Merge pull request #11610 from jketema/scanf

C++: Model `scanf` and `fscanf` as flow sources
2026-05-04 13:15:21 +02:00 · 2022-12-08 19:14:39 +01:00
parent f373b7fe7c 8f9a73ee09
commit 89cd4790d5
8 changed files with 102 additions and 60 deletions
--- a/cpp/ql/lib/change-notes/2022-12-08-support-scanf-dataflow.md
+++ b/cpp/ql/lib/change-notes/2022-12-08-support-scanf-dataflow.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `scanf` and `fscanf` functions and their variants are now recognized as flow sources.
--- a/cpp/ql/lib/semmle/code/cpp/models/Models.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/Models.qll
@@ -27,7 +27,7 @@ private import implementations.StdString
 private import implementations.Swap
 private import implementations.GetDelim
 private import implementations.SmartPointer
-private import implementations.Sscanf
+private import implementations.Scanf
 private import implementations.Send
 private import implementations.Recv
 private import implementations.Accept
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Sscanf.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Sscanf.qll
@@ -1,6 +1,6 @@
 /**
- * Provides implementation classes modeling `sscanf`, `fscanf` and various similar
- * functions. See `semmle.code.cpp.models.Models` for usage information.
+ * Provides implementation classes modeling the `scanf` family of functions.
+ * See `semmle.code.cpp.models.Models` for usage information.
 */

 import semmle.code.cpp.Function
@@ -9,18 +9,15 @@ import semmle.code.cpp.models.interfaces.ArrayFunction
 import semmle.code.cpp.models.interfaces.Taint
 import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.SideEffect
+import semmle.code.cpp.models.interfaces.FlowSource

 /**
- * The standard function `sscanf`, `fscanf` and its assorted variants
+ * The `scanf` family of functions.
 */
-private class SscanfModel extends ArrayFunction, TaintFunction, AliasFunction, SideEffectFunction {
-  SscanfModel() { this instanceof Sscanf or this instanceof Fscanf or this instanceof Snscanf }
-
+abstract private class ScanfFunctionModel extends ArrayFunction, TaintFunction, AliasFunction,
+  SideEffectFunction {
  override predicate hasArrayWithNullTerminator(int bufParam) {
    bufParam = this.(ScanfFunction).getFormatParameterIndex()
-    or
-    not this instanceof Fscanf and
-    bufParam = this.(ScanfFunction).getInputParameterIndex()
  }

  override predicate hasArrayInput(int bufParam) { this.hasArrayWithNullTerminator(bufParam) }
@@ -36,7 +33,7 @@ private class SscanfModel extends ArrayFunction, TaintFunction, AliasFunction, S
    )
  }

-  private int getArgsStartPosition() { result = this.getNumberOfParameters() }
+  int getArgsStartPosition() { result = this.getNumberOfParameters() }

  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    input.isParameterDeref(this.(ScanfFunction).getInputParameterIndex()) and
@@ -70,3 +67,36 @@ private class SscanfModel extends ArrayFunction, TaintFunction, AliasFunction, S
      ]
  }
 }
+
+/**
+ * The standard function `scanf` and its assorted variants
+ */
+private class ScanfModel extends ScanfFunctionModel, LocalFlowSourceFunction instanceof Scanf {
+  override predicate hasLocalFlowSource(FunctionOutput output, string description) {
+    output.isParameterDeref(any(int i | i >= this.getArgsStartPosition())) and
+    description = "Value read by " + this.getName()
+  }
+}
+
+/**
+ * The standard function `fscanf` and its assorted variants
+ */
+private class FscanfModel extends ScanfFunctionModel, RemoteFlowSourceFunction instanceof Fscanf {
+  override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
+    output.isParameterDeref(any(int i | i >= this.getArgsStartPosition())) and
+    description = "Value read by " + this.getName()
+  }
+}
+
+/**
+ * The standard function `sscanf` and its assorted variants
+ */
+private class SscanfModel extends ScanfFunctionModel {
+  SscanfModel() { this instanceof Sscanf or this instanceof Snscanf }
+
+  override predicate hasArrayWithNullTerminator(int bufParam) {
+    super.hasArrayWithNullTerminator(bufParam)
+    or
+    bufParam = this.(ScanfFunction).getInputParameterIndex()
+  }
+}
--- a/cpp/ql/test/library-tests/dataflow/source-sink-tests/local-flow.ql
+++ b/cpp/ql/test/library-tests/dataflow/source-sink-tests/local-flow.ql
@@ -11,8 +11,20 @@ class LocalFlowSourceTest extends InlineExpectationsTest {

