Thanks to @owen-mc that provided a good solution of that I couldn't solve that myself

2025-12-18 09:43:15 +01:00 · 2023-11-21 20:14:54 +01:00
parent b8c800608e
commit 75e01d3648
2 changed files with 27 additions and 17 deletions
--- a/go/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.ql
+++ b/go/ql/src/experimental/CWE-522-DecompressionBombs/DecompressionBombs.ql
@@ -48,17 +48,41 @@ module DecompressionBombsConfig implements DataFlow::StateConfigSig {
  }

  predicate isBarrier(DataFlow::Node node) {
-    // here I want to the CopyN return value be compared with < or > but I can't reach the tainted result
+    // `io.CopyN` should not be a sink if its return value flows to a
+    // comparison (<, >, <=, >=).
    exists(Function f, DataFlow::CallNode cn |
      f.hasQualifiedName("io", "CopyN") and cn = f.getACall()
    |
      node = cn.getArgument(1) and
-      TaintTracking::localTaint(cn.getResult(0),
-        any(DataFlow::RelationalComparisonNode rcn).getAnOperand())
+      localStep*(cn.getResult(0), any(DataFlow::RelationalComparisonNode rcn).getAnOperand())
    )
  }
 }

+/**
+ * Holds if the value of `pred` can flow into `succ` in one step through an
+ * arithmetic operation (other than remainder).
+ *
+ * Note: this predicate is copied from AllocationSizeOverflow. When this query
+ * is promoted it should be put in a shared location.
+ */
+predicate additionalStep(DataFlow::Node pred, DataFlow::Node succ) {
+  succ.asExpr().(ArithmeticExpr).getAnOperand() = pred.asExpr() and
+  not succ.asExpr() instanceof RemExpr
+}
+
+/**
+ * Holds if the value of `pred` can flow into `succ` in one step, either by a standard taint step
+ * or by an additional step.
+ *
+ * Note: this predicate is copied from AllocationSizeOverflow. When this query
+ * is promoted it should be put in a shared location.
+ */
+predicate localStep(DataFlow::Node pred, DataFlow::Node succ) {
+  TaintTracking::localTaintStep(pred, succ) or
+  additionalStep(pred, succ)
+}
+
 module DecompressionBombsFlow = TaintTracking::GlobalWithState<DecompressionBombsConfig>;

 import DecompressionBombsFlow::PathGraph
--- a/go/ql/test/experimental/CWE-522-DecompressionBombs/DecompressionBombs.expected
+++ b/go/ql/test/experimental/CWE-522-DecompressionBombs/DecompressionBombs.expected
@@ -3,13 +3,7 @@ edges
 | test.go:58:15:58:26 | selection of Body | test.go:136:19:136:22 | definition of file |
 | test.go:59:16:59:27 | selection of Body | test.go:147:20:147:23 | definition of file |
 | test.go:60:16:60:46 | call to FormValue | test.go:106:20:106:27 | definition of filename |
-| test.go:61:20:61:48 | call to PostFormValue | test.go:77:24:77:31 | definition of filename |
 | test.go:63:13:63:24 | selection of Body | test.go:97:17:97:19 | definition of src |
-| test.go:77:24:77:31 | definition of filename | test.go:78:25:78:32 | filename |
-| test.go:78:2:78:33 | ... := ...[0] | test.go:81:12:81:12 | f |
-| test.go:78:25:78:32 | filename | test.go:78:2:78:33 | ... := ...[0] |
-| test.go:81:3:81:19 | ... := ...[0] | test.go:83:37:83:38 | rc |
-| test.go:81:12:81:12 | f | test.go:81:3:81:19 | ... := ...[0] |
 | test.go:97:17:97:19 | definition of src | test.go:98:29:98:31 | src |
 | test.go:98:2:98:32 | ... := ...[0] | test.go:102:11:102:26 | type conversion |
 | test.go:98:29:98:31 | src | test.go:98:2:98:32 | ... := ...[0] |
@@ -164,14 +158,7 @@ nodes
 | test.go:58:15:58:26 | selection of Body | semmle.label | selection of Body |
 | test.go:59:16:59:27 | selection of Body | semmle.label | selection of Body |
 | test.go:60:16:60:46 | call to FormValue | semmle.label | call to FormValue |
-| test.go:61:20:61:48 | call to PostFormValue | semmle.label | call to PostFormValue |
 | test.go:63:13:63:24 | selection of Body | semmle.label | selection of Body |
-| test.go:77:24:77:31 | definition of filename | semmle.label | definition of filename |
-| test.go:78:2:78:33 | ... := ...[0] | semmle.label | ... := ...[0] |
-| test.go:78:25:78:32 | filename | semmle.label | filename |
-| test.go:81:3:81:19 | ... := ...[0] | semmle.label | ... := ...[0] |
-| test.go:81:12:81:12 | f | semmle.label | f |
-| test.go:83:37:83:38 | rc | semmle.label | rc |
 | test.go:97:17:97:19 | definition of src | semmle.label | definition of src |
 | test.go:98:2:98:32 | ... := ...[0] | semmle.label | ... := ...[0] |
 | test.go:98:29:98:31 | src | semmle.label | src |
@@ -311,7 +298,6 @@ nodes
 | test.go:297:25:297:31 | tarRead | semmle.label | tarRead |
 subpaths
 #select
-| test.go:83:37:83:38 | rc | test.go:61:20:61:48 | call to PostFormValue | test.go:83:37:83:38 | rc | This decompression is $@. | test.go:61:20:61:48 | call to PostFormValue | decompressing compressed data without managing output size |
 | test.go:103:23:103:28 | newSrc | test.go:63:13:63:24 | selection of Body | test.go:103:23:103:28 | newSrc | This decompression is $@. | test.go:63:13:63:24 | selection of Body | decompressing compressed data without managing output size |
 | test.go:112:37:112:38 | rc | test.go:60:16:60:46 | call to FormValue | test.go:112:37:112:38 | rc | This decompression is $@. | test.go:60:16:60:46 | call to FormValue | decompressing compressed data without managing output size |
 | test.go:125:37:125:38 | rc | test.go:60:16:60:46 | call to FormValue | test.go:125:37:125:38 | rc | This decompression is $@. | test.go:60:16:60:46 | call to FormValue | decompressing compressed data without managing output size |