C++: Fix new UnsafeDaclSecurityDescriptor FP

This query uses data flow for nullness analysis, which is always going
to be a large overapproximation. The overapproximation became too big
for one of the test cases after the recent change to make data flow go
across assignment by reference.

To make this query more conservative, it will now only report that the
`pDacl` argument can be null if there isn't also evidence that it can be
non-null.
Jonas Jensen
2019-04-02 11:31:12 +02:00
parent 71659594c8
commit 842aafc888
3 changed files with 86 additions and 6 deletions


@@ -89,4 +89,44 @@ void Test()
NULL, // DACL is going to be removed from security descriptor. Default/inherited access ==> should not be flagged
FALSE);
}
}
PACL returnUnknownAcl();
PACL returnNull() {
return NULL;
}
PACL returnMaybeAcl(bool b) {
PACL pDacl = NULL;
if (b) {
SetEntriesInAcl(0, NULL, NULL, &pDacl);
}
return pDacl;
}
void Test2()
{
PSECURITY_DESCRIPTOR pSecurityDescriptor;
PACL pDacl1 = returnUnknownAcl();
SetSecurityDescriptorDacl(
pSecurityDescriptor,
TRUE, // Dacl Present
pDacl1, // Give `returnUnknownAcl` the benefit of the doubt ==> should not be flagged
FALSE);
PACL pDacl2 = returnNull();
SetSecurityDescriptorDacl(
pSecurityDescriptor,
TRUE, // Dacl Present
pDacl2, // NULL pointer to DACL == BUG
FALSE);
PACL pDacl3 = returnMaybeAcl(true);
SetSecurityDescriptorDacl(
pSecurityDescriptor,
TRUE, // Dacl Present
pDacl3, // should not be flagged
FALSE);
}
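Review bot: `returnMaybeAcl` discards the return value of `SetEntriesInAcl`, so on the `b == true` path `pDacl` is still NULL if that call fails; the `pDacl3` case is annotated "should not be flagged", which is the conservative choice the commit message describes, but the comment on that line should say so explicitly (e.g. "// maybe-NULL: deliberately not flagged to avoid the overapproximation") so a later reader does not take it as a guarantee that the DACL is non-null. Also, `pSecurityDescriptor` in `Test2` is never initialized before being passed to `SetSecurityDescriptorDacl`; acceptable for an extraction-only test, but a short comment noting that would avoid it being read as part of the pattern under test.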


@@ -1,2 +1,3 @@
| UnsafeDaclSecurityDescriptor.cpp:70:9:70:33 | call to SetSecurityDescriptorDacl | Setting a DACL to NULL in a SECURITY_DESCRIPTOR will result in an unprotected object. |
| UnsafeDaclSecurityDescriptor.cpp:76:9:76:33 | call to SetSecurityDescriptorDacl | Setting a DACL to NULL in a SECURITY_DESCRIPTOR using variable pDacl that is set to NULL will result in an unprotected object. |
| UnsafeDaclSecurityDescriptor.cpp:120:5:120:29 | call to SetSecurityDescriptorDacl | Setting a DACL to NULL in a SECURITY_DESCRIPTOR using variable pDacl2 that is set to NULL will result in an unprotected object. |
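Review bot: the only new expected result is the `pDacl2` / `returnNull()` call at line 120, which confirms that the `pDacl1` (`returnUnknownAcl`) and `pDacl3` (`returnMaybeAcl(true)`) calls are now accepted; since the `pDacl3` omission is the intended trade-off rather than a proof of non-nullness, it is worth recording as an expected false negative next to the test source so that a future change to the nullness evidence check does not silently flip it. The query itself is the third changed file but is not shown here, so the "no evidence of non-null" condition that produces this result cannot be reviewed from this page.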