  override predicate hasActualResult(Location location, string element, string tag, string value) {
    tag = "local_source" and
-    value = "" and
-    exists(LocalFlowSource node |
+    exists(LocalFlowSource node, int n |
+      n =
+        strictcount(LocalFlowSource otherNode |
+          node.getLocation().getStartLine() = otherNode.getLocation().getStartLine()
+        ) and
+      (
+        n = 1 and value = ""
+        or
+        // If there is more than one node on this line
+        // we specify the location explicitly.
+        n > 1 and
+        value =
+          node.getLocation().getStartLine().toString() + ":" + node.getLocation().getStartColumn()
+      ) and
      location = node.getLocation() and
      element = node.toString()
    )
--- a/cpp/ql/test/library-tests/dataflow/source-sink-tests/remote-flow.ql
+++ b/cpp/ql/test/library-tests/dataflow/source-sink-tests/remote-flow.ql
@@ -11,8 +11,20 @@ class RemoteFlowSourceTest extends InlineExpectationsTest {

  override predicate hasActualResult(Location location, string element, string tag, string value) {
    tag = "remote_source" and
-    value = "" and
-    exists(RemoteFlowSource node |
+    exists(RemoteFlowSource node, int n |
+      n =
+        strictcount(RemoteFlowSource otherNode |
+          node.getLocation().getStartLine() = otherNode.getLocation().getStartLine()
+        ) and
+      (
+        n = 1 and value = ""
+        or
+        // If there is more than one node on this line
+        // we specify the location explicitly.
+        n > 1 and
+        value =
+          node.getLocation().getStartLine().toString() + ":" + node.getLocation().getStartColumn()
+      ) and
      location = node.getLocation() and
      element = node.toString()
    )
@@ -26,8 +38,20 @@ class RemoteFlowSinkTest extends InlineExpectationsTest {

