|
||||
VerifyResult::hasFlow(source, sink2) and
|
||||
VerifyResult::flow(source, sink1) and
|
||||
VerifyResult::flow(source, sink2) and
|
||||
guard.comparesEq(sink1.asExpr(), c1, 0, false, testIsTrue) and // (value != c1) => testIsTrue
|
||||
guard.comparesEq(sink2.asExpr(), c2, 0, false, testIsTrue) and // (value != c2) => testIsTrue
|
||||
c1.getValue().toInt() = 0 and
|
||||
|
||||
@@ -49,7 +49,7 @@ module ToBufferConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { isSinkImpl(sink, _) }
|
||||
}
|
||||
|
||||
module ToBufferFlow = TaintTracking::Make<ToBufferConfig>;
|
||||
module ToBufferFlow = TaintTracking::Global<ToBufferConfig>;
|
||||
|
||||
predicate isSinkImpl(DataFlow::Node sink, SensitiveBufferWrite w) {
|
||||
w.getASource() = sink.asIndirectExpr()
|
||||
@@ -59,7 +59,7 @@ from
|
||||
SensitiveBufferWrite w, ToBufferFlow::PathNode sourceNode, ToBufferFlow::PathNode sinkNode,
|
||||
FlowSource source
|
||||
where
|
||||
ToBufferFlow::hasFlowPath(sourceNode, sinkNode) and
|
||||
ToBufferFlow::flowPath(sourceNode, sinkNode) and
|
||||
sourceNode.getNode() = source and
|
||||
isSinkImpl(sinkNode.getNode(), w)
|
||||
select w, sourceNode, sinkNode,
|
||||
|
||||
@@ -33,7 +33,7 @@ module FromSensitiveConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module FromSensitiveFlow = TaintTracking::Make<FromSensitiveConfig>;
|
||||
module FromSensitiveFlow = TaintTracking::Global<FromSensitiveConfig>;
|
||||
|
||||
predicate isSinkImpl(DataFlow::Node sink, FileWrite w, Expr dest) {
|
||||
exists(Expr e |
|
||||
@@ -81,7 +81,7 @@ from
|
||||
SensitiveExpr source, FromSensitiveFlow::PathNode sourceNode, FromSensitiveFlow::PathNode midNode,
|
||||
FileWrite w, Expr dest
|
||||
where
|
||||
FromSensitiveFlow::hasFlowPath(sourceNode, midNode) and
|
||||
FromSensitiveFlow::flowPath(sourceNode, midNode) and
|
||||
isSourceImpl(sourceNode.getNode(), source) and
|
||||
isSinkImpl(midNode.getNode(), w, dest)
|
||||
select w, sourceNode, midNode,
|
||||
|
||||
@@ -250,13 +250,13 @@ module FromSensitiveConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module FromSensitiveFlow = TaintTracking::Make<FromSensitiveConfig>;
|
||||
module FromSensitiveFlow = TaintTracking::Global<FromSensitiveConfig>;
|
||||
|
||||
/**
|
||||
* A taint flow configuration for flow from a sensitive expression to an encryption operation.
|
||||
*/
|
||||
module ToEncryptionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { FromSensitiveFlow::hasFlow(source, _) }
|
||||
predicate isSource(DataFlow::Node source) { FromSensitiveFlow::flow(source, _) }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { isSinkEncrypt(sink, _) }
|
||||
|
||||
@@ -271,7 +271,7 @@ module ToEncryptionConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module ToEncryptionFlow = TaintTracking::Make<ToEncryptionConfig>;
|
||||
module ToEncryptionFlow = TaintTracking::Global<ToEncryptionConfig>;
|
||||
|
||||
/**
|
||||
* A taint flow configuration for flow from an encryption operation to a network operation.
