C++: Add GVN.

Geoffrey White
2022-02-24 16:42:37 +00:00
parent 0bb9a95563
commit 899ae90ba4
3 changed files with 3 additions and 7 deletions


@@ -12,6 +12,7 @@
import cpp
import semmle.code.cpp.dataflow.TaintTracking
import semmle.code.cpp.valuenumbering.GlobalValueNumbering
import DataFlow::PathGraph
/**
@@ -61,7 +62,7 @@ class HttpStringToUrlOpenConfig extends TaintTracking::Configuration {
// block taint starting at `strstr`, which is likely testing an existing URL, rather than constructing an HTTP URL.
not exists(FunctionCall fc |
fc.getTarget().getName() = ["strstr", "strcasestr"] and
fc.getAnArgument() = src.asExpr()
fc.getArgument(1) = globalValueNumber(src.asExpr()).getAnExpr()
)
}
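Review bot: The new `strstr`/`strcasestr` exclusion matches by value rather than by flow, so it may drop more sources than the one being tested: `globalValueNumber(src.asExpr()).getAnExpr()` covers every expression sharing the literal's value number, and if identical string literals in one function are numbered together, a function that checks `strstr(url, "http://")` and separately builds a URL from another `"http://"` literal would lose the second source too. A test function containing both patterns would show whether that false negative exists. The comment above the `not exists` could also say that only the needle argument (`getArgument(1)`) is considered and that value-equivalent expressions are included, for example `// only the search string (argument 1) is matched, via value numbering, so a literal held in a variable is covered`. The enclosing predicate starts outside the hunk, so the rest of the source condition is not visible here.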


@@ -7,8 +7,6 @@ edges
| test.cpp:40:11:40:17 | access to array | test.cpp:11:26:11:28 | url |
| test.cpp:46:18:46:26 | http:// | test.cpp:49:11:49:16 | buffer |
| test.cpp:49:11:49:16 | buffer | test.cpp:11:26:11:28 | url |
| test.cpp:93:28:93:36 | http:// | test.cpp:104:11:104:13 | ptr |
| test.cpp:104:11:104:13 | ptr | test.cpp:11:26:11:28 | url |
| test.cpp:110:21:110:40 | http://example.com | test.cpp:121:11:121:13 | ptr |
| test.cpp:121:11:121:13 | ptr | test.cpp:11:26:11:28 | url |
nodes
@@ -21,8 +19,6 @@ nodes
| test.cpp:40:11:40:17 | access to array | semmle.label | access to array |
| test.cpp:46:18:46:26 | http:// | semmle.label | http:// |
| test.cpp:49:11:49:16 | buffer | semmle.label | buffer |
| test.cpp:93:28:93:36 | http:// | semmle.label | http:// |
| test.cpp:104:11:104:13 | ptr | semmle.label | ptr |
| test.cpp:110:21:110:40 | http://example.com | semmle.label | http://example.com |
| test.cpp:121:11:121:13 | ptr | semmle.label | ptr |
subpaths
@@ -31,5 +27,4 @@ subpaths
| test.cpp:35:23:35:42 | http://example.com | test.cpp:35:23:35:42 | http://example.com | test.cpp:15:30:15:32 | url | A URL may be constructed with the HTTP protocol. |
| test.cpp:36:26:36:45 | http://example.com | test.cpp:36:26:36:45 | http://example.com | test.cpp:15:30:15:32 | url | A URL may be constructed with the HTTP protocol. |
| test.cpp:46:18:46:26 | http:// | test.cpp:46:18:46:26 | http:// | test.cpp:15:30:15:32 | url | A URL may be constructed with the HTTP protocol. |
| test.cpp:93:28:93:36 | http:// | test.cpp:93:28:93:36 | http:// | test.cpp:15:30:15:32 | url | A URL may be constructed with the HTTP protocol. |
| test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com | test.cpp:15:30:15:32 | url | A URL may be constructed with the HTTP protocol. |


@@ -90,7 +90,7 @@ void test3(char *url)
void test4(char *url)
{
const char *https_string = "https://"; // GOOD (https)
const char *http_string = "http://"; // GOOD (we are not constructing the URL) [FALSE POSITIVE]
const char *http_string = "http://"; // GOOD (we are not constructing the URL)
char *ptr;
ptr = strstr(url, https_string);