  override predicate hasActualResult(Location location, string element, string tag, string value) {
    tag = "remote_sink" and
-    value = "" and
-    exists(RemoteFlowSink node |
+    exists(RemoteFlowSink node, int n |
+      n =
+        strictcount(RemoteFlowSink otherNode |
+          node.getLocation().getStartLine() = otherNode.getLocation().getStartLine()
+        ) and
+      (
+        n = 1 and value = ""
+        or
+        // If there is more than one node on this line
+        // we specify the location explicitly.
+        n > 1 and
+        value =
+          node.getLocation().getStartLine().toString() + ":" + node.getLocation().getStartColumn()
+      ) and
      location = node.getLocation() and
      element = node.toString()
    )
--- a/cpp/ql/test/library-tests/dataflow/source-sink-tests/sources-and-sinks.cpp
+++ b/cpp/ql/test/library-tests/dataflow/source-sink-tests/sources-and-sinks.cpp
@@ -26,3 +26,17 @@ void test_readv_and_writev(iovec* iovs) {
  readv(0, iovs, 16); // $ remote_source
  writev(0, iovs, 16); // $ remote_sink
 }
+
+struct FILE;
+
+int fscanf(FILE *stream, const char *format, ...);
+int scanf(const char *format, ...);
+
+void test_scanf(FILE *stream, int *d, char *buf) {
+  scanf(""); // Not a local source, as there are no output arguments
+  fscanf(stream, ""); // Not a remote source, as there are no output arguments
+  scanf("%d", d); // $ local_source
+  fscanf(stream, "%d", d);  // $ remote_source
+  scanf("%d %s", d, buf); // $ local_source=40:18 local_source=40:21
+  fscanf(stream, "%d %s", d, buf);  // $ remote_source=41:27 remote_source=41:30
+}
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-022/semmle/tests/TaintedPath.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-022/semmle/tests/TaintedPath.expected
@@ -1,7 +1,6 @@
 edges
 | test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName indirection |
 | test.c:31:22:31:25 | argv | test.c:32:11:32:18 | fileName indirection |
-| test.c:37:17:37:24 | fileName | test.c:38:11:38:18 | fileName indirection |
 | test.c:37:17:37:24 | scanf output argument | test.c:38:11:38:18 | fileName indirection |
 | test.c:43:17:43:24 | fileName | test.c:44:11:44:18 | fileName indirection |
 | test.c:43:17:43:24 | scanf output argument | test.c:44:11:44:18 | fileName indirection |
@@ -10,7 +9,6 @@ nodes
 | test.c:17:11:17:18 | fileName indirection | semmle.label | fileName indirection |
 | test.c:31:22:31:25 | argv | semmle.label | argv |
 | test.c:32:11:32:18 | fileName indirection | semmle.label | fileName indirection |
-| test.c:37:17:37:24 | fileName | semmle.label | fileName |
 | test.c:37:17:37:24 | scanf output argument | semmle.label | scanf output argument |
 | test.c:38:11:38:18 | fileName indirection | semmle.label | fileName indirection |
 | test.c:43:17:43:24 | fileName | semmle.label | fileName |
@@ -20,5 +18,5 @@ subpaths
 #select
 | test.c:17:11:17:18 | fileName | test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:9:23:9:26 | argv | user input (argv) |
 | test.c:32:11:32:18 | fileName | test.c:31:22:31:25 | argv | test.c:32:11:32:18 | fileName indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:31:22:31:25 | argv | user input (argv) |
-| test.c:38:11:38:18 | fileName | test.c:37:17:37:24 | fileName | test.c:38:11:38:18 | fileName indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:37:17:37:24 | fileName | user input (scanf) |
+| test.c:38:11:38:18 | fileName | test.c:37:17:37:24 | scanf output argument | test.c:38:11:38:18 | fileName indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:37:17:37:24 | fileName | user input (scanf) |
 | test.c:44:11:44:18 | fileName | test.c:43:17:43:24 | fileName | test.c:44:11:44:18 | fileName indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:43:17:43:24 | fileName | user input (scanf) |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.expected
@@ -7,42 +7,12 @@ edges
 | tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
 | tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array indirection |
 | tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array indirection |
-| tests.c:28:22:28:25 | argv | tests.c:31:15:31:23 | buffer100 |
-| tests.c:28:22:28:25 | argv | tests.c:31:15:31:23 | buffer100 |
-| tests.c:28:22:28:25 | argv | tests.c:31:15:31:23 | buffer100 indirection |
-| tests.c:28:22:28:25 | argv | tests.c:31:15:31:23 | buffer100 indirection |
-| tests.c:28:22:28:25 | argv | tests.c:33:21:33:29 | buffer100 |
-| tests.c:28:22:28:25 | argv | tests.c:33:21:33:29 | buffer100 |
-| tests.c:28:22:28:25 | argv | tests.c:33:21:33:29 | buffer100 indirection |
-| tests.c:28:22:28:25 | argv | tests.c:33:21:33:29 | buffer100 indirection |
 | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
 | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
 | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
 | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
 | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array indirection |
 | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array indirection |
-| tests.c:29:28:29:31 | argv | tests.c:31:15:31:23 | buffer100 |
-| tests.c:29:28:29:31 | argv | tests.c:31:15:31:23 | buffer100 |
-| tests.c:29:28:29:31 | argv | tests.c:31:15:31:23 | buffer100 indirection |
-| tests.c:29:28:29:31 | argv | tests.c:31:15:31:23 | buffer100 indirection |
-| tests.c:29:28:29:31 | argv | tests.c:33:21:33:29 | buffer100 |
-| tests.c:29:28:29:31 | argv | tests.c:33:21:33:29 | buffer100 |
-| tests.c:29:28:29:31 | argv | tests.c:33:21:33:29 | buffer100 indirection |
-| tests.c:29:28:29:31 | argv | tests.c:33:21:33:29 | buffer100 indirection |
-| tests.c:31:15:31:23 | array to pointer conversion | tests.c:31:15:31:23 | buffer100 |
-| tests.c:31:15:31:23 | array to pointer conversion | tests.c:31:15:31:23 | buffer100 indirection |
-| tests.c:31:15:31:23 | array to pointer conversion | tests.c:33:21:33:29 | buffer100 |
-| tests.c:31:15:31:23 | array to pointer conversion | tests.c:33:21:33:29 | buffer100 indirection |
-| tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | buffer100 |
-| tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | buffer100 indirection |
-| tests.c:31:15:31:23 | buffer100 | tests.c:33:21:33:29 | buffer100 |
-| tests.c:31:15:31:23 | buffer100 | tests.c:33:21:33:29 | buffer100 indirection |
-| tests.c:31:15:31:23 | scanf output argument | tests.c:33:21:33:29 | buffer100 |
-| tests.c:31:15:31:23 | scanf output argument | tests.c:33:21:33:29 | buffer100 indirection |
-| tests.c:33:21:33:29 | array to pointer conversion | tests.c:33:21:33:29 | buffer100 |
-| tests.c:33:21:33:29 | array to pointer conversion | tests.c:33:21:33:29 | buffer100 indirection |
-| tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | buffer100 |
-| tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | buffer100 indirection |
 | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | (const char *)... |
 | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | (const char *)... |
 | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
@@ -65,16 +35,11 @@ nodes
 | tests.c:29:28:29:34 | access to array | semmle.label | access to array |
 | tests.c:29:28:29:34 | access to array indirection | semmle.label | access to array indirection |
 | tests.c:31:15:31:23 | array to pointer conversion | semmle.label | array to pointer conversion |
-| tests.c:31:15:31:23 | array to pointer conversion | semmle.label | array to pointer conversion |
 | tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 |
 | tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 |
-| tests.c:31:15:31:23 | buffer100 indirection | semmle.label | buffer100 indirection |
-| tests.c:31:15:31:23 | scanf output argument | semmle.label | scanf output argument |
-| tests.c:33:21:33:29 | array to pointer conversion | semmle.label | array to pointer conversion |
 | tests.c:33:21:33:29 | array to pointer conversion | semmle.label | array to pointer conversion |
 | tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 |
 | tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 |
-| tests.c:33:21:33:29 | buffer100 indirection | semmle.label | buffer100 indirection |
 | tests.c:34:10:34:13 | argv | semmle.label | argv |
 | tests.c:34:10:34:13 | argv | semmle.label | argv |
 | tests.c:34:10:34:16 | (const char *)... | semmle.label | (const char *)... |
@@ -84,11 +49,6 @@ nodes
 #select
 | tests.c:28:3:28:9 | call to sprintf | tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:28:22:28:25 | argv | argv |
 | tests.c:29:3:29:9 | call to sprintf | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:29:28:29:31 | argv | argv |
-| tests.c:31:15:31:23 | buffer100 | tests.c:28:22:28:25 | argv | tests.c:31:15:31:23 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:28:22:28:25 | argv | argv |
-| tests.c:31:15:31:23 | buffer100 | tests.c:29:28:29:31 | argv | tests.c:31:15:31:23 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:29:28:29:31 | argv | argv |
 | tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:31:15:31:23 | buffer100 | buffer100 |
-| tests.c:33:21:33:29 | buffer100 | tests.c:28:22:28:25 | argv | tests.c:33:21:33:29 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:28:22:28:25 | argv | argv |
-| tests.c:33:21:33:29 | buffer100 | tests.c:29:28:29:31 | argv | tests.c:33:21:33:29 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:29:28:29:31 | argv | argv |
-| tests.c:33:21:33:29 | buffer100 | tests.c:31:15:31:23 | buffer100 | tests.c:33:21:33:29 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:31:15:31:23 | buffer100 | buffer100 |
 | tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:33:21:33:29 | buffer100 | buffer100 |
 | tests.c:34:25:34:33 | buffer100 | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array | This 'sscanf string argument' with input from $@ may overflow the destination. | tests.c:34:10:34:13 | argv | argv |