|
||||
@@ -279,25 +279,25 @@ module ToEncryptionFlow = TaintTracking::Make<ToEncryptionConfig>;
|
||||
module FromEncryptionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { isSinkEncrypt(source, _) }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { FromSensitiveFlow::hasFlowTo(sink) }
|
||||
predicate isSink(DataFlow::Node sink) { FromSensitiveFlow::flowTo(sink) }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) {
|
||||
node.asExpr().getUnspecifiedType() instanceof IntegralType
|
||||
}
|
||||
}
|
||||
|
||||
module FromEncryptionFlow = TaintTracking::Make<FromEncryptionConfig>;
|
||||
module FromEncryptionFlow = TaintTracking::Global<FromEncryptionConfig>;
|
||||
|
||||
from
|
||||
FromSensitiveFlow::PathNode source, FromSensitiveFlow::PathNode sink,
|
||||
NetworkSendRecv networkSendRecv, string msg
|
||||
where
|
||||
// flow from sensitive -> network data
|
||||
FromSensitiveFlow::hasFlowPath(source, sink) and
|
||||
FromSensitiveFlow::flowPath(source, sink) and
|
||||
isSinkSendRecv(sink.getNode(), networkSendRecv) and
|
||||
// no flow from sensitive -> evidence of encryption
|
||||
not ToEncryptionFlow::hasFlow(source.getNode(), _) and
|
||||
not FromEncryptionFlow::hasFlowTo(sink.getNode()) and
|
||||
not ToEncryptionFlow::flow(source.getNode(), _) and
|
||||
not FromEncryptionFlow::flowTo(sink.getNode()) and
|
||||
// construct result
|
||||
if networkSendRecv instanceof NetworkSend
|
||||
then
|
||||
|
||||
@@ -125,13 +125,13 @@ module FromSensitiveConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module FromSensitiveFlow = TaintTracking::Make<FromSensitiveConfig>;
|
||||
module FromSensitiveFlow = TaintTracking::Global<FromSensitiveConfig>;
|
||||
|
||||
from
|
||||
SensitiveExpr sensitive, FromSensitiveFlow::PathNode source, FromSensitiveFlow::PathNode sink,
|
||||
SqliteFunctionCall sqliteCall
|
||||
where
|
||||
FromSensitiveFlow::hasFlowPath(source, sink) and
|
||||
FromSensitiveFlow::flowPath(source, sink) and
|
||||
isSourceImpl(source.getNode(), sensitive) and
|
||||
isSinkImpl(sink.getNode(), sqliteCall, _)
|
||||
select sqliteCall, source, sink,
|
||||
|
||||
@@ -89,10 +89,10 @@ module HttpStringToUrlOpenConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module HttpStringToUrlOpen = TaintTracking::Make<HttpStringToUrlOpenConfig>;
|
||||
module HttpStringToUrlOpen = TaintTracking::Global<HttpStringToUrlOpenConfig>;
|
||||
|
||||
from HttpStringToUrlOpen::PathNode source, HttpStringToUrlOpen::PathNode sink, HttpStringLiteral str
|
||||
where
|
||||
HttpStringToUrlOpen::hasFlowPath(source, sink) and
|
||||
HttpStringToUrlOpen::flowPath(source, sink) and
|
||||
str = source.getNode().asIndirectExpr()
|
||||
select str, source, sink, "This URL may be constructed with the HTTP protocol."
