Incremental update to NonConstantFormat.ql

This commit is contained in:
Benjamin Rodes
2024-02-02 16:06:59 -05:00
parent 643817e74e
commit 9577c35d85
2 changed files with 34 additions and 46 deletions


@@ -17,6 +17,11 @@
import semmle.code.cpp.ir.dataflow.TaintTracking
import semmle.code.cpp.commons.Printf
import semmle.code.cpp.security.FlowSources
class UncalledFunction extends Function {
UncalledFunction() { not exists(Call c | c.getTarget() = this) }
}
// For the following `...gettext` functions, we assume that
// all translations preserve the type and order of `%` specifiers
@@ -79,38 +84,23 @@ predicate isNonConst(DataFlow::Node node, boolean isIndirect) {
)
)
or
exists(Parameter p | p = e.(VariableAccess).getTarget() |
p.getFunction().getName() = "main" and p.getType() instanceof PointerType
)
or
e instanceof CrementOperation
or
e instanceof AddressOfExpr
or
e instanceof ReferenceToExpr
or
e instanceof AssignPointerAddExpr
or
e instanceof AssignPointerSubExpr
or
e instanceof PointerArithmeticOperation
or
e instanceof FieldAccess
or
e instanceof PointerDereferenceExpr
or
e instanceof AddressOfExpr
or
e instanceof ExprCall
or
e instanceof NewArrayExpr
or
exists(Variable v | v = e.(VariableAccess).getTarget() |
v.getType().(ArrayType).getBaseType() instanceof CharType and
exists(AssignExpr ae |
ae.getLValue().(ArrayExpr).getArrayBase().(VariableAccess).getTarget() = v
)
)
or
exists(UncalledFunction f, Parameter p| f.getAParameter() = p |
p = e.(VariableAccess).getTarget())
or
node instanceof FlowSource
or
(
node instanceof DataFlow::DefinitionByReferenceNode and
not exists(FormattingFunctionCall fc | node.asDefiningArgument() = fc.getOutputArgument(_)) and
not exists(Call c | c.getAnArgument() = node.asDefiningArgument() and c.getTarget().hasDefinition())
)
)
or
node instanceof DataFlow::DefinitionByReferenceNode and
@@ -132,11 +122,13 @@ predicate isSinkImpl(DataFlow::Node sink, Expr formatString) {
module NonConstFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
exists(boolean isIndirect, Type t |
isNonConst(source, isIndirect) and
t = source.getType() and
not cannotContainString(t, isIndirect)
)
// isNonConst(source)
isNonConst(source,_)
// exists(boolean isIndirect, Type t |
// isNonConst(source, isIndirect) and
// t = source.getType() and
// not cannotContainString(t, isIndirect)
// )
}
predicate isSink(DataFlow::Node sink) { isSinkImpl(sink, _) }
@@ -146,13 +138,18 @@ module NonConstFlowConfig implements DataFlow::ConfigSig {
module NonConstFlow = TaintTracking::Global<NonConstFlowConfig>;
from FormattingFunctionCall call, Expr formatString
// import NonConstFlow::PathGraph
from
FormattingFunctionCall call, Expr formatString, DataFlow::Node sink
// ,NonConstFlow::PathNode src,
// NonConstFlow::PathNode sink
where
call.getArgument(call.getFormatParameterIndex()) = formatString and
exists(DataFlow::Node sink |
NonConstFlow::flowTo(sink) and
isSinkImpl(sink, formatString)
)
select formatString,
//NonConstFlow::flowPath(src, sink) and
NonConstFlow::flowTo(sink) and
//isSinkImpl(sink.getNode(), formatString)
isSinkImpl(sink, formatString)
select formatString, //sink.getNode(), src, sink,
"The format string argument to " + call.getTarget().getName() +
" should be constant to prevent security issues and other potential errors."
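Review bot: The `isSource` rewrite in the `NonConstFlowConfig` hunk appears to replace the type-filtered condition with the bare `isNonConst(source,_)` while leaving the previous `exists(boolean isIndirect, Type t | ... not cannotContainString(t, isIndirect))` form, and in the final hunk the `PathGraph`/`PathNode` and `select ... //sink.getNode(), src, sink,` variants, as commented-out code; either finish the change or drop the comments, and if the widening is deliberate say so next to the call, e.g. `// Type filtering is intentionally not applied at the source; see isSinkImpl`, because admitting sources whose type cannot hold a string is otherwise unexplained. The new `UncalledFunction` class in the first hunk has no QLDoc, and its `not exists(Call c | c.getTarget() = this)` condition classifies any function without a direct call site as uncalled, which presumably also covers functions that are only address-taken or reached through a function pointer; stating that as the intent would help, e.g. `/** A function with no direct call site in the database; its parameters are treated as potentially externally controlled. */`. The added `DefinitionByReferenceNode` clause in the `isNonConst` hunk (`not exists(Call c | ... c.getTarget().hasDefinition())`) likewise deserves a one-line comment saying why an out-argument of a function without a definition is considered non-constant. Minor style: `isNonConst(source,_)` and `Parameter p| f.getAParameter() = p |` lack the spaces after `,` and before `|` used elsewhere in the file.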


@@ -11,14 +11,5 @@
| test.cpp:63:12:63:18 | * ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:64:12:64:18 | & ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:65:12:65:39 | ... + ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:67:10:67:35 | ... + ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:70:12:70:20 | ... + ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:76:12:76:16 | hello | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:82:12:82:16 | hello | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:88:12:88:16 | hello | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:93:12:93:18 | ++ ... | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:100:12:100:16 | hello | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:110:12:110:24 | new[] | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:115:12:115:16 | hello | The format string argument to printf should be constant to prevent security issues and other potential errors. |
| test.cpp:130:20:130:26 | access to array | The format string argument to sprintf should be constant to prevent security issues and other potential errors. |
| test.cpp:157:12:157:15 | data | The format string argument to printf should be constant to prevent security issues and other potential errors. |