From 899ae90ba412eb0e86a414e67a55d040ecfa94a3 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Thu, 24 Feb 2022 16:42:37 +0000
Subject: [PATCH] C++: Add GVN.
---
 cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql | 3 ++-
 .../Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected | 5 -----
 .../test/query-tests/Security/CWE/CWE-319/UseOfHttp/test.cpp | 2 +-
 3 files changed, 3 insertions(+), 7 deletions(-)
diff --git a/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql b/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
index e451ef1c626..1410873a06b 100644
--- a/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
+++ b/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
@@ -12,6 +12,7 @@
 import cpp
 import semmle.code.cpp.dataflow.TaintTracking
+import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 import DataFlow::PathGraph
 /**
@@ -61,7 +62,7 @@ class HttpStringToUrlOpenConfig extends TaintTracking::Configuration {
 // block taint starting at `strstr`, which is likely testing an existing URL, rather than constructing an HTTP URL.
 not exists(FunctionCall fc |
 fc.getTarget().getName() = ["strstr", "strcasestr"] and
- fc.getAnArgument() = src.asExpr()
+ fc.getArgument(1) = globalValueNumber(src.asExpr()).getAnExpr()
 )
 }
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected
index da627962ee2..3203e72e426 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected
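Review bot: The new condition `fc.getArgument(1) = globalValueNumber(src.asExpr()).getAnExpr()` excludes the source whenever any expression in the function that shares the literal's global value number is passed as a `strstr`/`strcasestr` needle, not only the literal itself, so a function that both checks `strstr(url, http_string)` and later builds a URL from `http_string` is now silently dropped; that value-level (rather than use-level) scope of the heuristic is what the removed `[FALSE POSITIVE]` case at test.cpp:93 relies on, and it deserves a dedicated test case so the trade-off is recorded. The comment on the first context line still describes the pre-GVN behaviour; I would reword it to `// block taint from a string value used as the needle argument of strstr/strcasestr (matched by global value number, so a variable initialised from the literal also counts) — this is likely testing an existing URL rather than constructing one.` Narrowing `getAnArgument()` to `getArgument(1)` is correct for both functions, since the needle is their second parameter, and it stops the haystack from triggering the exclusion. The head of the enclosing predicate is outside the hunk.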
@@ -7,8 +7,6 @@ edges
 | test.cpp:40:11:40:17 | access to array | test.cpp:11:26:11:28 | url |
 | test.cpp:46:18:46:26 | http:// | test.cpp:49:11:49:16 | buffer |
 | test.cpp:49:11:49:16 | buffer | test.cpp:11:26:11:28 | url |
-| test.cpp:93:28:93:36 | http:// | test.cpp:104:11:104:13 | ptr |
-| test.cpp:104:11:104:13 | ptr | test.cpp:11:26:11:28 | url |
 | test.cpp:110:21:110:40 | http://example.com | test.cpp:121:11:121:13 | ptr |
 | test.cpp:121:11:121:13 | ptr | test.cpp:11:26:11:28 | url |
 nodes
@@ -21,8 +19,6 @@ nodes
 | test.cpp:40:11:40:17 | access to array | semmle.label | access to array |
 | test.cpp:46:18:46:26 | http:// | semmle.label | http:// |
 | test.cpp:49:11:49:16 | buffer | semmle.label | buffer |
-| test.cpp:93:28:93:36 | http:// | semmle.label | http:// |
-| test.cpp:104:11:104:13 | ptr | semmle.label | ptr |
 | test.cpp:110:21:110:40 | http://example.com | semmle.label | http://example.com |
 | test.cpp:121:11:121:13 | ptr | semmle.label | ptr |
 subpaths
@@ -31,5 +27,4 @@ subpaths
 | test.cpp:35:23:35:42 | http://example.com | test.cpp:35:23:35:42 | http://example.com | test.cpp:15:30:15:32 | url | A URL may be constructed with the HTTP protocol. |
 | test.cpp:36:26:36:45 | http://example.com | test.cpp:36:26:36:45 | http://example.com | test.cpp:15:30:15:32 | url | A URL may be constructed with the HTTP protocol. |
 | test.cpp:46:18:46:26 | http:// | test.cpp:46:18:46:26 | http:// | test.cpp:15:30:15:32 | url | A URL may be constructed with the HTTP protocol. |
-| test.cpp:93:28:93:36 | http:// | test.cpp:93:28:93:36 | http:// | test.cpp:15:30:15:32 | url | A URL may be constructed with the HTTP protocol. |
 | test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com | test.cpp:15:30:15:32 | url | A URL may be constructed with the HTTP protocol. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/test.cpp
index 91859431c00..2aac68564d0 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/test.cpp
@@ -90,7 +90,7 @@ void test3(char *url)
 void test4(char *url)
 {
 const char *https_string = "https://"; // GOOD (https)
- const char *http_string = "http://"; // GOOD (we are not constructing the URL) [FALSE POSITIVE]
+ const char *http_string = "http://"; // GOOD (we are not constructing the URL)
 char *ptr;
 ptr = strstr(url, https_string);