|
||||
|
||||
@@ -46,13 +46,13 @@ module KeyStrengthFlowConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module KeyStrengthFlow = DataFlow::Make<KeyStrengthFlowConfig>;
|
||||
module KeyStrengthFlow = DataFlow::Global<KeyStrengthFlowConfig>;
|
||||
|
||||
from
|
||||
KeyStrengthFlow::PathNode source, KeyStrengthFlow::PathNode sink, FunctionCall fc, int param,
|
||||
string name, int minimumBits, int bits
|
||||
where
|
||||
KeyStrengthFlow::hasFlowPath(source, sink) and
|
||||
KeyStrengthFlow::flowPath(source, sink) and
|
||||
sink.getNode().asExpr() = fc.getArgument(param) and
|
||||
fc.getTarget().hasGlobalName(name) and
|
||||
minimumBits = getMinimumKeyStrength(name, param) and
|
||||
|
||||
@@ -64,7 +64,7 @@ module NullAppNameCreateProcessFunctionConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module NullAppNameCreateProcessFunction = DataFlow::Make<NullAppNameCreateProcessFunctionConfig>;
|
||||
module NullAppNameCreateProcessFunction = DataFlow::Global<NullAppNameCreateProcessFunctionConfig>;
|
||||
|
||||
/**
|
||||
* Dataflow that detects a call to CreateProcess with an unquoted commandLine argument
|
||||
@@ -85,7 +85,7 @@ module QuotedCommandInCreateProcessFunctionConfig implements DataFlow::ConfigSig
|
||||
}
|
||||
|
||||
module QuotedCommandInCreateProcessFunction =
|
||||
DataFlow::Make<QuotedCommandInCreateProcessFunctionConfig>;
|
||||
DataFlow::Global<QuotedCommandInCreateProcessFunctionConfig>;
|
||||
|
||||
bindingset[s]
|
||||
predicate isQuotedOrNoSpaceApplicationNameOnCmd(string s) {
|
||||
@@ -98,12 +98,12 @@ from CreateProcessFunctionCall call, string msg1, string msg2
|
||||
where
|
||||
exists(Expr appName |
|
||||
appName = call.getArgument(call.getApplicationNameArgumentId()) and
|
||||
NullAppNameCreateProcessFunction::hasFlowToExpr(appName) and
|
||||
NullAppNameCreateProcessFunction::flowToExpr(appName) and
|
||||
msg1 = call.toString() + " with lpApplicationName == NULL (" + appName + ")"
|
||||
) and
|
||||
exists(Expr cmd |
|
||||
cmd = call.getArgument(call.getCommandLineArgumentId()) and
|
||||
QuotedCommandInCreateProcessFunction::hasFlowToExpr(cmd) and
|
||||
QuotedCommandInCreateProcessFunction::flowToExpr(cmd) and
|
||||
msg2 =
|
||||
" and with an unquoted lpCommandLine (" + cmd +
|
||||
") introduces a security vulnerability if the path contains spaces."
|
||||
|
||||
@@ -30,15 +30,15 @@ module ExposedSystemDataConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module ExposedSystemData = TaintTracking::Make<ExposedSystemDataConfig>;
|
||||
module ExposedSystemData = TaintTracking::Global<ExposedSystemDataConfig>;
|
||||
|
||||
from ExposedSystemData::PathNode source, ExposedSystemData::PathNode sink
|
||||
where
|
||||
ExposedSystemData::hasFlowPath(source, sink) and
|
||||
ExposedSystemData::flowPath(source, sink) and
|
||||
not exists(
|
||||
DataFlow::Node alt // remove duplicate results on conversions
|
||||
|
|
||||
ExposedSystemData::hasFlow(source.getNode(), alt) and
|
||||
ExposedSystemData::flow(source.getNode(), alt) and
|
||||
alt.asConvertedExpr() = sink.getNode().asIndirectExpr() and
|
||||
alt != sink.getNode()
|
||||
)
|
||||
|
||||
@@ -51,9 +51,9 @@ module PotentiallyExposedSystemDataConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module PotentiallyExposedSystemData = TaintTracking::Make<PotentiallyExposedSystemDataConfig>;
|
||||
