hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

[CPP-370] Intermediate commit, file not in usable state.

Browse Source
This commit is contained in:
Ziemowit Laski
2019-04-29 13:55:49 -07:00
parent d8b8dda439
commit 91902e52f6
1 changed files with 0 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql
View File

@@ -42,16 +42,8 @@ predicate whitelistFunction(Function f, int arg) {
(arg = 1 or arg = 2)
}
<<<<<<< HEAD
predicate whitelisted(FunctionCall fc) {
exists(Function f, int arg | f = fc.getTarget() | whitelistFunction(f, arg))
=======
predicate underscoreMacro(Expr e) {
exists(MacroInvocation mi |
mi.getMacroName() = "_" and
mi.getExpr() = e
)
>>>>>>> [CPP-370] First attempt at isAdditionalFlowStep().
}
predicate isNonConst(DataFlow::Node node) {
@@ -96,26 +88,11 @@ predicate isNonConst(DataFlow::Node node) {
)
)
or
<<<<<<< HEAD
node instanceof DataFlow::DefinitionByReferenceNode
}
class NonConstFlow extends TaintTracking::Configuration {
NonConstFlow() { this = "NonConstFlow" }
=======
// we let the '_' macro through regardless of what it points at
underscoreMacro(e)
}
predicate isConst(Expr e) {
e instanceof StringLiteral
or
whitelisted(e)
}
class ConstFlow extends DataFlow::Configuration {
ConstFlow() { this = "ConstFlow" }
>>>>>>> [CPP-370] First attempt at isAdditionalFlowStep().
override predicate isSource(DataFlow::Node source) { isNonConst(source) }
@@ -124,20 +101,6 @@ class ConstFlow extends DataFlow::Configuration {
sink.asExpr() = fc.getArgument(fc.getFormatParameterIndex())
)
}
override predicate isAdditionalFlowStep(DataFlow::Node source, DataFlow::Node sink) {
none()
or
// an element picked from an array of string literals is a string literal
exists(Variable v, int a |
a = sink.asExpr().(ArrayExpr).getArrayOffset().getValue().toInt() and
v = sink.asExpr().(ArrayExpr).getArrayBase().(VariableAccess).getTarget()
|
// we disallow parameters, since they may be bound to unsafe arguments
// at various call sites.
not v instanceof Parameter and source.asExpr() instanceof StringLiteral
)
}
}
from FormattingFunctionCall call, Expr formatString