module PotentiallyExposedSystemData = TaintTracking::Global<PotentiallyExposedSystemDataConfig>;
|
||||
|
||||
from PotentiallyExposedSystemData::PathNode source, PotentiallyExposedSystemData::PathNode sink
|
||||
where PotentiallyExposedSystemData::hasFlowPath(source, sink)
|
||||
where PotentiallyExposedSystemData::flowPath(source, sink)
|
||||
select sink, source, sink, "This operation potentially exposes sensitive system data from $@.",
|
||||
source, source.getNode().toString()
|
||||
|
||||
@@ -45,9 +45,9 @@ module XxeConfig implements DataFlow::StateConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module XxeFlow = DataFlow::MakeWithState<XxeConfig>;
|
||||
module XxeFlow = DataFlow::GlobalWithState<XxeConfig>;
|
||||
|
||||
from XxeFlow::PathNode source, XxeFlow::PathNode sink
|
||||
where XxeFlow::hasFlowPath(source, sink)
|
||||
where XxeFlow::flowPath(source, sink)
|
||||
select sink, source, sink,
|
||||
"This $@ is not configured to prevent an XML external entity (XXE) attack.", source, "XML parser"
|
||||
|
||||
@@ -39,7 +39,7 @@ module NullDaclConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module NullDaclFlow = DataFlow::Make<NullDaclConfig>;
|
||||
module NullDaclFlow = DataFlow::Global<NullDaclConfig>;
|
||||
|
||||
/**
|
||||
* Dataflow that detects a call to SetSecurityDescriptorDacl with a pDacl
|
||||
@@ -70,7 +70,7 @@ module NonNullDaclConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module NonNullDaclFlow = DataFlow::Make<NonNullDaclConfig>;
|
||||
module NonNullDaclFlow = DataFlow::Global<NonNullDaclConfig>;
|
||||
|
||||
from SetSecurityDescriptorDaclFunctionCall call, string message
|
||||
where
|
||||
@@ -88,7 +88,7 @@ where
|
||||
" that is set to NULL will result in an unprotected object."
|
||||
|
|
||||
var = call.getArgument(2) and
|
||||
NullDaclFlow::hasFlowToExpr(var) and
|
||||
not NonNullDaclFlow::hasFlowToExpr(var)
|
||||
NullDaclFlow::flowToExpr(var) and
|
||||
not NonNullDaclFlow::flowToExpr(var)
|
||||
)
|
||||
select call, message
|
||||
|
||||
@@ -50,9 +50,9 @@ module WordexpTaintConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module WordexpTaint = TaintTracking::Make<WordexpTaintConfig>;
|
||||
module WordexpTaint = TaintTracking::Global<WordexpTaintConfig>;
|
||||
|
||||
from WordexpTaint::PathNode sourceNode, WordexpTaint::PathNode sinkNode
|
||||
where WordexpTaint::hasFlowPath(sourceNode, sinkNode)
|
||||
where WordexpTaint::flowPath(sourceNode, sinkNode)
|
||||
select sinkNode.getNode(), sourceNode, sinkNode,
|
||||
"Using user-supplied data in a `wordexp` command, without disabling command substitution, can make code vulnerable to command injection."
|
||||
|
||||
@@ -32,10 +32,10 @@ module MultToAllocConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module MultToAlloc = DataFlow::Make<MultToAllocConfig>;
|
||||
module MultToAlloc = DataFlow::Global<MultToAllocConfig>;
|
||||
|
||||
from MultToAlloc::PathNode source, MultToAlloc::PathNode sink
|
||||
where MultToAlloc::hasFlowPath(source, sink)
|
||||
where MultToAlloc::flowPath(source, sink)
|
||||
select sink, source, sink,
|
||||
"Potentially overflowing value from $@ is used in the size of this allocation.", source,
|
||||
"multiplication"
|
||||
|
||||
@@ -43,7 +43,7 @@ module FieldAddressToPointerArithmeticConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module FieldAddressToPointerArithmeticFlow = DataFlow::Make<FieldAddressToPointerArithmeticConfig>;
|
||||
module FieldAddressToPointerArithmeticFlow = DataFlow::Global<FieldAddressToPointerArithmeticConfig>;
|
||||
|
||||
predicate isFieldAddressSource(Field f, DataFlow::Node source) {
|
||||
source.asInstruction().(FieldAddressInstruction).getField() = f
|
||||
@@ -70,7 +70,7 @@ predicate isInvalidPointerDerefSink(DataFlow::Node sink, Instruction i, string o
|
||||
|
||||
predicate isConstantSizeOverflowSource(Field f, PointerAddInstruction pai, int delta) {
|
||||
exists(int size, int bound, DataFlow::Node source, DataFlow::InstructionNode sink |
|
||||
FieldAddressToPointerArithmeticFlow::hasFlow(source, sink) and
|
||||
FieldAddressToPointerArithmeticFlow::flow(source, sink) and
|
||||
isFieldAddressSource(f, source) and
|
||||
pai.getLeft() = sink.asInstruction() and
|
||||
f.getUnspecifiedType().(ArrayType).getArraySize() = size and
|
||||
@@ -90,13 +90,13 @@ module PointerArithmeticToDerefConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { isInvalidPointerDerefSink(sink, _, _) }
|
||||
}
|
||||
|
||||
module PointerArithmeticToDerefFlow = DataFlow::Make<PointerArithmeticToDerefConfig>;
|
||||
module PointerArithmeticToDerefFlow = DataFlow::Global<PointerArithmeticToDerefConfig>;
|
||||
|
||||
from
|
||||
Field f, PointerArithmeticToDerefFlow::PathNode source,
|
||||
PointerArithmeticToDerefFlow::PathNode sink, Instruction deref, string operation, int delta
|
||||
where
|
||||
PointerArithmeticToDerefFlow::hasFlowPath(source, sink) and
|
||||
PointerArithmeticToDerefFlow::flowPath(source, sink) and
|
||||
isInvalidPointerDerefSink(sink.getNode(), deref, operation) and
|
||||
isConstantSizeOverflowSource(f, source.getNode().asInstruction(), delta)
|
||||
select source, source, sink,
|
||||
|
||||
@@ -209,7 +209,7 @@ module InvalidPointerToDerefConfig implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { isInvalidPointerDerefSink(sink, _, _) }
|
||||
}
|
||||
|
||||
module InvalidPointerToDerefFlow = DataFlow::Make<InvalidPointerToDerefConfig>;
|
||||
module InvalidPointerToDerefFlow = DataFlow::Global<InvalidPointerToDerefConfig>;
|
||||
|
||||
/**
|
||||
* Holds if `pai` is a pointer-arithmetic operation and `source` is a dataflow node with a
|
||||
@@ -241,7 +241,7 @@ newtype TMergedPathNode =
|
||||
// pointer, but we want to raise an alert at the dereference.
|
||||
TPathNodeSink(Instruction i) {
|
||||
exists(DataFlow::Node n |
|
||||
InvalidPointerToDerefFlow::hasFlow(_, n) and
|
||||
InvalidPointerToDerefFlow::flow(_, n) and
|
||||
isInvalidPointerDerefSink(n, i, _)
|
||||
)
|
||||
}
|
||||
@@ -349,7 +349,7 @@ predicate hasFlowPath(
|
||||
|
|
||||
conf1.hasFlowPath(source1.asPathNode1(), _, sink1, _) and
|
||||
joinOn1(pai, sink1, source3) and
|
||||
InvalidPointerToDerefFlow::hasFlowPath(source3, sink3) and
|
||||
InvalidPointerToDerefFlow::flowPath(source3, sink3) and
|
||||
joinOn2(sink3, sink.asSinkNode(), operation)
|
||||
)
|
||||
}
|
||||
|
||||
@@ -16,7 +16,7 @@ import experimental.semmle.code.cpp.security.PrivateCleartextWrite::PrivateClear
|
||||
import WriteFlow::PathGraph
|
||||
|
||||
from WriteFlow::PathNode source, WriteFlow::PathNode sink
|
||||
where WriteFlow::hasFlowPath(source, sink)
|
||||
where WriteFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink,
|
||||
"This write into the external location '" + sink.getNode() +
|
||||
"' may contain unencrypted data from $@.", source, "this source of private data."
|
||||
|
||||
@@ -12,11 +12,11 @@ module LiteralToGethostbynameConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module LiteralToGethostbynameFlow = DataFlow::Make<LiteralToGethostbynameConfig>;
|
||||
module LiteralToGethostbynameFlow = DataFlow::Global<LiteralToGethostbynameConfig>;
|
||||
|
||||
from StringLiteral sl, FunctionCall fc, DataFlow::Node source, DataFlow::Node sink
|
||||
where
|
||||
source.asIndirectExpr(1) = sl and
|
||||
sink.asIndirectExpr(1) = fc.getArgument(0) and
|
||||
LiteralToGethostbynameFlow::hasFlow(source, sink)
|
||||
LiteralToGethostbynameFlow::flow(source, sink)
|
||||
select sl, fc
|
||||
|
||||
@@ -16,11 +16,11 @@ module GetenvToGethostbynameConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module GetenvToGethostbynameFlow = DataFlow::Make<GetenvToGethostbynameConfig>;
|
||||
module GetenvToGethostbynameFlow = DataFlow::Global<GetenvToGethostbynameConfig>;
|
||||
|
||||
from Expr getenv, FunctionCall fc, DataFlow::Node source, DataFlow::Node sink
|
||||
where
|
||||
source.asIndirectExpr(1) = getenv and
|
||||
sink.asIndirectExpr(1) = fc.getArgument(0) and
|
||||
GetenvToGethostbynameFlow::hasFlow(source, sink)
|
||||
GetenvToGethostbynameFlow::flow(source, sink)
|
||||
select getenv, fc
|
||||
|
||||
@@ -17,11 +17,11 @@ module EnvironmentToFileConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module EnvironmentToFileFlow = DataFlow::Make<EnvironmentToFileConfig>;
|
||||
module EnvironmentToFileFlow = DataFlow::Global<EnvironmentToFileConfig>;
|
||||
|
||||
from Expr getenv, Expr fopen, DataFlow::Node source, DataFlow::Node sink
|
||||
where
|
||||
source.asIndirectExpr(1) = getenv and
|
||||
sink.asIndirectExpr(1) = fopen and
|
||||
EnvironmentToFileFlow::hasFlow(source, sink)
|
||||
EnvironmentToFileFlow::flow(source, sink)
|
||||
select fopen, "This 'fopen' uses data from $@.", getenv, "call to 'getenv'"
|
||||
|
||||
@@ -30,9 +30,9 @@ module NetworkToBufferSizeConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module NetworkToBufferSizeFlow = TaintTracking::Make<NetworkToBufferSizeConfig>;
|
||||
module NetworkToBufferSizeFlow = TaintTracking::Global<NetworkToBufferSizeConfig>;
|
||||
|
||||
from DataFlow::Node ntohl, DataFlow::Node offset
|
||||
where NetworkToBufferSizeFlow::hasFlow(ntohl, offset)
|
||||
where NetworkToBufferSizeFlow::flow(ntohl, offset)
|
||||
select offset, "This array offset may be influenced by $@.", ntohl,
|
||||
"converted data from the network"
|
||||
|
||||
@@ -14,8 +14,8 @@ module TestConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module TestFlow = DataFlow::Make<TestConfig>;
|
||||
module TestFlow = DataFlow::Global<TestConfig>;
|
||||
|
||||
from DataFlow::Node sink, DataFlow::Node source
|
||||
where TestFlow::hasFlow(source, sink)
|
||||
where TestFlow::flow(source, sink)
|
||||
select sink, source
|
||||
|
||||
@@ -25,8 +25,8 @@ module TestConfig implements DataFlow::ConfigSig {
|
||||
}
|
||||
}
|
||||
|
||||
module TestFlow = DataFlow::Make<TestConfig>;
|
||||
module TestFlow = DataFlow::Global<TestConfig>;
|
||||
|
||||
from DataFlow::Node sink, DataFlow::Node source
|
||||
where TestFlow::hasFlow(source, sink)
|
||||
where TestFlow::flow(source, sink)
|
||||
select sink, source
|
||||
|
||||
@@ -7,8 +7,8 @@ module Cfg implements DataFlow::ConfigSig {
|
||||
predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof VariableAccess }
|
||||
}
|
||||
|
||||
module Flow = DataFlow::Make<Cfg>;
|
||||
module Flow = DataFlow::Global<Cfg>;
|
||||
|
||||
from Expr sink
|
||||
where Flow::hasFlowToExpr(sink)
|
||||
where Flow::flowToExpr(sink)
|
||||
select sink
|
||||
|
||||